DECEMBER 2011 • WWW.SCMAGAZINEUS.COM
How secure is the cloud
and the use of social
networks? What’s up
with mobile malware?
We take a backward glance at
2011’s major developments.
As well, we pick the year’s top
luminaries and call out the products and
events that shaped the IT security field.
REBOOT
2011
VOLUME 22 NO. 12 • DECEMBER 2011 • WEBSITE WWW.SCMAGAZINEUS.COM • EMAIL SCFEEDBACKUS@HAYMARKETMEDIA.COM
CAN YOU SEE
EVERYWHERE
AT ONCE?
YOU CAN.
You can’t stop threats if you can’t spot them. That’s
why HP Enterprise Security offers proven solutions
that deliver context-aware visibility into security risk.
There’s no better way to proactively detect security
issues and drive situational awareness across your
applications, operations, and infrastructure.
The HP Security Intelligence and Risk
Management platform provides integrated
correlation, application protection and
network defenses that can secure modern IT
environments from sophisticated threats.
For more information go to
www.hpenterprisesecurity.com
REGULARS
4 Editorial Summing up the year that was
8 Threat report Thieves have been planting skimming devices on ATMs around Nashville, Tenn.
10 Threat stats The Clampi trojan topped the attack list in the United States
12 Update The hacktivist group Anonymous made good on its promise of digital retaliation against the Oakland Police Department
13 Debate The Stuxnet authors are behind the Duqu trojan
14 Two minutes on… The 2012 election & cybercrime
15 Skills in demand Candidates who can create and manage a comprehensive vendor risk program are in high demand, says Joyce Brocaglia, CEO at Alta Associates
16 From the CSO’s desk Implement cultural change in 2012, by Justin Somaini, CISO at Yahoo!
17 Letters From the online mailbag
58 Last word Our own worst enemy, by Kyrus CTO Michael Tanji

FEATURES
Reboot: Special year-end issue
As we say goodbye to 2011, we take a look back to assess the major developments in the IT security marketplace.
18 The top five influential security thinkers
SC Magazine profiles a select group as 2011 luminaries, interspersed with our Book of Lists, a gathering of the biggest breaking news and trends of the year.
30 Paying dividends
Financial institutions’ leaders must come together to deal with data security risks and compliance requirements.
32 Over the horizon
We asked a number of our most trusted sources in the security space to make predictions for the upcoming year.
36 Case study: Game play
Keeping network operations going at an amusement game company takes more than a roll of quarters.
44 Innovators for 2011
The best products and services that launched this year.
Web exclusive
A special wrap-up of the products and services selected by the SC Lab team in 2011 as Best Buy, Recommended and Lab Approved. Click over to the slideshows on our homepage, scmagazineus.com.

PRODUCT REVIEWS
43 Products section
M86 Secure Web Gateway P52
Cyberoam from Elitecore Technologies P53

Photos: Suzanna Schmeelk P18; Craig Spiezle P32; Mike Paquette P36

www.facebook.com/SCMag
www.twitter.com/scmagazine

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2011 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazineus.com.
Editorial
Summing up the year that was
I’m a Johnny Cash fan. One of his coolest tunes is a duet with Merle Haggard during which they sing, “That ole’ wheel, it’s gonna roll around again…”
They were singing about karma, of course,
but the idea of things coming full circle, of
trends being cyclical, can be inferred here.
This thought could be applied to the information security industry this year. However, in
my mind, there does seem to be a new development. So, this left me thinking: If I were to
write a headline to sum up 2011, what would
be the right fit? Hacktivists wreak havoc in
2011. 2011: The year of the data compromise.
Data security goes mainstream in 2011.
Perhaps all these ideas work. After all, we
had a mightily busy year.
Arguably, more than any year before, we
saw over the last 12 months a few prominent
groups rise up to call out what they perceived
as questionable practices adopted by government and private entities alike. Their compromises seemingly had no end, and often strived
to promote their various political ideologies.
This year also saw organizations of all
sizes across all markets hurtling countless
data breach notifications through cyberspace
to warn millions of customers about some
compromise of their personally identifiable
information. To say it has been a difficult year
for IT security pros is an understatement.
So, could 2011 be coined the year of the breach? Sure. Many experts say, however, it’s bound to get worse given the volume of electronic data and the many cybercriminals who are continually honing their skills to get at it.
And this brings me to my last point. At no time in our history have we seen individuals and organizations so dependent on IT. Let’s count the ways.
There’s the bring-your-own-device movement, along with an astronomically growing number of endpoints. Companies and government agencies are looking for cost-savings in a dank economy through cloud computing and paperless operations. Every walk of life is tethered to some social networking application. Meanwhile, legislators are worried about protecting electronic records, with compliance mandates becoming finetuned to integrate security technologies, policies and requirements.
Has cybersecurity gone mainstream? I think, yes. As a matter of fact, I think I’ll tweet this as I imbibe my margarita at this year’s holiday party and further ponder what this might mean for us all in 2012. Here’s to you and yours for a prosperous and data security-filled New Year!
Illena Armstrong is editor-in-chief of SC Magazine.
“Has cybersecurity gone mainstream? I think, yes.”

From: Renewal time, here comes the pain again
To: Predictable pricing & consistent support
IT made easier with EdgeWave
We know there are things you’d rather be doing. Spend less time managing your information security with EdgeWave’s award-winning iPrism Web Security and ePrism Email Security Suite. We believe in developing innovative solutions that meet the needs of our customers now, and in the future. With EdgeWave SCM solutions:
• Simple deployment has you up and running in 30 minutes or less
• Easy to configure and fully-hosted solutions mean low-to-no maintenance
• Revolutionary real-time defense against botnets and emerging threats
• Fully integrated email security services for threat protection, DLP, Encryption, Continuity and Archive
• Live, 24/7, US-based support team with customer satisfaction rates over 95%
As a special offer for SC Magazine readers, for a limited time, we’ll give you $100 just for trying our Web or Email security solutions. Already have a solution in place? We’ll make it very easy to switch.
Visit www.edgewave.com/SCMag for more information or call us at 1-800-782-3762 and mention SC Magazine Innovator.
www.edgewave.com
4 SC • December 2011 • www.scmagazineus.com
SC MAGAZINE EDITORIAL ADVISORY BOARD 2011
Rich Baich, principal, security & privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, chief security officer and president, public sector, Atigeo
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director information technology, Frost & Sullivan
Dave Cullinane, chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, former chief information security officer, Brandeis University
Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos
Gene Fredriksen, senior director, corporate information security officer, Tyco International
Maurice Hampton, technical account manager, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, vice president of IT risk, office of the CIO, IBM
Tim Mather, director, information protection, KPMG
Stephen Northcutt, president, SANS Technology Institute
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, cybersecurity coordinator, White House; president and chief executive officer, Information Security Forum
Justin Somaini, chief information security officer, Yahoo!
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, U.S. Department of Homeland Security’s National Cyber Security Division
* emeritus

WHAT IS SCWC 24/7?
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

THIS MONTH
Dec. 8
eSymposium: Fending off attacks from all sides
The rate at which attackers have breached enterprise systems has risen rapidly. Whether spearheaded by cybercriminals, hacktivists, state-sponsored offenders or insiders, these assaults highlight the need to be proactive and adaptive. Having the most robust risk management programs is critical. In short, such programs must leverage people, processes and technologies to enable systems to be resilient. We learn from experts.

ON DEMAND
APTs
Some say advanced persistent threats (APTs) are a combo package of attack types complete with long-term information-siphoning that can bring companies to their knees. Others, however, believe APT has become a hype-filled marketing term used by vendors to scare nervous or confused executives into buying their products. We take a deeper look at this threat type to determine the truth.

Mobile security
To safeguard handheld devices used by business execs is a constant trial – one that rarely is satisfactorily remedied. But companies must find a way to manage these endpoints. We discuss solutions.

FOR MORE INFO
For information on SCWC 24/7 events, please contact Natasha Mulla at natasha.mulla@haymarketmedia.com. For sponsorship opportunities, contact Mike Alessie at mike.alessie@haymarketmedia.com. Or visit www.scmagazineus.com/scwc247.

WHO’S WHO AT SC MAGAZINE
EDITORIAL
EDITOR-IN-CHIEF Illena Armstrong
illena.armstrong@haymarketmedia.com
EXECUTIVE EDITOR Dan Kaplan
dan.kaplan@haymarketmedia.com
MANAGING EDITOR Greg Masters
greg.masters@haymarketmedia.com
SENIOR REPORTER Angela Moscaritolo
angela.moscaritolo@haymarketmedia.com
TECHNOLOGY EDITOR Peter Stephenson
peter.stephenson@haymarketmedia.com
SC LAB MANAGER Mike Stephenson
mike.stephenson@haymarketmedia.com
DIRECTOR OF SC LAB OPERATIONS John Aitken
john.aitken@haymarketmedia.com
SC LAB EDITORIAL ASSISTANT Judy Traub
judy.traub@haymarketmedia.com
PROGRAM DIRECTOR, SC CONGRESS
Eric Green eric.green@haymarketmedia.com
CONTRIBUTORS
Stephen Lawton, Deb Radcliff, Jim Romeo,
Ryan Goldberg
DESIGN AND PRODUCTION
ART DIRECTOR Brian Jackson
brian.jackson@haymarketmedia.com
VP OF PRODUCTION & MANUFACTURING
Louise Morrin louise.morrin@haymarketmedia.com
PRODUCTION MANAGER
Krassi Varbanov
krassi.varbanov@haymarketmedia.com
SC EVENTS
SENIOR EVENTS MANAGER Natasha Mulla
natasha.mulla@haymarketmedia.com
SENIOR EVENTS COORDINATOR Anthony Curry
anthony.curry@haymarketmedia.com
EVENTS ASSISTANT Maggie Keller
maggie.keller@haymarketmedia.com
U.S. SALES
ADVERTISING DIRECTOR David Steifman
(646) 638-6008 david.steifman@haymarketmedia.com
EASTERN REGION SALES MANAGER Mike Shemesh
(646) 638-6016 mike.shemesh@haymarketmedia.com
WEST COAST BUSINESS MANAGER
Matthew Allington (415) 346-6460
matthew.allington@haymarketmedia.com
NATIONAL ACCOUNT MANAGER - EVENT SALES
Mike Alessie (646) 638-6002
mike.alessie@haymarketmedia.com
ACCOUNT EXECUTIVE Dennis Koster
(646) 638-6019 dennis.koster@haymarketmedia.com
SALES/EDITORIAL ASSISTANT Roo Howar
(646) 638-6104 roo.howar@haymarketmedia.com
UK ADVERTISEMENT DIRECTOR
Mark Gordon 44 208 267 4672
mark.gordon@haymarketmedia.com
LICENSE & REPRINTS ACCOUNT EXECUTIVE
Malika Touré (646) 638-6101
malika.toure@haymarketmedia.com
EMAIL LIST RENTAL
EMAIL SENIOR ACCOUNT MANAGER
Frank Cipolla, Edith Roman Associates
(845) 731-3832 frank.cipolla@epostdirect.com
CIRCULATION
GROUP CIRCULATION MANAGER
Sherry Oommen (646) 638-6003
sherry.oommen@haymarketmedia.com
SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: Haymarket@cambeywest.com
WEB: www.scmagazineus.com/subscribe
MANAGEMENT
CEO OF HAYMARKET MEDIA Lee Maniscalco
EXECUTIVE VICE PRESIDENT Tony Keefe
Traditional thinking about
security can have a chilling effect
on your business.
Desktop Virtualization. A better way
to minimize risk without compromising
business productivity.
You need a security approach that can evolve
with your needs. Device proliferation and flexible
workstyles require new thinking.
Citrix desktop virtualization is a better way for
companies to fortify security without freezing
business productivity. It provides the foundation
for a layered security strategy that enables
desktops, applications and data to be delivered
securely, on demand, to any device.
And since applications and data are secured at
the data center–and not at the endpoint–you get
increased control and visibility without restricting
worker performance and business agility.
Citrix desktop virtualization. It's the coolest thing to
happen to security.
Visit www.citrix.com/secure
© 2011 Citrix Systems, Inc. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc. and/or one or more of
its subsidiaries and may be registered in the United States Patent and Trademark Office and in other countries.
DataBank
ThreatReport
Cybercriminal activity across the globe, plus a roundup of security-related news
Colored spots on the map indicate levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messaging corresponding with IP addresses are received by Symantec’s network of two
million probes with a statistical reach of more than 300 million mailboxes worldwide.
HIGH-LEVEL ACTIVITIES
MEDIUM-LEVEL ACTIVITIES
LOW-LEVEL ACTIVITIES
FINLAND – The Nordic nation is planning to build an offensive cyberspace capability, possibly as a means of launching counterattacks against future threats. The project’s purpose now, however, is to conduct penetration tests against its own networks to evaluate its protection level.
MONTANA – Authorities in the Treasure State warned users to be on alert for smishing attacks, in which victims are called or contacted via SMS and asked to provide credentials or personal data.
WILMINGTON, DEL. – Three unencrypted backup tapes containing the names and Social Security numbers of 1.6 million individuals went missing from Nemours, a children’s health system.
ATHENS, GA. – The personal data of 18,931 staff and faculty members at the University of Georgia in 2002 was found accessible online. An administrative file was placed on a publicly available web server where it remained from at least 2008 until 2011.
TENNESSEE – Thieves planted skimming devices on ATMs around the Nashville and Chattanooga areas to capture users’ debit card numbers. Two men were arrested and charged in connection with the crimes.
U.K. – The head of the Ministry of Defense’s cybersecurity program told The Daily Telegraph that cyberattacks pose the largest risk to the nation’s security, given that hackers are regularly making off with intellectual property. He placed much of the blame on “poor cyber hygiene.”
PALESTINE – Distributed denial-of-service attacks struck servers here, knocking out web service to the West Bank and Gaza. Officials said they don’t know the motive, but the attacks began soon after Palestinians won UNESCO membership.
DOMINICAN REPUBLIC – Hackers defaced the government website, likely in protest of alleged police killings and torture uncovered in an Amnesty International report.
JAPAN – Hackers targeted both houses of the nation’s parliament in an attempt to access internal documents. In their raid on the lower house, intruders stole data by tricking users into loading malware. Upper house members also reported receiving suspicious emails, but officials said no data was taken.
TANZANIA – The East African Community organization, based here and made up of members Kenya, Uganda, Tanzania, Rwanda and Burundi, is expected to adopt uniform laws addressing cybercrime. The plan for common legislation comes as the nations are experiencing a boost in e-commerce and e-government services.

India was top producer of zombie IP addresses
For October, the Asia-Pacific (APJ) region was the leading source of all zombie IP addresses. Of the countries making up the APJ, India was the top producing country. For the other regions, the top producers were Brazil in South America, the United States in North America and the Netherlands in the EMEA (Europe, the Middle East and Africa) region. Source: Symantec
DataBank
ThreatStats

Zombie IPs Global distribution
Chart (percent of zombie IP addresses): Other Asia 18.7; India 18.6; Other Europe 12.9; Vietnam 8.6; Brazil 7.8; Russia 6.5; Pakistan 4.9; China 4.7; Indonesia 4.1; Ukraine 2.6.
The biggest increases in month-over-month zombie activity occurred in India, Vietnam and Pakistan, while the largest decreases occurred in Brazil and “other” European nations.
Source: Commtouch Software Online Labs

Top 5 attacks used by U.S. hackers
1. Clampi trojan
2. Downloader trojan
3. ZeuS trojan
4. TDSS Downloader trojan
5. Sinowal trojan
There were 1,666,987 attacks in the United States last month, primarily originating from New York; Cambridge, Mass.; Atlanta; Dallas; and Chicago.

Top 5 attacks used by foreign hackers
1. Butterfly bot
2. Downloader trojan
3. ZeuS trojan
4. SpyEye trojan
5. Sinowal trojan
There were 1,861,656 foreign attacks last month, primarily originating from Moscow; Toronto; Beijing; Guangdong, China; and Amsterdam, Netherlands.
Source: Dell SecureWorks

Spam World’s most prevalent spam-support ISPs
Position  ISP  Number of current known spam issues
1  hostnoc.net  78
2  telecomitalia.it  74
3  telefonica.com.ar  59
4  unicom-cn  54
5  unicom-hl  44
6  hinet.net  43
7  iliad.fr  41
8  telefonica.com.br  41
9  chinanet-zj  41
10  shawcable.net  39
The networks listed knowingly provide service to criminal spam gangs and ignore alerts from anti-spam systems and internet users.
Source: www.spamhaus.org

Malware Vertical encounter rate
Chart (encounter rate, percent of median): Education 300; Food beverage 154; Retail wholesale 127; IT telecom 108; Government 92; Banking finance 81; Healthcare 69.
The chart above reflects the encounter rate of web malware across a selection of industry verticals. Rates above 100 percent reflect a higher-than-median rate of encounter and rates below 100 percent reflect a lower-than-median rate.
Source: Cisco ScanSafe

Phishing Volume dropped nearly 40%
Chart (phishing volume by month, May through Oct.; bar labels: 38,970; 25,191; 26,907; 23,097; 24,019; 22,512).
In October, phishing volume dropped nearly 40 percent, as a handful of brands observed to be heavily attacked in September endured fewer attacks. The number of brands attacked last month remained virtually identical to the previous month’s list, once again reflecting phishers’ inclination to repeatedly target the same few brands.
Source: RSA Anti-Fraud Command Center

Top breaches of the month Data loss
Name  Type of breach  Number of records
Tricare (San Antonio, Texas)  The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  4.9 million
Nemours (Wilmington, Del.)  Three unencrypted computer backup tapes were reported missing.  1.6 million
Neurological Institute of Savannah (Savannah, Ga.)  The car theft of a computer hard drive may have exposed patient information.  63,425
Total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 542,361,948 (as of 11/7/11).
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

Spam rate Compared to global email
Chart (weekly, 10/03/11 through 10/31/11; series: detected activity, global; detected activity).
Spam rate indicates the accumulated emails tagged as unsolicited.
Received spam Top five regions
Chart (percent): Israel 11.16; United States 9.56; Japan 6.06; Indonesia 4.05; Canada 3.83.
Source: Fortinet Threatscape Report

Top 10 spyware threats Trojans still on top
Position  Threat name  Percentage
1  Trojan.Win32.Generic: trojan  33.37%
2  Yontoo (v) Adware (General): adware (general)  1.77%
3  INF.Autorun (v): trojan  1.30%
4  Trojan.Win32.Adware: adware (general)  1.23%
5  Worm.Win32.Downad.Gen (v): worm.W32  1.01%
6  Trojan.Win32.Jpgiframe (v): trojan  0.98%
7  Backdoor.Win32.Cycbot.cfg (v): backdoor  0.98%
8  Pinball Corporation. (v): adware (general)  0.88%
9  Trojan-Spy.Win32.Zbot.gen: trojan  0.84%
10  Virus.Win32.Sality.at (v): virus.W32  0.84%
ThreatNet statistics revealed that trojans continue to make up a large portion of the most prevalent threats, taking four of the top 10 spots. The majority of these threats propagate through stealth installations or social engineering. (v) is a detection that has come directly from VIPRE.
Source: Sunbelt Software
Update
2 minutes on... The 2012 election and cybercrime P14
Me and my job Assessing security postures to meet regulations P15
Skills in demand Those who manage vendor risk are in high demand. P15

NEWS BRIEFS
»Duqu, the so-called “son of Stuxnet” trojan, contains a dropper program that exploits a previously unknown vulnerability in the Windows kernel. This adds merit to security industry suspicions that Duqu is a sophisticated piece of malware, possibly containing underlying Stuxnet code. Analysts have suggested that Duqu was created to conduct reconnaissance of target industrial control systems, and may be a precursor to another Stuxnet-like attack.
»Chinese officials have repudiated a report from the U.S.-China Economic and Security Review Commission accusing the country of attempted hacks into two U.S. government satellites in 2007 and 2008. Hong Lei, a spokesman for China’s Foreign Ministry, said the draft report was “untrue and has ulterior motives,” according to published accounts. The report, to be released this month, said hackers interfered with a Landsat 7 earth observation satellite for 12 or more minutes in October 2007 and June 2008, and a Terra AM-1 satellite experienced 11 minutes of interference from 2007 to 2008.
»Researchers discovered a spike in malware infecting thousands of WordPress websites that use a popular image tool. The attacks came to light after The Poitou-Charentes Journal, a French media outlet, began hosting malicious code on its WordPress site. Jan Sirmer, a senior researcher at Avast, found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the site. The attack used the BlackHole exploit kit, which redirected website visitors to an external malware-hosting site.
»A trojan that has been targeting Linux users for several years is now setting its sights on the Mac OS X. The so-called “Tsunami” backdoor trojan is derived from an older Linux malware family that has been around since at least 2002, according to Robert Lipovsky, researcher at anti-virus company ESET. It enables infected machines to participate in DDoS attacks intended to flood websites with traffic. The trojan also can be used to download additional malware and take control of an affected machine.
»Hackers targeted at least 29 companies in the chemical sector during an attack campaign aimed at stealing intellectual property, such as design documents, formulas and manufacturing processes, according to Symantec. The affected firms, which were not identified, include Fortune 100 companies involved in research and development of chemical compounds and advanced materials. The attacks, dubbed “Nitro” by Symantec researchers, began in late July and continued into September.
»SC Magazine was named a “Spectacular IT Publication” by Bill Morton on the Masters of Information Technology website, www.mastersofinformationtechnology.com, which provides students with the information needed to pursue their master’s degree in IT. We’re honored. Thank you.

Face off
The hacktivist group Anonymous made good on its promise of digital retaliation against the Oakland Police Department for the force it used against protesters following the clearing of an Occupy Oakland encampment. Members of the collective launched a denial-of-service attack that took down the department’s website, and also released employment details on a number of police officers.
“OpUprise” came in retaliation for Oakland police action against protestors. AP Photo/Ben Margot

THE QUOTE
“Designing to meet the nuanced needs of all web users is really hard.”
—Jules Polonetsky, director and co-chair of the Future of Privacy Forum, commenting on a Carnegie Mellon report that found web users wishing to stop advertisers from tracking their online behaviors face major hurdles

Debate» The Stuxnet authors are behind the Duqu trojan.

FOR
We are certain Duqu was created using the same source code as Stuxnet. This is because roughly 50 percent of the code in Duqu is reused from Stuxnet. It would be nearly impossible to reverse engineer Stuxnet’s binary and achieve code so similar, not to mention impractical. Because the same source code was used, Stuxnet and Duqu share remarkable similarities: Duqu’s method for loading modules into memory has only ever before been observed in Stuxnet; both threats’ encryption algorithms are nearly identical; both store their two primary files, an executable and a configuration file with a unique .pnf extension, in the same subdirectory; and both are stored in a single file with all other components included therein. The organizational structure of the components within these files is identical. So, who has access to the Stuxnet source code? The truth is only Stuxnet’s authors do. All these facts taken into account leave no doubt Duqu was created by, at the very least, Stuxnet-affiliated attackers.
Liam Ó Murchu, operations manager, security technology & response, Symantec

AGAINST
As of Nov. 1, the known Duqu payloads enable the attacker to steal information from the infected computer and the network to which it is connected, capture keystrokes and download additional code. Currently, no code in any of the known Duqu variants pertains to or targets industrial control systems, as Stuxnet did. There have been no confirmed Duqu victims that are industrial control system (ICS) providers or manufacturers of ICS components, such as the programmable logic controllers targeted by Stuxnet. If the Duqu actors are the Stuxnet actors, why would they use the same code used in previously deployed cyber weapons (Stuxnet), knowing that the code would trip security alerts? The code in common between Duqu and Stuxnet are the modules used to decrypt other code and inject it into the memory of other running programs. This is a common tactic used by modern malware. Similar code can be found on malware programming forums, and the specific implementation used by Stuxnet is given in detail in source code available on the internet.
Don Jackson, director, Dell SecureWorks Counter Threat Unit

THE SC MAGAZINE POLL
Is Duqu, the so-called son of Stuxnet, something to care about?
Yes, any trojan that carries Stuxnet code is worrisome. 72.41%
No, its impact has been minimal. 27.59%
Oct. 28
To take our latest weekly poll, visit www.scmagazineus.com

THE STATS
Mumbai officials seize equipment from Web Werks, suspected of hosting a Duqu C&C server
30 days: threat is configured to run by default before automatically removing itself from an infected system
Source: Reuters/Symantec

THREAT OF THE MONTH
Unpatched applications
What is it?
Organizations are routinely compromised through unpatched applications, many of which have had patches available for more than a year.
How does it work?
Attackers tend to use publicly available exploits, which means they only need to worry about delivery mechanisms. While most public exploits have patches available, organizations aren’t patching as they should.
Should I be worried?
It is hard to find an organization that isn’t affected by patch management failures. This should be the highest priority because patches address the root cause of security holes.
How can I prevent it?
Most obviously, enterprises should deploy patches as soon as they become available. Further, they should limit administrator privileges to a small number of people to prevent rogue application installation. Admins should also consider deploying a vulnerability management solution to scan networks for unpatched software.
– Marcus Carey, security researcher at Rapid7
Update
2 MINUTES ON...
The 2012 election & cybercrime
As he campaigned for president in 2008, then-candidate Barack Obama witnessed both the sheer power, and to a lesser extent, the shortcomings of the internet.
Indeed, the eventual 44th president of the United States masterfully leveraged the web in a way never before done by a presidential candidate – to raise money, organize support and reach constituents. But he also witnessed the online medium’s underbelly, when, for example, a hacker exploited a cross-site scripting vulnerability to send visitors from Obama’s campaign site to the one belonging to challenger Hillary Rodham Clinton.
The cyber worries Obama’s
campaign faced in 2008,
however, likely were just an
opening salvo. Not only have
attack tactics gotten more
sophisticated since 2008, but
there also has been a meteoric rise of politically motivated hacktivism, particularly
by the Anonymous collective,
which has made no qualms
about its interest in going
after individuals or organizations with which it disagrees.
And with the Iowa caucuses, the first major electoral
event related to the 2012
presidential nomination, set
for early next month, the
digital firefight may soon get
going, said Steve Livingston,
a principal at Deloitte and
lead of the company’s power
and utilities security practice.
“Campaign organizations
don’t have CISOs,” he said,
calling them soft targets.
“The incentive to show the
American people what someone is really thinking, not
just what their talking points
are, I think there’s too much
return on investment there
for a hacktivist [to pass up].”
Already, in a video posted to YouTube in early November, Anonymous asked viewers to “occupy” the presidential candidates’ campaign offices in Des Moines, Iowa on Dec. 27, and then “peacefully shut down” the polls on Jan. 3.

$500m
Amount of money President Obama raised online in his 21-month campaign in 2008
– The Washington Post
“The primaries and caucuses put on by these parties
are part of an elaborate scam
that deceives the public into
voting for candidates that
serve the private interests of
the mega corporations,” said
a computer-generated voice
in the video.
The two-minute clip does
not explain how Anonymous
plans to accomplish this
action, whether it’s on the
ground or in cyberspace –
perhaps by way of a DDoS
attack? – but some have suggested the video is a hoax.
Regardless, its mere existence
underscores the possibility
that the race to next November may be far unlike any
other in presidential history.
– Dan Kaplan
JOBS MARKET
Me and my job
David McGuire, senior security engineer, Veris Group; and vice chair of the operational security testing panel, National Board of Information Security Examiners (NBISE)
How do you describe your job to average people?
At Veris Group, I build and run security assessment programs to help customers assess their security postures and meet regulatory requirements in a way that is cost effective and repeatable. At NBISE, I extend that work into a community effort to define competency models for security testers with the goal of enhancing education.

Why did you get into IT security?
I got into IT security while in the Marine Corps because breaking into computer systems seemed cool. I ended up as a technical lead for a large Department of Defense Red Team and decided to stay in the field because being a part of the solution for securing our critical IT systems is a rewarding experience.

What was one of your biggest challenges?
Many of the organizations we work with are high-security environments with a large number of regulatory requirements, but constrained IT budgets. Our greatest challenge is designing assessments and training programs within these environments.

What keeps you up at night?
We are facing an increasing number of cyberattacks. Yet, our ability as an industry to assess systems against these threats is not keeping up.

Of what are you most proud?
Approaching security assessments with a methodical framework-based model is the way of the future. I'd like to think we play a role in this changing mindset.

For what would you use a magic IT security wand?
The maturity level of security assessments as a whole is relatively low. Our first, and biggest, step would be to have the community (both providers and customers) come to an agreement that we must tackle security assessments in a structural, industry-wide way, instead of the piecemeal approach we use today.
Skills in demand
Companies are relying on vendors for the achievement of their business objectives through outsourcing of development, creating products and services, consulting and augmenting staff.

What it takes
Candidates who can create and manage a comprehensive vendor risk program are in high demand. They must understand the risk of dealing with vendors, have a background in audit and risk, and face clients with strong project management skills.

Compensation
The ability to drive policies, practices, tools and metrics is the key to success. Salary: $100,000 to $150,000-plus.
– Joyce Brocaglia, CEO, Alta Associates, and founder, Executive Women's Forum
Company news

» TRUSTe, provider of online privacy and behavioral advertising compliance solutions, has appointed Patricia Neuray as managing director of ad solutions. She previously held the position of senior VP of national ad sales and customer marketing at Business.com, an online purchasing resource.
www.truste.com

» Alex Eckelberry, the president and CEO of Sunbelt Software for nine years before leaving to serve as VP and general manager of GFI Software after it acquired Sunbelt, has left the company. He said in an email to colleagues that he plans to spend time with his family as he plans his "next great adventure."
www.gfi.com

» Gerhard Eschelbeck has been appointed CTO and SVP of Sophos. He most recently served as CTO and SVP at Webroot Software, where he was in charge of developing cloud-based solutions. At Sophos, he will lead the company's technology strategy and drive product direction and innovation.
www.sophos.com

» Endace, provider of network monitoring and recording, has hired Spencer Greene to lead the opening of a new California-based office and head up worldwide product management and marketing at the company, headquartered in New Zealand. Prior to joining Endace, Greene served as VP at Juniper Networks.
www.endace.com

» Aerospace and defense company Boeing has opened a Cyber Engagement Center in Annapolis Junction, Md. The 32,000-square-foot facility was built to enhance the collaboration of security experts and research-and-development teams, which are creating capabilities on behalf of the company's commercial and defense customers.
www.boeing.com

» Secunia, provider of vulnerability management solutions, has launched its Vulnerability Coordination Reward Program, open to researchers who have discovered flaws in software and want a third party to validate their findings and handle the coordination process with the affected vendor. Secunia will monetarily reward researchers who present them with the bugs.
www.secunia.com

» Kevin Engelhardt, VP of security operations at Diebold, maker of security systems, has been named interim VP of security solutions until a replacement can be found. He takes over for Bradley Stephenson, who retired from the post. Stephenson joined Diebold in 1973 and played a major role in the firm's security business.
www.diebold.com

» The Security Industry Association has named Don Erickson CEO. In his prior role, as director of government relations at SIA since 2006, he served as the lead advocate when appearing before Congress and other government agencies.
www.siaonline.org
From the CSO's desk
Implement cultural change in 2012
Justin Somaini, CISO, Yahoo!
The end of the year is a really important time for me and my team. It's one of those rare situations when I feel reflection is forced upon us. The business starts to slow down for end-of-year finances, IT shuts down for change freezes, security organizations have their end-of-year conferences, holiday parties are held, reviews are conducted and more. For me, I like to think about what I've done, and not completed, to help me better position myself for the next year. It's also important to reconnect with the beliefs and core principles by which I operate. I believe, very deeply, that security is critically important to each and every one of us in our personal and professional lives. To that point, it's important to do this reflection to make sure we are not off target.

I believe that people are the main hurdle in implementing good security. As we look at the reasons why security fails in organizations, it keeps coming back to people. The main reason why people don't practice good security is because they don't believe in it or see the value. As a practitioner, have I done my job to communicate to the entire populace the need to change this? In a recent survey I conducted in June, more than 30 percent of executives were supportive of security compared to less than 10 percent of managers. If we believe that changing people is the key to implementing good security, we need to focus on this more. Our inability to do so will result in the same resistance we have always received.

I believe that transparency, openness and data are critical to obtain people's understanding and enrollment into security. We will never explain "why" to people and have them support our cause unless we are transparent, open and using data. Only 14 percent of respondents believed they had metrics that predict trends and allowed them to respond. In addition, no (0) respondents sent metrics to all employees. If we don't show our metrics of security to employees, how can we ever expect them to support our implementation of controls? Also, the constant maturity of our metrics is important to ensure we are focusing on the right things. In industry, key performance indicators (KPI) are seldom used, if ever correct. Driving to this level of maturity is significant to ensure we have a robust data-driven approach.

The method in which we implement controls is important to the defense of our environment. However, it's our ability to implement culture change that is critical. Over 78 percent of respondents said culture change was most important compared to technical controls. Yet, the data shows that we don't focus on it. Instead we focus on converting a subset of employees and executives, and leaving it at that. If we believe in culture change, we should change our behavior to meet it.
Letters
Got something to say? Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.

From the online mailbag

In response to an Oct. news story, Federal security incidents shoot up 650 percent:
Securing IT is just the beginning. While IT resources are critical to securing data, other aspects of security are often forgotten. Physical plant, outsider access to computers and servers, HR hiring practices and application security along with a strong enforceable policy are all necessary to truly secure assets. Unfortunately, government and organizations often just focus on IT, put in some controls and think they are secure. They're still a long way from it.
Dgeddes1

In response to an Oct. news story, Anonymous downs Oakland police site after violence:
Anonymous may be justified in this case with their actions, but this worries me. It feels as if they are opening Pandora's box, and things are going to spiral out of control when it comes to hacktivists and personal information.
TheRational

In response to an Opinion, Your security will fail, but is this the right attitude?, by Sean Martin, founder, imsmartin consulting:
Something that is missing from the media coverage related to the RSA, Lockheed Martin and advanced persistent threat (APT) attacks is that RSA and Lockheed Martin are now self-phishing (i.e., conducting social engineering penetration testing). I believe that is the answer to spear phishing. Even my mom knows not to give up her password over the phone, but she still might click on a link. Educate, educate, educate.
In my experience, most enterprises and even governments are still using checkbox auditing and automated vulnerability assessments to "verify" their security. Adversarial penetration tests are the only way to cut through the bureaucracy that protects IT professionals – and the managers who hobble them with deficiencies in their systems.
Somebody

In response to a Sept. news story, Microsoft Windows 8 will ship with built-in anti-virus:
This is very good news for everyone. It is great news for consumers, as they will be safer, and good news for security firms as they will need to lift their game. Some small anti-virus companies might get wiped out of the market unless they can provide a better product cheaper, maybe free, ad funded.
Amadeus
Photo by Bob Adler
30 seconds on...
» Getting it done
» Measure success
» Take it outside
» Dig into the details

Justin Somaini has a few requests for security strategies he'd like to see implemented in 2012. To start, establish town halls for some of your largest offices once a year. Next, send a monthly communication to all employees on security trends. Also, work to establish a risk management methodology supported by key performance indicators. Somaini also recommends that security administrators get their team to participate in industry discussions and events to drive overall maturity within the enterprise.

To see the results of Somaini's S3 Survey, which focuses on how security is managed internally, click on www.somaini.net/justins-journal/2011/7/8/s3-survey-results.html.
TOP 5 INFLUENTIAL IT SECURITY THINKERS

Social networking, hacktivism, advanced persistent threats, cyberespionage, mobile malware, the entry of portable, handheld devices (smartphones, tablets) into the enterprise environment...these are just a few of the most prominent challenges security professionals must contend with each day. This year-end special section focuses on people who represent the highest degree of professionalism in the security space, individuals who stand out for their technical skills, managerial prowess, insight and advocacy. As well, interspersed are some of the highlights of the year's strongest trends, including top breaches and threats, merger and acquisition activity and legal developments, as well as some of the nuttiest news stories in the cybersecurity world.
SAMEER BHALOTRA
Age: 35
Occupation: White House deputy cybersecurity coordinator
Personal: Married, two children
College: B.S., chemistry and physics, Harvard University; Ph.D., physics, Stanford University
Recent accomplishments: executive branch development of cybersecurity legislation proposal, National Strategy for Trusted Identities in Cyberspace, and cybersecurity management reform
The three weeks from the end of April to the middle of May was a memorable time for Sameer Bhalotra, the White House's deputy cybersecurity coordinator. Bhalotra, along with his boss, White House Cyber Coordinator Howard Schmidt, oversaw the release of not one, but three major initiatives on cybersecurity. For Bhalotra, who signed on in July 2010, this was the outcome of long days facilitating lengthy meetings with two dozen executive agencies.

Along with Schmidt, Bhalotra is the architect of the administration's cybersecurity legislative proposal, released on May 12. But there was more. Four days later came the first International Strategy for Cyberspace. Previously, on April 26, his office released its National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to establish clear privacy rules and greater security within a proposed identity ecosystem.

Accolades abounded for the 35-year-old Bhalotra, whose meteoric rise has taken him from a doctorate in physics at Stanford into the intelligence community, the Senate and his current post.
Reboot 2011
He achieved what no one in the Department of Homeland Security or the White House was able to do before by bringing the players together and getting them to work harmoniously, Alan Paller, research director for the SANS Institute, says of Bhalotra's work on the legislative blueprint.

Bhalotra was sought for that mission. Soon after his appointment, Senate Majority Leader Harry Reid, D-Nev., asked the administration to weigh in on cybersecurity considering the 50-plus bills floating around the Hill. With this golden opportunity, Schmidt's office decided on a comprehensive approach. It was a minefield – within the executive branch, as well as between government and industry – but Bhalotra navigated it skillfully.

But Bhalotra prefers to deflect attention from himself. "I'm proud to be yet another hard-working member of the White House staff," he says. "This was a team effort. Our leadership in the West Wing takes cybersecurity seriously."

"He's a little publicity shy, actually more than a little," says Robert Rodriguez, a friend of Bhalotra's and the founder of the Security Innovation Network. "He likes to work under the radar. But he's the man behind all of it… Those were three huge accomplishments."

On the legislative proposal, Bhalotra coordinated massive intergovernmental collaboration among such agencies as the FBI, National Security Agency and departments of Defense, Commerce, Justice and Homeland Security.

"Managing that process was a great experience," Bhalotra says. The goal was to come up with recommendations to give Congress, of which securing America's critical infrastructure and information sharing between DHS and industry stand out. Its release "was a great and clear end to a very rigorous process," he says.
Photo by Aaron Clamage
TOP 3 weirdest news items

Taste of one's own medicine: A hacker in October who received a scam email had the last laugh when he took control of the phishing page and turned it into a public service announcement around phishing awareness.

Happy ending: Ivan Kaspersky, who was kidnapped for a ransom of $4.3 million, was rescued following a police operation. He is the son of IT security mogul and Kaspersky Lab founder Eugene, one of the wealthiest businessmen in Russia.

Mean streets: The YouTube channel for Sesame Street was briefly hijacked by hackers who swapped out educational videos with X-rated pornography. Not long after, Microsoft's YouTube channel was also compromised, but not to display erotic video.
Bhalotra's training for this process came during his nearly four years in the Senate. In 2007, he was brought onboard in a unique bipartisan role as a top staffer for the Senate Select Committee on Intelligence. He quickly seized on cybersecurity as a major issue and became an expert among Beltway staffers on the topic.

Bhalotra found few colleagues there dedicated exclusively to cybersecurity. So he began an informal group, where he gathered Senate and House staffers monthly to discuss cybersecurity and their work. These "cyber jams" allowed his peers to get briefings from officials, information on important issues and visits to security companies. What began with a half-dozen people grew to more than 30, Bhalotra says.

In the Senate, Bhalotra gained many admirers, among them committee chairs Jay Rockefeller, D-W.Va., Kit Bond, R-Mo., and Dianne Feinstein, D-Calif. His reputation led to Schmidt's call. And he brought this knowledge of how Congress works to the White House.

"He knows where the money is spent," says Paller, who calls Bhalotra brilliant and catalytic in his influence. "He's a wonderful bridge between the two."

From a young age, Bhalotra, who grew up in New England, worked with computers. He'd tinker with electronics in his home, taking apart computers, VCRs and telephones. His parents were "amazingly tolerant," he says. "I was lucky I didn't burn down the house or electrocute myself."

Bhalotra carried this passion to his undergraduate years at Harvard, where he studied physics and chemistry and even taught classes on laboratory electronics as an upperclassman. His graduate school thesis covered optical sensing in electronics. At Stanford, where he earned a doctorate in physics, his research was funded by the Defense Advanced Research Projects Agency (DARPA).

Bhalotra returned east to accept a position with the CIA, where he was assigned to the director's staff. Next, he moved to the office of the director of national intelligence, where he was again involved in Cabinet-level policy discussions. His work on cybersecurity "exploded" after he moved to the Senate.

"I'm a technologist by training," he says. "And I find cybersecurity so sophisticated, complicated in an interesting way, and important to the country."

There's little time to rest for Bhalotra, who is already meeting with Congress on the administration's legislative proposal. In addition, he is also focused on bringing others into public service to meet cybersecurity's fresh challenges. He has mentored many young staffers on the Hill. With his distinguished résumé, Bhalotra has cut the model. He hopes others in academia and industry will follow.

"One of my personal interests is trying to bring new people into government," he says. "We need to tap into the best minds in the country to solve these problems and move forward." – Ryan Goldberg
ERIC COWPERTHWAITE
Occupation: chief information security officer, Providence Health & Services
Age: 44
Personal: Married, four children
College: B.S., computer engineering, California State University-Sacramento

Something of a perfect storm for privacy and security is converging in the health care industry. As part of last year's Patient Protection and Affordable Care Act, companies are now required to digitize their medical records, but with this push come greater threats and challenges.

Eric Cowperthwaite, the chief information security officer of Providence Health & Services, which employs 54,000 people in Washington, Oregon, California, Alaska and Montana, is facing these challenges proactively. Providence, which operates 214 physician clinics, 27 hospitals, a health plan and many other services, has cut a model for other Catholic health care organizations in protecting patients' information from an increasing number of breaches.

This was born of necessity: in 2008, Providence was the first organization to enter into a resolution agreement with Health & Human Services (HHS) to resolve allegations of violating the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Cowperthwaite, 44, has overseen the successful implementation of that agreement.

"They have the most mature program that I'm aware of in health care delivery," says Gartner analyst Paul Proctor. "Eric has a program that rivals those in financial services."
The federal government and business side of the industry, Cowperthwaite says, are "pushing us down the road of 100 percent electronic records. All patient information has to be in accessible, open systems." These systems "will be a one-stop shopping center for all the information you could want about a single person."

However, confidential information – personal and financial in nature – is incredibly valuable for those who want to steal it. Breaches cost the health care industry $6 billion a year, according to the Ponemon Institute, and the majority of those intrusions currently come from insiders. At the same time, HIPAA and 2009's Health Information Technology for Economic and Clinical Health Act, or HITECH Act, levy heavy fines for the loss of patients' information.

At Providence, protection of that data begins with recognition and emphasis. By design, Cowperthwaite reports to the chief risk officer instead of the chief investment officer. He believes he's the only one among his peers at Catholic health organizations who does this.

"I think it's a recognition that information security is a critical function of the business," he says. "It's not just an IT issue, but it touches the whole business."

Providence did not have much of a security program to speak of before Eric, Gartner's Proctor says. "They brought Eric in to build that program up."

What began with six employees not well versed in information security has become a staff of 19 who report to Cowperthwaite directly, and another 33 people assigned in a matrix role. He is the single point of contact from the security side to those managing the electronic medical record rollout, with multiple teams of auditors, managers and privacy and compliance staff asking questions about access controls and complying with federal regulations.

Cowperthwaite has set the first line of defense for Providence with its employees. All of them must undergo privacy, security and compliance training every year. Cowperthwaite also customizes training for different business units. If, for example, his staff notices emails being sent that contain confidential information, they will educate that particular unit rather than send a companywide email blast.

A leading area of focus for Providence has been its employees in the field. As a Catholic entity, home care and hospice are significant parts of the mission. The laptops and mobile devices being used hold vital patient information. Cowperthwaite has established several policies to mitigate potential threats: Employees are required to activate security controls and keep their computers within sight, the amount of data on them is limited to that day alone, and they are shut down while in transit and cable-locked in employees' trunks. Above all, employees are made aware of why all these safeguards matter.

These measures stand out following Providence's previous slip-up. According to published reports, HHS investigated the company after it fielded more than 30 complaints from people whose information was compromised after unencrypted laptops, optical disks and backup tapes went missing, having been left unattended between September 2005 and March 2006. In all, 386,000 patients were exposed to potential identity fraud.

Providence agreed to settle the allegations for $100,000, and successfully implemented a systems improvement plan. Cowperthwaite says the organization had already decided to make significant changes to its security program before the deal. He says HHS recently notified them that they have met all of their mandates.

"I'm proud that we are the first organization to come out of that in a really good way," he says. "We went above and beyond what they required of us."

For Cowperthwaite, this has been the validation of an unlikely path. He joined the U.S. Army out of high school and his 10-year service included deployment in operations Desert Shield and Desert Storm. In 1996 he enrolled at California State University, Sacramento to study computer engineering. He graduated two years later and went to work for Medi-Cal, the state of California's Title XIX Medicaid insurance program. Information security came onto his radar gradually over the years. "I call myself the accidental security guy."

When Providence called, he foresaw challenges in health care information security that have come to fruition and still animate his work.

"I knew that the explosive growth in the storing of patient information, and needing to do it as effectively and efficiently as possible without expanding costs, would make for a dramatic and innovative field to be in," he says.
– Ryan Goldberg

Photo by Ron Wurzer

TOP 3 breaches of 2011 (by impact)

DigiNotar
On Sept. 20, the Dutch certificate authority (CA) was "declared bankrupt" after it emerged that the company had issued hundreds of counterfeit SSL certificates after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on by their government. Authentication solutions provider Vasco, the parent of DigiNotar, expects the bankruptcy to cost it between $3.3 million and $4.8 million.

Comodo
In March, another CA revealed that hackers gained access to its systems and fabricated nine certificates for some top-tier sites. Experts believe the Iranian government carried out the Comodo, and more recent DigiNotar, attacks to spy on private communications.

RSA SecurID
In March, the security company revealed that sophisticated hackers launched a spear-phishing attack that exploited an Adobe Flash zero-day vulnerability to infiltrate its systems and steal information related to its SecurID products. Such products include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. Subsequently, hackers leveraged stolen information about SecurID in an attack on U.S. defense contractor Lockheed Martin. RSA President Art Coviello issued a warning for customers to be more vigilant and issued a list of recommended actions.

TOP 10 breaches of 2011 (by records)
10. Eisenhower Medical Center: 514,330
9. Sony Pictures: 1 million
8. Sega: 1.29 million
7. Nemours: 1.6 million
6. New York City Health and Hospital Corp.: 1.7 million
5. Health Net: 1.9 million
4. Texas Comptroller's Office: 3.5 million
3. Tricare: 4.9 million
2. WordPress.com: 18 million (blogs)
1. Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE): 101.6 million
Source: Privacy Rights Clearinghouse
SUZANNA SCHMEELK
Occupation: teaching at University of
Maryland and a teaching assistant in
New York
Age: 32
College: B.S. in computer science at The
University of Richmond; M.S. in computer
science from William and Mary; completed
a doctorate in mathematics education at
Rutgers, and pursuing a M.S. in technology
management specializing in cybersecurity
at NYU
Recent accomplishments: worked on
numerous research projects (some sponsored by NSF) in networking, compilers,
grid computing, security and education;
numerous papers for academic journals
and the IEEE; president of the New York/
New Jersey Chapter of Graduate Women in
Science (GWIS)
S
uzanna Schmeelk is a woman on
the frontlines of computer science, attempting to tear down the
ants of an old system that, she says,
remnants
hasn’t been updated to meet the needs of
today’ss new computing environment. Her
sm is that students nowadays are
criticism
eing taught to think independently.
not being
vergent thinking is being lost,”
“Divergent
ys. “The ability to assert innovashe says.
onceptual ideas is stifled in favor
tive, conceptual
cedural exercises.” As an example,
of procedural
oints
she points to the evolution in attack vechere an engineer has to think about
tors where
he next criminal entryway might
what the
he future of protecting online combe. The
merce depends on encouraging this type
en questioning, she says.
of open
For Schmeelk, thinking conceptually
began early. Her grandfather and father
were both math professors. Her dad, she
says, was a “liberal” math person who
raged her efforts “within ethical
encouraged
daries.” Her mom provided vision.
boundaries.”
aid everything is going to be com“She said
puterss some day,” Schmeelk recalls.
While Schmeelk believes computer science, as it is currently taught, is too narrowly focused, there are shining lights who manage to think outside the box. She points to Apple’s recently deceased co-founder Steve Jobs, and Joseph Nadan, a professor of management of technology and business innovation at Polytechnic Institute of New York University (NYU-Poly), a research institution affiliated with NYU, where she is currently teaching. What she admires about them is their ability to see the big picture by combining engineering acumen with business needs. It’s a matter of being goal-oriented and being able to envision an end result. “It’s more about the value, not the process,” she says.
At NYU, Schmeelk is working as a cybersecurity consultant on a number of start-up projects, including collaborating with a number of hospitals and gaming companies. She serves as a resource as these incubating projects attempt to build websites, focused on applications-related challenges, such as
www.scmagazineus.com • December 2011 • SC 23
Photo by Andrea Fischman
TOP 10 breaches of 2011
Reboot 2011
1. In what was termed the largest identity theft takedown in U.S. history, 111 individuals were charged for their involvement in a New York-based organized crime operation responsible for more than $13 million in losses.
2. Six men believed to be behind a massive click-fraud scheme, all of whom are Estonian nationals, were arrested last month following a two-year, international police investigation, dubbed Operation Ghost Click. The racket led to the infection of more than four million computers in 100 countries with malware.
3. Running an online business that sold counterfeit credit cards embedded with stolen account information led to a 14-year prison sentence for Tony Perez III, 21, of Indiana.
4. The U.S. point person for one of the largest phishing rings ever to be brought down, Kenneth Lucas II, 27, of Los Angeles, was sentenced to 11 years in prison for his part in stealing more than $1 million from victims.
5. Scammer Tien Truong Nguyen, 34, of Long Beach, Calif., was sentenced to nearly 13 years in prison for orchestrating a phishing operation that duped at least 38,500 people.
6. Using stolen credit card numbers to conduct fraudulent transactions totaling more than $36 million resulted in a 10-year prison sentence for Rogelio Hackett Jr., 25, of Lithonia, Ga.
7. Former IT employee Jason Cornish, 37, of Smyrna, Ga., faces 10 years in prison for crippling his ex-employer’s network and causing hundreds of thousands of dollars in damages.
8. A nine-year sentence was handed down to former Dallas hospital guard Jesse William McGraw, 26, after he broke into hospital computers, planted malicious software, and planned a DDoS attack.
ker of information to the community.
But, it’s not just a matter of transmitting
data and details. While she’s reluctant
to discuss gender issues, she does admit
that being that she was often the only
female in her computer science classes,
she enjoys her new role encouraging women in the sciences. “There’s a
choice a teacher makes,” she says, “to
either encourage or discourage.”
Before her present activities, she
interned at The Team for Research in
Ubiquitous Secure Technology (TRUST).
She has high praise for the consortium of
academic and industry partners funded
by the National Science Foundation to
address issues affecting security, privacy
and data protection.
“They’re not average people,”
Schmeelk says. “Working there, you
realize these are people who are making the impossible possible.” A similar
consortium is now being formed within
NYU, she says.
She is also a prolific writer of research
papers, which often focus on how one
can manage a project by developing
a prioritization schema. Here too she
envisions how a project can build to an
end result. Schmeelk presented papers
on prototype tools for testing open
source coding at security conferences for
Yahoo! and eBay.
“I like thinking about a lot of different
problems,” she says. – Greg Masters
JOHN STREUFERT
Occupation: chief information security
officer, U.S. Department of State
Age: 55
Personal: Wife, three children
College: Maxwell School of Public
Affairs, Syracuse University, M.P.A;
St. Olaf College, B.A.
Recent accomplishments: Reduced
measured risk on PCs and servers by a
factor of 20; his tools guided critical patch
coverage to the 84-percent level in seven
days and 93-percent in 30 days at State;
gives away software and speaks widely to
promote continuous monitoring across
the economy; served in 17 federal civilian
roles across military, civilian and foreign
affairs organizations
John Streufert doesn’t like three-ring binders. Not because they
remind him of a cold-hearted
teacher, but because of what their
presence has come to symbolize in the
government security world.
As chief information security officer
of the U.S. Department of State since
the summer of 2006, Streufert has seen
more notebooks filled with compliance
paperwork than he cares to remember.
Indeed, between Federal Information Security Management Act (FISMA) mandates and the Office of Management and Budget-required risk studies, the printers at the Harry S. Truman Building in Washington, D.C. have worked overtime.
But not long after joining State, Streufert realized that while the agency was dutifully feeding the compliance beast, the process was doing almost nothing to improve security and mitigate risk. In fact, it was quite the opposite. The number of exploits impacting State meteorically rose from 2008 to 2010, from 2,104 to nearly 8,000. And when it came to FISMA report-card time, State often received failing grades for its ability to protect sensitive data.
“The network was changing faster than you could print out the results,” he says. “The three-ring binders don’t really help you that much if your exploits are quadrupling. We had to do something else because it wasn’t working. Was the government getting any value doing these three-ring binder reports?”
Streufert and three others decided an overhaul was the answer. Instead of relying on snapshot-in-time images of its compliance, the agency would be better served by continuous network monitoring of the Microsoft computers and servers at its 400 embassies, consulates and offices spread across the globe. Not only would security improve, but the agency would get a better bang for its buck. (Consider: The agency has
TOP 3 hacktivist attacks
The victim: Sony Pictures
The motive: The company has pursued legal action against alleged copyrighters.
The result: The now-disbanded LulzSec group exploited a SQL injection vulnerability to gain access to internal Sony networks and websites. The hack yielded the passwords, email addresses, home addresses, birth dates and other account information belonging to more than one million users.
The victim: PBS
The motive: LulzSec sought revenge against the network for airing what they considered an unfair documentary about WikiLeaks.
The hack: The intruders compromised the website of PBS NewsHour to post a fake story that rapper Tupac Shakur was still alive. In addition, they published the usernames and passwords to staff at the public TV station, as well as those working at other networks affiliated with PBS.
The victim: HBGary Federal (now defunct)
The motive: CEO Aaron Barr threatened to out members of Anonymous.
The hack: The Anonymous group published tens of thousands of emails, including a plan to smear whistleblower site WikiLeaks and its supporters, apparently at the behest of the U.S. Chamber of Commerce and Bank of America.
Photo by Aaron Clamage
TOP 8 legal actions
how best to protect health care data and
online privacy.
“I am more geared to management
and understanding the computer science
aspect of online efforts,” she says.
This involves more studying of human
nature. “A lot of this needs to be analyzed
from a perspective of motivation: Why is
this person doing this?” she asks, referencing hackers and cyberbullying.
“Suzanna is someone who makes a difference,” says Marjory Palius, associate
director of The Robert B. Davis Institute
for Learning at the Rutgers Graduate
School of Education in New Jersey,
where she teaches mathematical reasoning courses.
“I think she does it by bringing
outstanding personal qualities to bear
upon her work,” Palius says. “Suzanna is
bright, worldly, compassionate and highly
creative. She is an innovative thinker
who eagerly explores novel situations and
applies focus, imagination and perseverance to solve problems and develop new
techniques.”
Schmeelk was writing her doctoral dissertation at Rutgers as Palius and her colleagues were launching the Video Mosaic
Collaborative (http://videomosaic.org/), a
portal to enable teachers and researchers
to analyze and use classroom videos in
math education. Schmeelk’s dissertation
was the first to incorporate multimedia,
inserting video stills in support of her
findings of children’s mathematical learning as they built understanding of rational
numbers as fourth graders, says Palius.
“The videos she analyzed for her
research were among the earliest video
clips for which we prepared metadata,
with the help of Suzanna, in order to
catalog and make them freely accessible to educators worldwide to support
math learning, teaching and research,”
Rutgers’ Palius says.
Schmeelk brings these qualities as
well to her efforts as president of the
New York/New Jersey Chapter of
Graduate Women in Science (GWIS),
where she trains women in computerrelated areas, serving, she says, as a bro-
TOP mergers and acquisitions activity
Purchased | Gains | Terms
Dynasec | adds GRC software to help with regulatory requirements | undisclosed, but estimated at $10 million to $20 million
SecureWorks | adds managed security and consulting services | undisclosed
NetWitness | adds network security analysis solutions | undisclosed
Autonomy | adds infrastructure software | $10 billion
Q1 Labs | adds security software and services | undisclosed
Platform Computing | adds cluster and grid management software | undisclosed
Algorithmics | adds risk management | $387 million
i2 | helps clients harness data to combat fraud and security threats | undisclosed
IronKey’s secure data storage hardware business | augments position in data storage and device management | undisclosed
NitroSecurity | will boost the SIEM capabilities in McAfee’s Security Connected Framework | undisclosed
Sentrigo | adds database security and compliance products | undisclosed
RightNow | bolsters its cloud computing portfolio | $1.5 billion
Endeca Technologies | adds software for unstructured data analytics and business intelligence | up to $1.075 billion
Gluster | adds open-source software for cloud storage | $136 million
Astaro | delivers combination of endpoint protection with UTM | undisclosed
Clearwell Systems | adds e-discovery solutions | $390 million
Shavlik Technologies | adds traditional and cloud-based management products for SMBs | undisclosed
spent between $30,000 and $2.5 million
on each individual compliance report
since 2004.)
In making this decision, Streufert
drew on evidence: 80 percent of
exploits rely on known vulnerabilities
and configuration management settings.
So in 2008, he and his team stood up a
new program, known as iPost, which
borrows a page from the financial markets to “monetize highly disparate risks
into a common currency.” Dashboards,
much like one might find on a trading
floor, detail the “hottest risks” as if they
were shares of Apple or Google.
“The relative risk becomes variables
which we increase or decrease based
on vulnerability, threat or impact that
is posed to the organization from a
particular problem,” he says.
In layman’s terms, that means affixing a risk score to each vulnerability
and patching the most pressing issues
first. That runs counter, Streufert says,
to how most commercially available vulnerability management products handle
the problem.
“Most people treat every risk like it’s
$1,” he says.
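To make the “common currency” idea concrete, here is an added example (an illustration written for this page, not iPost or any State Department code) of risk-weighted prioritization over a handful of constructed findings. The weights, host names and VULN-PLACEHOLDER identifiers are all assumptions; the point it shows is how much faster the fleet-wide total falls when the highest-scoring items are fixed first, compared with working the list in the order the scanner reported it (the “every risk is $1” approach):

```python
"""Risk-weighted patch prioritization in the spirit of the iPost idea above:
every finding gets a score that rises or falls with vulnerability severity,
threat activity and the impact of the affected host, and the fleet total is
tracked as a single number.  Constructed illustration, not State's code;
weights, host names and VULN-PLACEHOLDER identifiers are all assumptions."""
from dataclasses import dataclass
from typing import Callable, List

# Assumed weights.  A real program would calibrate these against its own
# vulnerability, threat-intelligence and asset-inventory data.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
THREAT_MULTIPLIER = {"active": 3.0, "public_exploit": 2.0, "theoretical": 1.0}
IMPACT_MULTIPLIER = {"domain_controller": 5.0, "server": 3.0, "workstation": 1.0}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # placeholder identifier, not a real CVE number
    severity: str     # key of SEVERITY_WEIGHT
    threat: str       # key of THREAT_MULTIPLIER
    host_role: str    # key of IMPACT_MULTIPLIER


def risk_score(f: Finding) -> float:
    """'Monetize' one finding: severity x threat x impact, one common currency."""
    return (SEVERITY_WEIGHT[f.severity]
            * THREAT_MULTIPLIER[f.threat]
            * IMPACT_MULTIPLIER[f.host_role])


def total_risk(findings: List[Finding]) -> float:
    """Fleet-wide risk: the number a dashboard would chart over time."""
    return sum(risk_score(f) for f in findings)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Risk-weighted work queue: highest score first."""
    return sorted(findings, key=risk_score, reverse=True)


def flat_prioritize(findings: List[Finding]) -> List[Finding]:
    """The 'every risk is $1' queue: findings are worked in the order the
    scanner reported them, with no weighting at all."""
    return list(findings)


def remaining_risk_after(findings: List[Finding], n: int,
                         ranker: Callable[[List[Finding]], List[Finding]]) -> float:
    """Total risk left once the first n findings of the ranker's queue are fixed."""
    fixed = set(ranker(findings)[:n])          # Finding is frozen, so hashable
    return total_risk([f for f in findings if f not in fixed])


def reduction_factor(findings: List[Finding], n: int,
                     ranker: Callable[[List[Finding]], List[Finding]]) -> float:
    """Before/after ratio, the 'factor of 10' style figure quoted in the text."""
    before = total_risk(findings)
    after = remaining_risk_after(findings, n, ranker)
    return before / after if after else float("inf")


# Constructed scanner output, listed in the order a scanner might emit it.
SAMPLE_FINDINGS = [
    Finding("ws17",   "VULN-PLACEHOLDER-1", "critical", "theoretical",    "workstation"),
    Finding("ws03",   "VULN-PLACEHOLDER-2", "high",     "theoretical",    "workstation"),
    Finding("dc01",   "VULN-PLACEHOLDER-3", "critical", "active",         "domain_controller"),
    Finding("web01",  "VULN-PLACEHOLDER-4", "high",     "public_exploit", "server"),
    Finding("ws22",   "VULN-PLACEHOLDER-5", "medium",   "active",         "workstation"),
    Finding("file01", "VULN-PLACEHOLDER-6", "low",      "theoretical",    "server"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.host:7} {f.vuln_id:20} {risk_score(f):6.1f}")
    for name, ranker in (("weighted", prioritize), ("flat", flat_prioritize)):
        print(name, "after 2 fixes:",
              remaining_risk_after(SAMPLE_FINDINGS, 2, ranker),
              "reduction x", round(reduction_factor(SAMPLE_FINDINGS, 2, ranker), 2))
```

With these constructed inputs the fleet starts at a total of 224; fixing the top two weighted items (the actively exploited domain controller flaw and the server with a public exploit) leaves 32, a 7x reduction, while fixing the first two scanner-ordered items leaves 207. The multiplicative score is deliberate: a critical flaw on an isolated workstation with no known exploit should not outrank a medium one being actively exploited on a domain controller, which is exactly what a flat count cannot express.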
Since the model was implemented,
the results have been nothing short of
stunning. Streufert says State found that
by automating the process, it was able to
reduce its risk by a factor of 10 within
the first 11 months and by a factor of 20
within two years.
“There’s almost nobody on earth
that can patch as quickly as the State
Department,” he says. “And it’s due
to the monetization of relative risk for
critical problems, which allows unparalleled speed and patching of known
vulnerabilities.”
James Lewis, a senior fellow and
director of the Technology and Public
Policy Program at the Center for Strategic and International Studies, has been
closely following the State Department’s
progress. Lewis is a big believer that
more agencies – and the private sector
– should get away from a compliance
focus, though he admits there is much
TOP 5 threats
Duqu: An information-stealing trojan
that shares much of its code with the notorious Stuxnet worm, and has impacted
roughly five Europe-based manufacturers of industrial control systems.
Zeus: The insidious banking trojan,
which continues to be used to siphon
millions of dollars from U.S. bank accounts, became even more prolific this
year when its source code was leaked on
at least two underground forums.
DroidDream: The malware, which is
capable of harvesting data, was discovered this year in more than 50 apps offered in Google’s official Android Market,
and illustrates that cybercriminals are
focusing more of their efforts on mobile
platforms.
Operation Shady RAT: A five-year-long advanced persistent threat and
cyberespionage offensive that plundered intellectual property from some
72 organizations across 14 nations,
including the U.S. government.
Mac OS X scareware: While still
much less prevalent than those seen
in the Windows world, rogue anti-virus
malware scams targeting the Mac
platform grew increasingly nefarious this
year, leading to a significant uptick in
infections.
resistance to this because organizations
have become far too complacent in
checking off boxes as a means of verifying security.
“[State’s model] moves from the
shot-in-the-dark [mentality] we had for
years to something more quantifiable,”
Lewis says. “And John was sort of a
path-breaker in doing this. Since then,
they’ve been able to close down the
number of opponent successes and have
been able to upgrade response time.”
That is especially important for the
nation’s lead foreign affairs agency.
“They had a huge number of penetrations,” Lewis says. “A former State
official said in 2007 they lost three or
four terabytes of information. That’s
a huge outflow not that long ago, and
that’s what drove them.”
With the program now comfortably
in place, Streufert has spent much of
2011 investigating how he can extend its
essence to other areas of network weaknesses, notably applications, routers and
switches. And when he’s not focused
on State, Streufert serves as an industry
advocate for the agency’s model. He
often spends hours before and after
work, fielding phone calls and emails
from hundreds of private sector security
professionals interested in adopting a
similar initiative.
Streufert tells them: “If we’re going to
step up to the plate and fix our security
challenges, this is a set of techniques
that are not disruptive to the organizational structure and, dollar for dollar,
you’re going to get a higher return than
a lot of investments in this space.”
And while iPost was home grown at
the State Department, Streufert is not
keeping anything secret.
“It seems like valuable information to
share,” he says. “It seems easier to adopt
continuous monitoring than to persuade people to stop doing the three-ring binder studies. My belief is that the
merit and efficiency of doing it this way
will [become] more widely understood
and adopted.”
– Dan Kaplan
TOP 5 research revelations
BIOS fuel Researchers discovered
the first in-the-wild rootkit that targets
BIOS, the built-in software responsible
for booting up a computer. The discovery of Mebromi, the rootkit, should not
induce panic, though, as the complexity
of a successful attack on the motherboard is high.
CA, MIA Moxie Marlinspike released Convergence, an add-on for Firefox, which essentially inverts the existing (and much maligned) certificate authority (CA) system, giving more power to users. They take their pick of so-called “trust notaries,” which authorize their web communications by default.
Pumped up Jay Radcliffe demonstrated at Black Hat how he is able to
send commands to and wirelessly disable the insulin pump he has been wearing since he was 22, when he was
diagnosed with the autoimmune disease
after dealing with extreme weight loss
and an unquenchable thirst.
In control In an effort to prove that
SCADA hacks don’t require deep pockets, Dillon Beresford took the stage at
Black Hat to describe how to infiltrate
Siemens industrial control systems. He
uncovered replay attack bugs in programmable logic controllers, or PLCs.
Baby ginger Xuxian Jiang, assistant
professor at North Carolina State
University in Raleigh, found the first
malware that uses a root exploit, known
as GingerMaster, against Android
version 2. The discovery is a sign that
cybercriminals are keeping pace with
the evolution of mobile devices.
Occupation: Program manager at the
Defense Advanced Research Projects
Agency (DARPA)
Age: 40
Personal: Married
College: The Berklee College of Music
Recent accomplishments: Founding
member of hacker think-tank, L0pht,
pioneer of buffer overflow vulnerability
research, leader in the “full disclosure”
movement, author of numerous security
tools, developer of DARPA’s Cyber Fast
Track program, referenced in the board
game Trivial Pursuit.
Ask Peiter “Mudge” Zatko when
he first realized that he wanted
to turn hacking into a career
and he’ll tell you he didn’t really have
a choice in the matter. His passion for
computers and technology was, after
all, fostered all the way back to when he
was a baby. Back then, he had a mobile
hanging over his crib, not made of
stars or animals, but constructed by his
father out of circuit boards.
“He wanted me not to be afraid of
technology,” Zatko says.
And afraid he was not. As a young
child, tinkering with computers and
helping his father write operating
systems became a game. In fact, he first
started hacking at the ripe old age of 5.
He’s quick to point out, though, that
when he uses the word hacking he’s
referring to the act of getting a system
or device to do something it wasn’t
intended to do. Using an Apple II
computer, which first appeared in 1977,
Zatko and his father would reverse-engineer floppy disks to understand
the copy protection schemes used to
prevent software from being pirated.
Years later, during his time at Berklee
College of Music, Zatko turned to his
father for advice because, like many
young adults, he didn’t know what he
wanted to do with his life.
“He said, ‘Don’t worry, the field
you’re going to go into just doesn’t exist
yet.’” He was right, Zatko remembers.
Now, at 40 years old, Zatko can truly
say he had a hand in helping to create
the now-thriving IT security field.
Around 1992, he came together with
a group of like-minded individuals, who
were “curious and enthralled with the
notion of security,” to form the hacker
think-tank L0pht (pronounced loft). At
the time, there were very few resources
available to those wanting to learn
about the burgeoning field, he says.
L0pht members set out with the goal
to document their research and build
up a body of knowledge about the
subject so that others wouldn’t have to
replicate their work. Doing so was controversial, however, since their research
often exposed flaws in products and
systems.
But it was also extremely important.
During his time at L0pht, Zatko conducted and documented early research
about buffer overflows, a now well-known coding vulnerability that is still
prevalent.
“It’s been rewarding for me to see, in
graduate classes, ideas I pioneered are
part of the curriculum now,” he says.
Looking back at his career so far,
Zatko says he’s often had to dispel the
belief that products are secure just
because a company’s marketing department says so.
“He’s a bit of a contrarian, he doesn’t
accept conventional wisdom,” says
Richard Clarke, former cybersecurity
czar for President George W. Bush.
“You’re almost guaranteed to get a
different perspective [from Zatko] than
you would from anyone else.”
Since he was in his early 20s, Zatko
has been Clarke’s unofficial adviser on
cybersecurity issues.
“When I was at the White House,
every time there was a major cybersecurity incident, I would call him,” Clarke
says of Zatko. “I always learned more
from him than I did from anyone else.”
After being asked several times over
the past few years, and turning down
the offer every time, Zatko last February accepted the role of program manager at the Defense Advanced Research Projects Agency (DARPA), the U.S. Defense Department’s central research and development (R&D) organization.
In this post, Zatko has led the development of Cyber Fast Track, a new initiative to fund small hacker groups and independent researchers in the development of cutting-edge solutions that can be created in short intervals for a low cost. Historically, federal security funding has been awarded to large contractors that often have whole teams dedicated to crafting proposals. In the past, it was next to impossible for a small group of researchers to receive such funding due to the time and cost of the application process alone.
Cyber Fast Track will allow talented researchers to compete for government funding and bring DARPA’s cybersecurity R&D efforts up to speed with the rapidly evolving cyber landscape, he says. The goal of the undertaking is to fund between 20 to 100 cyber R&D programs each year, or the same amount of time it would normally take to run just one.
“All too often in the past, by the time the project was finished nobody cared about it anymore because the technology had moved on,” Clarke says.
Launched in August, the initiative has already garnered interest outside of DARPA, Zatko says. The U.S. military is considering adopting such an approach for its own R&D contracting processes.
Looking into the future, Zatko says he’ll continue working for as long as necessary to educate people about computer security.
“Security is about trying to solve and fix problems,” he says. “The definition of success is to put myself out of a job, which is what I’ve always said and always have been striving to do.”
– Angela Moscaritolo
4 WAYS to prevent breaches
Companies spend a lot of time and money to protect their data from hackers, thieves, and other malfeasants—and for good reason. But when it comes to the causes of data breaches, don’t forget human goof-ups. The irony about these true stories is that organizations try to do the right thing and they still experience data breaches.
1. Garage sale bargains: Patient data files. Garage sales are great places for a deal. You might discover a treasure, as did one customer who purchased a filing cabinet chock-full of personal data, including Social Security numbers and home addresses. Thankfully, this bargain shopper left the contents safely with the owner to destroy.
2. Leaving personally identifiable information (PII) in a car. One organization held an annual drill to assess its preparedness in the face of a data breach. Instead of using “test” data, an employee transported actual data tapes offsite that contained client accounts payable information and left them overnight in his car. A thief got details on every payout ever made to people who had sued the company.
3. Lost keychain with a flash drive. Flash drives are great portable devices, but they don’t belong on key rings. The data on that drive is probably more valuable than your Honda.
4. Private patient records spill from a shredding truck. A shredding truck containing an organization’s patients’ records overturned while driving on a street. Paper records spilled out and flew all over town.
– Christine Arevalo, director of healthcare identity management, ID Experts
Photo by Aaron Clamage
PEITER “MUDGE” ZATKO
9-11 NOVEMBER 2011
Take your computer security to a whole new level with ESET.
www.eset.com
14TH ASSOCIATION OF ANTI VIRUS ASIA RESEARCHERS
AVAR 2011
HONG KONG
www.aavar.org/avar2011/
INTERNATIONAL CONFERENCE
RENAISSANCE HONG KONG HARBOUR VIEW HOTEL
AVAR 2011: Conference Review
From the Conference Chairman
It was a great pleasure and honour to welcome the AVAR Conference to Hong Kong again. Roy Ko, in his keynote speech, reported on the efforts of APCERT to create a safe, clean and reliable cyberspace, but the depth of problems, as evidenced by statistics from many speakers, makes that a daunting task. Users still fall prey to simple social engineering tricks, while potentially rich pickings attract highly motivated criminals. Technically, attackers are generating malware in large quantities and developing novel attacks and new vulnerabilities while we adapt to new technologies.
I therefore want to extend a very special thanks to all the Conference speakers for not only explaining the challenges, but also for offering solutions and avenues for further progress across a wide range of topics from social to technical. Congratulations to Dr. Igor Muttik, who was awarded Best Speaker for his paper “Malware in Extensible Firmware Interface”. Finally, thank you to the delegates, without whom the Conference could not take place. I hope to see you all next year.
Allan Dyer
Conference Chair
From the AVAR Chairman
It was our pleasure to host AVAR Conference for the third time in Hong Kong, where AVAR’s history began. Both of the tracks at the Conference were rich in content, and all the sessions met the demands of the security experts from around the Globe. I have noticed quite a traffic between the tracks during intermissions, and this is an indication of each session’s appeal to the delegates.
We will make sure next year’s conference has even more enticing content, and is more convenient and accessible for all.
I would like to thank the organisers, West Coast Labs, as well as sponsors, media partners and, of course, all delegates who gave their time for our Conference. Thank you once again, and see you next year in mainland China.
Seiji Murakami
AVAR Chairman
AVAR Chairman Seiji Murakami conversing with
AVAR 2011 delegates
HOSTED BY AVAR, ORGANISED BY WEST COAST LABS
Malware Data From Over 600 Million Systems Worldwide
AVAR 2011: Themes and Speakers 1
Allan Dyer introduces AVAR 2011.
ONE SECURITY REPORT
The Security Intelligence Report (SIR) is an analysis of the current threat landscape
based on data from internet services and over 600 million systems worldwide to
help you protect your organization, software, and people.
View the Security Intelligence Report at www.microsoft.com/SIR
The 25 main papers presented at AVAR 2011 ranged widely over the subject of malware, but running through them were certain significant themes.
The keynote speech by Roy Ko of Hong Kong Cert discussed different approaches to creating a safe, clean and reliable cyber-space in the Asia-Pacific region through global cooperation, the new vision of the Asia Pacific Computer Emergency Response Teams (APCERT). In one way or another, this was the goal of all the presentations.
Online Payments
Many presenters focussed on the spectacular growth of online payment and other transactions over the past few years. Alfons Tanujaya of Vaksincom asked the worrying question ‘Is two-factor authentication really secure?’ Although online banks may use a security token instead of a static PIN, malware exists to create bogus internet banking sites.
Cao Yang and Zou Shihong of Netqin focussed on the huge volume of mobile payments in China and the security challenges this brings when different providers issue unique kinds of mobile payment and do not take enough account of evolving malware.
With his paper on online shopping Trojans, Jeff Li of Kingsoft highlighted specific threats to the enormous increase in online payments in China. Li discussed common ways for Trojans to get to users’ computers and how a particular Trojan (NetPay) worked by modifying payment pages.
Security Consultant Jeffrey Ma also considered the interface between electronic commerce networks, and the actual transactions of electronic commerce. His presentation focused on the security threats for both sides of the industry, with specific examples.
Mobile Malware
More and more malware is exploiting vulnerabilities on mobile devices. Itshak Carmona of HCL Israel gave many examples of malicious attacks, some from Android apps but also targeting jailbroken iPhones. Staying safe not only involves technical
Yu Guo Liu, Tencent
solutions but better educated users.
“Paranoid Android?” was the title of the presentation by V. Dhanalakshmi of K7 Computing, discussing the increased risks to systems that come through the open nature of Android and the ability to download apps outside the Android Marketplace.
AVAR 2011: Themes and Speakers 2
suggested all platforms should have security written into the OS and CPU. Similarly, Jim Wang of Microsoft spoke on Easy Programming Language (EPL), which makes it easy for an application to be written in Chinese instead of English but is difficult to reverse engineer. Wang’s presentation gave concrete examples of code to enable better understanding of the techniques used.
Xue Yang of Websense also highlighted vulnerabilities when he spoke on exploit kits, which can be bought on black market forums. The presentation discussed the top ten exploit kits, their methods of attack and some of the consequences, before going on to make suggestions to counter them.
Malware seeks to survive by deflecting attempts to see what the code is actually doing. Raymond Roberts of Microsoft demonstrated obfuscation methods by showing
Specific Threats
A number of presentations looked in specific detail at particular technologies. Igor Muttik of McAfee demonstrated how it is possible to use the powerful Extensible Firmware Interface (EFI) to control a system and
Dr Igor Muttik, McAfee receives the award for Best Speaker from Conference Chair Allan Dyer.
AVAR 2011: Themes and Speakers 3
Macs are more popular, there is bound to be more malware created for it.
Countering the Threats
Discussion Panellists (L to R) Alan Dyer, Conference Chairman; Jianfeng Lu, Qihoo; Scott Wu, Microsoft; Benny Czarny, OPSWAT; Andrew Lee, ESET.
techniques such as junk code loops and encryption.
Users have learned to be wary of certain types of web pages, but a new form of malware takes the form of “Google-image poisoning”, where pictures on a Google image search page are hotlinked to an infected site. Lukas Hasik and Jan Sirmer of AVAST demonstrated how this was done, usually with the use of fake ftp credentials.
Similarly, writers of spam are constantly changing the way it is presented so that it keeps up with new ways of using the internet. Darya Gudkova of Kaspersky Lab showed many examples of spam, from a few years ago and today, to demonstrate this point.
Traditionally, most malware has been targeted at the Windows OS, but it is no longer the case that the Mac OS is free from it. Trend Micro’s Marco De la Vega and Jeffrey Bernardino gave a technical analysis of MACDefender, a fake antivirus. The paper pointed out that now that
As one would expect from a gathering like AVAR, there were both presentations on specific technologies and those which looked at broader issues of security.
As is well-known, web browsers and their plug-ins are a popular choice for launching attacks. In recent years browsers have introduced a variety of means to increase security; Rajesh Nikam of Quickheal put forward the case for web browser sandboxing. This could provide
Raymond Roberts, Microsoft
H O S T E D B Y AVA R , O R G A N I S E D B Y W E S T C O A S T L A B S
Can you be sure the security
products you use have a high
enough level of independent
performance validation?
9-11 NOVEMBER 2011
1 4 T H A S S O C I AT I O N O F
ANTI VIRUS ASIA
RESEARCHERS
AVAR 2011
HONG KONG
www.aavar.org/avar2011/
AVG, HCL, Kaspersky,
rsky M
McAfee,
c
Microsoft and Webroot
are taking certification to the next level.
Testing with
KI7>[WZgkWhj[hiJ[ij<WY_b_jo
O]kl;gYklDYZk$).0,*NgfCYjeYf9n]fm]$Kmal])*-$Ajnaf];91*.(.MK9ØL]d]h`gf]2#) 1,1!0/(+*-(3>Yp2#) 1,1!*-))-0.
;khef[>[WZgkWhj[hiJ[ij<WY_b_jo
O]kl;gYklDYZk$Mfal1GYcLj]];gmjl$EmdZ]jjq<jan]$;Yj\a^^?Yl]:mkaf]kkHYjc$;Yj\a^^;>*+0JK$MCØL]d]h`gf]#,, (!*(0*./0*0(3
>Yp2#,, (!*1*(-,0,()
7i_W>[WZgkWhj[hiJ[ij<WY_b_jo
O]kl;gYklDYZk$9*'1Dgo]j?jgmf\>dggj$KY^\Yjbmf_=f[dYn]$EYaf9^ja[Y9n]fm]JgY\$F]o<]d`a))((*1$Af\aY
L]d]h`gf]2#1) (!)),.(*(.**3>Yp2#1) (!)),.(*(.++
>mdd\]lYadkg^O]kl;gYklDYZkhjg\m[ll]klaf_$[]jlaÕ[YlagfYf\h]j^gjeYf[]nYda\Ylagfk]jna[]k[YfZ]^gmf\Ylooo&o]kl[gYkldYZk&[ge
Malware Data From Over
600 Million Systems Worldwide
ONE SECURITY REPORT
View the Security Intelligence Report at www.microsoft.com/SIR
I N T E R N AT I O N A L C O N F E R E N C E
RENAISSANCE HONG KONG
HARBOUR VIEW HOTEL
an important layer of defence,
which should be transparent
to the user.
Jianfeng Lu of Qihoo
showed how his company’s
Cloud Security System was
using mass data mining with
a self-learning algorithm
to model the threats from
China’s fast-growing computer
networks. These give speedy
feedback to enable the
company to deal with Trojan
and phishing attacks.
Collaboration is an
important issue. Malware URL
Tracking and Exchange (MUTE)
is a partnership between four
Richard Thomas,
West Coast Labs
AVAR 2011: Themes and Speakers 4
organisations with a mission
to “to minimize the exposure
of end users from computing
threats through timely
tracking and exchanging of
URLs”. The presentation by
Tony Lee of Microsoft and
Philipp Wolf of Avira set out
the challenges this presents
and why it is so beneficial.
Also focusing on
collaboration was Yu
Guo Liu of Tencent. By
combining a variety of
technologies and partnering
with mobile carriers and
handset manufacturers,
as well as security solution
providers, they are helping to
establishing a well-developed
security ecosystem.
Benny Czarny of OPSWAT
started his presentation with
a statement: there are no
clear answers as to which
AV engines actually detect
malware most correctly and
consistently. He went on to
discuss the advantages of
multiple engines, while giving
an overview of the technique’s
challenges and limitations.
When determining how an
Jeff Li, Kingsoft
anti-malware product works
it is important to adequately
test it. The presentation from
Richard Thomas of West
Coast Labs discussed this
problem. He pointed out that
a good product needs not only
different types of tests (realtime and static) but feedback
and good communication so
that the final results can help
make the product better.
The Human Angle
Social engineering attacks
try many different methods.
AHNLAB’s Young Jun Chang
and Ho Jin Park presented a
paper with specific reference
H O S T E D B Y AVA R , O R G A N I S E D B Y W E S T C O A S T L A B S
9-11 NOVEMBER 2011
1 4 T H A S S O C I AT I O N O F
ANTI VIRUS ASIA
RESEARCHERS
AVAR 2011
HONG KONG
www.aavar.org/avar2011/
I N T E R N AT I O N A L C O N F E R E N C E
RENAISSANCE HONG KONG
HARBOUR VIEW HOTEL
to the way malware has
used Korea’s unique culture
and social phenomena to
target attacks. The problem
in countering this is that
such attacks need more
than technology to prevent
them and increased security
awareness training for
everyone is needed.
Kazumasa Itabashi of
Symantec’s paper presented a
case study of a malware attack
exploiting vulnerabilities
which specifically applied to
a Japanese language word
processing program. Such
AVAR 2011: Themes and Speakers 5
targeting attacks with regional
factors are not well known
and may differ from the more
common global attacks.
Apart from the technical
aspects of malware, to
properly understand it, it is
crucial to focus on the humans
behind it. By analysing the
targets of number of malware
families Andrew Lee and
Pierre-Marc Bureau of ESET
were able to show something
about those responsible.
Both independent security
consultant Randy Abrams
and Cameron Camp of ESET
began their presentations by
pointing out that society had
always developed skills to deal
with new threats, but would
our current generation be able
to develop security skills in
time to deal with the wave of
cyber-security threats? Adams
then considered the need to
educate people in this new
form of defence, emphasising
that while technology can do
something, social solutions
are vital. Camp discussed how
current technologies need to
be changed for the future and
practical ways to secure data.
AVAR 2011 Delegates at the end of the Conference
H O S T E D B Y AVA R , O R G A N I S E D B Y W E S T C O A S T L A B S
Financial Services Roundtable
PAYING
DIVIDENDS
Among CEOs, security pros and legislators,
information protection is center stage, said one
speaker at the SC Financial Services Roundtable.
Financial institutions’ leaders must come together to deal with data
security risks and compliance requirements, says Illena Armstrong.
CEOs, government regulators and
IT security pros sometimes may
have disparate views on information security planning for financial
institutions, but their ultimate end goal
seems the same: Secure customer data.
Still, varying strategies can rankle
even the best laid plans. For the information security leaders who recently
attended SC Magazine’s 2011 Financial
Services Roundtable, C-level executives and government regulators often
confound the most ideal data security
outcomes and the methods used to
achieve these.
Especially among CEOs, concerns
about compliance and regulation rule,
said Leigh Williams, who spoke at the
event as CEO of BITS, a division of an
umbrella organization called the Financial Services Roundtable, which is made
up of about 100 various financial organizations, including banks, insurance
providers, investor firms and others.
30 SC • December 2011 • www.scmagazineus.com
(Williams has since left BITS to serve
as the director of the Office of Critical
Infrastructure Protection and Compli-
ance Policy at the U.S. Department of
Treasury. Paul Smocer, former technology risk manager at Bank of New York
and CISO at Mellon Financial, who
first joined BITS in 2008, is now the
organization’s president.)
Because the financial crisis led to
everything from the creation of the
Consumer Financial Protection Bureau
(CFPB) to myriad regulations, CEOs
want assurance from IT and executives
that data security and data reporting
standards put forth in these rules are
upheld, Williams explained during the
SC Magazine Roundtable, sponsored by
HP Enterprise Security.
“Foremost in their minds, for better
or worse, is this avalanche of regulation,” he said. “You can argue about
whether that’s a good thing or a bad
thing, but it absolutely crowds out
some of their thinking about opportunity and customer service, and I know
they’re frustrated about that.”
Many SC Roundtable attendees
agreed, noting that while their CEOs
don’t necessarily get into the detail of
how they’re keeping compliant with
regulations, they do have firm expectations.
“From a compliance and risk management perspective, they’re very, very
tuned in, and I think it’s generating a
lot of the push down in terms of action
amongst our teams…” said one attendee who asked to remain anonymous.
Multifactor authentication is of
particular interest, agreed many
SC Roundtable participants, especially
given the updates earlier this year to the
Federal Financial Institutions Examination Council (FFIEC) guidelines, which
pushed for use of such technologies in
2005 to combat such attacks as phishing.
Revisions specifically address corporate
bank account takeovers, which have
more recently plagued financial services
organizations of all sizes.
The new guidance directs financial
institutions undertaking these high-risk
transactions to implement a layered
security approach, which might include
detection and monitoring systems to flag
suspicious transactions; dual customer
authorization that requires employee
sign-off on some transactions before
completion; out-of-band verification
that prompts the bank to ask customers
to approve transactions; or the bank’s
procurement of a list of approved payees
from customers.
Another SC Roundtable participant
– working for a large bank and who
asked for anonymity – said mobile
security was proving exceptionally
tricky given the variety of devices traders and other executives use. Because
of Federal Communications Commission (FCC) regulations, which mandate
that exchanges via these devices be
monitored, the time and costs currently
dedicated to this task are high. And,
currently, he has found little help from
security vendors.
Indeed, the monitoring and protection of confidential data, ultimately
resulting in preventing its exfiltration,
is yet another employee-related concern
for SC Roundtable participants.
“Since the financial crisis, I’m hearing a lot of stories about how people
leave companies and take the data with
them,” said the Roundtable participant,
reviewing legal options to address the
loss of data through mobile devices.
When considering customer security,
issues become even more convoluted –
especially again considering widespread
use of mobile apps, said Ryan Kalember, director, solutions marketing at HP
Enterprise Security. Citing the example
of technologists earlier this year using
Bluetooth-enabled devices to hack into
a car’s computerized system to stop it
mid-drive, he said to the SC Magazine
group: “If they can change fuel ratios
with Bluetooth, imagine what they
could do with your banking application
that has no security.”
He explained that his division is
working with banking customers to
understand how their clients access
systems through different channels,
including mobile, web or ATM, so that
they can get a more holistic view of
these activities. Through these efforts,
not only would they be able to build
profiles on what customers are doing
and what channels they prefer, but
there could be large security benefits.
For instance, when customers log in
to their bank accounts online, the
application connects the action to their
online identities. When they use credit
cards at a physical location, that system
records the transaction using the
card number. To correlate those two
different actions, the overall
corporate system must be able to assign
these varying identity attributes to a
particular customer, he said.
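The layered controls the roundtable describes (profile-based flagging of suspicious transactions, dual authorization, out-of-band confirmation, an approved-payee list) together with the cross-channel identity correlation Kalember outlines, as one added Python example; it is not code from SC Magazine, BITS or HP Enterprise Security, and the customers, identities and thresholds in it are constructed.

```python
"""Layered authorization for a high-risk bank transfer.

Added example, not code from the magazine or any vendor it names. It
models the layered controls the roundtable describes: resolve the
channel-specific identity (login name or card number) back to one
customer, flag transfers that do not fit that customer's profile, and
require dual authorization plus out-of-band confirmation before a
flagged transfer completes. All data and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Which identity attribute each channel presents to the bank (assumption).
CHANNEL_ATTRIBUTE = {"web": "online_id", "mobile": "online_id",
                     "atm": "card_number", "pos": "card_number"}


@dataclass
class Customer:
    customer_id: str
    online_ids: Set[str]
    card_numbers: Set[str]
    usual_channels: Set[str]       # learned from past activity
    typical_max_amount: float      # largest routine transfer seen
    approved_payees: Set[str]      # list procured from the customer


@dataclass
class Transfer:
    channel: str
    identity: str                  # login name or card number
    payee: str
    amount: float
    dual_authorized: bool = False  # a second employee signed off
    oob_confirmed: bool = False    # customer confirmed via another channel


@dataclass
class Decision:
    outcome: str                   # "approve", "hold" or "deny"
    customer_id: Optional[str]
    flags: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)


class IdentityDirectory:
    """Maps (attribute kind, value) pairs back to a single customer."""

    def __init__(self, customers: List[Customer]):
        self._index: Dict[Tuple[str, str], Customer] = {}
        for c in customers:
            for oid in c.online_ids:
                self._index[("online_id", oid)] = c
            for card in c.card_numbers:
                self._index[("card_number", card)] = c

    def resolve(self, channel: str, identity: str) -> Optional[Customer]:
        kind = CHANNEL_ATTRIBUTE.get(channel)
        return self._index.get((kind, identity)) if kind else None


def suspicious_flags(customer: Customer, t: Transfer) -> List[str]:
    """Detection layer: compare the transfer with the customer's profile."""
    flags = []
    if t.channel not in customer.usual_channels:
        flags.append("unusual channel")
    if t.amount > customer.typical_max_amount:
        flags.append("amount above customer norm")
    if t.payee not in customer.approved_payees:
        flags.append("payee not on approved list")
    return flags


def authorize(directory: IdentityDirectory, t: Transfer) -> Decision:
    """Approve routine transfers; hold flagged ones until every layer is met."""
    customer = directory.resolve(t.channel, t.identity)
    if customer is None:
        return Decision("deny", None, ["identity not linked to a customer"])
    flags = suspicious_flags(customer, t)
    if not flags:
        return Decision("approve", customer.customer_id)
    missing = []
    if not t.dual_authorized:
        missing.append("dual authorization")
    if not t.oob_confirmed:
        missing.append("out-of-band confirmation")
    outcome = "hold" if missing else "approve"
    return Decision(outcome, customer.customer_id, flags, missing)


# Constructed sample customer: banks online as "acme.treasury", pays at
# point of sale with one card, never moves more than 25,000 at a time.
ACME = Customer("cust-001", {"acme.treasury"}, {"4111-0000-0000-0001"},
                {"web", "pos"}, 25_000.0, {"Widget Supply Inc"})
DIRECTORY = IdentityDirectory([ACME])

if __name__ == "__main__":
    print(authorize(DIRECTORY, Transfer("web", "acme.treasury",
                                        "Widget Supply Inc", 5_000.0)))
    print(authorize(DIRECTORY, Transfer("mobile", "acme.treasury",
                                        "New Vendor LLC", 90_000.0)))
```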
To support organizations in addressing the countless ways data could be
compromised and to tie together the
sometimes contrasting viewpoints on
ways to get there, Williams said BITS
has created some 17 working groups
to address data security and the many
other requirements put forth in legislative mandates, such as the Dodd-Frank
Wall Street Reform and Consumer
Protection Act.
He further noted that whatever the
differences of opinion concerning data
security among CEOs, security professionals and legislators, information protection is center stage. It’s imperative,
then, that budgets and associated risk
management plans must stay focused
on this objective.
“There are enormous amounts of
data being reported to every agency
now, to every examiner, to every banking agency,” he said. “It’s important
that we safeguard them. This creation
of the CFPB is a reminder that we’re
not just talking about the safety of our
organizations and institutions, but
we’re talking about the safety of and
service to customers, too. That’s an
important piece to senior execs. They’d
like to ensure that customers are being
well served.” ■
A more extensive version of this article is
available at www.scmagazineus.com.
Q&A
OVER THE HORIZON
We asked a few of our most trusted sources to peer into the crystal ball
and formulate some predictions for what we all can expect in 2012.
OUR PANEL OF PROGNOSTICATORS
Craig Spiezle, executive director & president of Online Trust Alliance (OTA)
Randy Sanovic, owner of RNS Consulting; former general director,
information security of General Motors
Rich Mogull, founder of Securosis
Gerhard Eschelbeck, CTO & SVP at Sophos
Daniel Kennedy, research director, TheInfoPro, a division of The 451 Group
What threat vectors will be
most prominent? Why?
Spiezle: I expect to see continued
targeting of the trusted supply chain, such
as certificate authorities, content providers and the ad-supply chain and others.
For example, Epsilon is just the tip of
the iceberg. Email marketers are being
attacked at increasing velocity. If they can
compromise these trusted providers, it is
game over downstream. I also expect a
continued focus on the compromising of
ad servers to serve malicious ads, which
are unknowingly served by high trafficked websites (aka “malvertising”).
Sanovic: My first worry would be malicious hackers and bots. The environments that concern me most are mobile
computing and social technology. For
example, to somewhat secure Facebook
could require at least 105 clicks,
and most people, including the more
technical-oriented, will not get it done.
Because of the pervasiveness of mobile
computing, and the fact that technological advances continue to outpace reasonable and prudent security fixes, I feel
we will not be able to get “user friendly/
capable” security solutions implemented
in a timely fashion.
Mogull: What’s prominent in terms of
attacks? The same stuff as today: email
and web phishing/social engineering.
In the press releases? Whatever the vendors want to sell that you probably don’t
need: a lot of mobile device and cloud
hype. I expect a lot of iOS headlines
this year, and a lot of Mac hype. Not
that Macs are immune, but the hype
will far outweigh the number of people
being compromised. And, while cloud
security is important, most of what
you’ll see is “cloudwashing” of traditional security stuff. People will really
have to keep hunting for the innovation
(which is there, just not from your usual
vendors).
Eschelbeck: The web is today’s
platform of choice for communication
and interaction, and will undoubtedly
continue to be the most prominent vector
of attack. Cybercriminals tend to focus
where the weak spots are, and use a technique until it becomes far less effective,
as we saw with spam mail (which, while
still present, is less popular with cybercriminals, as people have deployed highly
effective gateways). The web remains the
dominant source of distribution for malware – in particular malware using social
engineering or targeting the browser and
associated applications with exploits.
Social media platforms and similar web
applications have become hugely popular
with the bad guys, a trend that is only set
to continue over 2012.
Kennedy: Enterprises are concerned
about trends associated with IT consumerization – personnel bringing in their
own devices – and how to handle that in
all of its manifestations (smartphones,
laptops, etc.) while still protecting custodial and intellectual property data.
What security solutions/
services will see increased
adoption? Why?
Spiezle: Email authentication and
hard blocking will gain, as will walled
garden/blocking of unprotected PCs.
Sanovic: I think cloud security services
will be more in demand, and that will
help determine the extent of security
technologies applied. The main issue will
be cost, and how onerous the computing
overhead of such technologies will be.
Mogull: Mostly things we’ve been
spending on for the last five years, which
still don’t work like they should. I’d like
to say we’ll see increased spending on
tools better suited to today’s targeted
attacks, but I suspect only the leading
edge of the market will actually drop
cash on those.
Eschelbeck: The rapid inflow of consumer-owned smartphones and devices
is causing significant security challenges
for many organizations. IT departments
are being asked to connect devices to
corporate networks and to secure data
on these devices, over which they have
very little control.
Due to the high degree of mobility,
security requirements are plentiful,
including enforcement of use policies, corporate data encryption, secure
access to corporate networks, productivity/content filtering, and, of course,
malware protection. Mobile security
and management solutions will likely
see significant adoption in 2012. The
global nature of these mobile security
and management challenges makes them prime candidates for solutions delivered as services
in the cloud.
Kennedy: Both flavors of data leakage
prevention (DLP), endpoint and network, top the in-plan implementations
we see in our user-based research for
2012. Application-aware, or next-generation, firewalls are a close third.
Which will see declining
adoption rates? Why?
Sanovic: I think we will see an increasing adoption rate based primarily on the
above noted factors.
Mogull: Nothing. We’re too scared to
drop even worthless products.
Eschelbeck: In 2012, we will continue
to see the evolution from traditional
Windows-based endpoints to a new generation of form factors, including very
lightweight endpoints and tablets. While
some development will be incremental,
part of this will also come at the cost
of traditional desktops, notebooks and
laptops. Security technology will follow
the same paths, and traditional endpoint
security mechanisms will reach their
physical limits on these new platforms.
The unique nature of these modern form
factors requires rethinking of security and defense mechanisms, whereby
cloud-based delivery models will play an
important role.
Which security lesson will
organizations be forced to
learn this year? Why?
Spiezle: I see more focus on looking
at security and privacy by design in
a concerted effort, with a mindset of
completing a security impact statement
for every business process. Further,
data minimization efforts will increase,
and data incidents will be required
to be reported by the U.S. Securities
and Exchange Commission and the
Sarbanes–Oxley Act, increasing C-level
accountability.
Sanovic: Organizations will be forced
to concern themselves with true data
protection mechanisms/technologies
versus the more current focus on application protection measures/technologies.
Eschelbeck: Security really is about
more than Microsoft. While a majority
shareholder in the volume of malicious
code out there, the PC is not alone
anymore, as demonstrated by some of
the effective fake anti-virus programs
for the Mac. Mobile devices will also fall
into this category as we experience a new
set of operating systems with different
security models and attack vectors.
Kennedy: I think virtualization/cloud
offerings – and the rapid provisioning
they provide for server deployments – are
going to catch some security managers
by surprise. Even if the public cloud
has not taken off in an enterprise sense,
both external and internal private cloud
deployments are gaining traction. A
number of security managers are stating
they will use existing security vendor
tools to manage this. However, many
of these tools are not prepared for the
east-west direction of data traffic that
will occur in virtualized environments.
Further, they may or may not run well
in a virtualized offering or may be tied
to an appliance, and may not react well
to the rapid provisioning capabilities
now available either from a licensing or
agent perspective.
What will be the most
surprising security-related
development?
Sanovic: The focus on mobile security
will force and drive security solutions in
the mobile and social media arenas.
Mogull: If I told you it wouldn’t be a
surprise. It would also be wrong, so I try
not to predict the unpredictable.
Eschelbeck: We are currently seeing
daily news of security incidents and
exposure of corporate data, whereby
the even-more-troublesome security
issues could be in critical infrastructure
systems. This could easily create alarming surprises in the coming year. We saw
attacks on the critical network infrastructure, as well as control systems, but
there are many other types of systems,
including aviation networks, which
could come under focus of cybercriminals. We also continue to integrate and
connect technology more and more
into our lives – for example, smart grid
infrastructure – and such systems could
yield attacks that have a new “personal”
impact on us. ■
Rapid fire: What’s ahead in 2012?

1. Will security budgets increase, stay stagnant or decrease?
2. Will any significant security-related legislation become law?
3. Will cyberthreats play a role in the presidential election?
4. What “emerging threat” will finally break out and become a real risk?
5. Will we be any more secure by Dec. 31, 2012?

Craig Spiezle: 1. Increase. 2. Yes. 3. Yes, misinformation and leaks. 4. n/a. 5. No.

Randy Sanovic: 1. Stagnant. 2. None that I’m sure of. 3. Yes, I think they may. 4. SCADA systems are still subject to severe damage. 5. We will still be lagging in our capabilities to suitably secure our technologies.

Rich Mogull: 1. Stagnant. 2. Yes, but it won’t help. 3. No. 4. The election. I have money on that one. 5. No.

Gerhard Eschelbeck: 1. Increase. 2. Yes. 3. Yes. 4. Mobile. 5. Yes.

Daniel Kennedy: 1. Increase, but at a lesser percentage. 2. No, though some lesser legislation might go through. 3. Marginal, a subject that will be given lip service. 4. Mobile device spyware/malware will continue to grow. 5. Yes, the ball moves forward a little every year.
Case study
GAME PLAY
Keeping the network operations going at an amusement game company takes more than a roll of quarters, reports Greg Masters.

For a company that supplies vending
machines and arcade games across
the southeast United States and
South America, it’s far from amusing
when a “tilt” alert goes up on its network operations.
When the Brady Distributing Co.
began operations in 1944, delivering
Wurlitzer jukeboxes involved some
paperwork, a few trucks and strong
backs. Now after 70 years, it has added
pool tables, vending machines and
pinball and video games to the mix – all
operated out of an 84,000 square-foot
facility in Charlotte, N.C., with branch
offices in Memphis, Tenn., and Miami
and Orlando, Fla. Brady works with
more than 70 manufacturers, making it
the second largest distribution company
in the amusement games and vending
machine industry. There are about 120
employees throughout the organization.
But, a new game came to town that
threatened the day-to-day operations of
the enterprise and its branches: malware
and distributed denial of service (DDoS)
attacks. And despite an IT staff consisting of only one person, infrastructure
support must reach all of its far-flung
offices, as well as its customers – who
span from Texas to Oklahoma to the East
Coast and into the Caribbean and South
America, says Rick Baird, the company’s
IT department manager.
“Our remote offices are not very large,
so we use a multiprotocol label switching (MPLS) network and Citrix gateway
to route our satellite branches into our
main network where we host our business software and applications,” he says.
Baird had installed a firewall on the
company’s MPLS network and a content-filtering appliance to block undesirable
websites, but these just didn’t provide
enough security, he says. In particular,
content filtering by domain name was
inadequate. As soon as he would block
a site containing malicious content,
another one would pop up. Brady has
anti-virus software, but its desktops –
especially the ones in the remote offices
– were still getting infected.
“We rely on technology to connect
our offices and service to those customers around the world,” he says. “As
well, malware and viruses could result
in a customer information breach, and
reduces our employee productivity by
creating a lot of extra work for our IT
staff, which has better things to do than
deal with infected PCs.”
Baird also was concerned that a
DDoS attack could disrupt the business,
especially as it expands its online presence. Brady had experienced SYN flood
attacks [wherein an attacker attempts to
overload a system by repeatedly sending
SYN requests], but its network firewall
can’t stop everything, Baird says. Taken
together, Baird decided another defensive layer was needed to block malware
on the network and mitigate against
DDoS attacks.
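A detector for the SYN flood pattern the article describes, as an added Python example that is not code from the magazine or from Corero: it replays a constructed packet log, tracks half-open handshakes per source, and expires entries after an illustrative 30-second backlog timeout.

```python
"""Half-open connection tracking to spot a SYN flood.

Added example, not from the article or Corero. A SYN flood tries to
overload a host by sending many SYN segments and never finishing the
three-way handshake, so the server's backlog fills with half-open
connections. This tracker replays a constructed packet log and reports
sources holding many half-open connections at once.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
Packet = Tuple[float, str, int, str, int, str]

SERVER = "192.0.2.10"        # constructed addresses from documentation ranges
LEGIT = "203.0.113.5"
FLOODER = "198.51.100.7"

# Constructed log, already in chronological order.
SAMPLE_PACKETS: List[Packet] = [
    (0.0, LEGIT, 51000, SERVER, 443, "S"),      # abandoned SYN, never completed
    (1.0, LEGIT, 51001, SERVER, 443, "S"),
    (1.0, SERVER, 443, LEGIT, 51001, "SA"),
    (1.1, LEGIT, 51001, SERVER, 443, "A"),      # handshake completed
]
# Eight SYNs from one source in under a second, none of them acknowledged.
SAMPLE_PACKETS += [(40.0 + i / 10, FLOODER, 40000 + i, SERVER, 443, "S")
                   for i in range(8)]
SAMPLE_PACKETS += [
    (40.8, SERVER, 443, FLOODER, 40000, "SA"),   # server replies, no ACK comes back
    (41.0, LEGIT, 51002, SERVER, 443, "S"),
    (41.0, SERVER, 443, LEGIT, 51002, "SA"),
    (41.1, LEGIT, 51002, SERVER, 443, "A"),      # legitimate traffic continues
]


def half_open_counts(packets: List[Packet],
                     timeout: float = 30.0) -> Dict[str, int]:
    """Count half-open connections per client at the end of the log."""
    half_open: Dict[Tuple[str, int, str, int], float] = {}
    for ts, src, sport, dst, dport, flags in packets:
        # Drop entries a server backlog would already have timed out.
        for key, t0 in list(half_open.items()):
            if ts - t0 > timeout:
                del half_open[key]
        if flags == "S":
            half_open[(src, sport, dst, dport)] = ts
        elif flags == "SA":
            continue                  # server's reply; still waiting on the client
        elif flags in ("A", "R", "F"):
            # A client ACK completes the handshake; a reset or FIN from
            # either side abandons it, so try both key orientations.
            half_open.pop((src, sport, dst, dport), None)
            half_open.pop((dst, dport, src, sport), None)
    counts: Dict[str, int] = defaultdict(int)
    for client, _, _, _ in half_open:
        counts[client] += 1
    return dict(counts)


def detect_syn_flood(packets: List[Packet], threshold: int = 5,
                     timeout: float = 30.0) -> List[str]:
    """Sources holding at least `threshold` half-open connections, sorted."""
    counts = half_open_counts(packets, timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in half_open_counts(SAMPLE_PACKETS).items():
        print(f"{src}: {n} half-open")
    print("flood sources:", detect_syn_flood(SAMPLE_PACKETS))
```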
He and a team of executives considered a number of intrusion prevention
systems (IPS). The choice was a solution
from Corero Network Security, based in
Hudson, Mass.
“Corero was the only solution we found
that provides true, three-dimensional
protection – from malware defense to
firewalling to anti-DDoS,” says Baird.
He says he was thrilled with the
deployment. Within an hour, Corero
had the solution set up, and then
customized the configuration to meet
Brady’s environment and specific needs.
Within days the system was tweaked
and running by itself.
“They walked us through the entire
process, and continue to support us from
soup to nuts,” Baird says. “That has made
all the difference.”
The IPS includes hardware and
software components that are shipped to
the customer’s data center, where the IT
department deploys it as an inline network device, says Mike Paquette, chief
strategy officer at Corero (formerly Top
Layer Security). “A few quick configuration steps later, their clients and servers
are protected against remote exploits,
malware and other network-borne cyberattacks that might occur.”
What differentiates the Corero solution from the competition, says Paquette,
is that its IPS provides network- and
application-layer DDoS defense, policybased stateful firewall filtering, and
two-stage protection and immunity to
advanced evasion techniques, in a reliable, integrated, “green” platform.
Baird says that at Brady, he continues
to apply the updates and advisories that
Corero distributes, but beyond that no
other changes have been needed. “Since
we installed the solution, securing the
network has gotten so much easier, and
I can focus on work that helps the business rather than firefighting things, like
malware infections,” he says.
Corero provides Brady with the
protection it needs, and regular updates
keep the game distributor ahead of the
curve, says Baird. “Our network is more
secure than ever.”
Further, the solution assists with
compliance requirements. The
company’s online transactions and
personal information handling fall
under the Payment Card Industry Data
Security Standards requirements, as well
as multiple state data breach notification laws. “Corero provides a reporting
and audit trail to help us document the
protection we have.”
Brady expects to expand its use of
the product as the company grows its
operations. To achieve that, it soon will
be hosting a new website to handle more
orders. Currently, five percent of its business comes from online orders, but that
will grow to 15 to 20 percent once the
new site is in place, Baird says. “This will
be worth millions of dollars to us, and
if something like a DDoS attack were to
disrupt our business, we could lose a lot
of revenue.”
And as the company relies more
heavily on the internet, and threats grow
more frequent and pose an ever greater risk to the business,
“good-enough security isn’t good enough
anymore,” Baird says.
Corero’s IPS provides significant
out-of-the-box attack protection,
says Paquette. In addition, customers
subscribe to the company’s SecureWatch threat update service to receive
Protection Packs that include new and
updated rules and signatures to protect
against new vulnerabilities, or detect
and block the latest exploits. The packs
also include internet topology and IP
address-based filtering information.
Because IPS sits inline, Baird says
he was concerned about latency and its
impact on employees and the business, particularly since all of Brady’s
offices are connected through the main
corporate network. “It’s absolutely
critical that we have the
internet connections
and all security systems
up and running as
fast as possible so that
everyone can work as
smoothly as possible,”
he says. “With Corero,
we have experienced no
slowdowns or delays on
the network.” ■
Technology Report
UTMs – Defense in Depth
Imagine yourself as a burglar choosing a target
to enter. You have a variety of structures before
you: some tremendously large buildings with
vast stores of valuables within them, others
smaller outposts with slightly fewer rewards for
your efforts. Most of the places with the biggest
treasures are going to be better guarded than
those in the smaller buildings, so common sense
might tell you that the smaller places are a better
place to start. Fewer security measures to break
through or to outsmart potentially means more
bang for your burglary buck.
“UTMs can
help improve
network
performance
by taking
out hostile
or unwanted
traffic.”
In addition to the dangers presented by malware,
vulnerable systems and social engineering
attacks, cost-cutting measures themselves
may be a way some businesses invite additional
danger. When one is trying to make a budget
stretch further, pirated software can be a great
temptation, rather than paying hundreds or
thousands of dollars for licensed copies. Malware
authors know this, and it is now common to find
trojans included in pirated versions of many
popular software packages.
The obvious advice to any owner of the smaller
premises would be to increase their security, so
taking that metaphor and applying it to network
security means considering what can be done to
maintain a perimeter that is secure enough to put
off the more casual thief or criminal. This is where
unified threat management systems (UTMs)
come in – they seek to increase the firepower of
the protection used in those smaller outposts,
making them less vulnerable.
Small to medium businesses in particular have a
unique set of circumstances, as they may have
fewer monetary and personnel resources than an
enterprise business. These business owners can
feel a false sense of security, as they consider
themselves to be lower-profile and less valuable a
target than larger businesses. But this is not how
cyber-criminals view the situation. The stakes
of loss of reputation and, therefore, business
for SMBs can be significantly higher, given
their smaller customer base and profit margins,
compared to enterprise businesses.
1 Technology Report
poor return on investment. Odds are, if you’re
reading this magazine, you don’t need to be
“sold” on the importance of having a complete
security solution to protect a business of
any size. You know the magnitude and the
complexity of the threat which faces businesses
of all sizes and home users alike.
Having a central security and protection device
can be an ideal tool for businesses which have a
small or non-existent staff dedicated to security.
In the early days of these types of solutions, this
took the shape of simple anti-virus offerings.
Having your security infrastructure reside on a
separate device operating at a gateway allowed
security to be managed centrally so that all
updates and settings changes could be done
in a single location rather than having to apply
them to each endpoint. The evolution of these
solutions has led us to the point where UTMs,
which can offer a balance of speed, ease of use,
transparency and manageability, for a variety of
sizes of businesses, are prevalent.
not be blocked. By putting these devices in
simulated real-world environments, including
malicious and unwanted, as well as innocent
activity, their effectiveness can be accurately
assessed across the whole spectrum of
functionality.
As we have seen with the anti-malware space,
the purchasing process has become more of
a pure business decision than in the past. Yes,
security is the main function and needs to be
evaluated. However, it should also be tested
in the environment to determine the overall
effectiveness specific to total cost of ownership
and return on investment.
Modern UTMs now comprise a wide toolkit of
different security features beyond just antivirus.
At its most basic, a UTM should feature,
alongside the anti-malware components,
a firewall and virtual private network (VPN)
capabilities, which means they offer a good
range of functionality for smaller businesses.
Even when purchasing decisions are wholly
legal and from trusted sources, many people
don’t avail themselves of free things which could
improve their security, presumably because
they are considered too complicated, too
time-consuming or too low priority. Software
patching certainly falls into this category, along
with others like network policy decisions and
enforcement, and proper network architecture.
UTMs were designed to deal with precisely
these concerns. Security is not something that
can be postponed because it seems to be a
More full-featured devices can contain various
additional modules, such as intrusion detection
and prevention systems (IDS/IPS), and spam
and URL content filtering. By grouping these
tools in a device at the gateway, they can help
improve network performance by taking out
hostile or unwanted traffic before they reach
the internal network. Certainly, having these
things centrally located makes it easier to apply
updates to network settings and policy changes
across an organization.
Because there are so many complex features
at play here, all interacting with each other,
independent testing plays a vital role in finding
the device best suited to a company’s individual
needs. A UTM must not just protect a business
and its users, it must also not act as a hindrance
to doing day-to-day business. Legitimate email
must get through. Innocent websites need to be
accessible. Clean, non-malicious files should
ADVERTISEMENT
Secospace USG2250 and USG5560
Secospace USG2250
Huawei Symantec
DEVELOPER STATEMENT
The Secospace USG2250 (targeted at SMB and SOHO users)
and 5560 (targeted at Enterprises and data centers) series of
appliances developed by Huawei Symantec provide a wide
range of security defense capabilities, including firewall, VPN,
anti-virus, IPS, application control and anti-spam technologies,
along with routing features. Going from small, cost-effective
multi-service gateways up to the 10 gigabit unified security
gateway level, they help to build fast, efficient and secure
networks whilst maximising ROI.
OVERVIEW
The Unified Security Gateway (USG) range
of appliances was developed by the joint
venture company, Huawei Symantec. All
of the appliances tested in this report are
part of the USG series which are tailored to
meet the needs of various company sizes
– the USG2200 series for SMBs and the
USG5500 series for enterprises.
In order to test the full range of security
technologies contained within the
appliance, Huawei Symantec enrolled
both devices into the Checkmark UTM
Certification program by West Coast Labs
(WCL). This certification has been designed
to test the core components of any UTM
device with a focus on the following key
functions: firewall, VPN, and anti-virus
as the baseline and anti-spam, IPS, URL
filtering, and anti-spyware as optional
components. To demonstrate confidence
in their products' security capabilities,
Huawei Symantec opted to test the
baseline and all optional components.
During testing, both products were found
to perform to the high level of standards
expected of a dedicated security appliance
and demanding requirements of security-aware businesses. As such, both the
USG2250 appliance and the USG5560
were awarded the Checkmark UTM
Certification, one of the industry’s most
highly regarded certification systems for
information security products and services.
TEST NETWORKS AND
METHODOLOGY
Initial configuration of each appliance
is performed by using the product’s
Quick Access Wizard which guides the
administrator through configuration
of standard networking tasks, such as
internal, external, and DMZ IP addressing,
virtual private tunnelling, and the operations
and management agent.
Once the setup is complete, the final stage
is the application of the various module
licenses. Huawei Symantec offers greater
flexibility by employing licenses for each
of its core technologies so companies that
are content with their existing anti-spam or
URL filtering solutions can continue using
them.
The first technology tested in the
Checkmark scheme was the anti-virus
capabilities of Huawei Symantec’s USG
series, which were tested over the SMTP
protocol. Before testing could begin, the
appliances were configured to forward all
SMTP traffic to an internal postfix server.
Following this, an anti-virus policy was
created and deployed according to the
forwarding rule. With this short setup
complete, the appliances immediately
began detecting the incoming virus and
spyware attachments. Using a separate
policy system for the anti-malware
protection provides the administrator with
a central point of management for all anti-
virus based protection.
Next were the anti-spam and URL filtering
features. Anti-spam protection is provided
through the use of Huawei Symantec’s
Registered Blacklist (RBL), which offers
administrators various configuration
options, including the ability to completely
block any spam emails.
Secospace USG5560
URL filtering on the USG series monitors
over 65 million domain names and
provides administrators with hundreds of
pre-defined categories. It also enables the
administrator to create their own custom
filtering policy lists and user-defined
blacklists and whitelists along with HTTP
access logging.
During testing, several collections of web
content were processed through the
appliance, which was able to accurately
filter and classify the large number of URLs
used in the test.
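The report describes the URL filter in terms of a category database, administrator-defined blacklists and whitelists, and HTTP access logging, but not how those pieces interact. The example below is an added illustration of one such policy engine and is not Huawei Symantec code: the category database, hostnames and client address are constructed sample data, and the precedence order (whitelist over blacklist over category over a default for uncategorised hosts) is an assumption about how such a device would resolve conflicting settings.

```python
"""Toy URL-filtering policy with category lookup, administrator whitelist/blacklist
and HTTP access logging, modelled on the features the report lists for the USG
series.  Added illustration only, not Huawei Symantec code; the category
database, hostnames and addresses below are constructed sample data."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the vendor category database (a real appliance
# holds millions of domains); keys are domains, values are category names.
CATEGORY_DB = {
    "news.example": "news",
    "games.example": "games",
    "cdn.games.example": "games",
    "malware-host.example": "malicious",
}


def _suffix_match(host, entries):
    """True if host equals an entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)


def categorise(host):
    """Walk the label suffixes (a.b.c -> b.c -> c) so subdomains inherit the
    category of the closest listed parent; unknown hosts are 'uncategorised'."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorised"


@dataclass
class UrlPolicy:
    blocked_categories: set
    whitelist: set = field(default_factory=set)   # always allowed
    blacklist: set = field(default_factory=set)   # always blocked
    uncategorised_action: str = "allow"           # default for unknown hosts
    access_log: list = field(default_factory=list)

    def evaluate(self, url, client_ip):
        """Return (action, reason) and append an access-log line.
        Assumed precedence: whitelist > blacklist > category > default."""
        host = urlsplit(url).hostname          # lower-cased, port stripped
        if host is None:
            action, reason = "block", "unparseable-url"
        elif _suffix_match(host, self.whitelist):
            action, reason = "allow", "whitelist"
        elif _suffix_match(host, self.blacklist):
            action, reason = "block", "blacklist"
        else:
            cat = categorise(host)
            if cat in self.blocked_categories:
                action, reason = "block", "category:" + cat
            elif cat == "uncategorised":
                action, reason = self.uncategorised_action, "uncategorised"
            else:
                action, reason = "allow", "category:" + cat
        self.access_log.append(f"{client_ip} {action} {host} {reason}")
        return action, reason


def build_demo_policy():
    """Constructed policy: block games and malicious sites, blacklist the news
    site outright, but whitelist the games CDN so the whitelist wins."""
    return UrlPolicy(blocked_categories={"games", "malicious"},
                     whitelist={"cdn.games.example"},
                     blacklist={"news.example"})


if __name__ == "__main__":
    policy = build_demo_policy()
    for u in ("http://news.example/today", "https://cdn.games.example/lib.js",
              "http://GAMES.example:8080/play", "http://sub.malware-host.example/",
              "http://unknown.example/"):
        print(u, "->", policy.evaluate(u, "192.168.1.20"))
    print("\n".join(policy.access_log))
```

Two details matter when a filter like this is tested with a large mixed corpus, as the report describes: the hostname is normalised (case and port removed) before any lookup, so trivial variations cannot slip past a blacklist, and a URL the parser cannot interpret is blocked rather than silently allowed.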
The firewall feature of Huawei Symantec’s
USG solutions offers a wide selection
of configuration options to guide policy
deployment. Some of the firewall
capabilities include packet filtering,
application protocol identification, network
address translation, port forwarding, and
access control. Policies for any feature of
the UTM can be quickly created and easily
deployed within the proper access control
list.
The appliances have a number of options
for setting up virtual private networks
with specific configuration for IPSEC
tunnelling through the Quick Access
Wizard. Configurations for other modes
include GRE, SSL, L2TP, and MPLS VPN.
For testing purposes, SSL VPN was
implemented and tested.
As part of the VPN testing, engineers
examined the overall security of the
tunnel between the internal and remote
machines, as well as looking at the level of
privacy afforded by the secure connection.
The connection itself, in terms of speed,
appeared consistent during testing.
Intrusion prevention (IPS) in the appliances
is addressed by use of a signature-based
system and policy deployment. At the time
of testing, there were more than 8,000
detectable attack types in the signature
database, which is constantly being
updated.
During each of these three network
security tests - namely firewall, IDS/IPS,
and VPN - the USG appliance was able to
correctly identify and block the incoming
attacks, while allowing authentic, genuine
traffic to continue as would be expected.
Given that these network security
technologies are the raison d'etre of UTM
appliances, protection in these areas
without hampering workflow is key, and the
USG appliances deliver on both fronts.
RESULTS REPORTING
In testing the firewall, IPS and VPN
features, West Coast Labs (WCL) used
various commercial, open-source and
custom tools to validate the overall integrity
and performance of each feature. Huawei
Symantec’s USG series yielded impressive
results at high thresholds within the WCL
Checkmark Certification.
Reporting and monitoring for the
appliances is handled in multiple ways.
There is a dashboard that provides an
immediate, high-level overview of the
solution. Information within this page
is displayed through the use of visual
data such as charts, “speed dials”, and
short tables, providing an accurate and
instantaneous appraisal of the system
status without the need to study text-heavy
logs.
For a more in-depth analysis of the system,
a separate log mechanism called eLog can
be set up on a standalone PC. The eLog
logging system contains more detailed
information on incoming traffic, such as
source IP address and port, the respective
security zone (e.g., trusted or untrusted),
and the security policy responsible for the
log entry.
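The firewall section above lists packet filtering, security zones and access control lists, and the eLog description gives the fields a log entry carries (source IP address and port, the security zone, and the policy responsible). The following is an added example of how those pieces fit together, written for this page and not taken from the USG firmware: the zone definitions, the rules and the sample packets are constructed, and the first-match-then-implicit-deny evaluation order is an assumption about how a zone-based ACL is typically processed.

```python
"""Toy zone-based packet filter that emits log entries with the fields the report
says eLog records (source IP and port, security zone, and the policy responsible).
Added illustration only, not Huawei Symantec code; zones, rules and packets are
constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed zones: any address outside a listed network is 'untrust'.
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),   # internal LAN
    "dmz": ipaddress.ip_network("10.10.0.0/24"),       # public-facing servers
}


def zone_of(ip):
    """Map an address to its security zone; unknown space is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str         # zone name or "any"
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dst_ports: frozenset  # empty set means any port
    action: str           # "permit" or "deny"

    def matches(self, pkt, src_zone, dst_zone):
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", pkt.proto)
                and (not self.dst_ports or pkt.dport in self.dst_ports))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed access-control list; first match wins, then implicit deny.
RULES = [
    Rule("allow-web-to-dmz", "untrust", "dmz", "tcp", frozenset({80, 443}), "permit"),
    Rule("allow-lan-mgmt-dmz", "trust", "dmz", "tcp", frozenset({22}), "permit"),
    Rule("allow-lan-out", "trust", "untrust", "any", frozenset(), "permit"),
]


def evaluate(pkt, rules=RULES):
    """Return (action, policy name, log line) for one packet."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in rules:
        if rule.matches(pkt, src_zone, dst_zone):
            action, policy = rule.action, rule.name
            break
    else:
        action, policy = "deny", "default-deny"   # nothing matched
    log = (f"src={pkt.src}:{pkt.sport} dst={pkt.dst}:{pkt.dport} proto={pkt.proto} "
           f"src_zone={src_zone} dst_zone={dst_zone} policy={policy} action={action}")
    return action, policy, log


if __name__ == "__main__":
    for p in (Packet("203.0.113.7", 51000, "10.10.0.5", 443, "tcp"),
              Packet("203.0.113.7", 51001, "10.10.0.5", 22, "tcp"),
              Packet("192.168.1.20", 40000, "10.10.0.5", 22, "tcp"),
              Packet("192.168.1.20", 40001, "198.51.100.9", 53, "udp"),
              Packet("203.0.113.7", 1234, "192.168.1.20", 445, "tcp")):
        print(evaluate(p)[2])
```

Recording the policy name in every entry is what makes the log useful to an administrator reviewing it: a dropped packet that hit the implicit deny reads differently from one rejected by a deliberate rule, and a permitted flow can be traced back to the exact ACL entry that let it through.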
WEST COAST LABS VERDICT
The Huawei Symantec USG2250 and USG5560 are comprehensive, well-rounded security solutions. Each of the package’s security technologies is well designed, with the anti-virus, IPS and anti-spam technologies benefiting from the combined expertise of the joint venture of Huawei Symantec. Firewall, URL filtering, VPN and anti-spyware features have also been well implemented and there is strong commitment to deliver a quick and easy-to-learn user interface. Huawei Symantec has delivered feature-rich and user-friendly UTMs. West Coast Labs recommends Huawei Symantec USG2250 and USG5560 for excellence in both performance and functionality.
CONNECT
to the latest knowledge in
CYBERSECURITY
Bellevue University offers
these degrees in the IT field.
LEARN what it takes to lead in Cybersecurity today.
Master’s Degrees
What you’ll learn in this ultra-current master’s degree program will put you in
demand in the private and public sectors.
• Cybersecurity
• Computer Information Systems
• Management of Information Systems with a concentration in Information Security
• MBA with a concentration in Information Security
Bachelor’s Degrees
• Computer Information Systems with an emphasis in Information Security
• Systems and Network Administration (SNAP)
• Information Technology
• Protect your organization’s information and technical assets
• Expand your knowledge of cyber protection techniques, tools and technology
• Focus on network and software security, business continuity planning, ethical hacking, risk management and more
Our curriculum is developed and continually updated
with leading security experts.
Bellevue University makes it possible.
We give you accelerated bachelor’s degree completion (accepting the credits you’ve
already earned), convenient online learning that fits into your busy life, engaging
interactive learning, affordable tuition and a degree that opens doors for you.
Learn more about this and other degrees in the IT field
offered by Bellevue University 100% ONLINE.
CONNECT NOW
Read Professor Ron Woerner’s
interview in this magazine.
SUCCEED
IT.Bellevue.edu
Product Section
Entering a new era of cybersecurity innovation
I’ll begin this month by stating the obvious: The title of
this month’s column uses the term “cybersecurity.” That
is not the accepted term for what we do. We have, over the
years, called our discipline everything from computer security
to information assurance. I usually dislike the hackneyed,
over-hyped terms that start with “cyber.” It was, after all,
introduced into our vernacular in a science fiction novel, and
what we do is anything but fiction. But the world is turning
“cyber,” so I succumb.
I interpret “cybersecurity” to address the protection of all
things in cyberspace. It subsumes data, information, systems, computers, the cloud,
etc. Thus, like it or not, I think the term pretty well covers the bases, which is a good
segue to this year’s Innovators issue. Good because the remarkable companies that
we highlight in this issue are blazing the trails in their respective market segments
through pure creativity and market understanding. And they cover the bases too. In
fact, if we were to create a dream system using all of the products these companies
offer, we’d likely have a home run.
One of the things that makes writing here so exciting for me is watching small
companies – often the spawn of an entrepreneur’s imagination – carve out niches in
a marketplace that can become quite crowded, and where small companies often are
gobbled up by bigger fish and then disappear in that fish’s innards never to be seen
again. For example, one of our Hall of Famers from last year – Nitro Security – has
been acquired by McAfee. We couldn’t be prouder of them. They had a very smart
product and a business plan putting them right at the forefront of their market. This
year’s companies are just as creative, just as innovative, and just as likely to attract
those big fish.
Further, while we tend to focus on the technology, if the business is not run well
and the products don’t make it to market so they can be monetized, all the technology in the world is not going to save the company. But it’s hard times, and start-ups
are struggling for survival even more than they traditionally have. The clever and
creative companies using innovative business practices and cost-effective stealth
marketing make it. Others don’t.
That does not mean buying the most advertising either. All of the companies we
talked to limited their marketing budgets in favor of more direct ways of communicating with potential customers.
What then does all of this mean for you, the consumer of security products? It
means you have a choice. It means we can guide you toward companies that have a
real upgrade when they announce it, not just the same old box painted a new color.
But, that also means you take a small risk: Will the company survive? We’re betting
on all of these companies. One, in fact, entering our Hall of Fame this year recently
announced it was being acquired – so cheers to Altor for joining the Juniper family.
Now, let’s get on with the show!
–Peter Stephenson, technology editor
Contents
Access control ....................... 45
Lighthouse Security Group .............45
Insightix ...........................................46
EyeLock ...........................................46
Encryption ..............................47
WinMagic ......................................... 47
Forensics ............................... 48
Niksun..............................................48
AccessData ......................................49
Infrastructure ....................... 49
Edgewave.........................................50
Mobile Device Protection ..... 50
Mobile Active Defense ......................51
Perimeter Defense ................. 51
M86 Security ................................... 52
Trustwave......................................... 52
UTM .........................................53
Cyberoam ........................................53
Virtualization ....................... 54
Catbird .............................................54
Vulnerability Testing .............55
Saint ................................................ 55
Hall of Fame ........................... 56
Juniper .............................................56
800-756-7920
A non-profit university, Bellevue University is accredited by The Higher Learning Commission and a member of the North Central Association of Colleges and Schools • www.ncahlc.org • 800-621-7440 • Bellevue University has received specialization accreditation for its Bachelor of Science in Accounting, Bachelor of Science in Business Administration, and Masters of Business Administration degree programs in business through the International Assembly for Collegiate Business Education (IACBE), Olathe, Kansas. Bellevue University is a member of AACSB International – The Association to Advance Collegiate Schools of Business • www.aacsb.edu • Bellevue University does not discriminate on the basis of age, race, color, religion, gender, national origin, or disability in the educational programs and activities it operates. *As ranked by Security Magazine, 2007.
www.scmagazineus.com • December 2011 • SC 43
PRODUCTS l Industry Innovators
2011
Innovators
Cutting edge is alive
and well again, says
Peter Stephenson,
technology editor.
It’s time for our “Innovators” issue again.
Every year at this time, we roll up our
sleeves and start digging for those companies that have the vision, imagination and
creative management to become the leaders
in our industry through their innovation.
The first time we did this – four years ago
– leading-edge changes were in short supply. Since then, we have seen mergers and
acquisitions, severe economic woes and
business failures. Happily, all of that seems
to be behind us, but the industry does not
look anything like it did four years ago.
Last year, we had several companies pass
into our Hall of Fame. This year, we have
one, but it is a real success story. The Hall
of Fame is reserved for the most innovative
of the innovative. That means that we have
vetted the winners several years in a row.
We perform that due diligence in a variety
of ways. We look at how many times they
have been chosen as Innovators. We look at
how they fared in our monthly Group Test
reviews. And we talk to them and look at
how they have performed against the plans
they offered in earlier years, and how they
scrambled when things got tough.
This year’s Hall of Famer was a hot pick
for us, as well as for other organizations
that prognosticated about up-and-comers.
The company was successful in the marketplace and it had leading-edge technology.
So, in the true spirit of our industry, another innovative – but much larger – company,
bought them. It remains to be seen what
will happen next, but knowing both of
these firms, I’m betting each will continue
their winning streaks, together now.
Innovation is not something that comes
from sales or marketing alone. It is comprised of the technology, plus the way the
business is conceived. We found some
interesting trends this year. For example,
we found that the majority of our Innovators are stealth marketers. They prefer to
use public relations and word of mouth
instead of spending bundles on advertising.
That doesn’t mean they don’t advertise. It
means they advertise smart. For example,
some told us they use online banner ads
and trade shows instead of paying big
bucks for display ads.
Another major factor in our business has
been the emergence of old wine in new
bottles. Those of you who follow my writing know I am not a fan of the hype that
surrounds “the cloud” and “Web 2.0.” Both
of these are, pure and simple, figments of
some marketer’s pipe dream. That said,
they are with us even though nobody seems
to recall that back in the day we were sharing computing resources from time-share
services through crude dial-up modems.
Web 2.0 is nothing more than the same
old stuff married up with active content.
The product equivalent of this is a “new
release” that really is nothing more than a
different color box.
So, given this reality, how have these
“new” market areas affected us? Depending on your perspective, I think we’d have
to admit that they have changed everything,
at least for now. They have introduced an
entirely new computing paradigm when
taken in context with today’s enterprises.
A contradiction to my comments above?
Not really. Back in the day, we did not have
the distributed computing platforms that
we do presently. And, most important, we
did not have the kinds of virtualization that
we do currently. If there is a single true
generational innovation, it is virtualization.
Clouds and webs notwithstanding, without
virtualization, these things would never
have been economically feasible. So, we
may have old wine in new bottles, but that
virtualization bottle is a game changer.
The combination of the wine and the
bottle is a serious challenge for security and
forensic investigation. The real Innovator
companies are those that have come up with
viable technology, have the business foresight to monetize it and the marketing savvy
to get the technology to customers. This
month, we have, as we used to say in Indiana
way back when, a whole passel of ’em.
Though the picture has changed – and
radically from four years ago – we believe
you’ll find that this issue is a harbinger of
what to expect. Things in the computing
world have started moving again and they
will never be the same as years past. So,
hang on… it’s going to be quite a ride!
ACCESS CONTROL
Access control is an old
standby. As long as we
want to allow some users
access and deny others, these
products will be with us. The
trick is finding one that is, clearly, an Innovator in a rather stale
category. What more can one do
after determining that someone
knocking at the door should be
allowed entry or not? It turns
out that there is quite a bit one
can do. Actually, the magic is
less in what one does than in
how it is done.
The two companies in the
category this year have really
taken a deep look at the problems associated with controlling
access to computing resources.
They have opted for new
approaches they believe will be
sustainable over a protracted
period of change in how we use
those resources.
One Innovator has tackled
the problem of determining
what users may need access. In
an environment of exploding
resources, before one can control access to those, one needs
to identify what they are. That’s
the starting point for one of
our Innovators.
The other one begins by
addressing the other end of the
spectrum – SMB customers –
and makes large-scale enterprise
resources available at a good
price and with the management
simplification these smaller
companies need. How? Well, of
course, they took their solution
to the access control problem
into the cloud. How they did
it, though, was the key to their
innovation.
These two companies have
taken very creative approaches
to solving the challenges of their
respective marketplaces. That is
really saying something because
access control, as boring a topic
as it may seem on the surface,
is the key to securing the enter-
prise. Controlling who can and
cannot enter is a challenge.
There are a lot of pieces to the
problem, and those have been
addressed in a large number
of ways. Typically, though, the
methods are birds of a feather.
We were looking for something
different. What we found merits
your consideration, regardless of
the size of your organization.
By the way, we also addressed
that old bugaboo of identification. We found a really good
example of creative use of biometrics. So, read on….
“Access control is the key to securing the enterprise.”
Lighthouse
Go out and get a top-drawer identity and
access management
(IAM) product and make it
available to the SMB market.
Good idea, right? Except for
one thing: SMB companies cannot afford enterprise-class IAM
products, no matter how much
they need what those products
do. Along comes this Innovator
who lights the way to a solution.
Lighthouse took the core
IAM technology from partner
IBM, added its own shell to
make it accessible and configurable to users in SMBs that do
not have quite the resources
that big enterprises do, and
provided a system-style IAM
application customized for
SMBs.
Next, Lighthouse put the
whole thing in the cloud and
delivered it as a service, but, as
AT A GLANCE
VENDOR: Lighthouse Security
Group
www.DiscoverLighthouseGateway.com
FLAGSHIP PRODUCT: Lighthouse
Gateway
COST: $2,995 per month
INNOVATION: Making IBM “big iron” capabilities in IAM available to smaller organizations at an affordable price and within their means to support.
GREATEST STRENGTH: The vision to see what the market needs and figuring out a creative way to provide it.
the visionary to whom I spoke
emphasized, not a managed
service. The customer still is
in control. Only, due to the
layer that Lighthouse adds, the
product – called Lighthouse
Gateway – provides big system
capability scaled to an SMB’s
needs.
What is the vision for Lighthouse? Most companies are
not in IAM, but have a need
for it. Regulatory requirements
are broad and getting broader
every day. So, even smaller
companies are being forced to
adopt mature IAM. They have
two choices: Put it in the data
center (high cost), or acquire
the same best-of-breed capabilities using Lighthouse for
a much lower entry cost and
overall cost of ownership.
When I asked the visionary
from Lighthouse what
he thought made the
company innovative,
he answered that the
key is not trying to
build technology from
the ground up, but to
add value to/leverage
existing technology.
Mid-market and SMB
companies deserve the
same capabilities that a
big company does.
Insightix
Insightix is an Israeli company
that has experience – especially
in consulting – in what they
refer to as the “jungle problem.”
By that it means that the enterprise is a jungle, and nobody
really knows everything on the
network. The implication is that
there is a need for complete,
real-time, contextual network
intelligence in order to secure the
network.
Insightix is seven years old
with 120 employees. The company is well-balanced between
marketing and technology,
but is focused on technology
to support the customer and
integrate with vertical applications. To make that work, it
seeks technology partners and
provides a platform for that
partners’ products.
The Insightix tool – called
Insightix Business Security
AT A GLANCE
VENDOR: Insightix
www.insightix.com
FLAGSHIP PRODUCT:
BSA Visibility
COST: starts at $30
INNOVATION: Solving the
“jungle problem.”
GREATEST STRENGTH: Providing
a holistic closed-loop access
control tool.
Assurance (BSA) product suite
– is designed to detect, identify,
profile, audit and control all
devices connected to the network in real
time. That’s a pretty big order. But, that is what
BSA is designed to do. And this
provides first-rate support for
compliance.
From the business perspective, Insightix understands
where it brings value to the
marketplace. That value could
be an end-user or technology
partner. Because it provides the
total intelligence in real
time to the appropriate
delivery target, it addresses
the business need directly.
Because this is an agentless
approach, it is more efficient and lightweight at the
endpoint. From a features
delivery perspective, the
product does discovery of
all network assets, audit, compliance, risk analysis, user identity
profiling, remediation, control
and enforcement. That makes
BSA a full, closed-loop access
control tool. Closed-loop means
that the testing, remediation
and re-testing cycle is under the
complete control of the tool.
Closed-loop systems are efficient
because they automate the process of looking for and addressing flaws. Trouble is, one first
has to know where the flaws are.
What value does Insightix
bring to the table? According
to the visionary with whom I
spoke, “The BSA solution suite
provides a 360-degree view into
the actual state of your network
security, effectively bridging the
network security gap that exists
between the actual security state
of enterprise networks and what
is known to IT.”
Couldn’t have said it better
myself.
EyeLock
Biometrics tools – real biometrics of the kind that
one can use reliably in a
high-security environment – are
relatively rare. Add the need for
rapid and reliable identification
and one has a requirement for a
very rare bird indeed. EyeLock
enters the picture here with its
approach and we would present
them with “The Better Mousetrap Award” – if such a prize
existed.
EyeLock was founded five
years ago in response to several
factors. First, iris-matching systems have been around for a
while, but had not reached the
mainstream because, as implemented,
they did not scale to millions of
customers. Existing systems were too
difficult to use and too expensive.
Additionally, they did not work well and so
were used in small deployments.
ENCRYPTION
Encryption, arguably, is the
mainstay of information
protection. We would
be hard-pressed to find many
product categories in the security space that did not have some
encryption component associated with them. Whether it is
raw encryption – file and folder
or whole disk, for example – or
some form of public key infrastructure (PKI), encryption
makes the information-protection world go round.
Also, it is pretty hard to find
anything new under the encryption sun. But, we’ve done that
this year. Again, as with many of
our Innovators, it is not so much
what they’ve done that impresses, but how they’ve done it.
Addressing a problem that
we all know about, but don’t
think about – the complexity of encryption from the
perspective of the end-user
– poses a problem that may be
greater than those posed by
the mechanics of encryption.
This year’s Innovator focused
on solving a problem with a
technology that people actually
can use. The company got there
first and it never looked back.
Many of us can remember
when Phil Zimmerman introduced the early versions of
Pretty Good Privacy (PGP).
Great stuff, to be sure, but like
many products of the time,
PGP required a proficiency
with the command line, and it
came from a *nix world – not
the average user’s bailiwick.
I recall many years ago, telling a client that he needed to
employ encryption for sensitive
emails. What did I suggest?
PGP, of course. My client just
laughed and asked me who I
thought would be able to use
the product? He got me there.
Once you leave the IT shop,
users who could make it work
were few and far between.
However, times have changed.
Today, encryption is commonplace, and this year’s Innovator
played a significant role in
achieving that status. Happily,
it still is innovating and bringing encryption ever more into
the mainstream for users who
need to employ their computers, not tinker with them to
make them work.
And, while encryption is
about mathematics and technology, our Innovator believes
that it also should be usable by
the broadest possible audience.
“Encryption, arguably, is the mainstay of information protection.”
Nobody focused on image acquisition, so EyeLock – formerly
the Hoyos Group – did, and the
result was a suite of products that
solved those problems.
EyeLock focused on accuracy and speed (50 people per
minute), ease of use and low
cost. It offers its own matcher
to avoid difficult integration.
Enrollment is simple. There is
no change to the existing access
control system. Applying this
approach, EyeLock systems have
been proven to work in highvolume situationss where there
are up to 100,000
0 users and one
million transactions.
ons. Its
own on-board database
atabase
can enroll 30,000
0 users
alone.
This Innovatorr took
a unique approach:
ch: It
focused on the user
ser and
not the device. Today’s
46 SC • December 2011 • www.scmagazineus.com
om
AT A GLANCE
VENDOR: EyeLock
www.eyelock.com
FLAGSHIP PRODUCT:
Eyeswipe Nano
COST: $2,495
INNOVATION: Moving from
retinal scans to image
acquisition allowing highvolume identification.
GREATEST STRENGTH: Finding
a way to build a genuinely
better mousetrap that solves
a real problem.
competitive devices focus on the
technology, but it is difficult for
the customer to use the technology. From a business perspective,
the company’s ability transcend
verticals, and its impact in realworld situations – often in hightransaction environments – are
not just for the sake of a “big
idea.” Finally, an extraordinary
relationship with EyeLock’s
channel, and some early outreach
to the banking press, which sees
this as a game-changer, helped
seal their success.
What advice did the visionary with whom we spoke have?
“Great innovation is only realized if it can be delivered to
the user, productized
and
pro
monetized.”
That makes
mak sense, and
it certainly has worked
in a very tricky
product
tri
space for this
th Innovator.
It all started in 1997. A little start-up named WinMagic, based in Mississauga, Ontario, entered the encryption arena with a whole-disk encryption product. But, it was not just any full disk encryption product. The company was, in fact, the first full disk encryption (FDE) provider to introduce true key management by using a key-labeling design. Not satisfied with that, WinMagic introduced the client design using [cryptographic token interface standard] PKCS#11 from the ground up. The following year, it became the first FDE provider to introduce encryption for floppy, ZIP drives and USBs. And since those years, this Innovator never has looked back.
AT A GLANCE
VENDOR: WinMagic
www.winmagic.com
FLAGSHIP PRODUCT: SecureDoc Full-Disk Encryption
COST: $99 per license (100+)
INNOVATION: Very creative application of encryption technologies in full-disk encryption applications.
GREATEST STRENGTH: Creativity and imagination coupled with the follow-through to bring those traits to market.
Over the years, it has introduced secret-level encryption for the U.S. government by means of hardware encryption via the Fortezza card, provided FDE for the U.S. National Security Agency, and received the first-ever NIST certification for advanced encryption standard (AES), among many other accomplishments.
WinMagic’s PBConnex is based on the premise that typical encryption technology is too complicated and disruptive. It should, in fact, behave as if it were not encrypted. That calls for an emphasis on ease of use, as well as effective protection. Encryption done wrong can cause too many disruptions, and that is a weakness that needs to be overcome. Further, response to customer needs, including customization, brings value to the customer. That is something we almost never hear. The idea of customization strikes terror in the hearts of companies in the production software business. However, this Innovator uses requests for customization from customers as a way to introduce general improvements into the product.
From a marketing perspective, WinMagic forms strategic relationships within specific geographic regions, watches industry trends carefully, and develops partnerships with OEMs [original equipment manufacturers] that are preloading WinMagic products. It’s a good strategy and one we’ve heard before, but in the hands of WinMagic, it does seem to work quite well.
PRODUCTS l Industry Innovators
FORENSIC TOOLS
This is my favorite section. Each year, we look at the burgeoning field of digital forensics and try to figure out which companies are doing the heavy lifting in terms of innovation. We have had several excellent teams in this section in the past, and some moved on to the Hall of Fame last year. This year, we have picked two exceptional forensic tool innovators: One from the world of computer and small devices, and one from the network.
Digital forensics is a difficult field to analyze because there are a couple of philosophies to which reviewers must pander. First, there is what I refer to as the “Swiss Army Knife” philosophy. This is the “every-tool-in-one-box” approach. Everything forensic is in a single program. There are some advantages to that in terms of cost and ease of use, since everything the analyst needs is integrated together.
There are some disadvantages, as well. For example, it is unlikely that a computer forensic tool will have all of the capabilities needed all the time. That usually means adding third-party tools into the mix.
The second philosophy is an individual tool for each function. Besides the obvious impact of cost, there also is the problem of analysts becoming proficient in all tools needed to conduct a digital forensic analysis. On the other hand, one might argue that the individual tools were purpose-built and, therefore, more appropriate. This does not take into account the difficulty of integrating disparate forensic findings into a coherent investigation/report.
The two Innovators we selected this year in our forensic category take a middle-of-the-road approach. Both have extensive product lines, but those solutions integrate their outputs well for case-level analysis. Also, both have multiple functions in their flagship products, with a roadmap for increasing that functionality. We anticipate that at some point there will be some overlap in these two products and, naïve though it may seem, they will be able to form the core of one’s digital forensic tool box. To a certain degree, they do that now.
“Digital forensics is a difficult field to analyze...”
NIKSUN
These guys, in the vernacular of some on the right-hand coast, are wicked smart. To be sure, there is a lot of technology in what they do, but what makes them Innovators is not so much what they do, but how they do it. Their flagship product, NetOmni Alpine, is delivered on a hardware platform (up to 2U form-factor) that is deployed in a customer’s network or security operations center, or a similar central location.
All distributed NIKSUN appliances deployed in the customer network need to be accessible from the NetOmni system so data can be exchanged. With this approach, the user achieves pervasive network forensic captures that can be analyzed in real time or after the fact. That is a very important point, by the way. Some forensic tools may claim to be network forensic tools when they mean that they are network aware and can capture platform data over the network. True network forensic tools, however, must be able to capture and analyze network traffic, reconstruct network sessions and provide tracing capabilities for attribution purposes.
All that is interesting, and it certainly has made NIKSUN an innovator, but what comes next? To be an innovator, a company must continue creating better products. When we asked the visionary to whom we were talking what’s next, he told us that the next challenge is to have a global view of data presented in a user-friendly manner. That means one to two clicks to the data. Also high on the list is improving the efficiency of workflow, looking at how users attack problems, and seeking to make it smoother and more intuitive.
It takes curious and knowledgeable people to get these difficult tasks accomplished, so NIKSUN relies on a motivated staff. It doesn’t spend a lot of money advertising; rather it focuses on doing the products right.
Its next step is to make workflow more efficient through automation. The company needs to handle lots of data and leverage lower-level people in the customer’s operation. This is a more efficient way to do network forensics than forcing all of the analysis to be performed manually by experts.
The next step is to leverage the data to be predictive and then feed that back into the cycle. Sounds pretty ambitious, but I’m betting this team will pull it off.
AT A GLANCE
VENDOR: NIKSUN
www.niksun.com
FLAGSHIP PRODUCT: NetOmni Alpine
COST: $46,580, basic list price
INNOVATION: The first, serious, real-time network forensic analysis tool.
GREATEST STRENGTH: Pure, raw creativity and drive to be the best no matter what.
AccessData
Here’s another one of the forensic good guys. But, they are substantially different from some of their competitors. For starters, they are one of the oldest companies in the game with a pedigree going back more than 20 years. Last year, we recognized AccessData as a mainstay in the forensic business and, to be sure, they are. But when one has been around a long time, it gets harder and harder to come up with new things. Nowhere is that more obvious than in the digital forensic marketplace.
True, there are some fine companies that are doing very interesting things. Some are quite small. Others are larger, but have focused on continuous improvement in what they have – a notable approach. But true innovation is a tough beast to find, and the folks at AccessData seem to have found it. More and more, they are creeping up on a more comprehensive approach to digital forensic analysis.
One of the powerful things about the AccessData strategy is its view of digital forensic data. It always is about the case at hand. Data collected using other AccessData tools usually slots right into the case so that the analyst can consider the whole picture. We have found that view to be most useful when using the AccessData suite of products.
So, where do you go when you need to develop innovation in what looks like a mature market? First, you acknowledge that it is anything but mature, no matter how other vendors treat it. Then you set about to prove the thesis. One starts by identifying weaknesses in the current crop of products. One major weakness is how relationships between digital forensic data may be visualized. These can be seriously important because they point out subtleties that help solve the case.
Malware analysis always has been delegated to third-party tools, and some very good ones at that. But what if one could add that analysis into computer forensics directly? OK, add that to the list. Finally, we’d like to be able to access computers over the network like some other folks do. We can do that. Add it to the next release. And on it goes. Find the problem by listening to the customer, and go find a solution for it.
AT A GLANCE
VENDOR: AccessData Group
http://accessdata.com
FLAGSHIP PRODUCT: Forensic Toolkit (FTK)
COST: $2,995
INNOVATION: Vision to see what the forensic tool industry really needs, and developing a holistic suite of products to provide it.
GREATEST STRENGTH: Vision, creativity and drive.
INFRASTRUCTURE
The infrastructure of a computing enterprise is a tricky thing with which to deal. It’s tricky to protect because it’s tricky to define. What do we mean by infrastructure protection? Is this some sort of a product that is ever-present throughout the enterprise? Is it something that defines and manages what other products do? The answer to both these questions is “yes.” The infrastructure is everything about the enterprise that supports the applications and, therefore, protecting the data means protecting the infrastructure.
The problem is that the actual protecting becomes part of the infrastructure itself. That makes it subject to the same potential compromises to which those things it is protecting are. So the logical way to protect the enterprise at the infrastructure level is to pull the protection outside of the network. Capable systems are doing exactly that. Slowly, security services are moving to the internet in shared environments. These shared environments are special-purpose clouds, to use the current vernacular.
The second issue is compliance. If the infrastructure protection is not policy driven, it will fail in its purpose. The infrastructure is exactly that. It is not just the server farm. It is the servers, the endpoints, the communications devices and, today, it could, for example, be the organization’s telephone system running on VoIP. Coordinating protection of all of that is a formidable challenge, and our entry this year meets the challenge in spades.
In prior years, we focused on policy and configuration management tools and other similar solutions for the infrastructure-protection problem. But, when we started to examine the field this year, we found those approaches, while good enough for now, were not forward-looking enough. In fact, we found they had not progressed materially in the past year or two. So, we scratched our collective heads and re-examined the problem.
Only one product – actually more of a service – popped out for us, and that company is our sole Innovator in the category this year.
“...protecting the data means protecting the infrastructure.”
EdgeWave
As the company’s website says: “EdgeWave develops and markets on-demand, on-premises and hybrid secure content management (SCM) solutions for the mid-enterprise and service provider markets.” And, while that certainly is accurate, it really is a very innocuous description of a truly innovative company. Formerly St. Bernard, EdgeWave became focused on web filtering for small- and medium-size businesses. Its product was easy to use and deploy, and the cost was relatively low.
About 2½ years ago, EdgeWave refocused on its new product, iPrism, and web filtering. Because it felt itself getting a bit stale, the management team decided to make solid upgrades. The result was an overwhelming response from eager users.
One of the smartest things this Innovator has done is recognize that while “cloud” is the buzzword on everyone’s lips, not everyone is going to the cloud. At least not yet. So EdgeWave has offerings that can be installed on-premise, in the cloud, or via a hybrid model.
The second smart thing EdgeWave did was assess where the so-called “pain points” are for most companies and provided – through acquisition or in-house development – solutions to those problems. Finally, they fit those solutions together so that customers could have a holistic suite of solutions to a holistic suite of challenges.
When we asked the EdgeWave visionary why he thought the company was special enough to be one of our Innovators, he told us that the answer was easy. EdgeWave has morphed its technology into services with one easy-to-use and manage platform. Its portal, he said, is the secret sauce. Moreover, they found real value in listening to its customers (now 8,000 SMBs) to establish strategy and delivery. That meant improving communication with customers. “Listen to your customers when they are unhappy,” he told us. “That’s when you get the most useful feedback.”
To top it off, EdgeWave focused on marketing/distribution, and established a channel strategy and focus and, where necessary, created top partners.
AT A GLANCE
VENDOR: EdgeWave
www.edgewave.com
FLAGSHIP PRODUCT: iPrism Web Security
COST: $2,495
INNOVATION: Comprehensive web filtering for small- and medium-size businesses.
GREATEST STRENGTH: Listening to its customers when they are not happy and providing solutions to the things that made them unhappy.
MOBILE DEVICE PROTECTION
If there is anything that characterizes today’s computing environment – beyond virtualization and the techniques it has fostered – it is the pervasiveness of mobile devices. These units, from smartphones to tablets, have introduced to the enterprise a whole batch of new intrusion – and extrusion – vectors.
The challenges include new and very different operating environments, as well as the pervasive nature of mobile applications. Many of these are not vetted for malware, backdoors and just plain bad programming. There are limited protection tools for many of these environments and, probably worse, sometimes there is no way to know who is on the network. Moving between Wi-Fi and the wireless telecom network provides opportunities to exfiltrate data from one network onto another without authorization.
Demand for mobile devices within the organization is reaching epic proportions, often precluding proper policy development, testing and configuration of gateways. With all of that in mind, solutions to these challenges become a major challenge in themselves. Managing everything from policy to enforcement poses huge challenges by itself. These are the types of challenges that require creative solutions, and they require those solutions quickly. It takes both experience and innovation to step up to the emergence of a new and very disruptive technology.
Returning for the moment to the subject of disruptive technology, this year our interviews have uncovered the interesting premise that addressing a disruptive technology, such as the explosion of mobile device use in all quarters, requires an equally disruptive technological solution, along with the creative business and go-to-market approaches to monetize it.
This year’s Innovator is all of those things: experience, creativity, vision and a solid business approach. Taking the framework for security in the mobile environment, adding the dimension of compliance and considering the technological issues all play important roles in successfully addressing smartphones and tablets.
“Demand for mobile devices within the organization is reaching epic proportions.”
Mobile Active Defense (M.A.D.)
Here’s a radical concept: Treat all of the mobile devices on the network as if they were computers. If one does, and secures them the way one secures computers, there will be no mobile device problems. Unfortunately, that is not quite as easy as it sounds. If it were true, there would be a lot of M.A.D. companies around. There aren’t because it isn’t.
The principals at Mobile Active Defense (M.A.D.) met while working at a consulting company. In 2008/09, they started looking at how to hack smartphones and, thus, how to protect them. Subsequently, the important issue is the app store and that increases the threat significantly. In early 2010, M.A.D. started developing its MECS (Mobile Enterprise Compliance and Security) Server Solution and launched the offering later that year.
Taking a certificate-based authentication approach, filtering everything through the MECS server and developing a strongly defined philosophy, MECS prevents a user from turning off protection. That means that the product is targeted at compliance, as well as security, rather than being focused exclusively on mobile device management.
The MECS solution is offered as either a fully hosted service or on a dedicated appliance that can be installed in the enterprise environment. If the fully hosted service is chosen, a site-to-site VPN typically is configured to extend access to private corporate resources and intranets. Customers choosing to host their own appliance simply install the MECS server appliance in a DMZ outside of their existing corporate firewall. This is the most secure installation, and traffic can undergo multiple points of inspection before entering the corporate network.
Treating mobile devices like computers on the network, with the firewall and IPS specifically built for the server management component is either in the cloud or data center. By partnering with security value-added resellers (VARs) around the world, M.A.D.’s line-up of products is localized, and channel partners can help them grow quickly.
“What is MECS?” we asked. “Easy,” came the reply. “It’s a next-generation IPS for the mobile world.”
AT A GLANCE
VENDOR: Mobile Active Defense (M.A.D.)
www.mobileactivedefense.com
FLAGSHIP PRODUCT: Mobile Enterprise Compliance Security (MECS) Server Solution
COST: $120 per device per year for one to 100 devices.
INNOVATION: Treating the mobile device as a computer and protecting it as if it is.
GREATEST STRENGTH: Vision to see that there are better ways to secure the mobile environment.
PERIMETER DEFENSE
Defending the perimeter increasingly is becoming an ambiguous concept. The hard, knife-edge perimeter of the past is dead and gone. Long live the sort-of-fuzzy, kind-of-gray area, not-quite-a-DMZ perimeter of the future. This notion begs the question: “Who cares about the perimeter anyway?” After all, it’s all about the data, and we are interested in sharing a lot with the world at large, so why not just protect the data and let the rest go?
Well, that’s barking up the right tree, but as my grandpappy was fond of saying, “Ya ain’t got the coon treed yet.” To tree the coon, we really do need to be concerned with both the data and the infrastructure since it is the poisoning of the infrastructure that puts our data at greater risk.
Being able to address problems at the application layer – before they can infect devices and other applications, move about the enterprise collecting sensitive data and phoning home to deliver the booty – is a key aspect of protecting the ever-fading perimeter in the enterprise of the future. That said, it would be good if such a device could work hand-in-glove with a data leakage product so that interdiction of malware phoning home with a payload could become a defense-in-depth proposition. That is where this year’s perimeter defense Innovator comes into the picture.
Should the perimeter defense system also be the data leakage prevention tool? That’s an open question in our view. We can make a pretty good case that it should, but then we would lose the defense-in-depth. That, of course, is the primary argument against the unified threat management (UTM). The answer has been that the depth becomes what is done at the client level. One layer of protection goes to the perimeter and one to the endpoint. For this year, however, we did include an independent data leakage prevention (DLP) product. When the perimeter is especially fuzzy, having endpoint, DLP and perimeter protection is a very good idea, indeed. And, making all three of these pieces work together will, for certain, tree that pesky, enterprise-compromising coon.
“Should the perimeter defense system also be the data leakage prevention tool?”
M86
A couple of months ago, we recommended the M86 product to some friends in the banking industry. We had the opportunity to give the product a thorough shake-down, and the results were impressive. First, malware defines the M86 product. And the malware engine defines its innovation. M86 focuses on distinct capabilities that are holistic, rather than any one single capability. Regardless of what the organization is, M86 has deployed its anti-malware tools from small enterprises up to the very large. Read the market, respond and move the product fast. Listen closely to customers and anticipate. That is what makes M86 tick. And it shows in its products and support.
M86 has a very long history. The founders created the current company by merging several world-class companies together. Each was an innovator in its field. Together, they looked for a problem to solve in the market. Over a very short time, they developed a vision of applications that will be a problem in the future. Then they attacked the management of those applications.
M86 capabilities are available through the company’s appliance, software or software-as-a-service (SaaS) for web and email security.
M86 works with organizations that have a vested interest in keeping their customers safe, so it provides the technology to ensure that safety. These partners become M86’s salesforce, taking its products to their customers, keeping the customer safe and not spreading malware around the web.
M86 products use patented, real-time code analysis and behavior-based malware detection technologies, as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information and ensure regulatory compliance. A tall order, but certainly within the realm of M86’s capability. The strong merging of premises products and cloud services gives M86 customers access to a lot of power.
AT A GLANCE
VENDOR: M86 Security
www.m86security.com
FLAGSHIP PRODUCT: M86 Secure Web Gateway
COST: starts at $4,980/$9.38 per user license for 10,000+ users, including one-year standard support.
INNOVATION: A comprehensive defense gateway with the ability to work with associated products to protect the internal network from the perimeter.
GREATEST STRENGTH: Technological know-how, experience and creative problem solving.
UTM
I remember when we were still trying to figure out what a unified threat management (UTM) tool was. We tried for consistent definitions. We sort of got one. But no sooner did we have the UTMs sorted out from the multipurpose appliances than the ballgame changed again and it became the mainstay. However, even with that, we began to see all sorts of point solutions being subsumed by the UTM to the point where, once again, it has become difficult to define.
From our perspective, that was good because it showed progress and creativity in addressing a difficult problem: knowing what is happening on one’s enterprise and acting on that knowledge. There is an adage about eating an elephant a bite at a time. Our winner this time is eating the entire enterprise elephant. And it’s doing that without getting a bellyache.
A next-generation UTM developer needs to learn from and then forget the past. The new paradigms emerging as alternatives to the traditional enterprise demand new ideas in protecting the enterprise. That means looking for a platform that can provide an infrastructure for accomplishing a lot of security tasks. The UTM is just the ticket. But it needs to be the new and improved UTM.
This year’s UTM Innovator took an interesting approach to solving the problem. Probably the biggest challenge, though, is not technical. It’s cost. To realize a relatively universal market, cost barriers need to be overcome. There are lots of ways to do that by reducing capability. How our Innovator did it may ruffle some feathers, but it worked, and the end result is well worth looking at.
About that feather-ruffling: Another trend I observed this year was that many of our Innovators are developing disruptive technologies. That, we believe, is the best news of the year. Doing that successfully foreshadows real creativity in the market space. When enough companies disrupt the status quo with true solutions to serious – and emerging – challenges, the entire tone of the market changes. That is what we see happening this year, especially in this category.
“...disruptive technologies... foreshadow real creativity in the market space.”
Trustwave
We’ve said it before, but here we go again: Trustwave is without a doubt the finest example of a well thought-out cybersecurity product going. It is intuitive, has well-constructed menus and capabilities, and does exactly the job for which it is intended.
Trustwave was the result of a merger in 2005. The predecessor company was founded in the 1990s by ex-NSA employees and was mostly a consulting practice focusing on PCI compliance. The current company still does consulting and assessment, plus it has a portfolio of more than 20 products, which it either built itself or has acquired. Trustwave has built a comprehensive security portfolio by actively integrating everything in its kit into a holistic security management system.
The Trustwave strategy is to build and acquire leading products from multiple sources and integrate the mix into what the customer needs, whether on premises or as a managed security service. The company actively applies both consulting expertise and research. That provides a platform of knowledge and experience. The team also has a unique ability to combine compliance management with compliance enablement by providing all the necessary services and components to allow one-stop shopping. From the beginning, it has established relationships with large banks and consortia to provide products and services in bulk. Using its partners to leverage sales, Trustwave has over time established a base of more than one million clients by selling to the customers’ customers and leveraging those relationships.
Recognizing that customers grapple with complexity and compliance, Trustwave set out to simplify this through a comprehensive suite of security products and services. When we asked the visionary what makes the company tick, he answered: “Trustwave is committed to identifying and protecting sensitive data in every form in every environment. Our vision is for a global community in which transactions are safe, and information flows freely and securely.”
That global vision has gone a long way toward putting Trustwave in this year’s Innovators designation.
AT A GLANCE
VENDOR: Trustwave
www.trustwave.com
FLAGSHIP PRODUCT: Trustwave DLP
COST: $10,000
INNOVATION: Data leakage prevention for the rest of us.
GREATEST STRENGTH: Intuitive organization, strength and depth of technology to support users no matter who they might be.
Cyberoam
yberoam is a
brand of Elitecore
Technologies, an
Indian company that
started 11 years ago with
10 employees. With all
the uproar about offshoring, this company is a real
success story. The visionary we spoke with was the founder of the company and spent a lot of time talking about working with American employees and learning the cultural differences so that his Indian employees could make a global success out of Cyberoam. And a global success it is.

In 2004, the Cyberoam product was born and now is globally strong with 5,000 sales partners and 70 distributors worldwide. It always has been profitable, selling mostly to SMBs. With about 700 employees, half are dedicated to Cyberoam and most of the company’s revenue comes from Cyberoam. The visionary told us that transparency (strategy always is clear) and a collaborative culture around the world (business) are hallmarks of its corporate personality. It is cautious on marketing spending. It makes sure that its products are established in all other markets before the United States to ensure the credibility of the product in what it considers the most important market in the world. The key, we were told, is brand recognition. Cyberoam is one of two largely foreign Innovators this year, the other one being based in Israel.

The Cyberoam product line is quite broad, consisting of 19 models. These can be fully customized to meet the security requirements of enterprises across verticals. And the company recently launched a network security product targeting the home segment, called NetGenie-Home.

“So, what really makes Cyberoam stand out?” we asked the visionary. “What one, single thing defines the Cyberoam value statement?” The answer was clear, and it explained why this precocious start-up, which began with only 10 employees, now has a global operation with more than 700. “Value for money,” he told us. “Add strong research and development, strong company commitment to innovation, many features – all while the cost stays reasonable – and then maintain hardware compatibility without requiring new hardware.”

Yep. That should do it.

AT A GLANCE
COMPANY NAME: Elitecore Technologies
FLAGSHIP PRODUCT: Cyberoam CR1500ia
VENDOR: Cyberoam
www.cyberoam.com
COST: $16,999
INNOVATION: Developing a UTM product line that covers all customer types, and applying unique technology and business practices to do it.
GREATEST STRENGTH: Powerful, positive application of globalization to a universal UTM product line.
www.scmagazineus.com • December 2011 • SC 53
PRODUCTS | Industry Innovators
VIRTUALIZATION

We began 2011 with the most significant change to computing since the introduction of client-server computing: virtualization. Virtualization has been with us in one form or another for a long time, but now that it is a staple of the systems world, it really has come into its own. Virtualization not only has changed the way we build our data centers, it has gone beyond that to change the way we do computing. All sorts of companies are competing for specialized niches, coining new buzzwords and addressing new problems – mostly economically related – by providing the computing power in a centralized data center reached securely (one hopes) over the internet. Some of the offerings are solutions looking for a problem, but a significant number – an ever-increasing number – are legitimate business opportunities.

It is important to recognize that there are at least three important trends driving the explosion of cloud offerings: cost, green initiatives and compliance. Serious computing power costs money. Pulling together several customers who are willing to share a community resource is one way to address that. The catch is that these several customers don’t want the others sniffing out their business. So, the concept of sharing this way could not progress without adequate security. That has opened serious opportunities for innovative companies.

Our two companies – one is in the Hall of Fame section – this year are visionaries. They have seen the future and, in true paranoid security fashion, have sought out and addressed challenges. These companies model their solution to virtual problems after similar paradigms in the non-virtual world. Their premise is: If it works in the physical data center, it should work in the virtual one. That, of course, requires significantly different technology, a business model that is sustainable, and a go-to-market plan that can foster confidence in potential customers. The virtual world is a scary place when one starts thinking about security in the context of the cloud – public or private – and compliance.

VULNERABILITY TESTING

Vulnerability testing has changed markedly over the past few years. Hall of Famers in this space have contributed mightily to these changes, which largely deal with redefining what we mean by vulnerability assessment (VA) in the first place. This year’s Innovator has been in the thick of this evolution since the first vulnerability test tool was invented in the open source community.

While there have been numerous prequels to the current state of vulnerability assessment (VA) tools, the Big Kahuna has been combining traditional VA with traditional penetration testing to get a sort of super tool that covers the entire vulnerability management waterfront. That term – vulnerability management – is a Holy Grail for this product space. There are good vulnerability management tools available. Some even do both automated VA and pen testing. However, as a genre, these tools have a way to go to be fully baked.

What we have now, in addition to some capable vulnerability management tools, are some very capable VA and pen testing tools. What we don’t yet have is everything in a single kit. This year’s Innovator is approaching that Nirvana from the VA/pen testing perspective.

VA is not rocket science to perform automatically. VA scans, after all, are pretty automated from the beginning. The scan starts and then reports back its findings in the form of a report – and that’s it. Done. Pen testing can be automated, and there are times when that is useful, but it usually doesn’t work as well as automating VA does because there always is the necessary human intervention.

But what if one wanted to combine VA and pen testing, automate the process, and make the human less necessary? That would approach the pot of gold and, if one could add the right workflow for remediation and retesting, the goal would be attained. That’s where this market needs to go, and this year’s Innovator has played a key role, along with other Hall of Famers, to get to this promised land.
Catbird

It’s good to be in the Catbird seat, and this Innovator certainly is. This 10-year-old company has an interesting history. Its original business was doing security monitoring from the cloud, even though there wasn’t a cloud yet. It solved a problem for banks by remotely checking websites to see if they had been hacked. Then its customers wanted them to check inside the data center, so it put sensors inside so it could do both internal and external monitoring. Then came virtualization and it needed to see inside the virtual host. That defined the problem.

Catbird vSecurity has two components: a virtual machine appliance and a control center with a web-based interface. There is a virtual appliance (sensor) that sits on the hypervisor and reports back to a cloud-based monitoring center so that either the customer or Catbird can monitor. Sensors are free, but Catbird charges for the control center that does monitoring and analytics, and then quarantines virtual machines, based on user definitions. The product suite includes a firewall, access control, intrusion prevention (IPS), vulnerability assessment and what the company believes is most important, compliance based on the user’s selection of regulations.

Why does this company position itself as an innovator? Its technology provides in-depth compliance monitoring in a virtual environment. This leads to helping its customers as trusted advisers in the virtual security space. Catbird sells through a value-added reseller (VAR) channel and its market strategy is to put virtualization security on the map by educating the market and being seen as thought leaders. Since people who purchase Catbird are already comfortable with security experts – the VARs – Catbird adds the tools for those experts.

There is no doubt that Catbird has taken a decade of experience and morphed it into a viable virtual security suite of capabilities. Does the company still do the external monitoring? Certainly, although that is not its mainstream business anymore. But, just think of its mix of monitoring. We did, and we made them our Innovator in virtualization security this year.

AT A GLANCE
VENDOR: Catbird
www.catbird.com
FLAGSHIP PRODUCT: vSecurity
COST: $1,995 per socket
INNOVATION: In-depth compliance monitoring while providing useful functionality for virtual security, especially in cloud environments.
GREATEST STRENGTH: Experience from the data center to the virtual center.
Saint

Saint is back this year for its second bite at the Innovator apple. This is only proper since Saint has a very long history – one of the longest, in fact, of all of the vulnerability assessment tools. Over that history – which began formally in 1998, although Dan Farmer and Wietse Venema actually released the open source version of its predecessor, Security Administrator Tool for Analyzing Networks (SATAN), in 1995 – Saint has won numerous awards, innovated in many ways, and, in general, helped change the way we test our enterprises for vulnerabilities.

The Saint website gives a good view of what drives the company: “Since its inception in 1998, Saint Corp. has been developing software products to make network security easy and affordable.” Ease of use and affordability have been the company’s hallmarks since its inception. However, that has not been an easy road. First, Saint started out running in a *nix environment, rather than on a Windows box. Many novice penetration testers had some difficulty with that, but Saint persisted.

Linux is the primary tool for system hacking. All of the best scripts run on it, and developing new tools is easier than in Windows. The code also tends to be more compact. Today, Saint has added the Mac to its arsenal and that, too, should be no surprise. With its *nix roots, the current Mac operating system is so good for system testing that Macs are slowly becoming the tool of choice for pen testers in general.

One of Saint’s major innovations was the integration of penetration testing and vulnerability assessment. Since the network assessment process usually begins with automated or semi-automated vulnerability scans, and progresses to attempting to exploit weaknesses found by those scans, a product that does both – and integrates both results and reporting – is a powerful tool indeed.

Overall, the company’s objectives are to develop technology that is more useful for the customer. Saint’s vision is to be a leader. That’s what drives them: striving to figure out what the next need is going to be and then producing it. The company is small and agile enough to run with something new very quickly, achieving a speedy turnaround on new products and ideas.

AT A GLANCE
VENDOR: Saint
www.saintcorporation.com
FLAGSHIP PRODUCT: Saint Professional
COST: $8,000 (roaming Class C, one-year subscription)
INNOVATION: Combining vulnerability assessment and penetration testing in a single application.
GREATEST STRENGTH: A holistic view of the vulnerability testing process and a keen ear for customer needs.
HALL OF FAME

The 800-pound gorilla in the room, Hall of Famers go through a rigorous evaluation, not once, but over a space of years. They have to be creative, well-managed, forward-looking and successful. Don’t forget that last one, either. Success is the yardstick by which we measure the worth of these creative companies. We pick our Innovators each year based, in part, on our experience with them during the intervening year between December issues. After two to three years, depending on the company and how it fares in our Group Test reviews and First Looks, its road map for the future, and its performance against its earlier road maps (including turn-on-a-dime responses to unavoidable changes, such as market conditions or the economy), we push the best of the best into the Hall of Fame.

Getting to the Hall of Fame requires innovation, staying power and demonstrated success. Last year, we inducted several companies into our inaugural Hall of Fame. This year, there is only one, but it is an interesting story because it is the amalgam of two companies, both of which have, over time, demonstrated the characteristics that we look for in Hall of Fame candidates.

There is a notion that getting votes in the Reader Trust Awards, part of the annual SC Awards, equals Hall of Fame status. Because of the way the Reader Trust Awards are granted, however, they only count for part of the total picture. Reader Trust Awards, for example, may equate in part to market share, which, in turn, may equate to company size and age.

There are a couple of Innovators this year that might very well win a Reader Trust Award. That would be a very good thing given that the designation bestowed by us would tend to validate the kudos presented the winner by our readers. And that sums up the whole idea nicely. It is the well-rounded company with appropriate products in the right place at the right time that wins Hall of Fame honors. Today’s technology companies ought not to win by brute force, but, rather, by a combination of attributes that define excellence in their respective fields.

“Organizations are learning that meeting regulatory requirements usually isn’t enough.”
Juniper

This is the third year that we have looked at Altor, the company that burst on the scene with the first product to firewall individual virtual machines in a VMware environment. At the time, we asked the company’s visionary what the company was going to do when VMware decided to build its own similar product. “That’s not going to happen” was the answer.

Altor’s approach is still hot, but it’s not Altor anymore. This year, Altor became part of the Juniper family. We cannot think of a better marriage. Both deserve to join other Hall of Famers as the cream of the crop.

As it happens, Juniper was not really an outside choice for a suitor. Juniper, in many regards, incubated Altor, so it was predictable that the company would come inside. Juniper has a leading place in physical firewalls and the vGW, Altor virtual firewall’s new name, works at the wire speed of the virtual system. With the acquisition, developers focused on adding additional layers of security. Being hypervisor-based makes the vGW efficient. Then, with new resources available, the team was able to add things like contiguous monitoring, integrated compliance, anti-virus and virtual machine image enforcement.

The big bonus, though, is the connection between the physical firewall and the virtual one. The net result of that capability is total firewall protection for the virtual data center and its physical hosts. Layered protection means defense in depth, and that is just the ticket for a virtual environment.

The vGW Virtual Gateway is Juniper’s positioning for securing virtualized data centers and clouds. The centerpiece is a hypervisor-based stateful firewall that secures inter-VM traffic at wire speeds. Layers of defense include application monitoring, integrated intrusion detection, VM compliance assessment, image enforcement and now integrated, high-performance anti-virus. This functionality makes the vGW much more than a virtual firewall. It really is a true gateway that joins the physical and virtual environments for generalized security. And that is worthy of a spot in our Hall of Fame.

AT A GLANCE
VENDOR: Juniper Networks
www.juniper.net
FLAGSHIP PRODUCT: vGW Virtual Gateway
COST: $3,000 per CPU socket
INNOVATION: A total firewall that marries the physical and the virtual to protect everything from the data center to the virtual machine.
GREATEST STRENGTH: Ability to work in physical and virtual worlds with an understanding of the strengths and weaknesses of both.

Save $400. Register before Friday, January 27!
Together we are strong. Unite with us at RSA® Conference.
As we increase our social connectivity, we also increase our exposure to an ever-changing array of exploits by criminals seeking to steal personal information via active online communities. By banding together to protect and defend ourselves we can stop enemies in their tracks. At RSA® Conference 2012, you will tap into the power of the collective as you learn from the best and brightest in the industry, exchange effective and valuable strategies with your peers and become stronger in the face of persistent security threats.
RSA Conference 2012 is the premier event where you will find the insights and resources you need to thwart socially engineered attacks and keep your kingdom safe from threats.
BUILD YOUR STRENGTH: Connect with cutting-edge solutions.
REFINE YOUR STRATEGIES: Participate in over 220 expert-led sessions.
CONQUER YOUR CHALLENGES: Get insights on today’s hottest topics.
SHARE YOUR KNOWLEDGE: Create networks with industry experts and peers.
Register Now! www.rsaconference.com/scmag
Last Word
We are our own worst enemy
To avoid past mistakes, one should appeal to outside experts, says Kyrus CTO Michael Tanji.

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

We can start by getting a handle on our language and defining our terms. Just about every adjective applied to malicious activity or code is subjective. There are no widely accepted definitions for what is “advanced,” “difficult,” “sophisticated” or “complex.” Why does security get short shrift? Because it is hard to take people seriously when their words can mean anything and they’re so hyperbolic.

Related to our language problem is the desperate need to end the use of war analogies. The stupidity of phrases like “digital Pearl Harbor” doesn’t require further elaboration. “Cyber deterrence” only makes sense if there were any meaningful analog between the lasting impact of using nuclear weapons versus digital ones. “Digital arms control” is such a non-serious idea as to be laughable. Legacy futures make for great newspaper copy and think-tank literature, but proposing solutions for a world that doesn’t exist isn’t helping the world that actually does.

We desperately need to do more critical thinking. So much cybersecurity analysis is pseudo-scientific, sometimes to the point of being on par with astrology. There is nothing more intellectually lazy than pointing to an IP address as “proof” of a source of evil. It’s not that others aren’t stealing our ideas and property, but no country has a death-grip on every byte that enters or exits systems within its borders. Any country that is advanced wouldn’t need to steal secrets. Yet in every report about cyberespionage there is a line akin to “all signs point to this being the work of country X” – without any critical analysis. There are 20 (G-20) “major economies” in the world, 31 “high income” Organisation for Economic Co-operation and Development (OECD) member nations, and 35 “advanced economies” per the International Monetary Fund – all of which could benefit greatly from the intellectual output of American engineers and scientists. But since we’re so heavily invested in preparing to fight a conventional war with just two adversaries, that’s who we blame.

When presented with the opportunity to discuss cybersecurity problems, we should actively campaign against the use of false authorities. Our world is filled with security celebrities whose Q-scores are disproportionate to the breadth of their actual expertise. When we launch people into space, we seek comments of former astronauts, not glider pilots. Yet no one thinks twice about asking an expert in cryptography what they think about botnets. One suggestion: When asked about an issue outside of one’s area of expertise, offer access to a true expert instead. We need less commentary from the most glib, and more insight from the most knowledgeable.

Finally, and I can’t stress this enough, we need to appreciate and promote our history. I have computer security books that were printed in the 1970s. If you didn’t know The Cuckoo’s Egg [which details a computer hack] took place 25 years ago, you’d think it was documenting events that happened last month. In fact, everything Cliff Stoll did ad hoc – computer network defenses, honeypots, public-private information sharing – are things we’re still struggling to get right today. The echoes of history should inform, not haunt us, if we’re to succeed.
Michael Tanji is a former intelligence officer and the CSO at Kyrus.

Virtualize more with WebSphere. Or pay more with WebLogic.
Over 400 highly logical reasons to choose IBM WebSphere® over Oracle WebLogic®:
1. Save 57% on first-year licensing and support.
2. Choose from more virtualization options (including VMware and Xen).
3. Pay only for cores you use (not always true with Oracle WebLogic).
4–404. Be in good company (last year, over 400 Oracle WebLogic clients chose IBM WebSphere).
ibm.com/facts
SAVINGS based on publicly available information as of 6/13/2011 comparing Oracle WebLogic Server Enterprise Edition to IBM WebSphere Application Server Network Deployment, both on an IBM Power® 730 Express server (2 chips, 8 cores each). IBM, the IBM logo, ibm.com, WebSphere, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2011.
World’s No. 1 Antivirus and Internet Security
ESET leads the industry in the consecutive number of “VB100” awards from Virus Bulletin testing organization.
[Chart: Success ratio (%) of selected antivirus vendors (not a complete list). Source: www.virusbtn.com, May 1998 - August 2011]
1 year FREE: Buy two years, get the third free.
Offer valid on 25 seats or more of ESET NOD32 Antivirus Business Edition and ESET Smart Security Business Edition.
PROMO CODE: 2011Q4PROMO
10/4-12/31/11. For terms, visit www.eset.com/q4promo
www.eset.com
© 2011 ESET. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET. All other names and brands are registered trademarks of their respective companies.