One of the things I found with NAC was an ability to see what was unpatched on my network.   Problem is the NAC only works if the computer is on the network.   Even if I was using a software NAC agent such as the one in Symantec Endpoint Protection, that provides enforcement only.   It can’t report back to my management server inside my firewall.

As a Microsoft SCCM user, I looked at their configuration options to allow internet based computers to connect to a computer.   It seemed expensive, complicated and hard to implement.   Native mode requires digital certificates.   Our security policy would result in a duplicate SCCM environment on a border network.

I looked at Bigfix, but its seems they would require an inbound connection from the boundary server.  That violates our company policy, so I had to keep looking.

I wondered if Microsoft DirectAccess would solve this issue.   IPv6, and digital certificate requirements make this one a bit scary.   An always-up VPN into our network is a bit scary as well.

That’s when I received a cold call from Fiberlink a company that offers MAAS360 a product for mobile computer management, reporting, and patching from the cloud.  I’m interested in using SaaS where it can be done securely and will save money.   I signed up for an evaluation.   Even with only a few computers installed, I can see some nice reporting capabilities.   As we get a bit further in the evaluation, I”m going to see if this can solve problems also by deploying patches detected as missing.

Passwords are often kept in text files or excel files (hopefully encrypted).  Most admins here are using a consumer grade password safe installed on their local computer.   This can have issues in cases of sudden staff turnover or when the passwords aren’t adequately backed up.   For Disaster Recovery purposes passwords are stored in a safe in a sealed/signed envelope.   There isn’t adequate access control and logging on the use of those passwords.

Cyber-Ark is extremely complicated to implement.   It’s so complicated that you really need professional services.   Since the product isn’t cheap to begin with, that seemed like an insult.   I typically prefer products that are either straight forward enough to work  without professional services, or products that once implemented during the evaluation are ready to go.    I decided to bypass professional services.   Unfortunately for various reasons the virtual environment we had set up during the evaluation was deleted so I had to start from scratch.   Just over a year after buying the product, I ate crow and purchased four days of professional services.   Even now, I find implementing Enterprise Password Vault is so complicated that I wont be getting everything I’d like out of the vault right away.   And more $$$ for professional services may be needed.

There is a lot you can do with Cyber-Ark but its better to start out slow.  If I think it’s of interest, I”ll blog about what I’m doing as it moves from proof of concept to full implementation.

Cyber-Ark is really expensive and excessively complicated in my opinion.   However, the potential is there to do great things.   I’ve also enjoyed my dealings with sales (now gone from the company), the pre-sales engineer, and professional services.   I only hope I find support as cool when I end up having to work with them.

If the auditors were a bit slicker, I”d believe them when they said they were testing our controls for unauthorized computers.   (trust me, this guy was busted cold)  After Alanis, I hesitate to call something ironic, but it sure seems ironic that the people verifying our security policies routinely violate our security policies.

The monitor is a touchscreen so I checked the history to see if anyone had been accessing something other than WTOP.com.   While that wasn’t a in-depth check I think its safe to say that yet again WTOP served up a banner advertisement that contained Fake AV social engineering.

That normal sites will could attempt to send you malware via banner ads is not surprising to most people reading this site.   Using URL filters and antivirus is necessary.   A dose of common sense when the attack is trying to trick you into installing the virus rather than performing an exploit.

Friday, I tried to submit the false positives to Authentium using the instruction on their site but received to reply.   Today I followed up and was told since I wasn’t a customer, they had no interest in fixing their false positive.   I could however report the false positive to Microsoft who would then report it to them.    Going to argue with Authentium support a bit more.

[update:]
This will be fixed in an update later today.   Frustration relieved.   Probably partially self-inflicted.

Version 11.5.8.612 fixes multiple vulnerabilities that could be used for code execution.

Because its encrypted users bypass protections in place for HTTP to download viruses, access forbidden sites and leak confidential information.  This is limited only by the availability of SSL sites.     In recent years webmail like GMail has gone to full SSL sessions.   Bad guys can easily set up SSL as well.  Without a SSL proxy, all you can do to address these concerns is block by IP address.   IP addresses change frequently and are less likely to be categorized in a URL block list.

When you use a SSL proxy, the web traffic is terminated at the proxy server and a new request is made to the remote server.   The client browser uses a certificate from the proxy to secure data during the first leg of this transaction.   This will result in a certificate error if you don’t deploy the proxy’s self-signed certificate as a trusted root.   Because the client never sees the certificate of the remote server, the user does not get information about the trustworthiness of that certificate.  For this reason it is necessary to either block all bad certificates or make sure your SSL proxy can pass on that certificate info when the certificate is expired or does not chain to a trusted root.

The SSL proxy can use the hostname (CN) in the server certificate to make a  URL categorization decision to intercept or tunnel the traffic. 

Because you can intercept based on URL categorization, you could choose to intercept (and block) only websites that are in your blocked categories.  This is the simplest implementation of a SSL proxy.    It blocks site that wouldn’t have been blocked before and it doesn’t interfere with anything else.   If a computer doesn’t have your certificate in their trusted root, it’s not that bad because the site would have been blocked anyway.

A slightly more intrusive step is to also intercept webmail sites.   Webmail sites have the potential to download malware although the site itself is valid.   By intercepting the site the download is scanned by the antivirus layer.   A related idea is intercepting all uncategorized sites so they can be scanned.

A full implementation involves intercept everything not categorized as a financial site.  It is not recommended to intercept financial websites for obvious reasons.
Intercepting everything allows you to scan all downloads for viruses.  The main drawback is you’ll have more issues with web applications not conforming to HTTP standards.  

I think the simplest option of only intercepting websites classified in categories on your block list is best.   It provides additional security without potential for complications.  You’d have to make a security decision for your own environment.

There are security considerations to intercepting traffic.   When you only intercept a site to block it you don’t have sensitive data but as you intercept other categories, you must take care.  Sensitive data may now be exposed in clear text.  You may want to think twice about what you are logging and caching.  If any offbox analysis is performed you need to encrypt the connection and make sure nothing is on the remote box. 

A lot of attacks occur over the web and its important to provide the best defense.  It’s no longer good enough to ignore 443/TCP.

I read a couple interesting blog entries on Friday.  John Pescatore asks “Are Security Professionals Like Stephen Slater.”  In another blog, Foilball asks us to look in the mirror and see if we’re more Sullenberger or Slater.

Slater is the air-raging flight attendant who let the frustrations of life take over, stole a couple of beers and headed down the emergency slide.  He made Joanna’s method of quitting Chotchkie’s in Office Space look quite reasonable.

Pescatore  doesn’t actually compare Slater and information security personnel.   Rather than anything specific to this situation, he compares infosec people to the typical condescending flight attendant who does not explain the rules and only gives you a half can of Pepsi.

Is it really necessary for the flight attendant to explain that you need to leave the seatbelt on so you don’t become a human projectile mid-flight.   Or that your laptops need to be stowed not just for dubious electronic interference problems but so they don’t smack someone in the head during take off and landing.   Why does the sun visor need to be up during take off and landing.  I don’t know, but I have enough sense to know that having that discussion as we’re first in line for take off isn’t a good idea.  

You can get 20 years for interference with flight crew attendants and members.  Don’t even think of disabling the smoke detector.   I wonder if I can arrange similar penalties for disabling the antivirus or interference with infosec personnel.

The foilball article caused deeper thought.  Going through life, there are days when you’re hit in the head by luggage or cursed out by  a passenger.  There are days when you want to escape down the slide and it takes every ounce of control not to.   I’ve heard it said you can’t control your circumstances, but you can control how you react to them.   I look in that mirror and I see more Slater than I’d like to admit.   But I’m trying real hard to be a Sullenberger.

Companies that don’t want to use ActiveSync but still feel pressured into making the iPhone an option are looking to Good to do so.  

From the release notes:
• Complete landscape view – Including email list view, calendar, contacts and attachments.
• Conference dialer – quickly and easily dial into a conference bridge without having to memorize the conference pass code.
• Maps integration – quickly find the location of your meeting on a map and even get driving directions.

A change not mentioned is that when I receive a signed message instead of no indication the message is signed, I now get a message:

The sender has digitally signed the message with a personal certificate.  To verify the signature you can read this message on your desktop computer.

I can still read the message on the device, as I could before the update.   Without signature verification, I feel like this update only provides a false sense of message source identity verification.  

Its my understanding that full S/MIME support is on the roadmap.

Additionally Adobe released updates for Flash and Adobe Air. Acrobat and Reader updates expected for this week will occur next week.

Apple patched the iPhone and released an update for QuickTime.  iTunes users were not given the QuickTime update as of this post.

To stay up on all these updates, home users should install something like te Secunia Personal Software Inspector. Sysadmins should wave the dead chicken and hope for the best make plans to deploy these updates if the software is present in the work environment.