Hand-held device security

Hackers like to go where they can cause the most pain. As 3G rolls out in the US, you can bet that hackers will go there as well. There was a great article last Friday in the New York Times about viruses and other security issues on cellphones and hand-held devices in Japan (free site, but registration required). It is clear that we should look at how Japan is dealing with this issue, as their wireless infrastructure is much more advanced than ours at this point. At the same time, it seems that not many people in the US are dealing with the issue now. Having suffered attacks in the past, NTT DoCoMo has gotten proactive and put security software not only on its servers but also on its handsets. We should learn from this and prepare our infrastructure accordingly. Spam is not the major problem on these devices; think viruses that can jam the 911 emergency response system or denial of service attacks that can bring a wireless network down. What happens when we live in an even more embedded world where chips in cars, appliances, etc. begin talking to a wireless network and become infected with a virus?

Many of the companies that I have seen that focus on wireless security are looking at the client or handheld device level. This is the approach that companies like Network Associates and Symantec are taking with handhelds. While I applaud the effort to protect our devices, I do not believe that putting antivirus software on every handheld device is the right solution:

1. Installing antivirus software on every device is not an easy task to manage;
2. While it is much easier to constantly update virus definitions on connected devices, this will increasingly eat up precious memory and computing cycles on your device.

What is needed is smart security on the edge. This will require software that can sit on the network/server layer and in real-time inspect every message being sent from one device to another. It is not easy to sit inline and inspect every message without creating latency. In addition, the software will have to be able to prevent unknown attacks through behavioral analysis and not rely solely on signatures to prevent nefarious activity. This will lessen the need to constantly update every handheld, chew up precious memory and power, and give users an easy way to use their connected devices without headaches.

What Microsoft really needs to secure the perimeter

We all know that there have been a number of issues with Microsoft’s security. We have all been bothered by the daily ‘Windows Update Available’ alert. Steve Ballmer has stated that making their products more secure is their highest priority. In fact, MSFT’s CFO mentioned that security-related issues had a negative impact on its most recent quarter, delaying some very large licensing deals. So what is Microsoft doing to fix this? In MSFT’s recently announced ‘Securing the Perimeter’ initiative, the company will place greater emphasis on firewalls and other network security technologies to prevent hackers from reaching vulnerable PCs. What does this mean? Well, first of all, MSFT is emphasizing the importance of Defense in Depth. Defense in depth implies that enterprises must have security in every layer of a company’s infrastructure, from the edge to the center where all of the data resides. MSFT is also acknowledging that patching systems and installing Windows updates as the sole method of security does not work, because these methods are all reactive. In fact, most people do not even install updates and patches right away, still leaving many computers and servers highly vulnerable. Selling antivirus technology (via their acquisition of Romania’s GeCAD Software) will not make their OS less vulnerable. All of these technologies are getting better, but for the most part will still not catch the newest blended threat, worm, or virus. Antivirus software relies on signature updates for attacks that have already happened, and with patch management most of the patches are never installed. So Microsoft is telling us that they need an early warning signal technology to allow its customers to stop an attack at the edge before it hits vulnerable PCs and servers.

I applaud Microsoft for getting it. Windows is an old, bulky piece of software rife with holes. While security on Windows is a high priority, MSFT has finally acknowledged that a customer needs a defense in depth strategy to enhance security and that they need to push this into enterprises. By the time a worm, virus, DoS attack, etc. reaches the desktop it is too late. If we want real security we have to put proactive defense on the edge and not just in the center. The edge means that MSFT needs to take security out to the network and yes, this is where companies like Cisco dominate. We all know that routers are dumb, and that it is time to put more intelligence in them. Yes, this has not happened yet. Right now, MSFT seems to be looking at firewalls as their perimeter defense. Even if they add Intrusion Detection (lots of false positives, data overload, most technology relies on signatures) via partnership or acquisition, it will still not be enough. In order to fully round out their strategy, MSFT should look at security management software companies like netForensics (full disclosure: I am currently on the Board of Directors) to provide real-time analysis of a company’s total infrastructure, from the routers and edge firewalls to the NT and IIS servers residing in the internal data center.

How does security management software help? Most corporations spend millions of dollars buying security products, yet they still do not feel secure. It is the equivalent of having a building equipped with numerous cameras (security hardware) without anyone monitoring (security management software) the activity in real time. Therefore, how will anyone really know if they were attacked, by whom, when, and where? Take this concept to an enterprise and you get the same picture: lots, and I mean lots, of dollars spent on security (firewalls, intrusion detection systems, antivirus, etc.) to protect a company, but if there is no software to proactively filter all of the reams of data (gigabits upon gigabits of it) from a myriad of heterogeneous devices to correlate what happened and when in real time, then a company will never really know it was under attack. Well done security management software does not rely on past events to issue warnings. For example, netForensics was able to catch SQL Slammer while it was happening. It was able to view anomalous network activity gathered from various devices like firewalls and intrusion detection systems, and in real time correlate it and send an alert to the user, who could then shut off the port for Slammer. Of course, if one could shut that data stream off automatically as soon as an issue was detected (prevention), that would be even better. While netForensics can do this to a certain extent, many customers are afraid of having machines completely take over security control without a human filter. There is lots of buzz around prevention these days, but most Chief Security Officers I speak with are not yet ready to let machines do all of the work. What happens if an automated security system causes a trader to miss a $100 million trade?
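To make the correlation idea in the paragraph above concrete, here is an added example (my own illustration, not netForensics code or any vendor's product): it ingests constructed firewall and IDS events, learns a per-port baseline from a quiet period, and raises one alert when a port's traffic spikes far above baseline and is corroborated by more than one device class, with an alert-only default that keeps the human filter the paragraph describes. The device names, log tuples and thresholds are all made up; port 1434/udp is used because that is the port SQL Slammer targeted.

```python
from collections import defaultdict, deque

WINDOW_S, SPIKE_FACTOR, MIN_DEVICE_TYPES = 10, 10, 2  # window (s), anomaly factor, corroboration
# Constructed events, not real logs: (ts_seconds, device, device_type, src, dst, dport).
QUIET_PERIOD = [  # quiet period used to learn what "normal" looks like per destination port
    (0, "fw-edge-1", "firewall", "10.0.0.5", "192.0.2.10", 1434),
    (4, "fw-edge-1", "firewall", "10.0.0.6", "192.0.2.10", 80),
    (30, "fw-edge-1", "firewall", "10.0.0.5", "192.0.2.10", 1434),
]

def _burst(start, n):
    """Constructed worm-like burst: many sources hit 1434/udp, seen by firewall and IDS alike."""
    dev = [("fw-edge-1", "firewall"), ("ids-core-1", "ids")]
    return [(start + i * 0.25, *dev[i % 2], f"203.0.113.{i + 1}", f"192.0.2.{20 + i % 4}", 1434)
            for i in range(n)]
LIVE_FEED = ([(100, "fw-edge-1", "firewall", "10.0.0.6", "192.0.2.10", 80)] + _burst(120, 40)
             + [(140, "ids-core-1", "ids", "10.0.0.8", "192.0.2.11", 80)])

def learn_baseline(events, window=WINDOW_S):
    """Per-port peak event count in any window of the quiet period (floor 1)."""
    by_port, baseline = defaultdict(list), {}
    for ev in events:
        by_port[ev[5]].append(ev[0])
    for port, times in by_port.items():
        q, peak = deque(), 1
        for t in sorted(times):
            q.append(t)
            while q[0] < t - window:
                q.popleft()
            peak = max(peak, len(q))
        baseline[port] = peak
    return baseline

def correlate(events, baseline, window=WINDOW_S, automatic=False):
    """One alert per port whose windowed count exceeds SPIKE_FACTOR x baseline and is corroborated
    by MIN_DEVICE_TYPES device classes (rate anomaly, not signature); automatic=True means block."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, _dev, dtype, src, _dst, port in sorted(events, key=lambda e: e[0]):
        q = recent[port]
        q.append((ts, dtype, src))
        while q[0][0] < ts - window:
            q.popleft()
        types = {d for _, d, _ in q}
        if (len(q) > SPIKE_FACTOR * baseline.get(port, 1)
                and len(types) >= MIN_DEVICE_TYPES and port not in alerted):
            alerted.add(port)
            alerts.append({"dport": port, "count": len(q), "sources": len({s for *_, s in q}),
                           "device_types": sorted(types), "at": ts,
                           "action": "block_port" if automatic else "notify_analyst"})
    return alerts
```

With the constructed feed, the burst trips the alert at the eleventh event (11 distinct sources within the window, seen by both the firewall and the IDS), while the port 80 traffic stays below baseline and produces nothing.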

My recommendation is that MSFT should look at partnering with security management software companies so its customers can take control of their security. Adding more firewalls, intrusion detection systems, and antivirus technology alone does not make an enterprise more secure. Without a highly intelligent software layer sitting on top of all of these devices, and of the systems and servers in an infrastructure, and providing real-time monitoring of them, a company will be as secure as a building with lots of cameras and no one there to monitor it. One other reason for partnering with companies like netForensics is that MSFT has already taken a step into the management software arena with Microsoft Operations Manager (MOM), an area they were traditionally happy to let vendors like NetIQ handle on their own.

No more annoying calls at dinnertime!

Court lets ‘do-not-call’ list go forward.

In this fast-paced world, I have to admit that having dinner with my family is sacred time. During dinnertime, the last thing we want is a seemingly endless, annoying barrage of telemarketing calls. We never really had a problem until we moved from the city to the suburbs and got on every credit card list known to man due to our new mortgage. Our name and phone number spread like a bad computer virus. We got 3-4 calls a night for the first few months. The worst calls were the computer-dialed ones which left long-winded messages on our answering machine. So when www.donotcall.gov became available, we were one of the first to sign up. 51 million numbers have been registered since then.

The Telemarketing Services Association is claiming that the registry is a violation of their free speech. I say screw their free speech. The telemarketers’ calls are an obvious invasion of our privacy. I am glad that the judges had the sense to rule in favor of our personal privacy over the telemarketers’ economic interests. Yes, there are exclusions as to who can call, but shouldn’t everyone have the right to a sacred family dinner? Who knows what will happen in the appeal by the telemarketers, but it is satisfying to know that one day in the not too distant future, there just may be no more annoying calls. Now how about that anti-spam list?