HOUSTON, March 2, 2012 – Leading managed security service provider Network Box USA (www.networkboxusa.com) announced today that Info Security Products Guide has declared the cutting-edge Network Box Z-Scan anti-malware system winner of the 2012 Global Excellence Awards in the Security Products and Solutions for Finance and Banking category. A large number of Network Box USA clients are in the financial industry.
More than 50 judges spanning a broad spectrum of industry voices from around the world participated, and their average scores determined the 8th annual Global Excellence Awards finalists and winners, who were announced during the awards dinner and presentation on February 29 in San Francisco.
Network Box's multi-award-winning Z-Scan reacts to zero-day malware up to 4,200 times faster than traditional anti-malware systems. It operates by continually analyzing all threat information obtained in real time (gleaned from a very large number of traps distributed globally in the cloud) against an impressive platform of more than eight million signatures. The Z-Scan network includes spam traps, virus traps, in-house as well as customer submissions, email and http statistics, and suspect samples.
Rather than creating a signature – which can take anywhere from three hours to an entire day to produce – Network Box adopts a revolutionary approach by fingerprinting malware in real time. This is then instantly distributed to its 12 security operation centers globally in under three seconds. In that brief moment, all Network Box unified threat management (UTM) devices are able to identify the code as a threat. Key to the process is the fact that Network Box manages all client UTM devices and receives immediate feedback from them.
“Z-Scan is a truly important weapon in our arsenal in the fight against malware,” said Pierluigi Stella, Network Box USA’s CTO. “We are proud to have been honored with this prestigious award that further validates Z-Scan as a leading-edge security solution.”
If even a small minority of all the hackers out there focused their intelligence, inventiveness and imagination away from malware and into constructive web-based endeavors, we’d all be better off.
That said, don’t hold your breath. Malware is an ongoing problem and scourge to both public and private entities and you need to understand what it is and how to deal with it. It’s a huge topic so I’ll break up the text into multiple posts.
First of all, you need to know what malware is – executable code that runs on your computer and is designed to do some sort of damage, either by harming your data or stealing it. The operative word is ‘executable’: it is a program, so it has to be run, and in most cases that means someone unknowingly installing it and launching it. The exception, covered at the end of this post, is code that exploits a flaw in your browser or one of its plug-ins and runs without any install at all.
Hackers are constantly looking for new ways to trick users into ‘clicking’ on something – and that simple one stroke click can activate the software and quickly start wreaking havoc.
Last month, for instance, we decided to test a computer sans any AV/malware protection, went online and started browsing. We checked out Google for Indian flags and clicked on one – suddenly messages popped up that allegedly were from the operating system stating that the disk was broken, partitions couldn’t be found, and other formidable looking warnings. All looked legit.
Then an alleged Microsoft tool popped up offering to ‘scan’ the warnings. I know what the real program looks like – this one was an almost identical clone but there were obvious clues that it was a fake. But since we were running an experiment, we followed along, clicked, and the program claimed to have scanned our entire system in less than two minutes. Of course, it found several issues that required an immediate fix, and up popped another screen requesting gobs of personal information, including a credit card number – to purchase the software and fix the computer.
We downloaded a Kaspersky emergency cleanup tool and cleared the virus, but even when the computer was clean we still couldn’t access our data – the scanning tool had set the hidden attribute on all files on the disk, OS, data, programs – everything was hidden and it appeared that the disk was empty. Once the hidden attribute was removed (attrib -h), the system was restored.
But you can also get dinged by stealth programs that record what you type, known as keyloggers. Fortunately this is becoming less common, as good AV software recognizes keyloggers by their behavior. There is also software that works as a browser add-on to protect your secure websites: if you try to do online banking, for instance, and you are not connected to the right IP address, the add-on will stop you.
Lastly, beware of malware distributed via HTTP – rather than hand-delivering a virus to you by email, the hacker places the code on a web server and entices you to visit a particular website. In most cases these are legitimate websites that have been compromised, unbeknown to the site’s owners. A script appended to the bottom of the home page’s index.html file adds hidden elements to the page – typically an invisible iframe or a script tag pointing at the attacker’s server – that the user never sees. No click is needed: as soon as the browser renders the page, the hidden element loads the attacker’s code, which exploits a weakness in the browser or a plug-in to install the malware, and the hacker is off to the races, pilfering your data.
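The following is an added example, not code from the original post or from Network Box: a small Python scanner a site owner could run against a downloaded copy of their own index.html to spot the kind of appended element described above. The indicators it checks (CSS-hidden or off-screen elements, one-pixel iframes, and any iframe or script that appears after the closing </html> tag) and the sample page are my assumptions, constructed for the demonstration.

```python
"""Flag hidden iframes/scripts injected into an HTML page (added example, not the post's code)."""
import re
from html.parser import HTMLParser

# Assumed indicators of a concealed element (not a list from the original post).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
SUSPECT_TAGS = ("iframe", "script", "div", "object")


def _is_tiny(attrs):
    """True when width or height is 0 or 1 pixel: nothing legitimate renders that small."""
    def px(v):
        try:
            return int(str(v).lower().replace("px", "").strip())
        except ValueError:
            return None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class InjectionScanner(HTMLParser):
    """Collects elements that are hidden, off-screen, tiny, or placed after </html>,
    the usual signature of code appended to the end of a compromised index.html."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, src, [reasons])
        self.after_html_close = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in SUSPECT_TAGS:
            return
        style = a.get("style") or ""
        reasons = []
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden via CSS")
        if OFFSCREEN_STYLE.search(style):
            reasons.append("positioned off-screen")
        if tag == "iframe" and _is_tiny(a):
            reasons.append("zero/one-pixel frame")
        if self.after_html_close:
            reasons.append("appears after </html>")
        if reasons:
            self.findings.append((tag, a.get("src") or "", reasons))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True


def scan_html(page: str):
    """Return the list of suspicious elements found in `page`."""
    parser = InjectionScanner()
    parser.feed(page)
    return parser.findings


# Constructed sample: a normal page with two elements appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://partner.example/widget" width="300" height="200"></iframe>
</body></html>
<script src="http://evil.example/x.js"></script>
<iframe src="http://evil.example/drop.php" width="1" height="1"
 style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_PAGE):
        print(f"{tag} {src}: {', '.join(reasons)}")
```

Run it over the page as served (fetch it with a client that does not execute scripts) rather than over the file in your CMS, because some injections are added by a compromised web server module at response time and never appear on disk.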
Getting a bit nervous? Stay tuned for Part 2 where I’ll wax eloquent on malware and email issues.
After a brief summer break, I start again this week with a weekly post; or so I plan.
This week, the topic revolves around antiviruses and the battle that all AV companies are unequivocally losing.
Traditional Antivirus Solutions
Traditional antivirus technologies focus on recognizing the threat, identifying it properly, and then stopping it. They rely heavily on human beings analyzing pieces of malicious code and creating “signatures.” The entire process of finding malicious code, analyzing it, creating the signature, testing it properly and deploying it can take between 4 and 12 hours. Hackers know this and are taking advantage of it by flooding the Internet with new code at a rate that we now calculate to be about 40,000 new pieces of malware per day. This is unprecedented and is causing the traditional antivirus companies to lose their battle against malware writers, by a very large margin.
To give you an idea of how dismal the situation is, we calculate that every day there are at least 80,000 pieces of malware that no one has signatures for. This means that if one of these makes its way to your computer, not only will your AV not stop it, it may not even recognize that a malicious piece of code was installed. Days later, when you perform a system-wide scan, if your AV has a signature by then, it may recognize that malicious code. Clean-up is often out of the question; quarantining is likely the best you can achieve, assuming the code has not already spread to other computers around you.
Obviously the traditional way of creating signatures is not working and needs to be revised. New approaches need to be invented; new weapons are needed for us to fight this battle and have some chance of turning the tables.
Network Box's Z-Scan
About a year ago Network Box announced a new AV, which we call Z-Scan.
Z-Scan takes an entirely new approach, based on statistical observation, which lets us automate the process of creating and releasing signatures and reduces the entire cycle to a few seconds. The idea behind Z-Scan is that certain things can be judged malicious from where they turned up, and what they actually are is irrelevant.
Network Box has deployed an extensive network of malware traps around the globe; these are email addresses that do not belong to a person, and there is no reason why they would ever receive a legitimate email. Therefore, anything arriving at these traps is either spam or malware.
How Z-Scan Works
When a piece of code is stopped by one of these traps, it is analyzed with three different traditional antiviruses. If these find nothing, the assumption is that this code is malware, but new: a zero-day attack, by definition something no one has yet seen. Hence, the system automatically creates a unique identifier, a hash, and distributes it via our cloud system to all our regional centers. Because the identifier is a hash of the exact bytes, any change to the file, even a one-byte repack, yields a different hash; the approach therefore depends on the same sample reaching the trap network before it reaches customers, which is why the size of that network matters.
When a Network Box customer, e.g. a bank, receives the same piece of code and the antiviruses find nothing, its box computes the same unique identifier (same file and same algorithm yield the same hash) and automatically queries the regional center with that hash. The regional center replies positively, with a confidence factor that reflects how many times that same code has been seen. At this point the bank’s box blocks the code even though it does not know what type of malicious code it is. The reason it blocks it is that this code was seen in a malware trap a few seconds earlier; the odds that a file arriving unsolicited at an address that never receives legitimate mail is benign are negligible, and attaching an official name to that piece of code is irrelevant. What is very relevant is that it needs to be stopped immediately. That is the approach Z-Scan takes. The confidence factor is what makes this defensible: a hash seen once at a single trap is weaker evidence than one seen at a dozen, and the block decision can weigh that, so a single misdirected but harmless attachment is not treated like a spreading outbreak.
To appreciate the relevance of this system, keep in mind that once the traditional antivirus has the ‘official’ signature for a piece of code, its hash is removed from Z-Scan, to keep the lookups fast. Therefore, the number of hashes in Z-Scan is a measure of the number of pieces of malware in the wild that traditional antiviruses are not yet properly catching. The latest count is published on the Network Box website (item #7 of the live statistics shows the number of signatures running in Z-Scan in real time). At the time I am writing this post, that number was above 150,000. This means that right now there are over 150,000 pieces of malware circulating on the Internet that traditional antivirus technologies are not yet catching. And hackers are counting on that to be able to bypass your security system(s). Z-Scan remedies that by stopping this malware with its new statistical approach.
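To make the cycle concrete, here is an added Python model of the trap-to-gateway flow just described. It is not Network Box code and does not reflect their actual data structures; the stand-in "signature engine" (a single byte-pattern check), the choice of SHA-256 for the identifier, the `min_confidence` knob and the sample bytes are all my assumptions.

```python
"""Trap-driven zero-day blocking, modelled on the post's description of Z-Scan.
Added example, not Network Box code; the stand-in signature engine is an assumption."""
import hashlib
from typing import Callable, Dict, List, Optional

Engine = Callable[[bytes], bool]  # a traditional signature engine: True if it recognizes the sample


def sample_id(data: bytes) -> str:
    """Unique identifier for a sample: same file, same algorithm, same hash."""
    return hashlib.sha256(data).hexdigest()


class RegionalCenter:
    """Keeps the hashes of trap-caught samples that every traditional engine missed.
    The sighting count is the 'confidence factor' returned to querying gateways."""

    def __init__(self) -> None:
        self._sightings: Dict[str, int] = {}

    def report_from_trap(self, data: bytes, engines: List[Engine]) -> Optional[str]:
        """A trap received `data`. If no engine has a signature, register its hash."""
        if any(engine(data) for engine in engines):
            return None  # already covered by a conventional signature
        h = sample_id(data)
        self._sightings[h] = self._sightings.get(h, 0) + 1
        return h

    def query(self, h: str) -> int:
        """Confidence factor: how many times this hash has been seen in the trap network."""
        return self._sightings.get(h, 0)

    def retire(self, h: str) -> None:
        """Drop a hash once the traditional engines ship a signature for it."""
        self._sightings.pop(h, None)

    def outstanding(self) -> int:
        """Hashes still active: malware the traditional engines do not yet catch."""
        return len(self._sightings)


def gateway_verdict(data: bytes, engines: List[Engine], center: RegionalCenter,
                    min_confidence: int = 1) -> str:
    """Decision a customer gateway takes for an incoming file."""
    if any(engine(data) for engine in engines):
        return "block:signature"          # the traditional engines know it
    if center.query(sample_id(data)) >= min_confidence:
        return "block:zscan"              # unknown to the engines, but seen in a trap
    return "allow"


# Stand-in for a signature engine (assumption): knows one byte pattern and nothing else.
ENGINES: List[Engine] = [lambda d: b"KNOWN-BAD" in d]


def demo():
    """Walk one constructed sample through the cycle described in the post."""
    center = RegionalCenter()
    novel = b"MZ\x90\x00 constructed dropper, unknown to ENGINES"
    before = gateway_verdict(novel, ENGINES, center)   # "allow": nobody has seen it yet
    h = center.report_from_trap(novel, ENGINES)        # a trap receives it seconds later
    after = gateway_verdict(novel, ENGINES, center)    # "block:zscan"
    center.retire(h)                                   # a traditional signature arrives
    return before, after, gateway_verdict(b"quarterly report", ENGINES, center)


if __name__ == "__main__":
    print(demo())
```

Raising `min_confidence` to 2 or 3 trades a few seconds of latency for protection against a single trap receiving a misaddressed but harmless attachment; the right value depends on how many traps the network has and how quickly a real campaign hits several of them.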
Many companies greatly underestimate the security issues in the cloud and end up trying to protect their servers only with a firewall, if even that. Because the cloud is being approached as a way to save money by reducing hardware rather than by improving efficiency, the idea of deploying security in the cloud is too often overlooked as an expensive and unnecessary luxury. This is heaven for the hackers, who couldn’t ask for anything better than an environment full of servers that aren’t protected.
When Network Box started operations 11 years ago, security was generally seen as a firewall and, maybe, antivirus on the workstations. Over the years we have been telling our customers that this is not enough. IDS, IPS, and several other gateway protections have emerged. Network security today can be very strong; but too many companies are not adopting the same at the virtual level.
For one thing, in the virtual world you can’t install your own device. So you need to use what is available as a virtual solution. Some companies have virtualized their systems already; Network Box, for example, has a completely virtual version of its award-winning hardware-based solution. The two versions are identical in every respect, including how the system is managed.
But most of the other offers, which customers can manage themselves, are just firewalls. And this poses a problem and a risk. A firewall is only a starting point, and definitely not the “entire” security you need to protect a network. IDS, IPS and much more is needed, just as it is in the physical world.
One solution we have seen does not even include the ability to create an IPsec VPN. You need to install your own open source code, compile it and configure it. Where are the savings when your people need to spend so much time securing everything? And so it happens that security becomes secondary because it is seen as too expensive to be done properly.
What makes matters even worse is the generalized lack of appropriate processes and procedures to deal with the cloud. When you move your data in the cloud, you need to ensure that access controls are as strong as they can be; you also need to reinforce your database even more than when you have it in house; and you need to define very clearly who has access to what and why. The same processes and procedures you use inside your company need to apply to the cloud.
Because most of what is hosted in the cloud is servers running databases or backups, too often we see connections from the company to the cloud made via RDP, without any form of protection. My major concern is RDP exposes a login account to the Internet. And hackers have all the time they want to conduct any form of exploit – this could be a brute force password attack, but most likely it will be some sort of malformed packet that will run arbitrary code on the server. RDP should never be opened to the Internet at large. If no other option is available, it should at least be restricted to well specified source addresses.
The best way to protect your cloud is to adopt an integrated firewall/IPS/VPN solution; this will deliver the best security available in traditional environments, and allow for full protection of the cloud servers and data. Connection from the company’s network to the cloud should never be made other than through a VPN. Inbound access from the Internet to the servers should be tightly controlled, and allowed only from specific IPs if possible, and only if and when necessary.
Outbound access to the Internet should be controlled as well, by opening only the ports that are really needed, which in most cases means DNS (domain), HTTP and HTTPS, plus perhaps a handful of ports to reach an authorization or authentication server, if really necessary (and those should be restricted to the IPs of the remote servers).
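As an added illustration (not Network Box code), here is a Python check of a cloud server's firewall rules against the policy just described: RDP never open to the Internet, inbound from the Internet only for the VPN itself, outbound limited to DNS/HTTP/HTTPS unless pinned to a named server. The rule format, the set of VPN ports treated as acceptable (IKE and NAT-T on UDP 500/4500, SSL VPN on TCP 443), the /24 cut-off for a "narrow enough" RDP source and the documentation-range addresses are my assumptions, and the two rule sets are constructed to show the weak and the corrected configuration side by side.

```python
"""Audit cloud firewall rules against the post's policy (added example, not Network Box code)."""
import ipaddress
from typing import List, Tuple, Union

Port = Union[int, str]                      # an integer, or "any"
Rule = Tuple[str, str, Port, str]           # (direction "in"/"out", proto, port, CIDR)

RDP = 3389
# Assumed allow-lists: the post names DNS, HTTP and HTTPS as the normal outbound set.
OUTBOUND_OK = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}
# Assumed VPN ports that may legitimately face the Internet: IPsec IKE/NAT-T, SSL VPN.
VPN_OK = {("udp", 500), ("udp", 4500), ("tcp", 443)}
RDP_MAX_PREFIX = 24                         # assumption: anything wider than a /24 is "too broad"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that violates the policy; empty list means clean."""
    findings = []
    for direction, proto, port, cidr in rules:
        net = ipaddress.ip_network(cidr)
        public = net.prefixlen == 0         # 0.0.0.0/0 or ::/0: the whole Internet
        key = (proto, port)
        if direction == "in":
            if port == RDP and public:
                findings.append(f"RDP open to {cidr}: reach it only through the VPN")
            elif port == RDP and net.prefixlen < RDP_MAX_PREFIX:
                findings.append(f"RDP allowed from a broad range {cidr}: narrow it to named sources")
            elif public and key not in VPN_OK:
                findings.append(f"inbound {proto}/{port} open to the Internet: restrict to specific source IPs")
        elif direction == "out":
            if port == "any" or proto == "any":
                findings.append(f"outbound allow-all to {cidr}: open only the ports actually needed")
            elif public and key not in OUTBOUND_OK:
                findings.append(f"outbound {proto}/{port} to any destination: pin it to the remote server's IP")
    return findings


# Constructed rule sets (RFC 5737 documentation addresses).
WEAK: List[Rule] = [
    ("in", "tcp", RDP, "0.0.0.0/0"),        # RDP to the world
    ("in", "tcp", 22, "0.0.0.0/0"),         # SSH to the world
    ("in", "udp", 500, "0.0.0.0/0"),        # IPsec IKE: fine, the VPN must face the Internet
    ("out", "any", "any", "0.0.0.0/0"),     # everything out
]
HARDENED: List[Rule] = [
    ("in", "udp", 500, "0.0.0.0/0"),
    ("in", "udp", 4500, "0.0.0.0/0"),
    ("in", "tcp", RDP, "203.0.113.0/24"),   # office range, only because no VPN option exists
    ("out", "udp", 53, "0.0.0.0/0"),
    ("out", "tcp", 80, "0.0.0.0/0"),
    ("out", "tcp", 443, "0.0.0.0/0"),
    ("out", "tcp", 1812, "198.51.100.7/32"),  # RADIUS, pinned to the authentication server
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules) or ["clean"])
```

The same checks translate directly to a cloud provider's security-group export; the point of running them as code is that the rule set gets re-audited every time someone "temporarily" opens a port.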
The bottom line is that too many companies are adopting lackluster security postures in the cloud because they are trying to contain costs. In doing so they are putting their data in danger. At a minimum, their servers could become either zombies of botnets, or command and control centers of the same. But they could also lose their data and this could compromise the sheer existence of their company.
Do not underestimate the importance of security in the cloud; it is still your data, and it is still your company that could be at risk.
Whether your company is already using the cloud or is planning to do so during the next year, the security of your data is certainly one of your main concerns.
Next to choosing a managed security service, handing the security of your data to someone else must be the single biggest worry for anyone responsible for securing a company's data.
Since this topic encompasses several different aspects, dealing with the various issues of security; I will try to offer thoughts around each of them in the weeks ahead, to ensure each topic is examined as needed.
The first topic we will analyze this week is data control.
Many companies are moving their email to cloud based hosted solutions -- Google, Microsoft, and many others offer this. Your workstations will connect to a remote server using an encrypted channel to download emails. Virtually, you have your own server and your own disks. But physically, your data is stored in the same disk with many other companies’ data and emails.
Some consideration must be given to how this data is protected, and not only from hackers.
Assume you have your own server in house. When the email is stored on that server, it’s under your complete control. Assume that one of your employees does something that requires law enforcement investigation and for that reason you need to hand out your data. If a law enforcement officer shows up at your doorstep without a court order, you can (and likely will) decline to hand over any data. You are not obliged in any way until there is a court order.
Assume now that you are hosting that data in the cloud; say your email is hosted with Google. Do you really think that they will take care of your data the same way you would? I would hope so, but I must be skeptical; after all, why would they anyway?
Now think of that same data stored on that same disk, sharing space with another company. Someone at that company is investigated and their data needs to be given to the authorities. Law enforcement does not necessarily settle for a copy: under a warrant they can seize the physical disk, and with shared storage that disk carries everyone's data. So now your data is on a disk that is being used in a legal case against another company you have no ties with whatsoever; it is no longer stored in the privacy of that data center. You don't even know where it is and who is reading it anymore!
And what if the legal case is coming from another country? What if that disk is being handed over to Scotland Yard? Now your data is not only on a disk used in a legal case that is not yours; it is not even in the US anymore! And you have no control at all!
Is this something you should be worried about? I guess it depends on what type of business your company does, how sensitive that data is, how damaging it would be if it ends up in the wrong ends - be that the competition or the public! The answer can't be the same for every company; this is a consideration each company needs to make based on several parameters, but ultimately the most relevant of all is "what happens if the data ends up in the wrong hands"?
That question is the general question of security and is the reason why we have security in the first place. Moving your data to a hosted solution only adds to the uncertainty surrounding the security of your data, as it adds another layer of possible loss.
UTM seems to have become a misused term; anyone who puts together something more than a firewall in the same box calls it a UTM.
So what are the key elements? Read on:
1) Firewall – of course you want this, but in light of the other features you will want, both packet filtering and proxying will be very useful; so your firewall must be a hybrid.
2) IDS/IPS – today this is a must; you can’t have edge protection without a proper IPS, and it is ridiculous to buy a separate one after you have spent all that money on a UTM device. This feature should be fully integrated with the firewall, to achieve next-generation firewall protection, and should sit INLINE with the firewall.
3) Email protection – this should be much more than just an AV product: policy enforcement to block unwanted attachments (hidden, compressed or otherwise); protection for the mail server, integrated with the firewall and IPS; and protection from vulnerabilities in the mail protocols and servers themselves.
4) Antivirus – protocols to be protected are, at a minimum: SMTP, POP3, IMAP, FTP, and HTTP.
a. AV is too generic a term; a single AV engine is no longer acceptable, as no one vendor can really keep up; best is to have more than one
b. Real-time AV – this is an emerging technology, and we already have it. If you want any hope of blocking emerging threats, you need zero-day protection, which means a real-time AV
5) Antispam. Hackers use all kinds of ways to get in; you need protection against all of them. Antispam should have a proven record of at least 98% protection and should not rely on old spam lists but on more modern techniques, such as SPF checks and many others. We still see too many systems that use old methods that cause far too many false positives and yield poor overall results
6) Web access policy – a company must be able to control where its employees are allowed to go on the internet, and this in turn enhances protection as it prevents users from landing on dangerous websites.
7) VPNs – modern devices should support IPsec for compatibility, but should also offer SSL as a full VPN, with roaming AND site-to-site solutions. PPTP is still around because it is free and built into most clients, but it is not mandatory at this point; its MS-CHAPv2 authentication is known to be weak, so it should not be relied on for anything sensitive.
8) Updates – the Internet moves too fast for updates to be PULLed from the devices. PUSH updates are now a must; Network Box has had this for 10 years.
9) Monitoring/management – this is important because expert configuration is 50% of the protection.
A true UTM device should be seamless - the final result is stronger than the sum of the parts. The antispam should be able to communicate with the IPS, so that a spammer attacking your device will be blocked before the email is even delivered. The antispam should also be able to use the categorization abilities of the web access policy to see if a URL in an email should be allowed or not. The IPS and the firewall should be fully integrated.
There are many other functions that a UTM device can do for you. For example, our device can host DNS records for the company. It can act as DHCP server and NTP server. It supports VLANs (256 per interface), and it can automatically add a signature to any outbound email (for legal statements mostly). We support advanced routing, any type of packet mangling and Quality of Service; we can set up a load balancer in the firewall; and we can support multiple Internet connections either in high availability or in weighted load balance.
Our devices can be set up in high availability or in load balance or in cluster. New functions that are emerging as required on the UTM this year are DLP and Vulnerability Scanning. These functions thus far have been done using separate devices; more and more companies are demanding to see them integrated with the gateway protection.
Lastly, it’s important that the technology offered for small offices is the same provided for the main office. For example, you want the same AV protection, nothing less. -- viruses don’t treat small offices any better than they treat your headquarters. With Network Box, you get the same exact protection whether your office has 1 person or 10,000!
In my Dec. 17, 2010 post, I outlined a number of security trends to watch. I’m going to expand upon this a bit and talk about a few additional things to monitor:
Viruses: zero day vulnerabilities will continue to be one of the biggest threats to small to midsize enterprises as the majority of antivirus vendors take around five hours to provide solutions to new threats. Companies will have to investigate how protection can be provided faster. The continued use of multiple antivirus engines at the gateway and the desktop is one way of bridging this; fast updating technologies provide improved protection. Additionally, new technologies are being provided that can generate protection in under a minute.
Increased scrutiny will be required as viruses become more subtle, hiding more effectively. Scanning internal and external networks for installed malware will be more common, identifying malware that attempts to be unobtrusive. An example of this is the Conficker worm that sat quietly on infected systems, but responded on TCP port 445 enabling companies to remove the threat before it became active.
Mobile devices like tablets and smart phones will infiltrate the network. IDC predicts that by year end, mobile device shipments of new units will have increased by 55% and Gartner estimates that in the same year, 1.2 billion people will be using phones with rich web capabilities.
Increasingly, these are the devices sales and business staff use to keep all their contacts in one place. They need to sync with the desktop to transfer calendar, address book and backups, and that synchronization is the vulnerable moment for companies. The architecture of these systems is going to be critical; not all of them will have the push technology of phones like the BlackBerry, which can keep the systems secure, and this must be a concern going forward even though the number of viruses for mobile devices is currently low.
As always, any questions/concerns, call me at (832) 242-5757 or send an email to firstname.lastname@example.org.
Whether you allow your users to work from home, from the airport, or from anywhere else –– there are some important security implications to consider.
Here are some basic tips:
- Issue company computers that you can control and ensure that operating systems and antivirus signatures are up to date;
- Install an endpoint security solution;
- Allow connectivity only via a VPN, preferably an SSL type, but any is better than an open connection;
- Use software that blocks Internet connectivity when the VPN is not on;
- Educate users to the dangers they face, ensuring they do not share their computer with their family or leave it unattended;
- Do not allow the use of administrative accounts;
- Enforce the use of strong passwords;
- Encrypt the disks or the file system containing the confidential information; and
- Do not allow the use of public computers for any reason whatsoever.
I’ll elaborate on a few of these points. Whether your telecommuters are working from home or on the road, one way to protect against potential data loss is to encrypt the data, either the entire disk or only certain file systems. The second option gives you more flexibility and allows recovery of the data – if the encrypted data is on a separate logical disk – should the operating system become corrupted. Either one is a good solution to ensure that the data cannot be stolen.
You can also limit risk by not transferring the data to the remote computer at all. This can be achieved with thin-client technology. In brief, the application runs on the server, the data is processed on the server, and it never leaves the server. On the client the data is usually kept only in memory and is lost when the client computer is turned off. One caveat: anything paged out to the swap area can linger on the client’s disk, so if you rely on this, the page file should be encrypted or cleared at shutdown as well.
A strong password is essential to protect your data. This is particularly important for roaming users, since their computers are more likely to be stolen or somehow hacked into; an estimated 10% of all laptop computers are stolen at some point, and 97% of them are never recovered. There is a great aftermarket for stolen laptops, and even though the thieves’ usual motive is just to sell the computer – not access data – it’s just plain common sense to have a strong password, along with disk or data encryption. Passwords should also be changed every now and then, but try to strike a balance so that changing the password doesn’t become a weak point in the security chain.
All these rules and precautions should apply to your IT department and yourself. Implement the above suggestions, and the chances of telecommuters’ files being compromised will be remote.
One of the worst issues for data security is that many, even among the security professionals, confuse that expression with network security, and believe that an IPS is all it takes to secure their data. In reality, data security is a much larger issue, that includes network security only as part of it.
Over the past four years, there has been an overwhelming yearly increase of new malware. This is causing serious issues to the AV community, because the antivirus companies can’t keep up. The traditional method of grabbing a sample, preparing a signature, sending it to regression tests and releasing it after maybe six hours no longer works.
Enter the cloud – which is making things a whole lot worse. Today, in the cloud, many companies are installing their servers without any security, and those who do deploy some form of security, install a basic firewall and nothing more. Most of the times, no AV on the servers, no IPS, no monitoring; they open ports for remote connection without using VPNs, and do things that are wrong and dangerous. It almost seems that, because it is “in the cloud”, security is not an issue. And yet, it is as much of an issue as it is for in-house infrastructure, if not more. Since most cloud infrastructure providers do not offer any security, most customers opt for “taking the risk”, or maybe they do not even realize the risk, assuming that the provider has some sort of global security for all their customers.
Data security needs to be regarded as a separate issue because there are things that a firewall and IPS cannot protect from. For example, one issue is access control. Assigning the proper privileges to each user is not a simple task, as it requires a high level of planning. Many administrators tend to take the easy shortcut of assigning too much access to users that do not need it. So, they end up inevitably with too many users with too much access — this leads to possibly losing data by errors or omissions, or simply intentionally.
What do you do? One solution is to deploy a logging and monitoring system that will record any activity from the logon to the logout, and will raise alerts when it sees patterns of activity that are unusual.
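The following is an added example, not a Network Box product or code from the post, of what "record activity from logon to logout and alert on unusual patterns" can look like in practice. It learns each user's usual files and logon sources from a period assumed to be clean, then flags off-hours activity, a run of failed logons, a successful logon from a source never seen before, and access to objects outside the user's baseline. The log format and both sets of log lines are constructed for the demonstration; a real deployment would feed it from the server's authentication and file-audit logs.

```python
"""Logon/file-access monitoring that alerts on unusual activity (added example, not the post's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format, constructed for this example:
#   <ISO timestamp> user=<name> action=<LOGON|READ|WRITE> [object=<path>] [src=<ip>] [result=<OK|FAIL>]
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: object=(?P<object>\S+))?(?: src=(?P<src>\S+))?(?: result=(?P<result>\S+))?$"
)


def parse(text):
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def build_baseline(events):
    """Per user: objects touched and logon sources used during a period assumed to be clean."""
    base = defaultdict(lambda: {"objects": set(), "srcs": set()})
    for e in events:
        if e["object"]:
            base[e["user"]]["objects"].add(e["object"])
        if e["src"]:
            base[e["user"]]["srcs"].add(e["src"])
    return base


def detect(baseline, events, fail_threshold=3, work_hours=(7, 20)):
    """Return (user, timestamp, reasons) for every event that deviates from the baseline."""
    alerts = []
    fails = defaultdict(int)              # consecutive failed logons per user
    for e in events:
        user, reasons = e["user"], []
        profile = baseline.get(user)      # None for a user never seen in the baseline
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            reasons.append("off-hours activity")
        if e["action"] == "LOGON":
            if e["result"] == "FAIL":
                fails[user] += 1
                if fails[user] == fail_threshold:
                    reasons.append(f"{fail_threshold} failed logons in a row")
            else:
                fails[user] = 0
                if profile and e["src"] not in profile["srcs"]:
                    reasons.append(f"logon from unseen source {e['src']}")
        if e["object"] and (profile is None or e["object"] not in profile["objects"]):
            reasons.append(f"access outside baseline: {e['object']}")
        if reasons:
            alerts.append((user, e["ts"].isoformat(), reasons))
    return alerts


# Constructed logs: a clean week, then a night in which a sales account reaches the DB backup.
BASELINE_LOG = """
2012-02-20T09:02:11 user=jsmith action=LOGON src=10.0.5.23 result=OK
2012-02-20T09:05:40 user=jsmith action=READ object=/sales/pipeline.xlsx
2012-02-20T10:11:02 user=jsmith action=READ object=/sales/contacts.csv
2012-02-20T09:30:00 user=admin action=LOGON src=10.0.0.2 result=OK
2012-02-20T09:31:15 user=admin action=READ object=/db/backup.sql
"""
LIVE_LOG = """
2012-03-01T14:02:33 user=jsmith action=LOGON src=10.0.5.23 result=OK
2012-03-01T14:05:01 user=jsmith action=READ object=/sales/pipeline.xlsx
2012-03-02T02:15:07 user=jsmith action=LOGON src=198.51.100.77 result=FAIL
2012-03-02T02:15:21 user=jsmith action=LOGON src=198.51.100.77 result=FAIL
2012-03-02T02:15:40 user=jsmith action=LOGON src=198.51.100.77 result=FAIL
2012-03-02T02:16:02 user=jsmith action=LOGON src=198.51.100.77 result=OK
2012-03-02T02:17:45 user=jsmith action=READ object=/db/backup.sql
"""


def run():
    """Build the baseline from the clean period and check the live log against it."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG))


if __name__ == "__main__":
    for user, ts, reasons in run():
        print(ts, user, "; ".join(reasons))
```

The baseline is only as good as the period it was built from, so build it from logs you have already reviewed, and re-learn it deliberately when roles change rather than letting it drift.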
There is another risk too — when you put data in the cloud, unless it is a private cloud, you are sharing resources with other companies who are using the same server and the same disks. And here lies the key – the disks. Your data is usually written on the same disk with data from other companies.
So, now assume that the FBI is investigating one of these companies and obtains a court order to seize that disk. First of all, you have just lost your data (OK, you have a copy; you can rebuild everything, not a big deal). But your data has just been “given” to an investigative bureau together with that of a company that is under investigation. Your data is no longer private at that point and anything can happen.
Other questions to consider – do you know where data and the data center is? What if that data is not even in the U.S.? What if you are sending your data to a country that has the right, by its national laws, to take it without any reason? Is it relevant to you? If it isn’t, then don’t worry. But if it is, well, at least make sure that the provider you deal with has data centers only in the U.S.
The bottom line – do your homework first before taking the plunge into the cloud, and of course, feel free to call/email me if you have any questions. I'd be happy to be of assistance!
Last week, we unveiled the new M-385, which is replacing our popular M-380, as part of the Network Box family of unified threat management (UTM) appliances.
So, why should you upgrade to the M-385? For starters, if you’re a current Network Box USA customer, it won’t cost you a dime – the appliance is lent to you for the duration of your contract and you only pay for the service. So, you don’t have to worry about any hardware purchases or amortizing it over time.
The new M-385 also triples the performance of the M-380 and integrates a wide variety of applications. Some of these include anti-spam, anti-phishing, anti-spyware, firewall, intrusion prevention and protection, and virtual private network. Users get a sophisticated hybrid of hardware and software so your enterprise can fight backdoors, hackers, worms and other online threats.
And there’s more – via our PUSH technology, updates are performed in real time. So whenever a new antivirus signature, security patch or software update becomes available, it’s pushed out to all Network Box devices worldwide in less than a minute.
Support is also provided for Network Box advanced services – such as load balancing, quality of service, and advanced policy-based routing – and the units are monitored from our Global Management System. In addition, they can be integrated with existing clusters and networks of Network Box UTM appliances.
The M-385 is sold through our reseller channel and remotely managed by Network Box USA. Any questions? Call us at 832-242-5758, toll free at 888-315-8886, or inquire via email: email@example.com.