Tag Archives: network security

Why Microsoft shops have to worry about security

I am putting together a semester-long, hands-on security training course for a local college. The college asking me for the program showed me a proposal they got from a professional IT training company for a 120 hour information security course. They are trying to figure out how to decide, so they sent me the competing proposal and lo and behold, 92 out of 120 hours is about certifying people for Checkpoint firewalls and Microsoft ISA server. Here is what I told the college:

This course focuses on two Checkpoint courses, CCSA and CCSE, which account for 80 hours out of a total of 120. Then they spend another 12 hours on Microsoft ISA server. The course only spends 8 hours on information security management and 8 hours on application security. From a marketing perspective, the course brochure looks slick. But not more than that.

Because of courses like this, companies have so many data breaches. After the course, the students will know a few buzzwords and how to click through the Checkpoint UI, but they won’t understand anything about hacking software.

If you want to understand data security you have to get down into the dirt and roll up your sleeves instead of learning how to click through the Checkpoint user interface. Microsoft system administrators in particular need to understand security and how to think about threat response and mitigation, because their thought processes have been seriously weakened by the Microsoft monoculture. They need to think about network, data security and software security threats and how to tie it all together with a practical threat analysis and information security management approach. They can always train on Checkpoint afterwards…

This reminds me of what Paul Graham writes in his article Beating the Averages:

The first thing I would do… was look at their job listings… I could tell which companies to worry about and which not to. The more of an IT flavor the job descriptions had, the less dangerous the company was. The safest kind were the ones that wanted Oracle experience. You never had to worry about those. You were also safe if they said they wanted C++ or Java developers. If they wanted Perl or Python programmers, that would be a bit frightening – that’s starting to sound like a company where the technical side, at least, is run by real hackers. If I had ever seen a job posting looking for Lisp hackers, I would have been really worried.

So – if you are a real hacker, look for companies with security administrators who are certified for Microsoft ISA server and you will have nothing to worry about. But if your target’s security administrators are facile with Wireshark, Ratproxy, Fiddler and Metasploit, then you should be really worried.


Netwitness – next generation network traffic analysis

Imagine Harrison Ford doing traffic analysis on your network.

Hmm – there’s a thought.

The US-based company – Netwitness has been making a lot of noise lately about their “next generation” capability to perform full session reassembly and threat analysis from packet capture. This is a great feature to have for traffic analysis that has been available from other open source tools like Snort, Sguil and NetworkMiner for years. I was doing full session traffic analysis with Snort over 5 years ago – when we had problems in a UDP-based physical security control network that opened and closed doors in a 40 story office building…

NetWitness Investigator is the award-winning interactive threat analysis application of the NextGen product suite. Our patented methods of viewing network session and application data have helped our clients fill in the visibility gaps that exist in their firewall, intrusion detection, SIEM and other security infrastructures. Now, the entire community of security practitioners will have the capability to obtain faster and clearer insight into today’s advanced threats.

Download Investigator and see for yourself using your own data why top government agencies, banks, and Fortune 1000 companies have turned to NetWitness.

Netwitness is exactly what they say it is – a very good network traffic analyzer. However – beware of vendor marketing overshoot – network traffic analyzers are not data loss prevention systems like Fidelis Security Systems XPS, Vontu (now Symantec) or Websense (formerly Port Authority).

  • Recording all the traffic is not the same as producing potential data loss events with a high level of precision and recall.
  • Netwitness performs session reassembly and extracts metadata such as hostname and filename, but Netwitness doesn’t perform file-format-independent content analysis. A regex for a keyword might work for a plain-text string in a simple SMTP email, but it is totally worthless for URL-encoded text in webmail, Microsoft Office, PDF, OpenOffice etc.
  • It records all the traffic. On a 1GB network – that is 100MByte/second. Do the math regarding disk space, network performance and computing capacity. Recording all the traffic also means that Netwitness users are in 100% violation of EU privacy laws that specifically prohibit recording of personal information. BTW – the last time I benchmarked pcap, it maxed out at about 100MB/s.
  • Netwitness doesn’t provide rule-based policy capability.
  • Netwitness doesn’t provide event management, an event analytics database, central console management, or distributed sensor provisioning and management.
  • Netwitness doesn’t provide extrusion prevention / data loss prevention.
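The first two points above (precision and recall, and why a raw keyword regex fails on URL-encoded webmail) are easy to see in code. The following is an added illustration written for this post, not Netwitness or any DLP vendor’s code: two constructed payloads carry the same sensitive sentence, one as a plain SMTP body and one as a URL-encoded webmail form POST. A naive regex over the raw session bytes catches the SMTP copy but misses the webmail copy, because the spaces are encoded as `+` and the punctuation as `%XX`; a detector that first normalizes the form-encoded body catches both. The keyword, hostnames and payloads are constructed sample data, and `evaluate` reports precision and recall of each detector over the labelled samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample sessions (not real captures). The same sensitive
# sentence appears in a plain SMTP body and in a URL-encoded webmail POST.
SMTP_PLAIN = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: plan\r\n\r\n"
    b"Attached: Project Falcon budget, internal only.\r\n"
)
WEBMAIL_POST = (
    b"POST /mail/send HTTP/1.1\r\nHost: webmail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"to=bob%40example.test&subject=plan"
    b"&body=Attached%3A+Project+Falcon+budget%2C+internal+only."
)
BENIGN_POST = (
    b"POST /mail/send HTTP/1.1\r\nHost: webmail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"to=bob%40example.test&subject=lunch&body=Pizza+on+Friday%3F"
)

# (payload, is_sensitive) pairs used to score the detectors.
LABELLED_SAMPLES = [(SMTP_PLAIN, True), (WEBMAIL_POST, True), (BENIGN_POST, False)]

# Hypothetical DLP keyword policy: the project codename as a phrase.
KEYWORD = re.compile(r"project\s+falcon", re.IGNORECASE)


def naive_match(payload: bytes) -> bool:
    """Keyword regex over the raw session bytes, as a packet-level tool would run it."""
    return KEYWORD.search(payload.decode("latin-1")) is not None


def normalized_views(payload: bytes):
    """Yield the raw text plus decoded views of any form-encoded HTTP body."""
    text = payload.decode("latin-1")
    yield text
    head, _, body = text.partition("\r\n\r\n")
    if "application/x-www-form-urlencoded" in head.lower():
        # Decode each field value: '+' becomes a space, '%XX' becomes the byte.
        for field in body.split("&"):
            _, _, value = field.partition("=")
            yield unquote_plus(value)


def normalized_match(payload: bytes) -> bool:
    """Keyword regex over every normalized view of the session content."""
    return any(KEYWORD.search(view) for view in normalized_views(payload))


def evaluate(detector, samples=LABELLED_SAMPLES):
    """Return (precision, recall) of a detector over labelled samples."""
    tp = sum(1 for p, sensitive in samples if sensitive and detector(p))
    fp = sum(1 for p, sensitive in samples if not sensitive and detector(p))
    fn = sum(1 for p, sensitive in samples if sensitive and not detector(p))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, det in (("naive", naive_match), ("normalized", normalized_match)):
        p, r = evaluate(det)
        print(f"{name:<10} precision={p:.2f} recall={r:.2f}")
```

Run stand-alone it prints the naive detector at recall 0.5 (it misses the webmail copy) and the normalized one at recall 1.0, with both at precision 1.0 on these three samples. Office, PDF and OpenOffice documents are the same problem one step further: the content has to be extracted from the container before any keyword rule is meaningful, which is the file-format-independent content analysis the post says a traffic recorder does not do.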