Dan Blum
Research VP
19 years at Gartner
33 years IT industry
Dan Blum, a VP and distinguished analyst, covers security architecture, cloud-computing security, endpoint security, cybercrime/threat landscape, and other security technologies. Mr. Blum has written hundreds of research…
by Dan Blum | July 12, 2011
There is no dictionary.com definition of “cyberwar” but there’s plenty of colloquial use of the term. Especially lately.
As multiple breaches and DDOS attacks struck the U.S. and Europe in the savage spring of 2011, I became fascinated with the concept of cyberwar, and then increasingly appalled. In the heat of those news moments I felt we were approaching a state of cyberwar in the world.
I struggled to blog about it, but the initial efforts made trusted colleagues uncomfortable. One told me to “be wary of over-simplifying an area that has many actors and dimensions and largely speculation about the role of nation state intelligence agencies in several noteworthy and publicized attacks.”
Yet the unease with definitions isn’t universal. Andrew Walls at the Gartner Security Summit asked rhetorically: “Does the definition matter?” and noted that the last time the U.S. formally declared war was during World War II.
Indeed, many define cyberwar pretty broadly. According to the “free online dictionary,” cyberwar is just “an assault on electronic communications networks.” As described in another post on cyberwar definitions, even the experts’ opinions differ.
Yet another colleague, Ramon Krikken, got me wondering: Should more sober heads prevail? Ramon comes from the Netherlands, a country on the plains of Northern Europe, one of history’s great invasion routes.
To paraphrase Ramon’s concerns, “I’d rather you didn’t call it war. I’d rather we didn’t get into another war. Definitions are important and calling something war when it isn’t is asking for trouble. I don’t see current cyber-attacks rising to the level of war, which would mean we’re considering all options including a kinetic response.”
To follow this train of logic, most of the cyber-attacks we’ve seen have been undertaken by individual criminals or hacktivists rather than nation states. And most suspected nation state advanced persistent threats (APTs) fall into the espionage bucket. Bitterly resented, maybe. Cause célèbre for war, rarely.
This isn’t to say we won’t see nation states (or their proxies) conduct digital attacks with kinetic consequences in the future. In fact, a spectacularly successful attack on the electrical grid or the financial system might cause enough economic damage to be called an act of war even if it doesn’t immediately kill anyone.
The good news is that we’re not there yet. The bad news is that nation states are building digital arsenals through cybersecurity programs just in case on again, off again efforts at diplomacy fail. Last month I received an inquiry from a client in a medium-sized country asking me to rate the comparative cyberwar capabilities of four other nations. I declined because we don’t provide that sort of research.
But it was one more data point that made me think one should be careful about the language one uses on this complex issue, and consider de-escalating the situation. But that’s for my next post.
Perhaps this sums it up best. Again, from Andrew Walls: “When I hear the term cyberwar, it tells me that the speaker is attempting to define their pursuits and interests as different and more important or arcane than mere information security. The term is political speech, not a meaningful term that defines or describes a group of activities.”
Category: Uncategorized Tags: cybersecurity, cyberwar
by Dan Blum | April 8, 2011
Recently having discovered Google’s 2 step verification feature, I found much to like, but a few concerns.
What’s to like? I’ve been wondering for 10 years when it would become commonplace to use the ubiquitous mobile phone as a second factor authentication device. Now it’s here from Google, and it’s free. After signing up for the feature in a Google account, you’d receive the one time password (OTP) via an application on the phone, a short message system (SMS) text, or even a voice mail.
Now you may be wondering, is 2 step convenient? What if I don’t have coverage? The OTP app on the phone generates a different code every 30 seconds according to a time-based algorithm; it doesn’t need coverage. Also, if you find it inconvenient to deal with the two-step sign-on many times a day, you can set the Google Account to remember your PC, i.e. eat cookies. This diminishes physical security but keeps the risk of remote attacks about as low as it can be. A ZDNet Tech Broiler blog entry put it more colorfully: “the bad guys won’t have a [rat’s] chance in hell of breaking into your account.” That is, as long as they don’t have spyware on the PC. (Note that spyware is always a threat to OTP, at least at the time of use.)
What’s not to like? Tech Broiler complained that Google 2 Step Verification “also broke all the web sites which I use that have to cross-site authenticate using my Google account, of which there were about a dozen, including FaceBook and Quora.”
Google has (since then?) instituted per-application passwords. As described in Google Account help: “Some applications that access your Google Account (such as Gmail on your phone or Outlook) cannot ask for verification codes. To use these applications, you will not use verification codes. Instead, you’ll enter an application-specific password in place of your normal password.” The per-application password can also be remembered on the PC or device if that application allows it. Though to be honest I don’t completely understand this feature, it sounds like per-application passwords protect the main account but give up some of the convenience of single sign-on in return for not much incremental per-legacy-application assurance.
My final concern is around recovery, and I have a question in to Google about this that must be answered. Because the last thing I need is to be travelling someplace in South America and lose my phone AND my Gmail account. I’m going to need to be able to reset back to one step – and fast – in that scenario.
I did see some recovery features with Google Accounts that let you reset your password through a pre-configured alternate email address or use secret questions and answers but I’m not sure how that works when two step is turned on. Purists might say: “What good is two step authentication if recovery (or exploitation of recovery) only takes one step?” To which the counterargument would be that the recovery mechanism also (sort of) takes two (weaker) factors and that all multi-factor authentication mechanisms have this kind of issue. Authentication is just plain HARD!
Personally, I just want to know how the recovery works before I turn on the feature. It may be that Google has brought better authentication a bit closer to the masses.
Category: Cloud IAM Tags:
by Dan Blum | February 21, 2011 | 1 Comment
This irresistible pun-and-metaphor popped into my head Sunday morning after my wife showed me the Economist’s Enomaly SpotCloud article, and it stuck, leaving no option but to succumb to writing what is for me an unusually short and chatty blog entry.
For all the upcoming sarcasm or irony, I believe cloud brokerage has a shot at being the wave of the future, and some of my colleagues are dead certain of it. Cloud brokerages will compete to commoditize cloud services while providing security functions.
But for now SpotCloud has high fees and no guarantees. The Google App Engine-hosted spot market for buyers and sellers of cloud computing skims 10%-30% off the top and offers no service level agreements (SLAs).
Further, the identity of the sellers of virtual machine (VM) capacity is opaque to SpotCloud buyers. Although according to the article “buyers can also specify in which country or even city they want their virtual machines to run,” they must rely on sellers such as an unnamed “entertainment company” to keep any border-sensitive data in the desired country.
On the bright side, the entertainment company’s 4,000 servers would “otherwise sit unused, probably in the lull between making animated movies.” I like that – it’s the bit about how companies with servers to sell Christmas cards in December, Easter eggs in April, and pumpkins at Halloween could share and consolidate resources to make this a greener planet.
So take a look at the savings (as long as you don’t need security). The FAQ is here. You’ll find that, like the fabled Horatio Alger, Enomaly with SpotCloud is working its way up from the bottom.
Category: Uncategorized Tags: cloud computing
by Dan Blum | February 16, 2011
The ongoing turmoil in Egypt encourages me to finally write this long-fermenting blog post. I’m recalling one of the exchanges from a very interesting dialogue with a company considering a three-tier U.S. hub, world region hubs, and country data center model. After brainstorming about hosting in Europe and Asia with me he asked, “Where do we put a data center in the Middle East?” We then thought “Qatar’s good, but too close to Iran. Maybe Egypt would be better ‘while Mubarak still rules.’” How times change and the stability once-assumed is gone!
Many global, multinational companies are larger than small or even medium-sized nation states. Does globalization of entire industries and increasing political assertiveness by governmental regulatory agencies demand that IT, too, have a foreign policy? That puts the ball squarely in the CIO’s court. With the security and business continuity issues looming large among many others, CISOs must also get involved. I enjoy advising organizations thinking about these topics, which marry my lifelong interest in international affairs with my IT expertise.
In the age of abundant, low cost bandwidth, international affairs may drive decisions on siting even more than performance speeds and feeds. Global siting may be affected by any or all of the following concerns.
• Threats: Some organizations are facing ongoing waves of cyberattack from certain countries (see my blog post on Operation Aurora). Putting a data center in a “hot” country may expose the organization to more attacks or make it impossible to screen out traffic from that country.
• Compliance and identity: As I wrote in “The End of Identity Silos,” organizations face restrictions on cross-border transfers of personal data. Having data centers in multiple regions allows organizations to keep identity data localized in Europe for example, or U.S. ITAR data in the U.S. Some data would stay in the desired region, or country, under control of local data owners that work for the company.
• Lawful intercept: Google, Blackberry-maker Research in Motion (RIM), and many other companies that operate services internationally face increasing law enforcement demands for access to data files and data flows. Encryption without backdoors or escrow isn’t allowed everywhere. Private data center operators may face the same demands. Keeping data in a relatively unobtrusive jurisdiction helps preserve privacy and confidentiality.
• Business continuity: No organization wants to see its data center investment go down before riots, or up in flames. Part of the foreign policy is a search for stability.
• Patronage: Siting in an important country or regional market shows potential customers and partners that one’s organization is serious about doing business there. Getting orders from overseas customers may even demand reciprocity, with both the company and region investing in a common business venture.
• Cost: Also a major factor. Some world regions have higher land, labor, or energy costs.
To net things out, multinational corporation CIOs must develop foreign policy that balances stability with patronage concerns, compliance with cost concerns, and so on. Of course one could always paraphrase Microsoft’s commercial: “To the cloud!” and outsource some of these concerns.
The question then becomes, what is the foreign policy of the cloud service? At the end of the day, public or private cloud operators alike might do well to put data centers in multiple regions but make the data (and applications) highly mobile. Picture that – barbarians at the gate, but the data is already in flight.
Category: Uncategorized Tags: cloud security, foreign policy
by Dan Blum | January 24, 2011
It was the “Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era” title that got me out of bed in the morning for the cold commute to the conference in Crystal City. In the best BlackHat form, Bryan Sullivan’s presentation uncorked a lot of information about attacks on the Web layers – and still deeper – into the cloud:
• Repetitive AJAX client calls on discretely callable web services in the midst of state transition to induce deadlocks (e.g. “hold seat” in reservation process)
• String to floating point conversion attack that puts old versions of PHP into infinite loops
• ZIP nested file bombs to fill cloud storage
• Billion laughs attack, exploiting nested entity resolution in the XML parser to hang the compute process
• Regular expression (regex) strings that tie the regex evaluation process in knots and hang the compute process
To net it out, if you’re a user or service provider of a multi-tenant cloud – especially an IaaS or PaaS one with all kinds of different programs running in it – the “beast” is the volume of cybercrime and cyberbugs. Threat meets opportunity. Think botnet doing Google searches to find all the vulnerable web exposed services in a cloud, or just traversing its address range, and launching these (and more) attacks from thousands of bots. This is bad.
Which leads me to reflect on some larger issues raised in other conference presentations. Keynote speaker and former government security executive Franklin Kramer argued for a strategic emphasis on resilience that starts with the assumption that some attacks are going to get through. That blindingly obvious fact was empirically reinforced by Apple sandbox disassembler Dionysus Blazakis in his recounting of software fuzzing work that first found bugs in Adobe and then that “most software breaks a lot” and at least some of those bugs can be exploited. Kramer’s architectural prescription for resilience is:
• Redundancy
• Diversity
• Distribution, isolation, and segmentation
• Integrity and least privilege
• Moving defenses
• Deception, and
• Adaptive management
Sullivan provided practical examples of ways that cloud services, or any web-based services, can become more resilient in his defense proposals for each of the cloud DOS attacks. The “number of the beast” attack uses an evil but valid number to send the PHP string-to-floating-point conversion function into an infinite loop. Bryan said one can mitigate this by upgrading to PHP version 5.2.17 or 5.3.5, setting a compiler flag to change the default way conversion is done, or (worst) writing a blacklist signature for a WAF to filter the number. For the others: don’t expose transactions in the midst of state transitions as web services, disable external entity resolution in XML if you don’t need it, do anti-virus scans on all uploaded files (e.g. .ZIP), and so on. Both Sullivan and Blazakis also mentioned that platform defenses (ASLR, NX, stack canaries) are working to make exploitation harder, so one needs to be sure they’re enabled for specific applications.
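As an added illustration of the XML defenses above (my own code, not Sullivan’s), here is a parser for XML arriving from an untrusted tenant that refuses entity declarations outright and refuses external entity resolution, so the nested-entity expansion behind the billion laughs attack never starts. The miniature sample document is constructed for this example: three entity levels that expand 2 characters into 32, where the real attack uses about ten levels of ten references each. An unguarded parse of the same document is included to show the growth; disabling external entities alone would not stop it, because the nesting uses internal entities.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document declares or references entities."""


# Constructed samples (not real tenant data).
BENIGN_DOC = b'<tenant id="42"><name>acme</name></tenant>'
# Miniature nested-entity document: "ha" -> 4x -> 4x = 32 characters of output.
TINY_LAUGHS_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "ha">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<r>&c;</r>"""
# External entity reference pointing at a placeholder host.
EXTERNAL_DOC = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://example.invalid/data">]>'
                b'<r>&ext;</r>')


def parse_untrusted_xml(data: bytes, max_bytes: int = 1 << 20) -> dict:
    """Parse untrusted XML into a small dict tree {tag, attrs, text, children}.

    Hardening: an input size cap, no entity declarations of any kind (internal or
    external), and no external entity resolution. Recent expat versions add an
    amplification limit as well, but it only activates above a large output
    threshold, so rejecting entities explicitly is still the right default.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds cap of {max_bytes}")

    parser = expat.ParserCreate()
    parser.buffer_text = True
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the DTD, before any expansion happens.
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def external_entity(context, base, system_id, public_id):
        # Belt and braces: never fetch anything the document points at.
        raise UnsafeXML(f"external entity {system_id!r} rejected")

    def start(name, attrs):
        node = {"tag": name, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)   # handler exceptions propagate out of Parse()
    if not root["children"]:
        raise UnsafeXML("no root element")
    return root["children"][0]


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


def expanded_text_length(data: bytes) -> int:
    """Character count an unguarded expat parser produces (illustration of the growth)."""
    total = 0
    parser = expat.ParserCreate()

    def chars(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return total


if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_DOC))
    print("unguarded expansion of tiny sample:", expanded_text_length(TINY_LAUGHS_DOC))
    print("tiny sample rejected:", is_rejected(TINY_LAUGHS_DOC))
    print("external entity rejected:", is_rejected(EXTERNAL_DOC))
```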
So many attackers, so many bugs, so little time. That’s the “beast,” and if we’re going to get its “number” we’re going to have to become more resilient.
So ask questions. Is the cloud OS enabling platform defenses and assessing DOS vulnerabilities? How can the provider and customers harden, whitelist, throttle, rate limit, isolate, monitor, etc., etc.? I’m currently working on a paper about “Determining Cloud Security Assessment Criteria.” I know where I have to tweak it after going to this conference!
Category: Cloud Tags: cloud security
by Dan Blum | November 21, 2010 | 1 Comment
“Is this turning into some sort of trade war?” I wondered over breakfast last July at our Catalyst conference. I’d just finished a conversation with a European client who said that he would only consider doing IT outsourcing with a company that had a European presence. He said that sending personal data overseas, even to a vendor enrolled in the US/EU Safe Harbor program, would require too many approvals within his organization.
Cross-border restrictions on personal data, or national security data, or other kinds of data are nothing new. But the issue has become more pressing with the growing use of cloud computing services that offer massive network, compute, and storage capacity allowing IT demand – ideally – to find the most cost-effective and value adding service anywhere in the world.
The same issue came up again in a dialogue with a Canadian client last month, whose security staff asked us whether it was legal for them to host employee data with a human resources outsourcing service based in the US. I’ll paraphrase my colleague Bob Blakley, who after giving the standard disclaimer that we can’t provide legal advice, said: “The guidance on the Canadian Privacy Commissioner web site indicates it would be legal in your situation, but makes it pretty clear that if something went wrong the office would be happy to pile on to the inevitable media criticism.”
This led to a further discussion of the facts of life and governments. In any country, law enforcement proceedings could lead to disclosure of commercial information; sometimes those proceedings are publicized, in other cases the authorities put a gag order on the investigation. When our client asked if there was a data haven somewhere, Bob replied: “Where would that be? A country without a functioning government? When the interests of a country are threatened, the government will go after the pertinent information.”
This reminded me that I’ve often felt the U.S. is singled out for criticism of its Patriot Act, which in some sense just acknowledges the unpleasant reality of what other governments would do anyway. I then asked Bob a rhetorical question:
“Do rising restrictions on cross-border data transfers mean the end of world trade?”
“No,” he answered, “But it means the end of trade in identity data.”
This changed at least my paradigm on the issue. We went on to talk about the architectural implications of growing restraints against onward data transfer. If organizations all over the world are to leverage IT services without border constraints, and if multi-national organizations are to function well, they must separate identity data from application silos. As another colleague Robin Wilton likes to say, they must treat identity data like toxic waste: minimize it, separate it, and manage it.
Service providers must do likewise. Cloud computing is sometimes called “the industrialization of IT” because it dramatically lengthens the IT services supply chain through division of labor and fulfillment of IT needs using the highest expertise at the lowest cost. But for this industrial dynamo to keep whirling at speed, it must throw off the chains of application identity silos.
At Gartner IT1 (formerly Burton Group) we’ve been writing for years about federated identity, loosely coupled service oriented architecture (SOA), and (more recently) runtime data aliasing and other technologies that can enable applications to leverage personal data or other sensitive information without having to store or even know the contents. Today, software as a service (SaaS) and other cloud offerings still house a YETA (yet another directory, or account database) but that could change. Already, many support Security Assertion Markup Language (SAML) and other capabilities to allow the customer, or other data owner, to keep identity and authentication functions under its control.
Cloud will be the forcing function for federation of identity.
Category: Cloud IAM Tags:
by Dan Blum | October 22, 2010
We used to always talk about “Internet years.” Now, to coin a phrase, we may talk about “cloud years.”
The notion of compressed time frames particularly struck me on a briefing today with Eric Olden from Symplified; I told him I’d just gone over my notes from our previous briefing in May and that seemed like a long time ago to both of us. Indeed every day, we hear of new public cloud, private cloud, or cloud-related capabilities and issues arriving.
One thing hasn’t changed: people are still confused. Two years into our coverage of cloud computing, I thought we’d be through the definitional stage. But at the Gartner Symposium this week, at least half the clients I talked with were still struggling with what is cloud and what does it mean to them.
Of course, it’s fair to say that there’s much more to be confused about now than there was a year or two ago. The sweep of changes wrought on IT at cloud’s hands is staggering. I’m halfway through reading Gartner’s Hype Cycle for Cloud Computing, 2010. Fair warning – this vast, wild, wonderful, 78-page gem of a multi-authored document has 38 different points on the curve to represent all the facets of cloud our analysts have found so far.
It’s required reading for those who wish to become confused enough to perhaps (dimly) understand the scope of IT’s transformation. Perhaps by the time I finish it, another cloud year will have already passed.
Category: Uncategorized Tags: cloud computing
by Dan Blum | July 23, 2010
In my recent dangerous times blog post I posed the question:
“How can the [enterprise security pro] battlefield units in our asymmetrical war [with cybercrime] call in the equivalent of an air strike or a SWAT team when they’re attacked? The international cybersecurity community and the security industry itself must address the issues of certification, attribution, due process, and international cooperation that arise.”
It seemed like an insurmountable problem and who wants to tilt at windmills…but once I started to write about it, a trickle of ideas began. Here’s the first few of hopefully many more.
Yesterday I enjoyed a long briefing with Kurt Natvig, Righard Zwienenberg, and John Callahan from Norman Defense – an anti-malware vendor whose malware analysis product Norman Sandbox is sold to the usual high security verticals such as government, defense, financial services, ISPs, and telecommunications (as well as other security vendors). Norman said that the Sandbox is also selling to more enterprise niches such as higher education and pharmaceuticals. Indeed, I used to know a full-time malware researcher at a high tech manufacturing company, so they do exist at enterprises. Norman says it has one pharmaceutical company with 20 (!) full-time malware researchers.
The apparent surge in malware research interest is justified by the increase in targeted attacks on enterprises, like Operation Aurora. Norman Sandbox Analyzer and Sandbox Analyzer Pro take the advanced security research facilities that other security vendors have and put them in the hands of enterprise security pros.
The functionality of Sandbox and other security research tools may be similar, but there are advantages to running the tools in the enterprise environment. First, some targeted malware won’t fully reveal itself until it scents the target, that is, finds something like a customer-specific application file, or a PC with the CEO’s name. To get the malware to fully decrypt itself you have to recognize and supply the fragment of the artifact it seeks.
The other critical difference between running malware research inhouse and using today’s typical vendor research service is time. Send your virus sample to a security vendor, and it will likely take a few days to respond. Run it through your own full-time virus researcher with a good inhouse analysis product and you’ll know what the malware sample does in minutes. How’s that for empowering battlefield units?
Just a start, actually. Norman and other security vendors should be doing more to help enterprise security pros connect the dots between the malware, the attacker, the target, and potential vulnerabilities. Initial analysis of a targeted malware sample may tell you it was going to install a run key in the Windows registry and communicate with a botnet, but it generally doesn’t reveal the identity of the attacker and may not reveal the ultimate target.
What malware is doing and how it does it may only be the first step to neutralizing (let alone prosecuting) an attacker and defending against future, related attacks. As I wrote in my report “Threat Assessment Guidance for Dangerous Times” the security industry has a huge blind spot here. Vendors and customers alike conflate the word “threats” (which should refer to the criminals themselves) with the word “malware” (which should refer just to the threat agent).
To get out of the trenches and take our defense to the next level, we must tear cybercrime up by the roots, not just treat its symptoms. This starts with learning the threat’s motivation, capabilities, and intent. Only then can we hope to neutralize the threat and inform a risk assessment of how to protect all likely attack paths to the targeted asset by future threats.
Let’s play “what if” for a minute: I’ll start by quoting an actual exchange from Norman’s demo of emulated malware attempting to connect and password-authenticate itself to a list of 20 botnet controllers. I asked:
“Is there a button I could push to send each botnet controller’s address and password to the hosting ISP and the host country police force?”
“No.”
See how attribution and collective intelligence aren’t even a feature of an important security analysis product? To be fair, customers aren’t demanding it (yet). I understand why: The typical enterprise is in the trenches hoping not to be attacked and hoping not to spend too many hours interacting with a law enforcement system that only occasionally resolves the issue. And few enterprises want the negative publicity of having been attacked. So I suggested:
“I’d like to be able to push a button and send all this to the police in one of three source attribution modes: as an identified Norman user, anonymously so that even Norman can’t track me, or anonymously with the option to respond to a dialogue request at my discretion.”
“These days it’s difficult to be anonymous.”
“Really? Hackers do it all the time.”
All of us – analysts, enterprise security pros, security vendors, and law enforcement – must work to put an end to the perverse incentive system that’s making us less effective against cybercrime. John Callahan from Norman did say that they share information from their sandboxes with CERTS and cybersecurity police all the time, that they genuinely want to solve the problem.
Enlightened self interest is wonderful, but an incentive system that rewards security intelligence sharing would be even better.
What if a vendor built a malware analysis product with automated community information exchange and the three levels of source attribution that I suggested to Norman? What if they awarded customer discounts for reporting malware analysis results to the cybersecurity police (ISPs, police, and other interested parties)? Wouldn’t this improve the quantity and quality of the research community? Wouldn’t the improvement in the customer’s ability to connect the dots increase the value of the malware analysis product? Wouldn’t crowdsourcing malware analysis reports also enable the vendor to get more revenue from cybersecurity police and others that use the analysis feeds and databases?
Norman and other security vendors could set up these services to crowdsource malware analysis today; there’s no law against it that I know of. Either they haven’t thought of this (but I’ll try to make sure they do) or they don’t know how they could make money doing it.
It’s a fair question whether the cybersecurity police would pay enough to make it profitable for vendors to crowdsource malware analysis. Perhaps as taxpayers that fund the police and as enterprises that lobby the politicians we could have something to say about that. We need to lobby for effective action against cybercrime. Crowdsourcing malware analysis is one idea whose time may come.
The vision should ultimately globalize and transcend individual vendors to reach its full potential. What if there were a thousand crowdsourced malware analysis services? Not all of them need to be products; some could be cloud computing services with near-real-time response and electronic teleconferencing back to the (non-full-time) security pro. Many such products and services could be syndicated together, with incentives to share attack and threat information in a highly efficient, automated manner among all the authorized users of the civilized world. Radio stations and music royalties do something like this; why can’t security pros?
Then maybe those windmills of international cybercrime wouldn’t look so big anymore.
Category: Uncategorized Tags:
by Dan Blum | July 11, 2010
As the Catalyst North America conference of July 26-30 draws near, my antenna is tuned to anything that might inspire ideas for my joint presentation with Phil Schacter: “Dangerous Times: Shared Intelligence Plays a Vital Role.”
I found some ideas in the recent Economist article: “Cyberwar: The Threat from the Internet.” This article does a good job of explaining a “complex, multifaceted, and potentially very dangerous” phenomenon and provides a lot of useful background information, but it doesn’t break much new ground. Most valuable to me were its policy recommendations (things that need to be said and acknowledged more widely) that countries must
• Raise the political costs of cyber-attacks
• Exert economic pressure on states that don’t fight online criminals
• Establish an international center to monitor cyber-attacks and a “duty to assist” countries under attack, and
• Create a “Geneva convention” type accord that bans cyberwar on civilian targets
However, the article gives too little airplay to the reality that, in many ways, cybercrime and cyberwar are joined at the hip. On the offense, nation states and cyber-criminals work together as we saw in the case of Operation Aurora. On defense, governments can do little to defend critical infrastructure, track down attackers, or drain the swamp of botnets without help from individual security pros and private sector organizations.
Our “Dangerous Times” presentation starts from the premise that cybersecurity is a shared problem and explores ways to increase our individual and collective security intelligence. Security pros are fighting an asymmetrical war against hordes of individual attackers who can strike from anywhere anonymously and are increasingly collaborating to increase their efficiency using underground markets.
To wage asymmetrical war, modern battlefield strategy gives individual units more latitude within rules of engagement. The units also share information to enhance situational awareness. In the presentation we’ll talk about using the power of pull for security.
Security pros are the battlefield units of cybersecurity, and “Dangerous Times” as well as other security monitoring presentations at Catalyst will show how we can enhance situational awareness. In addition, the presentations will cover our pattern-based security strategy ideas and operationalizing collective intelligence.
As well as situational awareness, the industry requires vastly more efficient prevention and response to cyber-attacks. Unfortunately, the Economist article barely scratched the surface of this issue: How can the battlefield units in this asymmetrical war – mostly non-military security pros – call in the equivalent of an air strike or a SWAT team when they’re attacked? The international cybersecurity community and the security industry itself must address the issues of certification, attribution, due process, and international cooperation that arise.
We won’t be able to solve ALL the world’s problems at our July conference in San Diego, but we can make big gains in understanding situational awareness and pattern-based security strategies. Come to Catalyst and join the conversation!
Category: Uncategorized Tags: cybercrime, cybersecurity, cyberwar, security intelligence
by Dan Blum | June 10, 2010 | 3 Comments
I went to Microsoft’s TechEd this year already holding the opinion that application whitelisting was a key technology not just because traditional signature-based anti-malware has been losing effectiveness, but also due to a not yet widely recognized problem with standard user deployment. What I learned at TechEd validated and reinforced this view.
User Account Control (UAC) is forcing developers to change their applications. Because of UAC, users can be prompted before installing applications and more organizations are making the choice to deploy the desktops they manage in standard user mode. However, what users and vendors desire tends to flow around security controls like water; perhaps unsurprisingly, independent software vendors (ISVs) are now releasing applications that don’t require administrative privileges.
At his session “Applocker: Your Solution for True Application Smackdown,” GPAnswer’s Jeremy Moskowitz put it this way: “If you want to make the CIO sit up and take notice, demonstrate installing Google Chrome on a PC without admin privileges.”
Thus, while standard user privilege limitations still prevent users or applications from making unwanted configuration changes to the OS, they don’t bar the many unapproved applications that can install to the per-user space in the OS – that is, in the “\users\username\appdata” directory rather than “Program files.”
Application whitelisting has been around for a while from vendors such as Bit9, CoreTrace, Lumension, and Savant, and some of the major anti-malware vendors like Symantec and McAfee are getting into the act. Microsoft’s release of AppLocker with Windows 7 further validates the need for this market category. In my upcoming document “Making the Most of Windows 7 Security” I’ll provide some detailed recommendations on UAC deployment as well as advice on when to use AppLocker and when to consider third-party whitelisting products.
Category: Uncategorized Tags: application whitelisting, AppLocker