Cram Session: Network Access Control

Security professionals share tips at InfoSec

At the InfoSec Conference in Orlando this week, security professionals shared tips for tackling some of the biggest issues they face, such as minimizing risks associated with outsourcing, selecting a network-access control mechanism and deploying identity management technologies.

Kathy Kirk, director of information security at Prudential Financial, said her company has for about seven years outsourced some data-processing and call center work abroad, to countries including China and India. While Prudential management reckons this saves 30 to 40 percent a year in costs, the reality is that there are underestimated security costs that quickly become apparent.

"Management is thinking in terms of personal salaries, such as the hourly rate in Mumbai, which is a third of the rate in the U.S.," Kirk told InfoSec attendees Tuesday during a presentation. But additional costs always accrue in the effort to transmit data safely between an outsourcing company and Prudential, such as the need to put a site-to-site VPN and routers at each end. Addressing those issues, plus trying to ensure that outsourcers handle confidential customer data appropriately, presents a huge challenge.

Business managers at Prudential Financial, whose dozen business lines range from insurance to real estate, interact with the legal department, the physical security division and Kirk's information security division when outsourcing is being considered. Every project is subject to a security review of the prospective provider, and managers want to hear Kirk approve every deal. But she acknowledges that sometimes she can't, based on her evaluation of the outsourcer's network and data-handling procedures.

"We do over 100 reviews of outsourcing projects each year, and in 5 percent of those, the proposed provider is turned down," she noted. One company, which she didn't name, was rejected because it was still running Windows NT two years after Microsoft had retired the product, and had no firewall or intrusion-detection system. "We did go to the site and unfortunately it confirmed our fears," she said.

The depth of a security review depends on the level of risk: simple projects such as printing business cards carry less weight than more critical tasks. But contract negotiations for multi-million-dollar outsourcing deals can easily take a year to complete, and she advised security professionals to make sure they are in the loop as early as possible so they can obtain background checks, service-level agreements and reviews.

"The thing that can be hard to get out of the [outsourcing] business is a network diagram," Kirk said, calling it a key document. She and her staff engage in lengthy phone and e-mail discussions to pin down the network topology and applications used by prospective outsourcers. Prudential also requires a quarterly visit to physically inspect outsourcing facilities.

And mistakes happen. "One of our outsourcers lost a laptop with employee data," Kirk said.

Another topic that got panelists talking at InfoSec is network access control (NAC).

NAC is the process of running a security health check on an endpoint, typically a laptop, before it is granted network access, and quarantining any device that fails the check until it has been remediated. Cisco and Microsoft each offer their own method, about two dozen other vendors have approaches of their own, and the industry standards organization Trusted Computing Group (TCG) is hammering out a general standard, its Trusted Network Connect (TNC) architecture.

Phillip Maier, vice president of the information security engineering, technology and network group at Visa's technology arm, Inovant, said NAC is a great concept, but presents some obvious obstacles to overcome.

If an outsider, such as a contractor, wants to come onto the network and needs a virus-signature or patch update, is it practical for the corporation to give away licensed software on the quarantine network? "Now you need two quarantines," Maier said. He added that he favors an agent-based approach to NAC over an applet-based scan, because an agent, which can scan continuously rather than only at connection time, also gives a manager "a periscope" into a machine.

Maier also noted that quarantine and remediation will require careful management of antivirus downloads to user desktops in companies that run different vendors' products, because one vendor's agent and signature updates do not coexist with another's on the same machine. "If at my company the West Coast uses one [antivirus] and the East Coast another, and I downloaded antivirus to it from the East Coast, I would lock him up because he has antivirus 'B'," Maier said.

Roger Herbst, an IT specialist at the manufacturing firm Timken Company, said the quarantine used in NAC can be expected to drive up help-desk call volumes as users find themselves denied access and become frustrated.
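The NAC flow the panelists describe (health check, quarantine, remediate, admit) and the two failure modes they raise (contractor devices that must not be handed licensed software, and remediation that pushes one antivirus vendor's update onto a machine running another vendor's product) can be made concrete as a small posture-evaluation function. The following is an added example written for this page; it is not code from any of the companies or products named. The posture fields, the policy thresholds, the host names and the update-mirror addresses are all constructed assumptions, and the two-quarantine split (internal repositories for corporate assets, vendor-hosted updates only for outsiders) is one way of implementing Maier's "two quarantines" remark, not a description of any vendor's product.

```python
"""Toy NAC posture check: decides production, quarantine or deny per endpoint."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    PRODUCTION = "production"              # healthy: full network access
    QUARANTINE = "quarantine"              # corporate asset: fix from internal mirrors
    GUEST_QUARANTINE = "guest-quarantine"  # outsider's asset: vendor-hosted updates only
    DENY = "deny"                          # nothing the corporation can remediate


@dataclass
class Posture:
    """Health report an endpoint agent would submit (field set is an assumption)."""
    host: str
    corporate_asset: bool             # company-owned vs contractor/visitor device
    os_patch_level: int               # assumed monotonically increasing baseline id
    av_vendor: Optional[str]          # e.g. "A" or "B"; None if nothing installed
    av_signature_date: Optional[date]
    firewall_enabled: bool


@dataclass
class Policy:
    min_patch_level: int
    max_signature_age: timedelta
    # One internal update mirror per AV vendor. Remediation pulls only from the
    # mirror matching the vendor already on the box; pushing vendor A's package
    # onto a vendor-B host is exactly the lock-up Maier warns about.
    av_update_sources: dict = field(default_factory=dict)
    corporate_av_vendor: str = "A"    # standard build for company-owned machines


@dataclass
class Verdict:
    decision: Decision
    reasons: list      # plain-language reasons shown to the user (fewer help-desk calls)
    remediation: list  # steps the quarantine network will offer


def assess(p: Posture, policy: Policy, today: date) -> Verdict:
    reasons, fixes = [], []

    if not p.firewall_enabled:
        reasons.append("host firewall is disabled")
        fixes.append("enable host firewall")

    if p.os_patch_level < policy.min_patch_level:
        reasons.append(f"OS patch level {p.os_patch_level} is below baseline "
                       f"{policy.min_patch_level}")
        fixes.append("install OS patches from the internal patch mirror"
                     if p.corporate_asset else
                     "install OS patches from the OS vendor's public update service")

    if p.av_vendor is None:
        reasons.append("no antivirus installed")
        if p.corporate_asset:
            fixes.append(f"install corporate standard antivirus '{policy.corporate_av_vendor}'")
        else:
            # Licensed software is not handed to outsiders; nothing to remediate here.
            return Verdict(Decision.DENY, reasons,
                           ["owner must install antivirus before reconnecting"])
    else:
        age = today - p.av_signature_date if p.av_signature_date else None
        if age is None or age > policy.max_signature_age:
            days = "unknown" if age is None else age.days
            reasons.append(f"antivirus '{p.av_vendor}' signatures are {days} days old")
            source = policy.av_update_sources.get(p.av_vendor)
            if p.corporate_asset and source:
                fixes.append(f"update '{p.av_vendor}' signatures from {source}")
            else:
                fixes.append(f"update '{p.av_vendor}' signatures from the vendor's public site")

    if not reasons:
        return Verdict(Decision.PRODUCTION, [], [])
    decision = Decision.QUARANTINE if p.corporate_asset else Decision.GUEST_QUARANTINE
    return Verdict(decision, reasons, fixes)


def summarize(postures, policy: Policy, today: date) -> dict:
    """Map each host name to its placement decision."""
    return {p.host: assess(p, policy, today).decision.value for p in postures}


# Constructed sample data: a West Coast vendor-A laptop, an East Coast vendor-B
# laptop with stale signatures, a contractor PC behind on patches, and a
# visitor PC with no antivirus at all.
POLICY = Policy(min_patch_level=12, max_signature_age=timedelta(days=7),
                av_update_sources={"A": "av-a.corp.example", "B": "av-b.corp.example"})
TODAY = date(2007, 3, 20)
SAMPLE = [
    Posture("west-laptop-01", True, 12, "A", date(2007, 3, 19), True),
    Posture("east-laptop-07", True, 12, "B", date(2007, 3, 1), True),
    Posture("contractor-pc", False, 11, "C", date(2007, 3, 18), True),
    Posture("visitor-pc", False, 12, None, None, True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        v = assess(p, POLICY, TODAY)
        print(p.host, v.decision.value, v.reasons, v.remediation)
```

The point of the vendor-keyed `av_update_sources` lookup is that the East Coast host running product B is sent to the B mirror and never to the A mirror, and the contractor's machine is never offered the corporation's licensed packages; the `reasons` list is what a help-desk portal on the quarantine VLAN would display so that a blocked user knows what to fix before calling.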

With so many proprietary NAC products on the market, both Herbst and Maier said they prefer a standards-based approach. But they are uncertain whether the market will be able to deploy TCG-based network access control within a three-year timeframe.

Some information security professionals have a foreboding that 2007 will be worse than the last few years, during which massive worm attacks fell off.

Attackers today probably have less interest in bringing down large numbers of computers than in quietly exploiting the data on them for financial gain, said Doug Sweetman, senior technology manager in corporate information security at Boston-based financial services firm State Street.

"Things have been deteriorating in a fairly substantial way since late 2005," said Sweetman, who spoke at InfoSec on new threat scenarios. With more than 30,000 new phishing attacks a month, businesses are constantly on the defensive against them.

The recent TJX data theft, which is still under investigation, will be watched carefully by the business community to understand what went wrong. Like Prudential's Kirk, Sweetman said he worries about outsourcing abroad, which State Street has done on occasion. But he also said it's important to take preventive action. To that end, State Street will be adding encryption software (based on GuardianEdge) to all of its mobile laptops by next month, so that the data on a lost or stolen machine remains encrypted and unreadable to unauthorized users.

At InfoSec, some firms said they're willing to throw a lot of ammunition into the battle against data theft. Stacey Halota, director of information security and privacy at the Washington Post Company, said she deploys a number of tools to guard the Post's databases.

Among them are Application Security's AppDetective for database vulnerability scanning, and Symantec's Database and Security Audit product for detecting, recording and alerting on unauthorized or suspicious attempts to access Washington Post databases. "It's for database extrusion detection," Halota said.

The company also uses Mazu's network anomaly-detection products to identify and block harmful traffic.

"It's not cheap, but we have had a zero-day problem, and it will shut it down like that because it looks for anomalies," Halota said.
