Security, et al

Randy's Blog on Infosec and Other Stuff

Don’t Create a Different sudoers File for Each System

Wed, 06 May 2015 17:53:34 GMT

For compliance and for protecting root access on UNIX and Linux, you can’t live without sudo. I’ve written about, and recently run several webinars on, how to implement sudo so that:

  • no one ever logs on as root
  • you can implement least privilege instead of making everyone all-powerful
  • you enforce accountability over privileged users with a high-integrity audit trail of every command executed

But most folks have more than one system to manage. It might seem simple to start out by maintaining a different sudoers file on each system: as you set up sudo on each one, you just copy and paste portions of sudoers from a system that is already set up. That is a pitfall you would do well to stay out of. Usually the differences in sudo policy between systems are important but subtle, and most of your sudoers policy can be re-used across systems. Creating independent but substantially similar sudoers files leads to management headaches and security risks, because the files inevitably become out of date and inconsistent as roles, users and security needs change.

Thankfully, sudo is designed to support multiple systems. For instance, you can use the Host_Alias directive to define groups of systems and then assign the same rule(s), once, to all appropriate systems via that Host_Alias.

That’s how sudo supports multiple systems within the sudoers file, but how do you get all your systems to share the same sudoers file? One way is to maintain the file on one system and use any of a variety of file-copy utilities to physically copy sudoers to each system. But sudo also supports storing your sudoers policy in your LDAP directory (see http://www.sudo.ws/sudo/man/sudoers.ldap.html). This isn’t as simple as it sounds, because it involves schema changes, which many admins fear.
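As an added illustration (my own constructed code, not from the post and not sudo’s own source), here is a small Go program that parses a shared sudoers file containing Host_Alias, User_Alias and Cmnd_Alias definitions and answers the question a reviewer of such a file keeps asking: “what may this user run on this host?” The host names, user names, aliases and commands are all made up; the parser only covers the alias and user-specification syntax used in the sample, and it is a review aid, not a substitute for `visudo -c` on the real file.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Rule is one user specification: User_List Host_List = (Runas) [NOPASSWD:] Cmnd_List.
type Rule struct{ Users, Hosts, Cmnds []string }

type Policy struct {
	HostAliases, UserAliases, CmndAliases map[string][]string
	Rules                                 []Rule
}

// splitList turns "a, b" into [a b].
func splitList(s string) (out []string) {
	for _, item := range strings.Split(s, ",") {
		out = append(out, strings.TrimSpace(item))
	}
	return
}

// ParseSudoers reads alias definitions and user specifications. Groups (%name),
// negation (!), Defaults lines and spaces inside left-hand lists are rejected.
func ParseSudoers(text string) (*Policy, error) {
	p := &Policy{HostAliases: map[string][]string{}, UserAliases: map[string][]string{}, CmndAliases: map[string][]string{}}
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		lhs, rhs, found := strings.Cut(line, "=")
		fields, rhs := strings.Fields(lhs), strings.TrimSpace(rhs)
		if !found || len(fields) != 2 || fields[0] == "Defaults" || strings.ContainsAny(lhs, "%!") {
			return nil, fmt.Errorf("line %d: unsupported syntax: %q", n+1, line)
		}
		switch fields[0] {
		case "Host_Alias":
			p.HostAliases[fields[1]] = splitList(rhs)
		case "User_Alias":
			p.UserAliases[fields[1]] = splitList(rhs)
		case "Cmnd_Alias":
			p.CmndAliases[fields[1]] = splitList(rhs)
		default: // user specification: drop the optional "(runas)" and the NOPASSWD: tag
			if i := strings.Index(rhs, ")"); strings.HasPrefix(rhs, "(") && i > 0 {
				rhs = strings.TrimSpace(rhs[i+1:])
			}
			rhs = strings.TrimSpace(strings.TrimPrefix(rhs, "NOPASSWD:"))
			p.Rules = append(p.Rules, Rule{splitList(fields[0]), splitList(fields[1]), splitList(rhs)})
		}
	}
	return p, nil
}

// expand replaces alias names in list with their members (aliases may nest).
func expand(aliases map[string][]string, list []string) (out []string) {
	for _, item := range list {
		if members, ok := aliases[item]; ok {
			out = append(out, expand(aliases, members)...)
		} else {
			out = append(out, item)
		}
	}
	return
}

// AllowedCommands answers: under this one shared policy, what may user run on host?
// The keyword ALL in a user or host list matches anything.
func AllowedCommands(p *Policy, user, host string) (out []string) {
	for _, r := range p.Rules {
		users, hosts := expand(p.UserAliases, r.Users), expand(p.HostAliases, r.Hosts)
		if (slices.Contains(users, "ALL") || slices.Contains(users, user)) &&
			(slices.Contains(hosts, "ALL") || slices.Contains(hosts, host)) {
			out = append(out, expand(p.CmndAliases, r.Cmnds)...)
		}
	}
	return
}

// sharedSudoers is a constructed sample: one file for every host, host-specific via Host_Alias.
const sharedSudoers = `
Host_Alias WEBSERVERS = web1, web2
Host_Alias DBSERVERS  = db1, db2
User_Alias WEBADMINS  = alice, bob
Cmnd_Alias WEBCMDS    = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
WEBADMINS WEBSERVERS = (root) WEBCMDS
carol     DBSERVERS  = (root) NOPASSWD: /usr/bin/systemctl restart postgresql
bob       ALL        = (root) /usr/bin/less /var/log/*
`

func main() {
	p, err := ParseSudoers(sharedSudoers)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice@web1:", AllowedCommands(p, "alice", "web1"), "alice@db1:", AllowedCommands(p, "alice", "db1"))
}
```

The point of the sample policy is that the same file is correct on web1, db2 and every other host: alice gets the nginx commands only on the web servers, carol gets her restart only on the database servers, and bob’s log-reading rule applies everywhere because its host list is ALL. Rather than diffing a dozen per-host copies, you review one file and query it per host.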

In my next webinar with BeyondTrust I’ll explore how to manage sudo on multiple systems. Please tune in.


Mirazon – Great Folks for Unraveling Microsoft Licensing

Wed, 06 May 2015 15:50:40 GMT

Microsoft licensing is complex, confusing and time consuming. “I just want the license key – legally!”, right? While trying to figure out how I could get a legal copy of Windows 8.1 Enterprise for a friend (they need Windows To Go Creator), I came across this article at http://www.mirazon.com/windows-8-1-enterprise-get/; I also got this newer article from Seth: http://www.mirazon.com/windows-8-1-enterprise-licensing-now-a-stand-alone-product/. I still had some questions, so I took them up on their offer to “guide you through the confusing terrain of Microsoft licensing so you can avoid unnecessary purchases” and emailed them. I got a reply back from Seth the same day. Fast and accurate. It’s not just about the money saved on unnecessary licensing mistakes; it’s also the time and effort saved researching stuff you really don’t want to learn about anyway! Thanks, Seth and Mirazon! http://www.mirazon.com/category/microsoft-licensing/


Live with SecureAuth at RSA 2015

Thu, 23 Apr 2015 15:51:34 GMT

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240).  Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!



Randy: Alright, so we’re back at the Ultimate Windows Security booth at RSA. I’ve got with me this time Darin Pendergraft from SecureAuth. Darin, we’re talking about authentication, and there’s a lot of people doing authentication nowadays. Everybody seems to recognize, all of a sudden, that we need strong authentication, which usually means a second factor.

Darin: Right.

Randy: So I just want to talk to you about what’s different with how you guys are doing it. First of all, I think maybe the first thing we need to get across is companies that have enterprise security requirements, that require them to control certain things on premise, you know, that’s a sweet spot for you – an on premise solution.

Darin: On premise solution is a virtual machine, so you know it’s housed on your hardware. You do have a physical appliance option for folks that want that. But we really feel that having that control is important to our enterprise customers.

Randy: The other thing we were talking about is two factor authentication and strong authentication, is all obviously that is one of the pain points we’re trying to solve.  One of the big risks we’re trying to mitigate, but with SecureAuth you’re not done once you’ve delivered two factor authentication.

Darin: That’s right.

Randy: Tell me more about how you said that’s really just the beginning.

Darin: Right, right… You know with strong authentication the point is to protect the business and to make it harder for the attackers to get in. Getting that set up is important but what’s really important is then to start to understand the context of the authentication, who is using that credential? Where did they log in from last? Did they use a device we’ve seen before? And we call that adaptive authentication, because the level of, you know, risk really determines how easy or how hard we make for someone to log in. That’s something we firmly believe. We can’t just set the system up and let it run, because any system that is static like that, will be defeated. Right?

Randy: Right.

Darin: So our system really takes every authentication into account. We look at the context around it and then we either step it up in this situation that we see something that’s a little out of the ordinary. You know, if you log in here from San Francisco and then all of a sudden there’s a log in from somewhere in Eastern Europe… you know, that’s unusual.

Randy: Sure.

Darin: So we shouldn't just allow you to put your password in to get in – we should really challenge you and send you to that second factor.

Randy: So we could almost call it “Just in time Authentication”….

Darin: Yeah, Just in time is a good way to look at it.

Randy: ….that it’s appropriate for the dynamics for that moment for that user and all the other dynamics. I think that you talked about velocity…

Darin: Geo velocity…

Randy: Is this a device that we've never seen them on but we can add those things together and do it dynamically. Yeah, I can see the value of that. The other thing that I thought was important for folks trying to sort out, ‘how are all of these authentication companies different’-- is form factors. You've got flexibility… you want to talk about that?

Darin: Absolutely, we are always asked, “What’s the best second factor?” To be honest, the best second factor is the one that fits your use case the best. At SecureAuth, we don’t rely on any one technique for the second factor. We can send a text to your phone. We can use a hardware token that you've got from a third party. You know, it really depends on that use case. We have some customers that want a very good user experience, so they want a really low friction second factor. In those situations, we rely on a device fingerprint to recognize the device, to see if it’s been jailbroken and to see if there’s anything unusual about it. In other situations, and in very high security situations, our customers are very comfortable with having a hard token or a card or something like that. In SecureAuth we let the customer decide what they want to do. We really fit the second factor to the use case so that the end users really feel like they are getting security and they’re not being put through unnecessary hardship. That it fits kind of the risk profile.

Randy: Do you see companies using a variety of form factors for different sets of users within the organization?

Darin: Yeah and because of the way our product is architected, you can mix and match. We have a lot of hybrid environments. We have some folks that are traveling a lot and they have everything on their phone and they say, “That’s what I want to do.” And yet, we also have sales people that are mainly, you know, laptop people or Blackberry people potential, right? So we can work with different form factors for those folks.

Randy: Gotcha… Well, there’s other reasons why a variety of form factors is important. We like to use a phone at my company as a second factor. But if that phone is down, we don’t want to have to provision something else. So we have folks carry a one-time password token with them, but they don’t need to touch it unless something happens to the phone.

Darin: In that situation, what our customers have done is they’ll actually… the customer’s administrative staff will present you with two or three different options so if your phone is lost or you leave it at home, so it’s not compromised or lost, or maybe you just don’t have it…

Randy: Yeah…

Darin: A lot of times when you’re presented with that second factor dialogue it’ll say: “Receive a call on your office phone” or “Receive a call on another number” or “Answer a question…” Like you said, have a one time PIN. So we can give you the flexibility to shut certain channels off or form factors off or offer the end user the option of two or more.

Randy: Well, cool. I appreciate your time, and hopefully, folks, this is useful to you if you’re trying to sort out differences in strong authentication offerings. I look forward to working more with you, Darin.

Darin: Thanks, Randy. It’s a pleasure to be here, thanks.


Live at RSA: Visualize Your Network and Access Paths Correlated with Relevant Vulnerabilities

Thu, 23 Apr 2015 15:02:44 GMT

Here’s another cool thing I found, this time at Redseal’s South Hall booth 1107.  Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its structure.  But that’s only the beginning.  It makes it easy to color-code different network segments with classifications like DMZ, Internet and various internal zones.  Then it shows you the paths different protocols and applications can take throughout your network.  You can select any device or host and instantly trace out all possible paths that data can take to or from that node.  I wish I’d had that recently when I was re-designing our 2 data centers to provide better isolation of our virtualization hosts and some labs that outsiders need to access.  It was such a nightmare to test and validate that the policies I’d architected were configured correctly, with the wrong traffic blocked and the right traffic permitted.  For instance, we needed the 2 virtualization infrastructure networks to communicate with each other over the site-to-site VPN but only allow admin access from our jumpbox.  But Redseal goes beyond this by consuming the results from any vulnerability scanner.  Redseal doesn’t just plot those vulnerabilities on your network visualization (that’s not really that hard).  Instead, it analyzes the vulnerabilities found by your scanner against the known access paths on your network and surfaces the vulnerabilities that really count: those that are reachable via the access paths actually open on your network.  Pretty cool stuff.


Finally, a new and different way to mitigate the risk of compromised user endpoints

Thu, 23 Apr 2015 14:51:06 GMT

Here’s another find from the South Hall at RSA 2015 (I’d snuck away from the UWS booth while Barry wasn’t looking).  The 2,000+ of you who’ve attended my recent endpoint security webinars know how much I worry about endpoint security, especially user endpoints (laptops and workstations).  On my daily hike I actually puzzle over new ways to address this risk, and I wish I’d come up with the idea Bromium has already implemented.  The messaging on booths here makes it hard to figure out what companies do, but “isolation” and “endpoint risks” caught my eye as I walked past Bromium’s booth 2007.  From talking to Bill Gardner I learned that Bromium was started by virtualization experts formerly at XenSource.  Bromium inserts a hypervisor between the metal and the OS of your endpoint.  Then each application is isolated in its own micro-virtual machine.  This is something I want to learn more about.  Depending on how isolated applications really are and how clean the user experience is, this could be really awesome.


Live with Dell at RSA 2015

Thu, 23 Apr 2015 12:09:35 GMT

Dell Software is my longest-time sponsor and has made possible many hours of my real training for free™ webinars.  We don’t usually give them much time to talk about their products on my webinars, and they are really nice about that.  So I thought I’d sit down for a few minutes at the UltimateWindowsSecurity.com booth here at RSA 2015 with Todd Peterson.  You never hear from Todd on the webinars, but he is one of the main folks behind making them possible, and he has a good perspective on Dell Software’s sizable portfolio of security products.  Our conversation centered around the Dell Software security portfolio as a whole and what makes it compelling compared to point solutions.

(Transcript below video)

Randy:  Alright, so back at the Ultimate Windows Security booth at RSA.  This time I’ve got Todd Peterson from Dell.  And folks, you’ve probably, I don’t know if you’ve heard Todd before, but you’ve heard a lot of other Dell people because Dell, and before that Quest, have been pretty much our best and biggest sponsor of real training for free™, so thanks a lot for that through the years, Todd.  But here’s what I want to talk to you about, and I’m picking this topic for you because: how many security products does Dell have?

Todd: Lots.

Randy:  Yeah.

Todd:   I mean, Dell kind of has the strategy of baking security into everything they do, so you know, if you want to be really technical, every laptop, every tablet, every server, every router, every switch has security baked into it.  If you want to be a little more literal on the classic security products, firewalls, data encryption, it’s probably 40 or 50 separate offerings across the whole line.  Most of them under the Dell software group umbrella.

Randy:  So, if we want to buy “a security”, we can go to….

Todd:  Yeah, yeah I’m happy to sell you an app for security. 

Randy:  Right.  Okay, but the thing of it is, is then and you’re the perfect person to expound on this, is do we go after security piecemeal, like here’s my risk, I want to solve this problem or do we build a security stack and think strategically, how are we going to make all these pieces fit together and then the risk is time to value and functionality but we never get anything out the door?

Todd:   I think in a perfect world, you do the latter.  You plan it out, you build security from the ground up, everything fits together and works great, but we know that that never actually happens.  So you end up with a piecemeal approach with whatever the fire of the day is, or you know BYOD all of a sudden comes up and you didn’t even think about that, you know, 12 years ago when buying a server was your big deal, and so piecemeal is the way it has to go, but if you approach piecemeal with the right strategy, there is going to be something next and you may not even know what it is.  So just make sure that you’re future looking with everything you do.  I think piecemeal can work and kind of give you that plan-from-the-ground-up, you know, result without actually having done it.

Randy:  Yeah, because what I fear is management coming and they’ve read about a breach and they’ve read what Gartner or whoever is saying at the time: we need to get control of mobile devices.  We don’t have mobile device management.  Go get MDM, and so you go and you buy an MDM point solution, you get that in place.  Iterate that a few more times and what you’ve ended up with is a whole bunch of solutions, maybe a lot of them really cool, but they were from start-ups, a lot of them.  They’ve gotten bought by someone else over the years, who knows what has happened, and do they all talk to each other?  Because that’s the other thing, Todd: getting your security products to talk to each other is opening up a whole new world of synergy, so given that you’re a company with 40-50 different security products, you probably have feelings on these issues.

Todd:   Yeah, I mean obviously you want them to talk to each other, but, you know, the reality is people are often, you know, you have pressure, you have to solve the problem today, so you’re going to go out and, you know, whoever you’re hearing the most about to solve that problem is at the top of the list.  Maybe you’ll implement them, maybe you won’t, but you know, then down in the future, the next thing comes up and that solution’s great, but the next thing can’t be solved by that solution, so you do it again.  So, what you end up with is you’re defining security and the controls that provide security, so, an identity of a person, a person’s authorizations, the way you authenticate, what it means to be somebody, you’ve defined that in each and every one of those silos, and you’ll probably define it differently.  So then standards emerge, that if you’re able to wait for the standard to take over, that makes it a little easier.  You know, only use SAML authentication, that solves a lot of the problems.  Use other standards as the baseline.  That’s good, but a lot of times the problem can’t be solved at that time.  So you just need to look for things that are on the cutting edge of standards, but also for a strategy of not reinventing the wheel every time a security issue comes up.  You don’t want 12 Randys across 12 different security silos.  You want 1 Randy that’s applied 12 times across 12 silos, if that makes sense.

Randy:   Well, that’s ironic since Dell is, would you say your core security product is your one identity solution?

Todd:  I would definitely say that. 

Randy:  Yes.  Well let’s come back to that and talk about what is the core of a company’s security stack, but I think what you’re getting at is that to build a house, you have to put the foundation in first, you cannot say, you know, the biggest thing I need right now is a roof, and then I’ll come back and do the foundation.  There’s a sequence that you have to build things in.  Alright, with an IT environment, that’s not really the case.  You do have the option to say these are my biggest pain points.  I don’t have a roof over my head, I know I don’t have a great foundation for identity or whatever, but I need to get that roof over my head in terms of two factor authentication or mock change auditing, whatever.  I could go put that roof in and I can say I also need this door over here with a lock on it, but so that’s piecemeal, but what you’re saying is that what we want to do is be looking towards the future and saying at the end of the day we want a house that’s all connected to each other and doesn’t look like we bought a trailer and then added on a family room.

Todd:    Or worst case, you end up with 12 trailers.

Randy:  Well, that’s ugly.

Todd:  So yeah, I mean totally.  And what I would say to that foundation is as you’re putting the roof on, let’s say you’re just doing your roof, you know, you do have the opportunity at that time to form up the foundation and set it up so that when you put in the walls, when you put in this door, when you add on to the house, that those things can happen easier without re-pouring a new foundation.  So, you know, getting that foundation solid and then right along with that first big fire that you’re putting out, is probably the best approach and I would say that foundation is what I mentioned earlier…identity, role, authorizations, authentication, you know, getting those things set because if people can’t get to the stuff they need to do their job, there’s no point, that’s why it’s there.  Security is often viewed as a barrier to people doing their jobs because it’s another person saying no instead of another person saying yes.  But, if that foundation is right, there’s going to be opportunities to say yes, go way up and the opportunities for the temptation to say no unnecessarily has just disappeared. 

Randy:  Yeah, well that’s, I always go back to we’re in business to do business, not to be secure.  Secure doesn’t make money.  So I think what I’m hearing is you’re thinking about what we’re hearing from a lot of folks is the whole whether you want to call it dynamic or adaptive security, right, being able to dynamically say I need more assurance that this really is Bob, right?

Todd:  Yeah, and if you think about the way security is normally implemented as a silo approach, you know, you’re on-prem, you’re using a company controlled device.  There is a set of rules, you follow those rules and you’re allowed to get to something.  So you go off-prem, they’ve established another set of rules for that and you follow those rules, you’re allowed; you’re using their mobile device, a different set of rules; data encryption is involved, different set of rules.  You’re coming from an IP that’s unknown to the organization, a different set of rules.  So, each of those can return a yes or no decision.  If any one of those 5 things returns a no, the answer is no, even though I may legitimately be doing things that are going to be absolutely secure, but one says no.  But, what if you take into account the context of the who, what, when, where, why, how and past history to make a dynamic decision in real time that says hey, I know who you are, I know where you are, I don’t know your device, but I know that your history means that you’ve come in from a device like this one, and so I’m going to allow you in.  So you can kind of take into account the varying strengths of the yes and no decisions to return an accurate decision that changes in real time depending on the situation.  You know, that’s, I think, the nirvana of security.

Randy:  So, going back to the building at your security stack and piecemeal and looking toward the future and so on, you know, what do we get if we make a commitment to Dell in terms of… you know, I have to have a lot of worry.  My supply management people have worry every time I bring in another vendor or another partner on board.  All right, how healthy are they, are they going to be in business, what’s their limits of support and so on.  So I mean, what’s codified in terms of if we come to Dell and saying if possible we’re going to try to get our different pieces of security from Dell?

Todd:   Well, obviously we would like that, but the advantage is Dell is a very mature, very stable company that’s not going anywhere and has a long legacy of very happy customers including customer service excellent support and each of the acquisitions that they’ve made have been of companies with an equal to a lesser degree, but an equal reputation, so they acquired Quest, which is where I came from.  You know, Quest has some of the industry leading customer satisfaction numbers on a software site.  The security software, being Identity Access Management stuff, is the leading satisfaction among the questions. So all of these things come into play that you know, you’re going to eventually have to buy a firewall if you don’t already have one or you may have to upgrade your firewall.  You’re going to have to buy something for identity and access management, something for privilege management, something for authentication.  You’ll probably eventually need a data encryption type of solution.  You’re going to need security baked into your servers and your laptops and your tablets and your desktop computers.  If that ultimately is in the same place and you know it’s not going anywhere, then you already trust and you know you can continue to trust, that really alleviates a lot of the danger, a lot of the risk and a lot of the worry of am I really going to be secure next year with the decision I make today?  With Dell, we feel and I think that history proves that yeah you’re set for years and years and years and years, at least from a peace of mind state.

Randy:   Well, it is, I’m always amazed.  I can never keep track of all the different security solutions that you have and you’re starting to make them talk to each other more too.

Todd:   Yeah, absolutely.

Randy:  I think that’s important and that’s something maybe that I had wished for more in former days and I’m seeing more now, so…

Todd:  Yeah, for example a lot of our authentication solutions, our multifactor authentication, our federation solution, are beginning to be reused by other Dell technologies.  So the Dell KACE MDM solution uses our single sign-on federation.  The Dell SonicWall firewalls use our multifactor authentication.  You know, all their offerings, the Dell offering for medical organizations, uses our single sign-on solutions.  So you know there’s a lot of places where this 1+1=3 can come to pass because it’s, you know, all offered by the same organization.

Randy:   And that’s what I would want and expect if I’m going to make a commitment and say all right, I’m not just going to automatically go out there and get the cheapest, newest and best of breed solution for each piece of the puzzle.  I want that synergistic benefit of going with a vendor.  If I’m going to go with one vendor, then I’m hoping for that synergy along with products.  The more of their products I use, the more of that 1+1=3. 

Todd:  Yeah, and the trends continue, you know, where I mentioned earlier that adaptive context way of security.  Right now that involves a few of our identity and access management solutions and our firewalls and the SecureWorks Counter Threat platform.  In the future that can expand to where the firewall is actually enforcing, not just helping make a decision, where an encryption solution from Dell is enforcing in addition to helping to make a decision, and it can go anywhere, and then when we build an API into it, then it can actually go beyond Dell and you can build your own contributive piece to that context where it thinks.  So you know we are excited about that, but you know it all comes down to it’s one big stable strong company that can provide it to you.

Randy:   That’s cool.  Folks normally you’re used to seeing me or at least listening to me more, but this is an opportunity I get to talk to the people like Todd that make all the real training for free™ webinars possible and I said let’s just talk about their products a little bit.  So thank you, thanks for all the great webinars that you’ve sponsored over the years.  We get lots of people that come up and say I go to every single one of your webinars and when we need answers especially on windows security log, they come here, but you guys are the ones that make that possible, so thanks.

Todd:   Thanks for allowing us to do it.  We find a lot of value in it as well.

Randy:  Well, take care.

Todd:  Thanks Randy.


Live at RSA: Stopping Key Logging and Screen Scraping

Thu, 23 Apr 2015 10:43:55 GMT

As you know, I view compromised user endpoints (aka workstations and laptops) as the biggest risk facing us today.  And that’s why I love application control (aka whitelisting) from UWS sponsors like Lumension and Bit9+CarbonBlack.  But there’s no single silver bullet; defense-in-depth, right?  One of the scary things bad guys can do once they have code running on your user’s endpoint is log keystrokes, change your keystrokes and record (aka scrape) your screen, and even potentially re-write your screen.  So it was cool when, while wandering the booths at RSA 2015, I met Mark L. Kay of StrikeForce Technologies, who is a kindred soul on this concern.  Their GuardedID software is designed to prevent “malicious keylogging programs by encrypting every keystroke at the point of pressing the keys, and rerouting those encrypted keystrokes directly to your Internet Explorer browser through its own unique path”.  The product appears to be targeted primarily at consumers, but Mark told me they do have enterprise customers, and their website has an Enterprise section showing how to deploy GuardedID by group policy.  If you are at RSA 2015, check them out at booth 1227 in the South Hall.


Live at RSA: FIDO authentication protocols and checking in real-time for user presence

Thu, 23 Apr 2015 10:30:32 GMT

There are a LOT of authentication companies at RSA 2015 this year.  It’s been fun learning the difference between them – and there are big differences.  

Arshad Noor from open source company StrongAuth (South Hall booth 2332) came by the UltimateWindowsSecurity.com booth (South 2240) and briefed me on the relatively new FIDO (Fast IDentity Online) authentication protocols.  FIDO protocols are interesting for a lot of reasons, but what Arshad said about “user presence” got my attention.  One of my top concerns is how a compromised user endpoint can effectively defeat even the strongest authentication schemes (see “2 Factor, SSO, Federation and Cloud Identity are Awesome but it’s all for Naught if You Leave this One Backdoor Open”).  If your endpoint is compromised, malware can wait until you authenticate and then piggyback on that authentication using a host of different methods.  So you have to attack that on 2 different fronts: preventing malware, and, for really high value operations, getting reassurance at that moment in time that the user is present and is the one initiating that operation.  Just checking for user presence still doesn’t solve every sophisticated scenario, but it gets you a lot closer.  But as with all things security, if you aren’t careful you end up making things so inconvenient for the user that you get in the way of business, and asking users to go all the way back through onerous authentication steps at seemingly random times is a great way to get in the way of business.  So that’s why Arshad got my attention when he mentioned “user presence”.

FIDO makes it easy for an application, including web applications, to reach out to the user’s FIDO-compliant token and ask for real-time user presence verification.  It’s up to the token vendor how to implement this, but the example Arshad talked about was a simple token that starts flashing an LED.  All the user has to do is touch the token to say “yes, I’m here and initiating this transaction”.  Then the token signs the verification response with its private key, tied to that application and user, and sends it back to the server.  That’s got to be the lightest weight 2nd-factor user presence check I’ve seen.  I’ll be talking a lot more about the risks at the intersection of authentication and endpoint security, but if you’d like to learn more about the FIDO protocols, visit the FIDO Alliance.
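To make the user-presence check concrete, here is an added Go simulation of the flow described above (my own example, not StrongAuth’s or the FIDO Alliance’s code; the message layout, flag value and names are assumptions, not the real FIDO wire format). A Token holds one Ed25519 key pair per application origin and user, sets the presence flag only when it has been touched, and signs that flag together with the server’s one-time challenge; the Server rejects answers that lack the flag, reuse a challenge, or are signed by a key registered for a different origin. The origin and user name are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const flagUserPresent byte = 0x01 // set by the token only when a human touched it

// Token models a FIDO-style authenticator: one key pair per (origin, user),
// generated on the device; the private half never leaves it.
type Token struct{ keys map[string]ed25519.PrivateKey }

func NewToken() *Token { return &Token{keys: map[string]ed25519.PrivateKey{}} }

func scope(origin, user string) string { return origin + "\x00" + user }

// Register creates a key pair for this origin and user and returns only the public half.
func (t *Token) Register(origin, user string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[scope(origin, user)] = priv
	return pub, nil
}

// signedMessage binds a response to the origin, user, presence flag and one-time challenge.
func signedMessage(origin, user string, flags byte, challenge []byte) []byte {
	msg := append([]byte(scope(origin, user)), 0, flags)
	return append(msg, challenge...)
}

// Sign answers a challenge; touched is the flashing-LED step (the user pressed
// the token). Software on the host cannot set the flag, only the token can.
func (t *Token) Sign(origin, user string, challenge []byte, touched bool) (sig []byte, flags byte, err error) {
	priv, ok := t.keys[scope(origin, user)]
	if !ok {
		return nil, 0, errors.New("no key for this origin and user")
	}
	if touched {
		flags |= flagUserPresent
	}
	return ed25519.Sign(priv, signedMessage(origin, user, flags, challenge)), flags, nil
}

// Server is the relying party for a single origin.
type Server struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per user, single use
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a random nonce before a high-value operation.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts the operation only if the challenge is the one we issued and
// is unanswered, the presence flag is set, and the signature verifies under
// the key enrolled for this user at this origin.
func (s *Server) Verify(user string, challenge, sig []byte, flags byte) error {
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.pending, user) // consumed whether or not the rest verifies
	if flags&flagUserPresent == 0 {
		return errors.New("user presence not asserted")
	}
	if pub, ok := s.pubKeys[user]; !ok || !ed25519.Verify(pub, signedMessage(s.origin, user, flags, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	tok, srv := NewToken(), NewServer("https://app.example") // constructed origin
	pub, _ := tok.Register(srv.origin, "alice")
	srv.Enroll("alice", pub)
	c, _ := srv.Challenge("alice")
	sig, flags, _ := tok.Sign(srv.origin, "alice", c, true)
	fmt.Println("with touch:", srv.Verify("alice", c, sig, flags), "| replay:", srv.Verify("alice", c, sig, flags))
}
```

Two details carry the security argument. The presence flag is inside the signed message, so software on a compromised endpoint that relays a challenge to the token cannot later claim the user touched it; and each key pair is scoped to the origin it was registered for, so a token asked to sign for another site simply has no key to use. The single-use challenge is what stops a captured response from being replayed for a second operation.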


Live with Duo Security at RSA 2015

Thu, 23 Apr 2015 10:11:16 GMT

Duo Security is a cloud-based 2-factor authentication service that I’ve been following for some time. I sat down with Ash at the UWS booth here at RSA (#2240 South Hall). Here's the #1 thing you need to know about Duo Security. It's the easiest and fastest 2-factor authentication solution I've seen. Here are some highlights of our discussion about some of the cool things I like about Duo Security and their new Platform product.

Duo Security is close by at #2345 in the South Hall.

(Transcript below video)

Randy Smith:  Ash, Randy Smith here.

Ash:  Hi, Randy, it’s good meeting you.

Randy Smith:  Yeah, I’ve got Ash here at the UltimateWindowsSecurity.com booth here at RSA. Ash is with Duo Security. I don’t know if you’re familiar with Duo. I wanted to talk to you guys because we’ve actually been using Duo Security as one of our authentication solutions for quite a while. And I don’t want to steal your thunder but what I love about it is that it’s service based. It’s just a token that runs right on your smartphone and it’s so easy to install. Alright, so anyway, like I said, I think it’s a neat solution, but how did you get started? Let me let you put it in your own words, what makes you different from a lot of the other solutions out there?

Ash:  Sure, so a couple of things. By the way, thanks for having me here. We do two factor authentication and that’s what the company started as almost five years ago. What we did is take this very reliable two factor authentication security control and make it radically easy. So when you request two factor authentication, people are used to typing in a six digit number and typically get an SMS or hardware token. We took that away and the end user gets something like this… a push notification. All the end user does is hit the green button, right? If it’s not the authentication they are requesting, they hit the red button. That’s all they do and boom, you’re in. It looks very easy in the front end but in the back end it’s really secure. When they hit the green button, they’re actually signing with their private key on the device and telling them, “Yes, this is really me.” So that’s what the company really started with almost five years ago.

Randy Smith:  The other thing I love is there’s nothing to install except the agent, if you call it that, maybe you have a different word that you prefer. Put the agent on each server you want to control access to. So whether we are using it for our terminal services remote access or different servers for remote desktop. Also we’ve got it integrated into the back end of our website, but that’s all there was to install. Everything else we manage from the cloud.

Ash:  That’s absolutely right, Randy. A lot of our customers get the whole department up and running in three or four hours or less than 4 hours. We’re cloud based, which allows us to do this. We even have something called the “Duo five minute challenge.” If you Google for it you’ll find it. It tells you how to get Duo up and running in less than five minutes. You know, we take pride in that but I think it’s one of those security controls that you want to get up and running as fast as possible.

Randy Smith:  So what is it again that you support?

Ash:  We support all VPNs: Cisco, Juniper, FI. We support RDP from Microsoft. We also support a bunch of web applications. Also a bunch of product applications like Office 365, Google and Google applications, Amazon AWS and so on. Recently we also started supporting all the SSO. If you are using something like OneLogin or Ping or Autha then we work out of the box with all of these as well.

Randy Smith:  So, but, you’ve got this new thing “Platform”. What’s that?

Ash:  Yep. So Platform is a new addition that we launched last week, we’re very excited about it. It takes us beyond 2FA in securing access. It’s kind of a cliché when you say we secure access for any device and any user or any application but that’s really what we’re doing. So some of the functionality that you get is, without installing any agent or any MDM on your mobile device, you can get visibility into one or all of the devices our users may have. Are they iOS devices or are they Android devices and what version of it? Are they jailbroken? Are these free login phones? It’s kind of a mobile compliance without installing an MDM agent. You can also secure access to cloud through policy and control. A typical thing is I want to block users from China logging into my Salesforce.com and you can set that up just by a click of a policy down.

Randy Smith:  So you are able to leverage the fact that you already have an app running on that device so you can do more than just ask the user if it is okay to log on.

Ash:  That’s absolutely right. You know, one thing that a lot of people do not understand is the kind of APIs iOS and Android have and the kind of querying and control you can do just through the APIs. We no longer live in the world of Windows XP where you need an agent for everything. So the app we have on the device talks through the API that does all the querying. These are APIs that were released like ten months ago. So we’re taking advantage of all the APIs and eliminating the need of a ticketing agent or an MDM agent and just doing the right security stuff on the device.

Randy Smith:  Alright, well I’m going to be real interested to see what you can do with that. Well, cool. Thanks. It was nice to meet you and we’re looking forward to learning more about your Platform.

Ash:  Be sure to look on duosecurity.com. Thank you.


Best Practices Primer for Managed File Transfer

Wed, 22 Apr 2015 17:02:46 GMT


  • Why managed file transfer matters
  • The basics of file transfer security and compliance
  • How to improve IT agility with managed file transfer automation
  • Key requirements for managed file transfer solutions
Download now or get your signed copy at booth 2138 South Hall at RSA 2015.

