Tuesday 22 August 2017

SecureVue Review

Risk and Audit Management Platform

 

I recently helped a medium-sized corporation prepare for a security compliance review. It is a necessary step to go through for compliance issues but I dreaded trying to find every node on the client’s network. Once all of the dust had settled I decided to try SecureVue from eIQNetworks. SecureVue combines security information management with real-time governance, risk and compliance to help any organization get compliant and, just as importantly, stay compliant. SecureVue’s integrated model allows logging, configuration and compliance information to be viewed on a single standalone system.

Installation

Installation is fairly straightforward. A pre-process check is performed to verify that the system being installed meets the prerequisites for SecureVue. From there you answer questions about installation locations and IP addresses. A website will be set up for you to view the settings as well. All very straightforward. Once the system has been installed we can get down to the business of configuring our network for discovery and have a look at what the product can do.

Configuration

The first thing SecureVue wants is Data Sources. It needs to know what devices it is getting information from. Many devices can be auto discovered by SecureVue. For those that cannot there is a manual process. The remainder of the configuration revolves around licensing (for which you must have a license file) and editing the collection policy. The collection policy allows you to define various types of data such as that from vulnerability scanners, performance and configuration matrices as well as syslog events. Although this may sound somewhat daunting, the attached guides are concise and very easy to follow. Once the entire configuration has taken place it is time to have a look at the actual ease of use of the product.

Ease of Use

Like many multi faceted systems, SecureVue has a dashboard which easily allows the administrator a quick glance of many of the aspects of the system. SecureVue ships with over 50 predefined dashboards which should satisfy the majority of your needs. If not you can always modify/create your own to best suit your needs. One of the greatest features I found was the auto discovery feature. This allows you to delve deep into your network. Once the discovery has taken place you can drill down on a specific node and bring up a plethora of data on that particular device. This is extremely useful when analysing past events as all of the data can be referenced and shown back to the administrator. If you are more on the lookout for security events, you can use the Topology tab from the dashboard and drill down based on criteria such as policy violations, vulnerabilities and many other security related issues.
All are colour coded based on severity making it very easy to discern exactly what is going on with your infrastructure. Another likeable feature is QuickVue. QuickVue allows an administrator to see all of the details of every node on the network. With a simple click the administrator can then expand that node and obtain information such as summary, dashboards, configuration and vulnerabilities. So if a computer in accounting has a high security risk, using QuickVue quickly allows a drilldown to see why.

Quarantine

When an event triggers a security feature, the event could be placed in quarantine. On very busy networks, it is extremely difficult to sift through all of the logs and decide if something has gone wrong. With the Quarantine feature, any suspicious activity that trips predefined policies allows the system to flag the logs and place them in the Quarantine section. Here the administrator can decide what action would be taken. The analytics the product includes are extremely impressive. Analytics such as vulnerability, configuration, asset and performance are all available at the click of a button, making navigation extremely simple. When you start up SecureVue you feel you are at the helm of a 747, with dials and information everywhere. However, once you start navigating around a little, the initial shock turns into pure glee (for those of us who get excited about anomaly detection and compliance anyway) as the product is taken out for a spin. The reporting is a click away with over 1500 canned reports included. The reports vary in audience from senior management all the way to the security analyst you hired to look at your infrastructure. Filtering makes the reporting versatile and makes it easy to find exactly what you want.



TrueCrypt Review


Introduction


TrueCrypt Partition Selection
It seems as though I have been on quite an encryption kick lately. While not foolproof, encryption adds a substantial layer of security to any system. Encryption helps keep secrets secret. This is not new; encryption and cryptography have been around for hundreds of years. In ancient times, Spartan soldiers would write critical orders on a scytale, which was a sheet of papyrus wrapped around a staff. The correct size staff would cause all of the letters to be lined up and read.

What is TrueCrypt?

While ingenious, such schemes are no match for modern computers, which are extremely good at the guessing computations used to crack the algorithms that encrypt data. The average user most likely has a need to perform some form of encryption (e.g. payroll, secret recipe, etc.), but little idea how to implement it. Public Key Infrastructure (PKI) is daunting. TrueCrypt is a simple tool which allows a user to encrypt and decrypt data on a hard drive, portable hard drive or USB thumb drive as required.
TrueCrypt is an open source project that is extremely simple to configure and use, which is all most people really want. TrueCrypt does not provide boot sector encryption for full disk encryption like DriveCrypt or the upcoming BitLocker in Vista but does allow a user to mount a virtual encrypted volume on a hard drive instead, still very cool.
You can download TrueCrypt from http://www.truecrypt.org/downloads.php.

Features


TrueCrypt Preferences
TrueCrypt allows mounting of virtual encrypted drives. The product can also be used to encrypt an entire partition or a storage device such as USB flash drive to provide a secure location to store files. The encryption is completely transparent.
TrueCrypt also supplies two levels of plausible deniability. I always get a chuckle when I read about this as my mind helplessly slips into cloak and dagger mode. What does this mean? Depending on the password you enter, you can have access to a hidden drive with no files located there or if you enter another password you would have full access to your secret data. That way if you are forced at gunpoint (or a stern look from your wife) to open up and reveal your secrets, you would only have to reveal the non secret drive.
When the TrueCrypt partitions are not mounted, they are invisible to the operating system. They cannot be identified and according to TrueCrypt, they cannot be distinguished from random data.
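What "cannot be distinguished from random data" means in measurable terms, as an added example that is not from the original review or from the TrueCrypt project: a byte-frequency triage of the kind a forensic examiner runs over unallocated space. The SHA-256 counter stream is a constructed stand-in for ciphertext, and the function names and sample buffers are hypothetical.

```python
import hashlib
import math
from collections import Counter

DF = 255  # 256 possible byte values -> 255 degrees of freedom


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chi_square(buf: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform one."""
    expected = len(buf) / 256
    counts = Counter(buf)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def looks_random(buf: bytes, sigmas: float = 5.0) -> bool:
    """True when the histogram is statistically consistent with random bytes.

    The check is two-sided: a histogram that is too flat is as telling
    as one that is skewed.
    """
    spread = sigmas * math.sqrt(2 * DF)  # chi-square(255): mean 255, var 510
    return DF - spread <= chi_square(buf) <= DF + spread


def keystream(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (assumption): SHA-256 in
    counter mode, so the example gives the same result on every run."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


SIZE = 64 * 1024

# Constructed sample buffers, not taken from any real volume.
SAMPLES = {
    "cipher-like": keystream(SIZE),
    "plain text": (b"Payroll for August: see attached sheet.\n" * 4096)[:SIZE],
    # Every byte value equally often: maximum entropy, yet obviously structured.
    "byte ramp": bytes(range(256)) * (SIZE // 256),
}


def triage(samples: dict) -> dict:
    """Return (entropy, chi-square, verdict) for each named buffer."""
    return {
        name: (round(shannon_entropy(buf), 3),
               round(chi_square(buf), 1),
               looks_random(buf))
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, (entropy, chi2, verdict) in triage(SAMPLES).items():
        print(f"{name:12s} entropy={entropy:<6} chi2={chi2:<10} "
              f"random-like={verdict}")
```

A random-like verdict only says the buffer has no visible byte-level structure; it does not prove that the data is an encrypted volume, since wiped or compressed regions can score the same way.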
The product uses a number of selectable encryption algorithms including AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish. You can even use multiple configurations of different algorithms if you want to be super secure.

Usability

The product can create a virtual encrypted partition or a complete encrypted hard drive. The interface is simple and easy to use. One simply selects the device or file to mount and clicks Mount. The user is prompted for a password and the utility mounts the drive as a normal looking drive letter. All files in the mounted drive are encrypted and decrypted on the fly effortlessly. Minimal overhead is introduced.
Please Note: The program does let you “auto” remember passwords when mounting an encrypted volume. It will also let you auto start the program on operating system start-up. You may want to avoid both of these scenarios. The security of encryption lies in the fact that you control when it is being turned on and off. If someone steals your computer, it is extremely easy to bypass a username and password prompt when the computer boots to gain access to the system. If your system auto boots with the password combination for TrueCrypt you have defeated the security you are trying to embrace. Remember to layer those security factors.
The preferences are simple to get used to even for a novice user and basically centre around the aforementioned auto start functions.

Conclusion

For a free utility, TrueCrypt is fantastic. In fact it rivals many paid programs. The algorithms are sound and well tested in the field. The user interface is simple to use and easy enough for a novice while providing enough under-the-hood mechanics to keep the cryptography tinkerer happy as well. TrueCrypt is a welcome addition to any computer requiring simple and effective security and encryption. I give TrueCrypt 4 stars out of 5. If TrueCrypt gets full disk encryption I would lean to 5 out of 5 stars.

SIMP Lite - Secure MSN Chat


Protect Your MSN Chat

Email is a popular communications medium but instant messaging is quickly gaining ground due to its ‘real time’ nature. While it is an effective and quick way to communicate with coworkers, business partners, and even loved ones, it suffers from the same huge problem as email ... the majority of it is insecure!
Every message that is sent is like talking in an over-crowded elevator; everybody who wants to listen to your conversation can because it is sent in clear across the Internet.

Easy to Use Secure Chat for MSN

How do you solve this problem? There is a small security shop based in France (www.secway.fr) named Secway that has created a product called SIMP (Simple Instant Messaging Privacy). This product installs as a complement to most of the major chat clients and provides a secure add-on to your existing chat client. Yes, that’s right: you don’t have to change your existing chat client for a secure one.
SIMP automatically installs itself as a proxy server for your chat client and performs all the encryption and decryption of the chat session before your client ever sees the information. Encryption requires keys and SIMP has a very elegant key exchange process. When you message someone who has SIMP installed SIMP detects this and prompts you to exchange keys. A simple yes or no and you are chatting securely; if the user does not have SIMP installed the conversation continues on without any encryption as it normally would.
Now that you know what SIMP does, let’s have a look at how easy it is to install and configure. This installation is based on version 2.2.4 of SIMP Lite and the MSN Messenger chat client. Installation for other chat clients is almost identical.

ID Vault Review - ID Vault from GuardID Review


Protects You from Phishing and Pharming


Like many people, I find myself purchasing a number of items online. Not only for the convenience (I love having boxes arrive at my house in the mail), but also because I now have access to stores and merchandise I wouldn’t ordinarily be able to track down (Thinkgeek comes to mind).

Background

I also do a fair amount (if not all) of my banking online. Being in the security field, I keep apprised of the security risks that exist with online banking and consider myself aware so as not to be caught in a phishing scam. However, being aware is not enough. Being vigilant is not enough. Anyone can be caught. So is online banking safe? It can be. Recently with the advent of such products as Passmark and Symantec Confidence, banks are starting to take the security of their clients seriously. But what can the average consumer use to help protect them online? One such product I have evaluated lately has been ID Vault by GuardID.
ID Vault provides multi factor authentication in the form of a USB security token with an embedded smart card chip. This USB key stores a user’s sign on credentials which helps to prevent having users type in their credentials at risk of having them stolen in the process.

Setup (4.5/5 Stars)

The setup process is simple. Load the software (which is as simple as clicking Next five times), insert the key and you are ready to go. You will notice a new icon on your menu. Right clicking the menu brings up a menu bar with all of the immediate choices to get you started.
Inserting the key into the USB slot prompts the setup and personalization of the product. The user creates a PIN which is paramount to the security of the device (This is the something you know with regards to multi factor authentication). The next step is the generation of the serial number. The serial number allows you to reset the PIN in case you forget it. DO NOT LOSE the serial number. Write it down and put it in your safe (or Password Safe). Lastly, name the token. The token is updated and ready for use. When all is said and done you will receive a popup that states all is ready. You will also see a couple of popups to let you know that ID Vault has updated to the latest database.

Ease of Use (4.5/5 Stars)

Using ID Vault is very simple. In fact, I must commend GuardID for taking the pain of security out of the product. All is very simple for the average user who has no need to understand the complexity of smart cards or secure tokens. To get started, simply open Internet Explorer and navigate to your favourites. You will notice a new Secure Favourites added to the menu. This is where all of the frequent places you visit will be stored.
Clicking Create a Secure Financial Favourite starts the vault process and you are prompted to choose a financial institution. Unfortunately the software is only geared towards American financial institutions with no mechanism to add a financial institution. However, in fairness you can add a secure website of your favourite bank under the Secure Favourites menu; it just doesn’t appear under the financial institutions menu which may confuse some users. It’s a minor point though and easily worked around.

Select the bank, and enter your credentials using the onscreen keyboard to thwart keyboard loggers!
If the site connects you simply select Next from the menu and the information is stored to your key. The key is updated and you now have an entry under secure favourites. You can have ID Vault automatically pass the credentials if you like each time you visit the site.

Cost (4.5/5 Stars)

Well worth the $49. Period.

Conclusion

ID Vault monitors the financial sites continuously and constantly updates their database to ensure users won’t be caught by a pharming or phishing attack. The use of smart cards is suggested by many financial institutions and the ease of use for the end-user is a welcome sight. I would recommend this product to anyone who banks or shops online. This is a great product for non-security people to help protect them from phishing and pharming attacks. Simple yet effective.

IPCop Firewall Review

Great Open Source Firewall
IT Manager: “We spent a lot of money on our infrastructure. Are we secure?”
IT Support: “Sure…we have a firewall.”
The Support Specialist is perpetuating the myth that having a firewall is the be-all and end-all of security. But a firewall is an important part of any defence in depth strategy to protect your network. Number one of MS’s Ten Immutable Laws of Security states that if the bad guy can change anything on your computer, it is not your computer any more. So, yes, we need firewalls.

Selecting Firewalls

What firewall is best for you is a subject of debate. Your needs, your staff and your budget will play a huge part in determining what type of firewall you will purchase. Some people swear by hardware based firewalls, while others are strong proponents of software based firewalls. Personally, having installed many of both types, the decision comes down to what is best for your company. A smaller company obviously does not have the staff and budget to support a Cisco PIX firewall so in many cases it would be overkill. What is a small business owner to do? Many times a software based firewall will be a better choice. They are configurable, easily updated and much simpler to support. This review will look at an open source firewall called IPCop. We’ll examine it from various angles including ease of setup, configurability and reliability. It wouldn’t be fair to talk about cost, as it is freely downloadable from SourceForge and was the second runner up in the security category in the 2006 SourceForge.net Community Choice Awards.

IPCop the Linux Distribution

You do not need to know anything about Linux in order to install and manage IPCop. If you have a networking background, even from the Windows world, you can get IPCop running in a very short timeframe. Many of my Microsoft skilled networking friends use IPCop for many reasons and most of them are not what you would call Linux users. IPCop is a lean and mean Linux distribution designed to be a firewall. Many small businesses may worry about installing and supporting Linux in their environment. IPCop has simplified the overall experience to the point you don’t even know you are running Linux. IPCop is packaged as a single bootable CD (you download the CD image, called an ISO) that installs everything you need in one quick installation routine; you then manage the firewall from a web interface. No command line and you don’t need to know anything about Linux. This is very powerful for a small business as they can have the power of a Linux based firewall and the simplicity of a web interface.

Feature Set (4 Stars)

The downloadable ISO is only about 50 MB. The ISO is then burnt to a CD and used to boot the computer and start the installation. The good news is that it will run on almost any computer new or old. You probably have enough spare parts lying around your shop to build a computer that will run IPCop. The feature set is long and great for a SOHO business owner. Such things as IPChains-based firewall and the ability to have the outside interface a modem, an ISDN modem, or an ADSL modem adds some flexibility. DMZ support is built in if you require a safe location to allow web access to your servers. Access is gained by port forwarding rules which are simple to configure.
Features include:
  • Firewall
  • Intrusion Detection System
  • IPSEC VPN
  • Caching DNS
  • Web Proxy
  • DHCP Server
  • Time Server
  • Traffic Shaping
  • NAT
So when examining the feature set for a small or home based business, they can take an old or new PC, install IPCop and have a fully functional network server with many of the base services a small business needs. All of the features are managed through IPCop’s web based interface, which is a cinch to navigate, even for the novice.

Setup (4.5 Stars)


© 2006 by Tom Eichstaedt
Once the product has been downloaded, the user can expect 15-30 minutes from start to finish setting it up. There are a number of documents to help set up the product by visiting IPCop Install Docs. The only questions you will have to answer are the type of network cards you will be installing, how many interfaces you want to configure, and their IP addresses. IPCop does a good job of discovering most network cards…even obscure ones. IPCop colour codes its interfaces, making installation even simpler. Red is the external interface (usually used to connect to the Internet) and is completely protected. Green is the internal interface and allows all outbound traffic. Orange is for the DMZ which allows the internal interface to talk to it, but no other network traffic. There is also a Blue interface for wireless configurations. The only caveat you may encounter is if you are using different brands of network cards. If all cards are identical, then IPCop sees them all as active. If you have different cards you will have to tell IPCop to add them.
The system can be easily configured from the web interface once all is configured. The network interface screen shot is a view of the web interface for a system with three network cards.

Sunday 13 August 2017

A Summary of State Data Breach Laws

Know the Laws Governing Data Security Breaches in Your States

 

 

California was the first State to pass a data security breach law. Since then, 43 additional states, along with the District of Columbia, Puerto Rico and the Virgin Islands have passed laws that require public disclosure of data security breaches.
Most states require businesses that own, lease or store personally identifiable information to notify every individual whose personal data is stolen or misused. In some cases, businesses must also contact the major credit reporting agencies, State Attorney General, and the news media.
Data breaches do not always have to be disclosed. Exceptions include the loss of encrypted data, and the judgment of law enforcement authorities that the breach is not likely to result in harm to the individuals. In addition, disclosure is not required if it would interfere with an on-going investigation.
Because of the growing threat of identity theft, Congress is considering several laws that would regulate data security breaches from the federal level. As of this writing, however, data security is still regulated on a state by state basis.
If you store personally identifiable information, you need to be aware of your State's data security breach disclosure laws. To help with your research, the following pages contain links to current laws.


California
California led the charge on data breach and privacy laws, and the policies adopted by many other states are variations on the west coast theme. For that reason, I'll give them top billing.
The State of California has adopted four sets of laws to address privacy of medical information, credit reporting companies, state agencies, and businesses.
Like most of the states that followed suit, California law requires immediate disclosure of data breaches involving personal information. The State makes only two exceptions: encrypted data and publicly available government records. Unlike many states, California residents also have the right to take private action against companies that disclose their information.
New laws and summaries will be added in state by state order, so check back often to access the legislation for your specific state.
Alaska
Alaska's breach disclosure law requires immediate disclosure of data breaches. Like California, Alaska exempts publicly available government data. Disclosure may only be delayed if law enforcement determines that immediate action would interfere with their investigation. If an investigation determines that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required.
Alaska's law also includes civil penalties of up to $500 for each state resident who was not notified of the breach.
You can access the full text of Alaska's breach disclosure law here.
Arizona
The Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have the right of private legal action.
You can access the full text of Arizona's breach disclosure law here.
Arkansas
The Arkansas breach disclosure law requires immediate disclosure of data breaches. Arkansas exempts encrypted data and publicly available government data. Disclosure may be delayed if law enforcement determines that immediate action would interfere with their investigation. If the entity concludes that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required.
You can read the full text of the Arkansas law here.
Missouri
Missouri's breach disclosure law requires disclosure of data breaches without unreasonable delay. Encrypted data is exempted, although the law does not specify an encryption standard. Notification may be delayed if law enforcement believes the notification will impede a criminal investigation. Breaches involving over 1,000 consumers must also be reported to the attorney general's office and all national consumer reporting agencies. Only the attorney general has the authority to bring an action in Missouri; residents do not have the right to take private action. The Missouri breach notification law was passed as part of an omnibus bill. You can read the full text of the bill here.

Securing Your Laptop on the Road

Seven Tips for Traveling with a Laptop

If you lose a laptop, you could be out much more than the money you'll spend to replace the hardware. You may give away sensitive company information and a free ticket into your network. Here are seven things that you can do to keep your traveling computers secure.
Use a Cable Lock
Because a laptop is easy for you to carry, it's also easy for a thief to carry away. A good cable lock can help protect your computer when it is left unattended at your desk. Locks are also an excellent theft deterrent at trade shows and meetings. It's very easy for an unsecured laptop to disappear into a crowd while you are distracted.
Don't Use a Laptop Case
A laptop case only advertises the fact that you are carrying a valuable computer. Try using a padded sleeve in your briefcase, or a backpack with a laptop compartment. The less attention you invite, the better.
Keep Your Eyes Open at Checkpoints
When your laptop trundles down the conveyor belt at airport security, surrounded by shoes and overnight bags, it's easy to lose sight of. Stay focused on your laptop's location as you move through the line and pick it up as soon as it emerges from the scanner. I learned this the hard way on a trip from Virginia to Texas. Leaving security, I grabbed what I thought was my laptop and headed for the gate. Later I realized that someone had already taken my computer and left their very similar model behind.
Back Up Data
The only thing worse than losing sensitive data is losing the only copy of sensitive data. Make sure that your files are backed up - either to your network, or to external media such as a thumb drive - to avoid a total loss.
Practice Good Password Hygiene
Treat your password like your toothbrush - never share it, and replace it often. It's a pain, but frequent password changes do keep you more secure. A good habit to cultivate is that of refreshing your passwords every four to six months. Two bad habits that you need to kick are letting websites remember your passwords and leaving them on slips of paper in your laptop bag or briefcase.
Use Two Factor Authentication
Adding a fingerprint reader in addition to your password gives you an extra layer of protection when you log on. Good security - whether physical or IT - is all about layers. No policy or device will be strong enough to protect you on its own, but every new layer adds strength and toughness to your security plan.
Choose Your Hot Spots Carefully
Not all WiFi connections are equally secure. It may be possible for a clever hacker to read all of your work - including passwords and account numbers - as you sip your coffee and type. For more information on hot spot security.