Inside Intels launch into security

We talk to Intel about their new Anti Theft Technology and their collaboration with WinMagic
To share or not to share? How to keep your sensitive corporate data secure Websense announce ESG Email Security Gateway completes the unified TRITON platform How to secure your Wi-Fi Best practices for implementing enterprise wireless security

Spring 2011

Introducing SecurityPlus
The leading security magazine
Welcome to the latest edition of Securityplus produced by Uniq Systems and e92plus. Being responsible for the security of your companys data or network is currently one of the toughest positions to be in. End users want full access to networks to perform their jobs, build business relationships and access external information. Opening up a network to external resources results in a number of possible security problems but if you dont, employee productivity can suffer. The articles in this edition look at the conundrum and discuss the options available. For IT security professionals it all comes down to balance and acceptable risk. If after reading this edition you have any questions or you would like additional information please give me a call on 0118 927 2700 or send me an email at sales@uniqsystems.co.uk Anjam Sohail Technical Director Uniq Systems Ltd

Inside this edition

Page 3 Meeting the challenge of modern email threats with Websense Email Security The risks associated with email have changed significantly over the last few years. Page 4 Is your sensitive corporate data secure? The challenge of sharing key information without compromising security. Page 5 What hackers know that you dont Bridging the gap between on-premise and hosted security solutions. Page 6 Revolution through evolution: the launch of Intelligent Whitelisting Reduce operational headaches, remove endpoint complexity and lower TCO. Page 7 High security, low cost 2FA Authenticating users is an essential security issue to tackle today. Page 8 Interview with Intel We speak to Intel about their entrance into the security market. Page 10 Is your Wi-Fi network secure enough? What are the best practices when it comes to enterprise wireless security? Page 15 Page 15 Page 14 Page 13 Page 13 Page 11 Global Radio authenticate with 2FA How they maximised flexibility offered to their workforce using 2FA via mobile phone. Page 12 The secret key to your network The importance of implementing a log management process. New SMB focused storage products Sophisticated storage solutions from Drobo for small and medium businesses. The worlds first portable, encrypted private web browser Unparalleled web surfing privacy via USB. Securing your VPN traffic How to avoid the security loopholes associated with remote VPN access. LG offer a recession beating solution Meeting the demand for low-cost desktops. Does poor AV performance turn you off? Why 25% of users admit to turning off their anti-virus protection.

Page 2

Meeting the challenge of modern email threats with Websense Email Security
When you examine the challenge that companies are facing when it comes to modern email security, it becomes apparent that the threats and risks associated with email have changed significantly over the last few years.
Inbound Threats Spam Viruses Malicious URLs

Websense Email Security Gateway Anywhere

SaaS Offload all inbound email processing Maximise resiliency by queuing inbound email in the cloud Reduces network and bandwidth load

89.9% of all unwanted emails contain links to spam sites or malicious websites.
Websense 2010 Threat Report

Outbound
Data leaks Acceptable use Compliance

Websense V-Series Appliance TruEmail DLP Unified Policy Control and Reporting Across Email, Web and Data

Today email security and Web security have converged. In a recent threat report conducted by Websense, over 89% of unwanted email contains an embedded link to a website. Email is typically the lure to a website that delivers the attack and more often than not, the website itself is a legitimate site that has been recently compromised. This makes it nearly impossible for legacy signature and

reputation-based security to provide adequate protection. It also underscores the importance of dynamic Web security intelligence in stopping email security threats. Websense Email Security Gateway is the only email security product anywhere that offers embedded, enterprise-class data loss prevention (DLP) that screens incoming email for blended threats that contain links to malicious websites, invasive script, or other web threats. Use of the extremely

granular policy controls guards against outgoing malicious or accidental data loss. Websense ESG also taps into their hosted email security offering, intercepting all spam and other unwanted email in the cloud, freeing up your servers and preserving bandwidth. Whats more, it is all wrapped up into the single TRITON interface meaning you dont have to worry about the extra expense and complexity of multiple vendors or interfaces.

What is Websense TRITON?

The Websense TRITON solution consolidates web security, email security and data loss prevention (DLP) into a highly flexible and scalable architecture that unifies content analysis, platforms, and security management. The unified platform offers several benefits. First, the freedom of deploying content security solutions in the cloud or on-premise offers the flexibility to meet changing security requirements. Second, the on-premise platform is highly integrated, enabling web, email, or data security solutions to operate on a single appliance. Finally, tight integration between the cloudbased and on-premise platforms through Websense TruHybrid deployment enables you to best meet the needs of headquarters, remote offices, and mobile workers. Unified management spans the Websense hybrid deployment option ensuring that remote office and mobile workers receive the same high-quality protection consistent with their HQbased colleagues. And you receive a single interface with management and reporting capabilities for Websense web, email, and DLP technologies. Compared with narrowly focused point solutions, the TRITON solution provides unrivalled visibility into an organisations computing environment and application traffic, thereby delivering superior flexibility and control.

request an evaluation at www.securityplusonline.co.uk/uniqsystems/ websense

Page 3

To share or not to share: Is your sensitive corporate data secure?

In todays world, mission critical data needs to be shared quickly and securely. The increasing requirement to send information between users all across the globe means that sensitive data is constantly at risk. With the rising sophistication and frequency of threats, its essential that information is secured no matter where it is, how its sent, or who its being shared with. The Challenge A critical part of todays business operations is the efficient sharing and distribution of information between employees and nonemployees such as contractors, vendors or partners. Organisations depend upon users being able to collaborate easily and share information quickly. The challenge is how to easily secure sensitive information whilst making it available to legitimate users when and where they need it. For example, attaching a confidential document to an email is an easy and efficient way of transferring information, but how secure is it? If the document is highly confidential and contains valuable information, what protection methods are used whilst the file is in transit, and after its received? The result of insufficient data protection methods can result in damaging data leakage. Whats the real impact of data leakage? In a recent survey conducted by Forrester titled The Value of Corporate Secrets, the associated cost of a data leak derived from a rogue employee stealing sensitive company documents was estimated to be at least 250,000. Meanwhile the cost of a data leak from an outside business partner losing or abusing sensitive information was over 75,000 per incident. Breaches of data security dont just have direct financial impact. They can also lead to bad press, lower customer confidence, brand and reputation damage and potential fines imposed by regulatory authorities. Think Data-Centric Security Securing your network, devices and applications is one step in the overall security chain but what about securing the data itself? Encrypting an entire laptop doesnt help to protect data when being shared: it only addresses the loss of the device and data at rest, and does not help in securing data that needs to be shared in order to be used effectively. Transmitting data securely from point A to point B is just one step in its journey but what happens when it reaches point B, the recipient? How do you ensure that the data, now it has safely reached its destination, is only accessed by the recipient you want to access it and not by anyone else? To use the information it has to be opened in a decrypted state, leaving the possibility for mistaken or malicious disclosure. By applying data-centric security, companies can ensure that the information itself has a persistently applied level of security around the document itself, thereby keeping it safe wherever it needs to go. This also means that additional layers of security can be introduced, enhancing the data owners ability to control what can happen to the information, who can access it, when they can access it and where. With these parameters in place, companies can define everything needed to ensure information security both internally and externally to the business whilst still remaining flexible and with enough granularities to cope with the many different levels of access different parties need. Introducing Celestix BSA As a global leader in securing business information, Celestix Networks is bringing to market the BSA appliance to specifically address the critical data protection challenges businesses face. Celestix BSA is an integrated appliance solution that delivers:

Information Rights
Management ensuring the right people get the right level of access to the appropriate files.

Secure Managed File Transfer

- industry leading 2048-bit encryption applied to both the transfer and to the file itself.

Persistent Data File

Encryption Protection applied to any file type, any transport method and whilst in storage.

Auditing & Compliance

Reporting Supports regulatory compliance by providing reporting and audit trail functions of the file activities. For the first time your sensitive information can be made available for distribution and collaboration on your terms, without the risk of interception, unintentional loss or theft. Celestix BSA keeps control of your sensitive data no matter where it goes or who its being shared with.

find out more at www.securityplusonline.co.uk/uniqsystems/bsa

What hackers know that you dont: Cloud security for web 2.0
Many organisations are finding that the weakest link in the security chain is the endpoint device, or more specifically, the end user. Whether it is through carelessness, ignorance, malicious intent or just plain ignoring the rules, end users introduce all sorts of security ills into a business network. However, one of the biggest considerations for network managers today is the need to provide flexibility. Todays workers have come to rely on social networks, websites and electronic messaging to gather the information needed to perform their jobs, build business relationships and access external information. Those necessities create a conundrum for security professionals: on one hand, administrators can limit the access to those resources, but productivity will eventually suffer, while on the other hand, opening up a network to external resources can result in a myriad if security problems. It all comes down to balance and acceptable risk. Simply put, all that typical end users desire is unhindered access to the resources they need to perform their duties. For IT to provide that access, a multitude of security services need to be implemented, all without burdening the end user and still offering the highest level of protection. These requirements are often beyond what can be done with desktop or endpoint-based security products, forcing IT to adopt highly integrated security solutions which are burdensome, expensive and short of fully reliable. Finally, there is an increased administrative burden in the form of security. Most Web 2.0 services allow users to bypass corporate controls and access applications directly, leaving only local (PCbased) security and possibly the corporate firewall between the enduser and the application. The problem worsens when mobile users and remote offices are added to the equation. Simply put, premise-based security solutions cannot scale beyond the corporate edge. One way to address the problem is to use hosted security solutions to protect users from the security problems created by hosted applications. That concept completely changes the dynamic of dealing with security. In practice the user is always protected, regardless of what they are connecting to. Ideally, a fully implemented security cloud solution will handle and control all web traffic between the user and their destination, regardless of the users location and connectivity methods. Barracuda Flex is a cloud-based secure Web gateway that protects users from malware, phishing, identity theft, and other harmful activity online. The service sits between a companys network and the internet to protect the companys users as they conduct business-critical activities on the web. The management is handled through a familiar Barracuda console interface, with infinite scalability to allow your business to grow without necessitating expensive hardware or software upgrades.

Typical challenges with web 2.0

Users trust website content without hesitation. People will click on links - and that applies equally to a contact on LinkedIn as it does a surfing cat on Facebook. Most people trust social network users. Despite the ubiquity of anonymity online and the inherent dangers we all know, most people will trust a familiar name. Nobody resists free Wi-Fi. The temptation in the coffee shop is to just quickly check those emails, but one simple bad connection can blast a gaping hole in your network. End users execute code from places they trust. They cant help it - Trojan-laced banner ads on Web 2.0 sites such as MySpace often require no user interaction to activate infection. Browsers are the new security flashpoint. We all need them, but IT departments cant control them and zero-day vulnerabilities have replaced AV as the distribution method for malware.

request an evaluation at www.securityplusonline.co.uk/uniqsystems/barracuda

Page 5

Revolution through evolution: the launch of Intelligent Whitelisting

The current approach to protecting endpoints is ineffective, and this is costing organisations time and money. Malware has exploded; endpoint complexity continues to increase due to the many 3rd party and so-called Web 2.0 applications; and security products today are more complicated than ever. Adding to the challenge is stagnate IT budgets. Application whitelisting, sometimes referred to as application control, is one of the original security models. It prevents any program file / executable from running unless explicitly permitted in the whitelist. By creating a whitelist of known good applications, everything else malware, unwanted applications, unknown programs, etc. is blocked until authorised to run. While few doubt its effectiveness as a security tool, historically it has not been flexible enough for the modern enterprise. The Past At the dawn of the modern computing age, computers and devices arrived with all features, services, and ports turned off by default and thats where they stayed until someone explicitly authorised and enabled (or whitelisted) them. As computer use flourished outside of the server room and as more users required a growing number of new applications, IT managers found whitelisting too restrictive, too inflexible, and too difficult to manage within the modern enterprise. So, while effective, application whitelisting became a security tool generally reserved for static environments such as mission critical servers, kiosks, POS systems, and the like. The Present Today, the vulnerabilities in operating systems and 3rd party applications are increasing; according to NSS Labs, historically about 6,000 to 7,000 vulnerabilities were found in applications in any given year, but in 2010 the count was closer to 10,000. The malware being pushed out to exploit vulnerabilities have exploded both in number and sophistication. Hackers are layering complex methods that subtly alter single pieces of malware to make them look like hundreds of different applications to the blacklist signature (AV) engines. Additionally, as malware has exploded, so have the costs associated with it, including rising help desk calls, tier 2 and 3 event management, HD re-imaging, network downtime, lost employee productivity, and so on. The Future One can distil the root causes of most endpoint security issues to a single core issue: a breakdown in change control. Whether that manifests itself through malware or end users installing unauthorised applications, the lack of an established change-control policy or the ability to enforce this policy is adding to the security and operational overhead in todays IT environments. Advances in application whitelisting now focus on making the technology more flexible for todays dynamic endpoint. New levels of intelligence are being added through trusted change engines and whitelist management can integrate with other tools like patch management. And no longer is application whitelisting an alternative to antivirus. AV will continue to play a role in endpoint security, as will patch management and other technologies like device control. But now application whitelisting will play an increasingly important role in your defence-in-depth approach to endpoint protection. Lumension Intelligent Whitelisting is the industry's first integrated, application whitelisting solution that combines patch management, application control, anti-virus, and trust-based change management into a single, unified workflow. Delivered through LEMSS Management Console, Intelligent Whitelisting helps you to reduce operational headaches, remove endpoint complexity, lower total cost of ownership and regain control of your endpoints.

Continuous Protection quickly

enforces whitelist policies to prevent untrusted changes

Simplified Deployment
provides a snapshot to define policies

Flexible Automation allows onthe-fly policy changes to facilitate authorised updates

Unified Workflow integrates

Application Control, AV and Patch Management into a seamless workflow

Page 6

learn more at www.securityplusonline.co.uk/uniqsystems/lumension

HOTPin from Celestix: High security, low cost two-factor authentication

Introducing HOTPin 3.0 Next Generation Tokenless TwoFactor Authentication (2FA). Form grabbers, keyloggers, and phishing are a few of the tools hackers use to steal user-login IDs. Selling stolen IDs has become a sophisticated business, which brings up the question: who really is on your network? Authenticating users is the right security issue to tackle today. Celestix has introduced the latest version of its leading 2FA solution, HOTPin 3.0. HOTPin enables organisations to leverage their existing infrastructure and resources to add another layer of security for remote access. It positively verifies who gets access to resources by adding a second factor of authentication using OTPs (One Time Passwords) that can be used in conjunction with a PIN. OTPs are delivered via email, SMS text or soft tokens via the users mobile device. Soft token devices include iPhone, Windows Mobile, Windows, Symbian, Android, and Blackberry. Whats new with HOTPin 3.0? Although HOTPin was the first 2FA system fully integrated with Microsoft Unified Access Gateway (UAG), the new version of HOTPin can now be integrated with any SSL VPN or firewall product, or it can be deployed as a standalone appliance solution. It also adds further integration with Microsoft technologies such as DirectAccess and Active Directory. Other highlights include advanced user reporting capabilities and integrated high availability options. Enhanced security for DirectAccess from Microsoft With todays workforce more mobile than ever, providing a seamless connection to internal resources for remote employees is a key benefit of DirectAccess (DA), but also creates a new level of risk. DirectAccess from Microsoft is exclusive to Windows 7, and provides the ultimate user experience when working remotely by providing full desktop access to the network. HOTPin integrates with DA to add another layer of security by requiring users to enter an OTP before they can access the network. The HOTPin/DA combination helps organisations to ensure their resources are protected, even with always on remote connectivity. Simplified remote access HOTPin provides a single, integrated platform for strong two-factor security using existing infrastructure investment. It is easy to setup and deploy to large numbers of geographically diverse users and it meets the demands of industry regulations like PCI DSS, FFIEC, HIPAA, and Sarbanes-Oxley. HOTPin delivers a feature-rich authentication solution at a fraction of the cost of competing 2FA options, and it scales with the needs of any sized organisation.

Why use soft tokens for 2FA?

With HOTPin from Celestix, you can enjoy the benefits of soft tokens the simple alternative to traditional hard tokens that deliver fantastic benefits:

Great for extranet partners,

customers or contractors - no need to redistribute hardware tokens after short-term use and you can repurpose user licencing on the fly. expensive hardware tokens.

Enjoy a lower cost, by avoiding Stronger compliance with PCI, Increased employee mobility,

SOX, HIPPA and other regulations. without worrying about keeping the token with you - everyone always has their mobile to hand. you on the leading edge of 2FA. Microsoft infrastructures for reliable operations. expired hardware tokens to send to landfills.

State of the art technology keeps Highly interoperable with

Lower environmental impact: no

request an evaluation at www.securityplusonline.co.uk/uniqsystems/ HOTPin

Page 7

Its not just your PC - its your business We speak to Intel

Intel Anti Theft Technology (Intel AT) is technology from Intel that provides intelligent security for lost or stolen laptops all built into the hardware, and gives you protection no matter what happens to the laptop*. capabilities. WinMagic has enhanced their product to leverage these hardware capabilities, which in turn provides a more robust offering to their customers. Intel has chosen to collaborate with WinMagic to include an encryption solution in Intel AT. Can you tell us more about how the two solutions work together, and why you have chosen WinMagic as a key encryption partner? As I mentioned earlier, WinMagic has incorporated support for Intel Anti-Theft Technology into WinMagics SecureDoc console to allow a service provider or IT department to manage SecureDoc encryption and Intel AT from the same console. On an Intel AT capable notebook, encryption keys are stored in a protected area of the Intel manageability engine. When the PC is marked as stolen, access to this protected area, including the encryption keys is disabled. Utilising this unique hardware feature provides for a more robust and more secure solution. WinMagics SecureDoc full disk Encryption, support of Opal Self Encrypting drives, and support for Intel AT provides a very robust security solution for the customer who needs to ensure their data is encrypted. The combination of Intel AT with SecureDoc encryption provides a very powerful solution to protect critical data. The development of Intel AT is a significant move for Intel, as it has not only brought you into the security market but also into services. What were the key drivers for this move? Intels focus for 2011 is in three areasEnergy Efficient Computing, Connectivity, and Security. Every week in the news, we hear about some website thats been hacked, a notebook was stolen with customers data, or some new internet fraud schemeSecurity is becoming more and more important and Intel believes that leveraging features in our silicon, Intel, through our ISVs like WinMagic, can provide more secure, differentiated solutions to their customers. Intel Anti-Theft Technology is one example, as well as Intel Identity Protection Technology (Intel ITP). How do security resellers add value to Intel AT? Security solutions can have a high level of complexity and security resellers play a vital role in the selection, implementation, and support of those solutions. Without security partners like Uniq Systems, many companies would be forced to enter this market alone. Customers, both large and small, need a trusted advisor to help them understand the changing technologies and to help them select the right solutions. Intel AT can be a component of a security resellers portfolio, which could include Intel AT, encryption and complimentary services such as backup and restore, help desk, and management. This portfolio can even be sold as a service, hosted and managed by the security reseller. IT budgets are under severe pressure due to the economic challenges many organisations are facing, so how does Intel AT deliver ROI (Return on Investment) to the user? The ROI will vary, depending on a number of factors ISV, usage model, mitigated risk, and the endusers business. In many cases, Intel AT is sold as part of the ISVs solution, so the ROI for Intel AT becomes part of their value proposition.

We spoke to Glenn Le Vernois, of Intels Services Program Office, about Intels entrance into the security market, their collaboration with WinMagic and the future of data security. Hello Glenn, and thanks for speaking to SecurityPlus. Can you tell us about the Intel AT service, and what it means for your customers? Intel Anti-Theft Technology (Intel AT) can remotely disable a PC should it become lost or stolen. If stolen, a Poison Pill can be sent to the PC over the internet or via 3G text message which immediately disables the system. In addition, the system is required to check-in (rendezvous) with a server on a predetermined interval. Should the system miss a rendezvous, it will assume that its lost or stolen. Intel Anti-Theft Technology utilises a special capability in the Intel chipsets manageability engine, which provides special hardware

Page 8

looking to find out more about Intel Anti-Theft?

Interview with Glenn Le Vernois

The primary usage models for Intel AT is to disable the PC, however there are other benefits / usage models which may solve problems that some companies may have not considered: Securing confidential data is a broad topic, as security is a key focus for Intel, we will continue to add new technologies to our processors and chipsets which can be leveraged through our ecosystem of ISVs and security resellers to enhance the solutions they deliver to their customers. As cloud computing becomes a new norm, it will present new challenges and opportunities in this space...beyond that, your guess is as good as mine! You can find out more about Intel AT and how it integrates with WinMagic to provide comprehensive security for your laptop at www.securityplusonline.co.uk/ intel or antitheft.intel.com
Intel, the Intel logo and the Intel Anti-Theft Technology mark are the trademarks of Intel Corporation in the US and/or other countries * No system can provide absolute security under all conditions. Requires an enabled chipset, BIOS, firmware and software and a subscription with a capable Service Provider. Consult your system manufacturer and Service Provider for availability and functionality. Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. For more information, visit www.intel.com/go/anti-theft

Working with Encryption ISVs,

Intel AT can provide enhance encryption by leveraging unique capabilities in the Intel manageability engine. Using encryption technology and Intel AT can mitigate risk of data loss in the case of a stolen notebook.

Some Telcos are using Intel AT

as a way to ensure customers who finance the purchase of a PC through their monthly billing, continue to pay their bills. In some countries theft of notebooks is very high and Intel AT can reduce theft, as the system will become locked down if stolen, so greatly reducing the notebooks value post-theft. Finally, what do you see as the major challenges for organisations in securing confidential data over the next 5 years, and what role will Intel AT play in meeting them?

Other ISVs can provide a

mechanism for recovering the lost or stolen notebook, as it will beacon its location to that the system can be recovered.

Some school districts use Intel AT

to disable notebooks during school breaks deterring prospective thieves.

Some ISVs support geo-fencing,

which allows the PC to only operate within this pre-defined area.

Delivering Intel AT with WinMagic

The continued rise of the mobile workers combined with an ever increasing volume of data has presented IT departments with more challenges than ever before:

one management console for all notebooks embedded with Intel AT. WinMagic provides a data protection solution that protects endpoint devices, removable media, sensitive files, applications, residual information (such as temp files), and the operating system from unauthorised access. Through the SecureDoc Enterprise Server (SES), it is possible to disable user access to the data in a nondestructive manner. Even if the user (for example, a terminated employee) still has valid credentials and moves the drive to another machine, the user will not be able to access the data. The solution is flexible to configure, and simple to deploy. The built-in, tamper-resistant security renders a laptop unusable while also blocking access to the valuable information stored on its encrypted hard drive. It also features customisable recovery

messages to encourage the computers safe return. And once returned, its simple to reactivate the laptop without harming the hardware or data. Intel AT is available today in partnership with WinMagic, providing you with a strong anti-theft protection solution for lost or stolen laptops . For more information on the service, or to request a demonstration of the solution, visit our website. You can also find out which laptops are already equipped with Intel AT technology at http://antitheft.intel.com.
1 2 3

The average cost incurred due to a

lost laptop is $49,246 1 More than 88% of all cases in this years study involved insider negligence 2 Each year, 2m notebooks are reported stolen and 97% of stolen computers are never recovered 3

To provide organisations with a complete, fully integrated solution WinMagic combines Intel Anti-Theft Technology (Intel AT) with full hard disk & removable media encryption in

Ponemon Institute, Feb 2009 Ponemon Institute, Jan 2009 Processor, May 2006

visit us at www.securityplusonline.co.uk/uniqsystems/intel

Page 9

Are Wi-Fi networks secure enough for the enterprise?

Wireless networks are common today in many security conscious industries such as government, healthcare, and financial services. You might be wondering how such organisations are even able to deploy wireless networks given some of the well-publicised attacks on wireless security, for example the one that affected TJ Maxx in the United States circa 2007. Historically, the most significant WiFi attacks have been due to reliance on an outdated security standard called WEP (Wired Equivalent Privacy). Today, if wireless security is planned with defence-in-depth in mind, the wireless network can be equal to or more secure than a wired network. Defence-in-depth provides different layers of security through mechanisms such as encryption, authentication, firewalls, and intrusion detection & prevention. This article will discuss best practice recommendations for each of these. WEP was the first wireless encryption standard but was cracked within a few years after its inception. Unfortunately, the knowledge of this failure has propagated in the minds of people today. To address the security hole of WEP, the Wi-Fi industry instituted WPA (Wi-Fi Protected Access). WPA came out in two different versions WPA and WPA2. The WPA and WPA2 frameworks can be implemented in two different
Standard WPA2 Enterprise WPA2 Personal WPA Enterprise WPA Personal WEP First Certified 2004 2004 2003 2003 2000 Encryption AES AES TKIP TKIP WEP Authentication 802.1X w/ EAP Pre-Shared Key 802.1X w/ EAP Pre-Shared Key Shared Key / Open Relative Strength Very High Moderate High Moderately Low Low

ways, Personal and Enterprise. WPA/ WPA2 Personal use pre-shared keys with the same key placed into both the access point and the wireless station (e.g. laptop). The key is used to authenticate the station and encrypt its traffic. Unfortunately, WPA/WPA2 Personal is subject to offline dictionary attacks. WPA/WPA2 Enterprise leverages a server-side digital certificate on a RADIUS server. Client-side credentials vary and can include username/password combinations, tokens, or digital certificates. Additionally, WPA2 uses the best-inclass Advanced Encryption Standard (AES) which is currently considered unbreakable. The Wi-Fi security standards are summarised in the table above. Once authenticated into the wireless network, it is best practice to use an integrated stateful firewall to further segment access to network resources. Firewall rules can then be written to allow or deny access based on factors such as IP address, port, service, or time of day. Another important piece of security on Wi-Fi networks is wireless intrusion detection & prevention systems (WIDS/WIPS). These systems scan the air, either via dedicated sensor radios that scan 24 hours a day or by time-slicing. Time-slicing sensor radios also serve wireless stations and so periodically scan off-channel to detect threats to the network, reducing the amount of effective time they have to scan.

In addition to these technical mechanisms, do not overlook the basics. Change default values such as the administrator username and password, SNMP community strings, etc. The following summarises best practices with regards to enterprise wireless security:

Implement WPA2 Enterprise

where possible this is the most important one. Using WPA2 Enterprise eliminates the impact of many attacks.

If using WPA/WPA2 Personal, use

long pass-phrases (a minimum of 15-20 characters) which are much more resistant to attacks.

When implementing WIDS/WIPS,

choose a solution with dedicated sensors to provide 24x7 protection.

Segment users into different

groups and leverage firewall rule sets to give each group only the access they need.

Dont overlook the basics, such as

changing default values and enduser security awareness training. All things considered, is wireless secure enough for your organisation? Absolutely. By implementing the idea of defence-indepth and following best practices, wireless can be equally (or more) secure than wired networks. Xirrus is the leader in high performance Wi-Fi delivering unmatched performance, giving you greater capacity and bandwidth with fewer devices, ports and cabling.

Page 10

watch our videos at www.securityplusonline.co.uk/uniqsystems/xirrus

Tune in for secure remote access! Global Radio authenticate with 2FA
Boasting the number 1, 2 and 3 commercial radio brands in the UK, Global Radio is the model of efficient, brand driven, market leading radio with brands including Heart, Capital FM and Classic FM. Global Radio was looking for an effective, costeffective and user-friendly authentication solution to secure remote access for website content editors working from home updating online content. However, there were a number of additional key requirements: dont have to worry about the distribution, and the authenticators can be managed centrally by the company. However, we had already made security investments previously so it would have been a shame not to use the hardware authenticators as well. DIGIPASS for Mobile is our main solution, as it offers more flexibility and a very soft touch way of deployment and at the same time leaves the company in control of the authenticators. DIGIPASS GO3 and Virtual DIGIPASS are rather used as back-up or emergency solutions, in case there is a problem with an employees mobile phone.

The ability for any system to

grow for use in future deployments across more sites

Work with existing hardware and

software solutions

Be up and running in 8 weeks!

Having chosen VASCO, the new solution combined hardware and software options to maximise flexibility offered to the workforce. The key principle of VASCOs strong authentication solutions is the replacement of weak static passwords with more secure dynamic ones. Unlike traditional static passwords, dynamic passwords or OTPs (one-time passwords) are only valid for a limited amount of time and can be used only once. Possible password abuse is thus minimised, as it becomes impossible to re-use the password even if it were intercepted. Global Radio deployed VASCO in a flexible way, providing 3 different options for users. For example, the content editors will be able to generate an OTP at the push of the button of the DIGIPASS GO3 hardware authenticator.

Remote workers using a Virtual DIGIPASS to log in type in their user name and PIN. A text message containing the OTP is immediately sent to their mobile phone. However, the main authenticator to secure remote access for Global Radios home workers became VASCOs DIGIPASS for Mobile. The principle of OTP generation is the same as in hardware authenticators, but in this case the mobile phone becomes the authentication device. DIGIPASS for Mobile software creates the OTP that the user needs instantly and easily. DIGIPASS for Mobile is one of the main reasons we chose VASCO as a strong authentication supplier, says Ross Draper, IP Infrastructure Manager at Global Radio. There are a lot of benefits to using a mobile phone as an authentication device. You dont have to provide your employees with hardware authenticators, when managing many devices can be difficult and costly, as people can lose them or break them. DIGIPASS for Mobile is a budget friendly solution: you

VASCO offers us a costeffective, user-friendly solution...with home workers using DIGIPASS for Mobile, there have not been any incompatibility issues or questions about deployment from end-users. Ross Draper
IP Infrastructure Manager Global Radio

VASCOs authentication solutions also offer an opportunity to further develop the companys security infrastructure. The high scalability of the VASCO IDENTIKEY Server allows Global Radio to easily add more users and applications, and the flexibility of DIGIPASS for Mobile provide a way to use strong authentication for additional purposes in the future - such as for Network Logon or securing web applications.

request a free demo token at www.securityplusonline.co.uk/uniqsystems/VASCO

Page 11

The secret key to your network: Unlocking the value of your log data
Organisations today are deploying a variety of security solutions to counter the ever increasing threat to their email and internet investments. Often, the emergence of new threats spawn solutions by different companies with a niche or a specialty for that specific threat whether it is a guard against viruses, spam, intrusion detection, spyware, data leakage or any of the other segments within the security landscape. This heterogeneous security environment means that there has been a proliferation of log data generated by the various systems or devices. As the number of different log formats increases coupled with the sheer volume of log data, the more difficult it becomes for organisations to turn this data into meaningful business information. Transforming data into information means that you know the who, what, when, where, and how giving you the ability to make informed business decisions. There is no point capturing data if you do not use it to improve aspects of your business. Reducing recreational web browsing, improving network performance, and enhancing security, are just a few outcomes that can be achieved using information from regular log file analysis. However, who has time to review the logs of all the network devices...let alone make sense of them? To achieve these outcomes, it is important for organisations to have a log management process in place with clear policies and procedures and also be equipped with the appropriate tools that can take care of the ongoing monitoring, analysis and reporting of these logs. So, heres a few tips on what can be achieved through effective log reporting. 1. Establish acceptable usage polices - this is the first step towards reducing inappropriate usage before you implement any form of filtering, and essential to ensure the workforce understands what the rules are. Improvements are often seen early on if the staff know the reporting is in place. 2. Establish your reporting requirements, especially to ensure you meet any obligations under any laws or regulations relevant to your industry or geography. Its all important to examine who needs reports - senior and line management would often benefit as well as the IT department. 3. Research your existing capabilities - you may find that many devices produce logs (including proxy servers, firewalls, routers and email servers) that could give you an insight into data loss or remote access activity. 4. Establish log management procedures - its important to establish and maintain the infrastructure and administration for capturing, transmitting, storing and archiving or destroying log data. 5. Establish standard reporting procedures - regular reporting is essential to ensure that initial improvements are maintained. Its also important to store user reports in a secure location to ensure confidentiality is maintained. 6. Assign responsibilities - its essential to identify roles and responsibilities for taking action on events, remembering that responsibility is not only the security administrators domain. 7. Review and adapt to changes because of the metamorphic nature of the security environment it is important to revisit steps 1-7 regularly and fine tune this process to get the maximum value from your network logs. WebSpy are a leading global provider of solutions that provide a transparent view over organisations internet, email and network usage. They enable organisations to protect and maximise their internet investment and enjoy the benefits of a web-enabled environment while reducing costs and minimising organisational risk.

We needed accurate reporting of web usage and the ability to analyse where our bandwidth was going...WebSpy allowed us to understand exactly that. Codemasters UK

The benefits include the ability for real time monitoring of internet access by staff....since installation we have reduced our internet traffic by 30% which resulted in significant savings and reduced wasted productivity. Mitcham Council

Page 12

learn more at www.securityplusonline.co.uk/uniqsystems/webspy

Drobo enters the business arena with new business focused storage products
Drobo, makers of the award-winning data storage product, have introduced a new line of sophisticated yet easy-to-use and affordable storage solutions for small and medium businesses. The new Drobo business systems are optimal as primary and secondary storage, as well as departmental file-sharing or offsite backup, and server virtualisation deployments including those using VMware solutions. "VMware recognises the importance of affordable storage alternatives for firms implementing virtualisation as they continue on the path toward IT as a service," explained Parag Patel, vice president, global strategic alliances, VMware. "Like larger organisations, SMBs are looking for ways to improve productivity and lower IT costs. Drobo streamlines VMware-virtualised storage for SMBs by delivering storage that is simple, scalable and automated - all with an affordable price tag. With more than 150,000 customers worldwide, Drobo has been embraced by individual professionals and small businesses globally. The new Drobo business systems up the ante with improved system performance and redundancy, a new business-oriented dashboard and control panel and upgraded business support options - all while maintaining Drobo's breakthrough ease-of-use and the BeyondRAID data protection capabilities that define the Drobo brand. Drobo's new business line also includes performance enhancements, new management software and extended business support and services, in addition to the existing ease of use, affordable capacity and storage features that set Drobo apart from any other storage product on the market. The systems are based on the patented BeyondRAID technology and are certified for VMware, Citrix, Microsoft Exchange and Symantec backup.

watch the video at www.securityplusonline.co.uk/Drobo

Encrypt Stick release the worlds first portable, encrypted private web browser
The long anticipated Digital Privacy Browser has been released by ENC Security Systems - makers of the 'unhackable' Encrypt Stick USB drive software. The Encrypt Stick Private Browser runs from your USB drive and provides unparalleled web surfing privacy as it leaves behind no trace whatsoever on the host computer. Recently publicised issues uncovered in many popular web browsers has brought to light the fact that in Private Mode these browsers still leave a trail of browsing history to be left behind on your computer. The Encrypt Stick Private Browser ensures that even if someone gains access to your computer, they will never know where you have been on the internet. It maintains private bookmarks and a cache to improve performance in an encrypted vault on your USB drive. This allows you to then plug the USB drive into virtually any computer in the world knowing that you and your browsing history are protected. The Encrypt Stick Private Browser is now available as part of the Encrypt Stick USB drive encryption software.

Download your copy at www.securityplusonline.co.uk/uniqsystems/ encryptstick

Page 13

Threat Free Tunnelling: Securing your VPN traffic

Before the internet, for computer A to talk to computer B located in a different office, physical wire connections were used. For security reasons, you would want to ensure that only your two computers used that line, so you would contract with a vendor to lease that circuit. However, this network was expensive, not scalable and dependent on the local vendor to provide the service. With the advent of the internet, there was no need for physical connections. As long as each computer can reach the internet, information is shared using a virtual network created by a local ISP, across the internet. VPN is designed to securely extend the organisation's network (LAN) beyond its physical boundaries. The very design of VPN ensures that the content is secured in transit. But the biggest security loophole is at the endpoint. Outside of IT control, these devices can often be damaged, reconfigured, or lack fundamental security maintenance and updates. Whether they connect remotely or directly into the LAN, any user or device is potentially unsafe and can expose business data, posing huge security threats from malicious hackers, viruses, worms and malware. What you need is a way to see inside the tunnel without disrupting its security. Cyberoam UTM's Threat Free Tunnelling (TFT) security is driven by the premise that the perimeter/endpoint of any functionally accessible network, is inherently insecure. The TFT secures you by establishing an intelligent layer of secure remote access driven by identity based policy control, enforced authentication, gateway firewall, granular access policy, and gateway threat and malware protection by integrating VPN and UTM (Unified Threat Management) functionalities.

Stop Malware and SPAM The VPN traffic is inspected by thorough auto-updating anti-virus, anti-spyware and anti-spam features of the UTM. These features ensure that no viruses, worms, Trojans, key -loggers, spyware and other malware or spam mail sneak through. Prevent Threats and Intrusions The VPN traffic is subjected to an Intrusion Prevention System (IPS) scan. This feature sanctifies the traffic by detecting and eliminating any threats lurking in it. The Identity Aware Firewall You can set firewalls to restrict the number of open ports, what type of packets pass through and which protocols are allowed. The identity driven TFT ensures that the credentials of each user is verified and custom security policies are enforced. Granular Access Policy Cyberoam's Granular Access Policy control feature allows you to provide specific resources to specific employees depending on their professional requirements. This feature is useful in SSL VPN situations when the person can remotely access the LAN resources even from smart hand-held devices or over insecure networks.

Management and Reporting To ensure compliance over VPN, it is crucial to have centralised management that generates comprehensive event reporting, proactive alerts, rapid forensic analyses and complete audit trails. VPNs, whether they use PPTP, L2TP, IPSec or SSL, are appealing to companies of all sizes. Even small businesses find compelling reasons to implement VPNs. Many view VPNs as a competitive advantage, specifically because of their global coverage and the relative ease with which they can be extended to create extranets which in turn can help companies increase the productivity of their workforce by secure connectivity to key network resources. Maintaining network security requires constant vigilance, and maintaining VPN security even more vigilance. Given the growing interest and increasing deployment of VPN, it is vital to scale that interest in terms of security. Possessing a better understanding of VPNs and their security mechanisms empowers companies to extend the borders of their business, without increasing the vulnerability of their information assets.

Page 14

find out more at www.securityplusonline.co.uk/uniqsystems/ cyberoam

A sensational desktop solution from LG for beating the recession!

For the time being, it seems that the global economic recession is expected to worsen continuously. Considering the need across all industries to optimise their operations by saving costs and boosting business productivity, LG have introduced a breakthrough product, which is the result of years of R&D. The LG Network Monitor has been developed to meet the demand for a low-cost solution to the PC replacement cycle due to the global recession. In the B2B market, less than 10% of the computing power of a PC is generally being utilised at any given time. The LG Network Monitor product is a solution that can redistribute the remaining 90% of a PCs resources to several users, simultaneously. When connected to a single PC, LG Network Monitor enables multiple users to fulfil their computing needs, enabling a cost effective Virtual Computing Solution. The implementation of this solution will enable users to reduce upgrade costs by at least 60% per year, and reduce system usage and maintenance costs by 70%. In addition, the monitor is an ultralow energy consumer (at least 90% lower than other products) and minimises environmental waste.

request a demonstration at www.securityplusonline.co.uk/LG

Does poor AV performance turn you off?

Anti-virus may have become an essential part of everyones security infrastructure, at home and at work, but a survey by leading anti-virus vendor Avira has discovered that more than 60% of respondents have tried multiple anti-virus products over the course of a year. In addition, 25% of the users admitted to turning off their antivirus protection because they thought those programs were slowing down their computers! The questions were posed to over 100 million people worldwide, giving the survey an international flavour. Here are the top findings from Aviras recent security survey: Everyone is trying to find the right security product which can effectively balance protection and a computers resource usage said Sorin Mustaca, data security expert of Avira. The scary take-away from this survey is that 25% of the respondents admitted to just turning off their security products because they feel that it hurt the performance of the machine. Thats not a good idea because such a practice leaves the computer totally exposed to even the simplest of viruses.

25% of users admitted to turning off their antivirus protection because they thought those programs were slowing down their computers.
Avira Anti-Virus Survey

62% have tried multiple security

products in a one-year span on the same computer.

25% turned off the anti-virus

software because it was slowing down their computer.

12% thought about not using the

internet due to safety reasons.

request your free licence at www.securityplusonline.co.uk/ uniqsystems/avira

Page 15

With over 145 million customers, Avira is the fastest growing AntiVirus company in Europe.

Barracuda Networks is the worldwide leader in appliance based Email and Web Security.

Celestix Networks is the premier developer of Microsoft Windows based security appliances.

Cyberoams range of feature-rich UTM appliances are suitable for both small and large businesses.

Drobo delivers enterprise class SAN and File Storage with great reliability and ease of use.

EncryptStick transforms any USB Flash Drive into a Digital Privacy Manager to keep files secure.

LG Network Monitors enable a single PC to be easily shared by up to 31 individual users

Lumension Security provides unified protection and control of endpoints, apps and devices.

NComputing provide simple and affordable desktop virtualisation solutions.

VASCO is the number one supplier of strong (Two-Factor) authentication services.

Websense is a global leader in integrated Web security, Data security and Email security.

WebSpy analysis and reporting software transforms log file data into manageable information.

WinMagics SecureDoc hard disk encryption secures a laptop or PCs sensitive information.

Xirrus manufacture leading Wi-Fi Array architecture replaces both wireless and wired networks.

Uniq Systems Limited

Linpac Building, Headley Road East, Woodley, Reading, RG5 4HY

tel

+44 (0)118 9272700

fax

+44 (0)118 9272701

email tim@uniqsystems.co.uk

web www.uniqsystems.co.uk