Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 11, 2000 (Vol. 5, #41 - Issue #215)
If YOU don't hack your systems, who will?
  This issue of W2Knews™ contains:
    • A Brand New Security Scanning Concept
    • What is Network Perimeter Defense, and what is Scanning?
      (If YOU don't hack your systems, who will?)
    • Operating System Vulnerabilities On The Rise
    • Security Specialist Shortage: How do I get to be one?
    • Protecting Your Network Perimeter Is A Continual Process
      (You definitely want to check this one out!)
    • Critical Security Questions and Answers
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Where do I get Security Books?
  SPONSOR: Computing Edge
Looking for detailed hardware and software inventory of all your PCs?
Computing Edge Inventory +Solution gathers PC serial number, BIOS
& registry details, comprehensive software auditing, disk, OS, system
configs, and full end-user info. Track your data from any browser
with numerous pre-packaged reports. Zero footprint-- nothing has
to be installed on the client, run it from the network. Fits on a
single floppy to inventory non-networked systems. 30-day FREE trial!

Visit Computing Edge for more information.

A Brand New Security Scanning Concept

Hi NT/2000 Pros,

Before we go into the Big Announcement, a reminder. This is the LAST WEEK you can vote for your 'fave' TOOLS at the W2Knews Target Awards 2000. Vote now!
Winners will be announced in the W2Knews issue next weekend.

And here is the big announcement. You told us Security was your headache #1. So, I went out and looked at the current market, did my homework and found out some very interesting things. Now I understand better why you say it really IS a major pain:

  • More and more vulnerabilities are being found, and the number is rising steeply.
  • The number of your (distributed) machines has mushroomed
  • The attacks get increasingly sophisticated
  • You have less and less time to dedicate to Security
  • It is getting harder and harder to simply keep up, as there are a multitude of (sometimes conflicting) information sources.
  • There is NO centralized, simple way to manage vulnerabilities
  • But your management insists you need to keep things tied down (while increasing exposure via Internet-based applications)

The real problem is that you almost have to be a hacker yourself to be sure no one else can penetrate your networks. But who has time to burn the midnight oil, find out about vulnerabilities, how to exploit them, penetrate your own site, and then plug all the holes found?

Recently I read a survey and it was found that something like 60% of U.S. MIS managers would not hesitate to put Kevin Mitnick on their payroll. (In case you have been creating code locked up in a closet for a few years, Kevin Mitnick is probably the world's most famous hacker who recently came out of prison.) A very recent quote from Mitnick is "What you don't know will hurt you".

The upshot of all this? It would be great if you could have your own hacker on your payroll, who would protect your network. Too bad though, that ain't gonna happen. The next best thing is QualysGuard[tm].

This is the new service that we are introducing. In a nutshell, it's an internet-based artificial intelligence solution that allows you to scan your own systems from the outside in, just like a hacker would, using all known holes and exploits, and then plug the holes you find.

Built and maintained by Security Consultants (white-hat hackers) and updated daily (!) with the latest exploits found. It's a subscription service, and you only use a browser. No installation, training, updates and all the other hassle. Check it out and watch the (web) demo:

I guess you now understand why I'm so excited about QualysGuard. We ran it on our own network but I'm not going to tell you what I found.

Warm regards,

Stu Sjouwerman
(email me with feedback: [email protected])

  SPONSOR: QualysGuard
"You, The Black Hats, And Your Network" -- Discover how intruders
break in. We have a revolutionary new approach for you: now you can
scan your own networks like intruders would. Use QualysGuard[tm] to
get the "outside-in" view on your networks. You'll be surprised at
what you'll learn about your external security risks and their relative
severity. This is the essential missing link in your security
toolkit. Get an instant on-line demo right now.
Visit QualysGuard for more information.

What is Network Perimeter Defense, and what is Scanning?
(If YOU don't hack your systems, who will?)

Network Perimeter Defense is also called Security Auditing and it is a process that identifies network computing equipment and the security vulnerabilities associated with these devices. This info can be used to measure security, manage risks, and eliminate the security vulnerabilities found before unauthorized users can exploit potential security holes.

'Scanning' is what both white-hat and black-hat hackers do. They use a series of both freeware and shareware programs and write their own scripts to attack and penetrate networks. It is a highly specialized kind of activity, but more and more automated tools are being used to hack into sites.

The question really is: if you do not have a process like this in place, when (not if) is someone going to penetrate your network and cause damage? There are a few specialized IT Security consultants out there, but they are scarce and expensive. It's up to you to batten down the hatches. Many of you bought STAT, and this is a great tool for inside hole-scanning that you certainly should continue to use. But scanning 'outside-in' was missing up to now, so you should add QualysGuard. Having your own 'attack tool' in place is an essential part of a strong defense.

And being able to scan your own networks, scheduled automatically and get extensive reports on what was found is really a MUST if you want to continue to protect against intruders. Check out:


Operating System Vulnerabilities On The Rise

Everything is getting online, companies are integrating systems with their vendors, interdependencies are created, e-commerce and its next evolutionary step called 'e-business' are rapidly developing.

All this makes strong network security a must. The only way to get there is with robust corporate security programs that include regular network audits for vulnerability assessment and for corrective action. Until now, these audits were typically done by using purchased software or homegrown solutions.

Of course these are initially better than no proactive approach at all, but those solutions often have serious shortcomings that could give you a false sense of security. Some of the drawbacks of a setup like this are:

  • Can be expensive and cumbersome (time consuming) to apply.
  • Results are sometimes difficult to understand.
  • They offer little in the way of risk assessment or scoring.
  • Often lack recommendations for fixing vulnerabilities.
  • They look at the network from the inside out, and thus miss the holes hackers can see.
  • They can become quickly and dangerously outdated as new holes are uncovered constantly, literally at internet speed.

And in the meantime, the number of vulnerabilities found in the popular OSes is on the rise. The trends are the same for Linux, Solaris and Windows, and the totals for all three look something like this (I'm being conservative):

1997: 25
1998: 75
1999: 200
2000: 300
2001: 600

Conclusion: all of the above points to a need for a new approach to security auditing that is:

  • Affordable
  • Extremely easy to deploy and use
  • Effective for Risk Assessment and corrective recommendations
  • ALWAYS up to date on the latest vulnerabilities

    If you run an environment with Windows and/or Linux/Unix, I strongly suggest you have a look at the new service we provide:

    Security Specialist Shortage: How do I get to be one?

    Just like MCSE, there are Certifications for Security specialists. And Oh Boy, are they needed! I think this is one of the most urgent needs of corporate IT, and hardest to find. What kinds of Certs are there?

    LevelOne Certification for everyone involved in Security is called GSEC. (GIAC Security Essentials Certified). You can take this live or online.

    LevelTwo Certs for advanced security professionals are:

  • GCIA: GIAC Certified Intrusion Detection Analyst
  • GCIH: GIAC Certified Advanced Incident Handler
  • GCFA: GIAC Certified Firewall Analyst
  • GCIX: GIAC Certified Unix Security Analyst
  • GCNT: GIAC Certified Windows NT Security Analyst

    Around the globe, these GIAC certs mean excellence in security skills. GIAC certified professionals have studied up-to-date material, passed difficult exams, and have proven their mastery through practical demonstrations. If you have the time, this is a really good career move. More at:

    Protecting Your Network Perimeter Is A Continual Process

    The Internet has basically created a perimeter around your corporate network that you need to defend. I have been doing some digging and the most recent data I could get my hands on was the 2000 Computer Crime and Security Survey by the CSI and FBI. Just a few of the highlights of this recent survey:

    • 70% reported serious attacks
    • 42% acknowledged financial loss
    • 59% reported more Internet attacks than internal attacks - this trend is continually up
    • 120% increase in loss last year.

    And all of this is true. Just as an illustration, I just opened up my BlackICE tool, and checked the last few days. I'm on a Cablemodem with a 24 hour connection so this NT WS is a prime target for hackers. Today I had 9 attacks on this box, most of them port probes, and it's only 12:30. Yesterday there were 15. I'm sure you get the point.

    The problem is that your risk of intrusions is a moving target. It would be nice if you could do a vulnerability assessment, plug the holes and be done with it. But no, your network is growing, there are continual machine changes and multiple software installs and upgrades. Each of these can cause one or more new holes to appear.

    On the other hand, the threats multiply too. There are about 4 new vulnerabilities discovered each day, with newly invented exploits to go along with them, and there is more and more "hobby hacking". The people doing it are also called 'script kiddies' and are usually not very harmful, unless they unleash something that brings your server down.

    The solution to all of this requires an ongoing process. There is no 'cure' for it, there is only a professional approach of managing the vulnerabilities. You have to continually test and retest:

  • points of access
  • potential vulnerabilities
  • problem areas
  • and continue to worry about it.

    In short, you need to institute a (or expand your existing) corporate Vulnerability Management program that will be your Internet Bodyguard. Nothing better than to check out the new QualysGuard that is just that:


    (You definitely want to check this one out!)

    I'm excited about this solution. Why? I know it's going to make your life a lot easier and protect your networks in a unique new way. QualysGuard is the first security tool built from the ground up to fully leverage the power of the Internet. It allows you to scan your own networks from the outside in and find holes. Lights-out, scheduled, with extensive reporting for both the CIO and the system and network admins. This is _very_ cool leading edge stuff, and a great additional (complementary) tool if you already run something like STAT.

    What does it do:

  • Gives you a visual map of your network from the outside
  • Automatically and intelligently audits all the devices for vulnerabilities (runs device-dependent tests)
  • Delivers an immediate easy-to-understand risk assessment
  • Gets you detailed recommendations for fixes and solutions

    What does it do for YOU:

  • Frees up more time in your interrupt driven working conditions
  • Gives you a handle on security issues and how to fix them
  • You have a 'white-hat hacker' backup team supporting you 24/7
  • You don't have to burn the midnight oil maintaining security expertise from 20 different sources
  • No need to spend your time training, installing and updating shrink-wrapped tools
  • The QualysGuard analysis does not bring your networks down as it has intelligent load monitoring.

    What it does for MIS, CIO Management:

  • Provides an overall 'helicopter view' of the security posture of the organization
  • Brings relief in finding and keeping internal security staff
  • Now easier to bring more processes and functions to the web
  • Incredible value, and much cheaper than hiring a hacker
  • Gives them a way to measure and manage effectiveness of the corporate security precautions.

    What it gives all of you: Job Security.

    QualysGuard is online and on-demand. You access it with your own account, and a password over the internet. When you subscribe to this service, a range of IP addresses you want scanned will be set up in your account. (Yes, we check if they really belong to you.) The service is available online to authorized security personnel 24 hours a day to run and scan:

  • 150+ CGI tests
  • 50+ Backdoor tests
  • 300+ Remote vulnerabilities
  • Full TCP/UDP (User Datagram Protocol) checks
  • Network TCP/IP
  • Windows NT/2000
  • Web Servers
  • Mail Servers
  • FTP Servers
  • Firewall Scans
  • Routers
  • Switches
  • And an average of 4 new vulnerabilities every day.

    You can schedule regular audits on a daily, weekly or monthly basis to monitor your network vulnerabilities so that you are sure you are covered. The tool avoids using up network bandwidth or crashing your servers.

    This tool is always private and secure. The service is designed to ensure the privacy and security of each subscriber's data. We'll be happy to explain how this works, and it's also in the Sunbelt Software Knowledge Base.

    Want to see how it works? Fill out the DOWNLOAD FORM and you'll get a 2-3 minute web based immediate demo. Cool Stuff! Check out:

    Critical Security Questions and Answers

    I have received some questions that I'll answer in this W2Knews so that everyone has the benefit of them.

    Q1: As a security consultant, I am familiar with products like ISS, Cybercop, Retina, as well as many of the freebie tools like SATAN, SAINT, Nessus, whisker, etc. That said, I am curious what QualysGuard does that is new or different in the way of vulnerability scanners.
    A1: The unique concept is that you can subscribe to a service which automates the scanning for you and manages the database of vulnerabilities in pretty much real-time.

    Q2: Is it designed to audit NT or Unix machines (or both)?
    A2: Both, but it finds out what kind of server or device it is looking at and then only runs the vulnerability tests relevant to that device. It has many years of security consulting expertise built into the AI-engine.

    Q3: Is the scanning technology new?
    A3: It uses known methods to scan and penetrate sites from the outside in. What is new is that it is now available as a managed service that is schedulable and consistent. It also provides a historic database of vulnerabilities found and fixed for upper management purposes.

    Q4: Is the reporting capability considerably different than its competitors?
    A4: I would have to do some more research on this point, as I'm not intimately familiar with the other players in this area. We'll do this and come back on it. Can they send automated emails to warn for critical holes found?

    Q5: The web page says "over 600 vulnerabilities" putting this on par with ISS (who boasts roughly that amount). Given companies like E&Y offering solutions that scan a database of 2200 vulnerabilities, the disparity in numbers begins to stand out.
    A5: The numbers do not tell all. Unfortunately these are used for marketing purposes and it depends entirely on how you count, and what you count. You know the old saying: Lies, damn lies, and statistics. What really is important is the type of holes they test for from the outside, which are different from the things you scan for from the inside out.

    Q6: Is your product available for trial use in any capacity?
    A6: There are three phases. 1: the web-demo, 2: Our reps have a demo account that allows a scan of a live system set up at Qualys. 3: Incidental cases can scan one (1) IP address only but only after signing some legal paperwork.

    Q7: How reliable are these Qualys guys? How do I know that they won't break into my systems?
    A7: Qualys was founded in 1999 with a veteran management team that has its history in Security Consulting. It's Venture Capital backed and has as one of its main investors VeriSign (VRSN), which is the world's number one provider of Internet trust services.

    Q8: Do I need any kind of equipment on my side at all?
    A8: No, this runs completely from an outside Qualys Internet Server that sits in a secure co-hosting facility.

    Q9: Do I need to be an expert in security to be able to set up and use QualysGuard?
    A9: No, you supply the IP-range you want to scan and get the paperwork signed. From there on out, it is a matter of clicking your Favorites button, providing the password and clicking the SCAN button. The reports show you what was found, how severe it is and how to fix it.

    Q10: I already have a firewall, do I still need QualysGuard?
    A10: Yes. Firewalls are essential to network security but are very complex and often badly configured. QualysGuard tests the effectiveness of your firewall as well as apps such as Web, ftp and mail that are naturally accessible through firewalls. Rule changes can expose your networks, so firewalls need a regular program of "hygiene".

    Q11: I already have an intrusion detection product, why would I need QualysGuard?
    A11: These tools are reactive. You need a proactive approach, because by the time someone is hacking your system, there is a good chance it is already too late.

    Q12: How secure is the QualysGuard solution? How do I know that no one else finds out about the holes in my network?
    A12: The map and scan results are encrypted with 1024-bit protection. As a subscriber you are connected with SSL, there is no archiving (not even backups), and the data is completely inaccessible without the password - even by Qualys. All of their machines are located at top-tier hosting facilities.

    Bonus Q13: How long does it take to scan?
    Bonus Answer: Only about 2.5 min per IP, the scanning engine is highly efficient.

    Check out:


    This Week's Links We Like. Tips, Hints And Fun Stuff

  • All the tools hackers use to break into systems are discussed at the hackingexposed site:
  • Need to get Security Trained? Start by looking at the SANS site:
  • Want to talk to security experts, attend class, and want it October 15-22, 2000 in Monterey, CA?
  • Developing for Windows in Europe? If so, then the best conference for you to attend this year is the WinSummit developer's conference in Davos, Switzerland: October 2 to 6:

    Where do I get Security Books?

    Did you know about the new Sunbelt BookClub? Now, this is no ordinary BookClub. Not only are we offering 11 books from New Riders, an industry-leading publisher, but I've managed to pass some savings on to you. There are some good titles in there that will help you plan good Windows 2000 Security. With the Sunbelt BookClub, you will receive up to 40% off the latest Windows 2000 titles.

    These books will help you:

  • Install and Configure Windows 2000
  • Manage DNS and DHCP
  • Develop unified directory strategy to support enterprise applications
  • Clarify Security issues for reliable client performance
  • Create techniques using VB and VBScript to automate tasks

    Those are just a few of the items covered. You have to see it to believe it. Visit the Sunbelt Windows 2000 BookClub at:

    Two other specific Security titles that I recommend are:

  • HACKING EXPOSED - McClure and Scambray - Publisher is Osborne - The ISBN is 0-07-212127-0
  • HACK PROOFING your network - Russell and Cunningham - Publisher is Syngress - The ISBN is 1-928994-15-6