Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 11, 2000 (Vol. 5, #41 - Issue #215)
If YOU don't hack your systems, who will?
This issue of W2Knews contains:
- EDITORS CORNER
- A Brand New Security Scanning Concept
- TECH BRIEFING
- What is Network Perimeter Defense, and what is Scanning?
(If YOU don't hack your systems, who will?)
- NT/2000 RELATED NEWS
- Operating System Vulnerabilities On The Rise
- Security Specialist Shortage: How do I get to be one?
- Protecting Your Network Perimeter Is A Continual Process
- NT/2000 THIRD PARTY NEWS
- BRAND NEW NETWORK SECURITY SERVICE: QualysGuard[tm]
(You definitely want to check this one out!)
- Critical Security Questions and Answers
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Where do I get Security Books?
SPONSOR: Computing Edge
Looking for detailed hardware and software inventory of all your PCs?
Computing Edge Inventory +Solution gathers PC serial number, BIOS
& registry details, comprehensive software auditing, disk, OS, system
configs, and full end-user info. Track your data from any browser
with numerous pre-packaged reports. Zero footprint-- nothing has
to be installed on the client, run it from the network. Fits on a
single floppy to inventory non-networked systems. 30-day FREE trial!
Visit Computing Edge for more information.
A Brand New Security Scanning Concept
Hi NT/2000 Pros,
Before we go into the Big Announcement, a reminder. This is the LAST
WEEK you can vote for your 'fave' TOOLS at the W2Knews Target Awards
2000. Vote now!
Winners will be announced in the W2Knews issue next weekend.
And here is the big announcement. You told us Security was your
headache #1. So, I went out and looked at the current market, did
my homework and found out some very interesting things. Now I
understand better why you say it really IS a major pain:
The real problem is that you almost have to be a hacker yourself
to be sure no one else can penetrate your networks. But who has
time to burn the midnight oil, find out about vulnerabilities,
how to exploit them, penetrate your own site, and then plug all
the holes found?
- More and more vulnerabilities are found; the number is on a steep rise.
- The number of your (distributed) machines has mushroomed
- The attacks get increasingly sophisticated
- You have less and less time to dedicate to Security
- It is getting harder and harder to simply keep up, as there are
a multitude of (sometimes conflicting) information sources.
- There is NO centralized, simple way to manage vulnerabilities
- But your management insists you need to keep things tied down
(while increasing exposure via Internet-based applications)
Recently I read a survey and it was found that something like
60% of U.S. MIS managers would not hesitate to put Kevin Mitnick
on their payroll. (In case you have been creating code locked up
in a closet for a few years, Kevin Mitnick is probably the world's
most famous hacker who recently came out of prison.) A very recent
quote from Mitnick is "What you don't know will hurt you".
The upshot of all this? It would be great if you could have your
own hacker on your payroll, who would protect your network. Too
bad though, that ain't gonna happen. The next best thing is
This is the new service that we are introducing. In a nutshell,
it's an internet-based artificial intelligence solution that allows
you to scan your own systems from the outside in, just like a hacker
would, using all known holes and exploits, and then plug the holes
Built and maintained by Security Consultants, (white-hat hackers)
and updated d a i l y (!) with the latest exploits found. It's a
subscription service, you only use a browser. No installation,
training, updates and all the other hassle. Check it out and watch
the (web) demo:
I guess you now understand why I'm so excited about QualysGuard. We
ran it on our own network but I'm not going to tell you what I found.
(email me with feedback: [email protected])
"You, The Black Hats, And Your Network" -- Discover how intruders
break in. We have a revolutionary new approach for you: now you can
scan your own networks like intruders would. Use QualysGuard[tm] to
get the "outside-in" view on your networks. You'll be surprised at
what you'll learn about your external security risks and their
relative severity. This is the essential missing link in your security
toolkit. Get an instant on-line demo right now.
Visit QualysGuard for more information.
What is Network Perimeter Defense, and what is Scanning?
(If YOU don't hack your systems, who will?)
Network Perimeter Defense is also called Security Auditing and it
is a process that identifies network computing equipment and the
security vulnerabilities associated with these devices. This info
can be used to measure security, manage risks, and eliminate the
security vulnerabilities found before unauthorized users can
exploit potential security holes.
'Scanning' is what both white-hat and black-hat hackers do. They
use a series of both freeware and shareware programs and write
their own scripts to attack and penetrate networks. It is a highly
specialized kind of activity, but more and more automated tools are
being used to hack into sites.
The question really is, if you do not have a process like this in
place, when (not if) is someone going to penetrate your network
and cause damage? There are a few specialized IT Security
consultants out there, but they are scarce and expensive. It's up to you
to batten down the hatches. Many of you bought STAT and this is a
great tool for inside hole-scanning, which you certainly should
continue to do. But scanning 'outside-in' was missing up to now,
so you should add QualysGuard. Having your own 'attack tool' in
place is an essential part of a strong defense.
And being able to scan your own networks, scheduled automatically
and get extensive reports on what was found is really a MUST if
you want to continue to protect against intruders. Check out:
NT/2000 RELATED NEWS
Operating System Vulnerabilities On The Rise
Everything is getting online, companies are integrating systems with
their vendors, interdependencies are created, e-commerce and its
next evolutionary step called 'e-business' are rapidly developing.
All this makes strong network security a must. The only way to
get there is with robust corporate security programs that include
regular network audits for vulnerability assessment and for
corrective action. Until now, these audits were typically done
by using purchased software or homegrown solutions.
Of course these are initially better than no proactive approach
at all, but those solutions often have serious shortcomings that
could give you a false sense of security. Some of the drawbacks
of a setup like this are:
- Can be expensive and cumbersome (time consuming) to apply.
- Results are sometimes difficult to understand.
- They offer little in the way of risk assessment or scoring.
- Often lack recommendations for fixing vulnerabilities.
- They look at the network from the inside out, and thus miss
the holes hackers can see.
- They can become quickly and dangerously outdated as new holes
are uncovered constantly, literally at internet speed.
And in the meantime, the number of vulnerabilities found in the
popular OS-es is on the rise. The trends are the same for Linux,
Solaris and Windows, and the totals for all three look something
like this: (I'm being conservative)
Conclusion: all of the above points to a need for a new approach
to security auditing that is:
- Affordable
- Extremely easy to deploy and use
- Effective for Risk Assessment and corrective recommendations
- ALWAYS up to date on the latest vulnerabilities
If you run an environment with Windows, (and/or) Linux/Unix I
strongly suggest you have a look at the new service we provide:
Security Specialist Shortage: How do I get to be one?
Just like MCSE, there are Certifications for Security specialists.
And Oh Boy, are they needed! I think this is one of the most urgent
needs of corporate IT, and hardest to find. What kinds of Certs
LevelOne Certification for everyone involved in Security is called
GSEC. (GIAC Security Essentials Certified). You can take this live
LevelTwo Certs for advanced security professionals are:
- GCIA: GIAC Certified Intrusion Detection Analyst
- GCIH: GIAC Certified Advanced Incident Handler
- GCFA: GIAC Certified Firewall Analyst
- GCIX: GIAC Certified Unix Security Analyst
- GCNT: GIAC Certified Windows NT Security Analyst
Around the globe, these GIAC certs mean excellence in security skills.
GIAC certified professionals have studied up-to-date material, passed
difficult exams, and have proven their mastery through practical
demonstrations. If you have the time, this is a really good career
move. More at:
Protecting Your Network Perimeter Is A Continual Process
The Internet has basically created a perimeter around your corporate
network that you need to defend. I have been doing some digging and
the most recent data I could get my hands on was the 2000 Computer
Crime and Security Survey by the CSI and FBI. Just a few of the
highlights of this recent survey:
- 70% reported serious attacks
- 42% acknowledged financial loss
- 59% reported more Internet attacks than internal attacks;
this trend is continually up
- 120% increase in loss last year.
And all of this is true. Just as an illustration, I just opened up
my BlackICE tool, and checked the last few days. I'm on a Cablemodem
with a 24 hour connection so this NT WS is a prime target for hackers.
Today I had 9 attacks on this box, most of them port probes, and it's
only 12:30. Yesterday there were 15. I'm sure you get the point.
The problem is that your risk of intrusions is a moving target. It
would be nice if you could do a vulnerability assessment, plug the
holes and be done with it. But no, your network is growing, there
are continual machine changes and multiple software installs and
upgrades. Each of these can cause one or more new holes to appear.
On the other hand, the threats multiply too. There are about 4 new
vulnerabilities discovered each day, with newly invented exploits
to go along with them and there is more and more "hobby hacking".
These are also called 'script kiddies' and are usually not very
harmful, unless they unleash something that brings your server
The solution to all of this requires an ongoing process. There is
no 'cure' for it, there is only a professional approach of managing
the vulnerabilities. You have to continually test and retest:
points of access
and continue to worry about it.
In short, you need to institute a (or expand your existing) corporate
Vulnerability Management program that will be your Internet Bodyguard.
Nothing better than to check out the new QualysGuard that is just that:
THIRD PARTY NEWS
BRAND NEW NETWORK SECURITY SERVICE: QualysGuard[tm]
(You definitely want to check this one out!)
I'm excited about this solution. Why? I know it's going to make
your life a lot easier and protect your networks in a unique new
way. QualysGuard is the first security tool built from the ground
up to fully leverage the power of the Internet. It allows you to
scan your own networks from the outside in and find holes. Lights-
out, scheduled, with extensive reporting for both the CIO and
the system- and network admins. This is _very_ cool leading edge
stuff, and a great additional (complementary) tool if you already
run something like STAT.
What does it do:
- Gives you a visual map of your network from the outside
- Automatically and intelligently audits all the devices for
vulnerabilities (runs device-dependent tests)
- Delivers an immediate easy-to-understand risk assessment
- Gets you detailed recommendations for fixes and solutions
What does it do for YOU:
- Frees up more time in your interrupt driven working conditions
- Gives you a handle on security issues and how to fix them
- You have a 'white-hat hacker' backup team supporting you 24/7
- You don't have to burn the midnight oil maintaining security
expertise from 20 different sources
- No need to spend your time training, installing and updating
- The QualysGuard analysis does not bring your networks down
as it has intelligent load monitoring.
What it does for MIS, CIO Management:
- Provides an overall 'helicopter view' of the security posture
of the organization
- Brings relief in finding and keeping internal security staff
- Now easier to bring more processes and functions to the web
- Incredible value, and much cheaper than hiring a hacker
- Gives them a way to measure and manage effectiveness of the
corporate security precautions.
What it gives all of you: Job Security.
QualysGuard is online and on-demand. You access it with your own
account, and a password over the internet. When you subscribe
to this service, a range of IP addresses you want scanned will
be set up in your account. (Yes, we check if they really belong
to you.) The service is available online to authorized security
personnel 24 hours a day to run and scan:
- 150+ CGI tests
- 50+ Backdoor tests
- 300+ Remote vulnerabilities
- Full TCP/UDP (User Datagram Protocol) checks
- And an average of 4 new vulnerabilities e v e r y day.
You can schedule regular audits on a daily, weekly or monthly
basis to monitor your network vulnerabilities so that you are
sure you are covered. The tool avoids using up network bandwidth
or crashing your servers.
This tool is always private and secure. The service is designed
to ensure the privacy and security of each subscriber's data. We'll
be happy to explain how this works, and it's also in the Sunbelt
Software Knowledge Base.
Want to see how it works? Fill out the DOWNLOAD FORM and you'll
get a 2-3 minute web based immediate demo. Cool Stuff!
Critical Security Questions and Answers
I have received some questions that I'll answer in this W2Knews
so that everyone has the benefit of them.
Q1: As a security consultant, I am familiar with products like ISS,
Cybercop, Retina, as well as many of the freebie tools like SATAN,
SAINT, Nessus, whisker, etc. That said, I am curious what QualysGuard
does that is new or different in the way of vulnerability scanners.
A1: The unique concept is the fact you can subscribe to a service,
which will automate the scanning for you, and manage the database
of vulnerabilities in pretty much real-time.
Q2: Is it designed to audit NT or Unix machines (or both)?
A2: Both, but it finds out what kind of server or device it looks
at and then only runs vulnerabilities relative to the device. It
has many years of security consulting expertise built in to the
Q3: Is the scanning technology new?
A3: It uses known methods to scan and penetrate sites from the
outside in. What is new is that it is now available as a managed
service that is schedulable and consistent. It also provides a
historic database of vulnerabilities found and fixed for upper
Q4: Is the reporting capability considerably different than its
A4: I would have to do some more research on this point, as I'm
not intimately familiar with the other players in this area. We'll
do this and come back on it. Can they send automated emails to
warn for critical holes found?
Q5: The web page says "over 600 vulnerabilities" putting this on
par with ISS (who boasts roughly that amount). Given companies like
E&Y offering solutions that scan a database of 2200 vulnerabilities,
the disparity in numbers begins to stand out.
A5: The numbers do not tell all. Unfortunately these are used for
marketing purposes and it depends entirely on how you count, and
what you count. You know the old saying: Lies, damn lies, and
statistics. What really is important is the type of holes they
test for from the outside, which are different from the things
you scan for from the inside out.
Q6: Is your product available for trial use in any capacity?
A6: There are three phases. 1: the web-demo, 2: Our reps have
a demo account that allows a scan of a live system set up at
Qualys. 3: Incidental cases can scan one (1) IP address only
but only after signing some legal paperwork.
Q7: How reliable are these Qualys guys? How do I know that they
won't break in my systems?
A7: Qualys was founded in 1999 with a veteran management team
that has its history in Security Consulting. It's Venture Capital
backed and has as one of its main investors VeriSign, (VRSN) which
is the world's number one provider of Internet trust services.
Q8: Do I need any kind of equipment on my side at all?
A8: No, this runs completely from an outside Qualys Internet
Server that sits in a secure co-hosting facility.
Q9: Do I need to be an expert in security to be able to set up
and use QualysGuard?
A9: No, you supply the IP-range you want to scan and get the
paperwork signed. From there on out it is clicking on your
Favorites button, provide the password and click the SCAN button.
The reports show you what was found, how severe it is and how
to fix it.
Q10: I already have a firewall, do I still need QualysGuard?
A10: Yes. Firewalls are essential to network security but are
very complex and often badly configured. QualysGuard tests the
effectiveness of your firewall as well as apps such as Web,
ftp and mail that are naturally accessible through firewalls.
Rule changes can expose your networks, so firewalls need a
regular program of "hygiene".
Q11: I already have an intrusion detection product, why would
I need QualysGuard?
A11: These tools are reactive. You need a proactive approach,
because when someone is hacking your system, there is a good chance
it is already too late.
Q12: How secure is the QualysGuard solution? How do I know
that no one else finds out about the holes in my network?
A12: The map and scan results are encrypted with 1024-bit
protection, as a subscriber you are connected with SSL, there
is no archiving (not even backups) and it is completely
inaccessible without the password - even by Qualys. All of
their machines are located at top-tier hosting facilities.
Bonus Q13: How long does it take to scan?
Bonus Answer: Only about 2.5 min per IP, the scanning engine
is highly efficient.
This Week's Links We Like. Tips, Hints And Fun Stuff
All the tools hackers use to break into systems are discussed at
the hackingexposed site:
Need to get Security Trained? Start by looking at the SANS site:
Want to talk to security experts, attend class, and want it October
15-22, 2000 in Monterey, CA?
Developing for Windows in Europe? If so, then the best conference for
you to attend this year is the WinSummit developer's conference in
Davos, Switzerland: October 2 to 6:
PRODUCT OF THE WEEK
Where do I get Security Books?
Did you know about the new Sunbelt BookClub? Now, this is no ordinary
BookClub. Not only are we offering 11 books from New Riders, an
industry-leading publisher, but I've managed to pass some savings on
to you. There are some good titles in there that will help you plan
good Windows 2000 Security. With the Sunbelt BookClub, you will receive
up to 40% off the latest Windows 2000 titles.
These books will help you:
- Install and Configure Windows 2000
- Manage DNS and DHCP
- Develop unified directory strategy to support enterprise applications
- Clarify Security issues for reliable client performance
- Create techniques using VB and VBScript to automate tasks
Those are just a few of the items covered. You have to see it to
believe it. Visit the Sunbelt Windows 2000 BookClub at:
Two other specific Security titles that I recommend are:
- HACKING EXPOSED - McClure and Scambray - Publisher is Osborne, the
ISBN is 0-07-212127-0
- HACK PROOFING your network - Russell and Cunningham - Publisher is
Syngress - The ISBN is 1-928994-15-6