What Are the Most Underrated Security Technologies?

Last week we looked at security technology some readers consider overvalued. This week we’re back to study the other side of the coin. Here are four techniques and related technologies several cited as underrated in today’s security fight. Since one security pro’s miracle tool is another’s waste of budget, it’s no surprise that a couple of the technologies panned last week are praised here.

Whitelisting

Application security is something companies increasingly worry about, as the number of business and personal apps proliferate. Hackers are targeting everything from online banking apps to the gaming apps popular on such social networks as Facebook. Web Application Firewalls (WAFs) are among the technologies designed to reduce the risk. One of the more overlooked features of the technology is whitelisting — the art of allowing only traffic known to be valid to pass through the gate; thus providing an external input validation shield over the application.

Andy Willingham, senior security engineer at E-chx Inc. and founder of AndyITGuy Consulting, believes whitelisting and URL filtering are too quickly dismissed as too difficult. “Most people think that it’s too hard to limit what people can run and where they can go,” he said. “We’ve reached the point where we can’t just let people do what they want. Too many preach that if we want to attract and retain good employees that we have to allow them to install programs and surf freely but until we get virtual environments to the point where everything is its own virtual session and can be ‘cleared’ at will or regularly, then we have to start locking down.”

Chris Young, a VP at ISM Inc., said the biggest setback for this technology has been inconsistency on the management side, but that this piece is improving. “We are at the point where this is no longer a problem and new programs can be added with minimal/no admin assistance in a secure and controlled manner,” he said. “On the endpoint it should not be seen as a locking down of the system in that users won’t be able to have any freedom, but it provides admin/user education in the sense that it forces admins/users to check what they are downloading first to make sure it is a legit program and conforms to company policy.”

At the same time, he said, the technology is filling the holes cause by poor/accidental user behavior while protecting executables that have been authorized to run on the system. ” Operation Aurora was one of many examples where whitelisting on the endpoint would have completely prevented the compromise even after a user was duped into clicking on a link that led to a website that automatically downloaded and executed malware on the host system,” he said.

Data encryptors and/or shredders

Readers noted that one of their biggest challenges is to properly protect the data they HAVE to store and get rid of the data that’s no longer needed. In many a security breach, the latter is what the bad guys hack into or physically cart offsite. For the digital data that can’t be expunged yet, those polled stressed the importance of data encryption. For the physical records (and of course disk drives also), the humble shredder is a machine some cite as underrated.

“You need shredding machines to securely dispose of unnecessary or unscanned records and data encryption to protect the necessary scanned ones,” said Tony Goring, owner of Aclarado Enquiries, a South African investigative agency.

CPU stress testers

The concept of CPU cache poisoning gained attention last year when Invisable Things Lab founder and CEO Joanna Rutkowska released a paper on ways to exploit Intel CPU cache mechanisms. One of the paper’s goals was to shed light on the lack of solid firmware security in the industry.

The paper described, among other things, “practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory.” Invisible Things Lab cooked up two working exploits: “one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM,” the potential consequences being the ability of the bad guys to create more insidious rootkits, launch hypervisor attacks and/or bypass defenses around the OS kernel.

“It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying,” the paper concluded.

Kandy Zabka, a botnet researcher and moderator for the Infosec Island Forum, said a diagnostic CPU stress utility is an “excellent” tool to flush out the exact memory address(es) used by a CPU cache poisoning exploit. “If it is run multiple times, a stop exception appears that reveals the exact block(s) of memory addresses involved,” Zabka said.

Firewalls and AV

In last week’s story, respondents were tough on firewalls and antivirus technology. Security experts for years have been complaining that antivirus has grown obsolete because the security vendors can’t keep up with all the AV definition changes required to thwart every new piece of malware. In fact, some experts boasted about ditching it altogether.

But like any technology that comes under criticism, someone will always step up and defend its value. Firewalls and AV may no longer get the glory, but many regard them as absolutely necessary parts of any network security posture.

“I would place firewalls, AV and patching solutions as the most important technologies from an IT security perspective in our organizations,” said Mark Fullbrook, a director for Cyber-Ark Software’s UK and Ireland divisions. However, he added, “But are they underrated? How many companies DONT have them?”