Web Security Tips: How PAN-DB Works

PAN-DB is our URL and IP database, designed to meet an enterprise’s web security needs. PAN-DB is tightly integrated into PAN-OS, providing you with Advanced Persistent Threat (APT) protection and higher performance than traditional URL filtering.

Traditional URL filtering is intended to control unwanted web surfing, such as non-business or illegal sites, but it usually doesn’t cover up-to-the-minute malicious websites such as newly discovered malware, exploit, or command-and-control sites. Let me explain how PAN-DB works for you.

How PAN-DB maximizes your URL lookup performance

 

Figure 1. PAN-DB classification and cache system

 

PAN-DB Core: The PAN-DB Core, located in the Palo Alto Networks threat intelligence cloud, has a full URL and IP database to cover web security needs.

Seed database: When PAN-DB is enabled on your firewalls, a subset of the full URL database is downloaded from the Palo Alto Networks threat intelligence cloud to the firewalls based on the selected geographic region. Each region contains a subset of the URL database that includes the URLs most accessed in that region. This regional subset allows the firewalls to store a much smaller URL database, which greatly improves URL lookup performance. You can also download a seed database by region to each firewall from our Panorama centralized management system.

Figure 2. Seed database by region

Management plane cache: The seed database is placed into the management plane (MP) cache to provide quick URL lookups. The MP cache pulls more URLs and categories from the PAN-DB core as users access sites that are not currently in the MP cache. If the URL requested by a user is “unknown” to Palo Alto Networks, the URL is examined and categorized, and the resulting category is applied as appropriate.

Dataplane cache: The dataplane (DP) cache contains the most frequently accessed sites for the quickest URL lookups.
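The three-tier lookup path described above (dataplane cache, then management-plane cache, then the cloud core), modelled as an added example. This is not Palo Alto Networks code: real PAN-DB internals, cache sizes and category names are not on the page, so the sample hosts, the FIFO eviction and the stand-in cloud function are all constructed for illustration.

```go
package main

import "fmt"

// Added example, not Palo Alto Networks code: a simplified model of the lookup
// path the post describes (dataplane cache -> management-plane cache -> cloud
// core). Everything below, including the sample hosts, is constructed.

// Category is the URL classification a lookup returns.
type Category string

const (
	CatMalware  Category = "malware"
	CatC2       Category = "command-and-control"
	CatBusiness Category = "business"
	CatUnknown  Category = "unknown"
)

// Stats counts which tier answered each query, so the effect of the caches
// can be observed.
type Stats struct{ DP, MP, Cloud int }

// TieredDB holds the three tiers. The dataplane (DP) cache is small and
// bounded; the management-plane (MP) cache starts from the regional seed and
// grows as users visit new sites; the cloud function stands in for a query to
// the PAN-DB core.
type TieredDB struct {
	dp      map[string]Category
	dpOrder []string // insertion order for a simple FIFO eviction
	dpCap   int
	mp      map[string]Category
	cloud   func(host string) Category
	Stats   Stats
}

// NewTieredDB seeds the MP cache and installs the cloud lookup function.
func NewTieredDB(seed map[string]Category, dpCap int, cloud func(string) Category) *TieredDB {
	mp := make(map[string]Category, len(seed))
	for host, c := range seed {
		mp[host] = c
	}
	return &TieredDB{dp: map[string]Category{}, dpCap: dpCap, mp: mp, cloud: cloud}
}

// promoteToDP copies an entry into the bounded DP cache, evicting the oldest
// entry when the cache is full.
func (t *TieredDB) promoteToDP(host string, c Category) {
	if _, ok := t.dp[host]; ok {
		return
	}
	if len(t.dp) >= t.dpCap {
		oldest := t.dpOrder[0]
		t.dpOrder = t.dpOrder[1:]
		delete(t.dp, oldest)
	}
	t.dp[host] = c
	t.dpOrder = append(t.dpOrder, host)
}

// Lookup consults DP, then MP, then the cloud, filling the upper tiers on a
// miss so the next access to the same host is answered locally. Unknown
// results are not cached: the post says such URLs are examined and
// categorized, so a later query should see the real category.
func (t *TieredDB) Lookup(host string) Category {
	if c, ok := t.dp[host]; ok {
		t.Stats.DP++
		return c
	}
	if c, ok := t.mp[host]; ok {
		t.Stats.MP++
		t.promoteToDP(host, c)
		return c
	}
	t.Stats.Cloud++
	c := t.cloud(host)
	if c != CatUnknown {
		t.mp[host] = c
		t.promoteToDP(host, c)
	}
	return c
}

// ShouldBlock is the enforcement step: the categories fed from WildFire
// (malware download and C&C) are denied regardless of which tier answered.
func ShouldBlock(c Category) bool {
	return c == CatMalware || c == CatC2
}

func main() {
	seed := map[string]Category{"intranet.example": CatBusiness}
	cloud := func(host string) Category { // constructed stand-in for the cloud core
		switch host {
		case "bad.example":
			return CatMalware
		case "c2.example":
			return CatC2
		}
		return CatUnknown
	}
	db := NewTieredDB(seed, 2, cloud)
	for _, h := range []string{"intranet.example", "intranet.example", "bad.example", "bad.example"} {
		c := db.Lookup(h)
		fmt.Printf("%-18s %-20s block=%v\n", h, c, ShouldBlock(c))
	}
	fmt.Printf("answered by DP=%d MP=%d cloud=%d\n", db.Stats.DP, db.Stats.MP, db.Stats.Cloud)
}
```

Running it shows the second lookup of each host being answered from the DP tier, and a malicious host being blocked on the first access even though the answer came from the cloud.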

 

Malicious URL database delivered from WildFire

Millions of URLs and IPs are classified in a variety of ways. In addition to the “multi-language classification engine” and “URL change requests from users,” PAN-DB receives malicious URL and IP information from WildFire. Examples of the malicious URL and IP categories are shown below.

  • Malware download URLs and IP addresses: prevent malware downloads.
  • C&C URLs and IP addresses: disable malware command-and-control communications.

The malicious URLs are generated as WildFire identifies unknown malware, zero-day exploits and APTs by executing them in a virtual sandbox environment.

 

PAN-DB blocks malicious URLs with low latency

PAN-DB’s lookup mechanism returns URL category information quickly, so you get the category without sacrificing throughput.

The ongoing malicious URL updates to PAN-DB allow you to block malware downloads and disable malware command-and-control communications.

By using the malicious URL database, you can block a variety of malicious web accesses and communications without compromising web access performance.

To learn more about web security, please visit our resource page, Control Web Activity with URL Filtering.

[Palo Alto Networks Blog]

ISACA International President: Teamwork Fuels ISACA’s Spirit and Intensity

“It takes two flints to make a fire” has been attributed to noted author Louisa May Alcott and it truly symbolizes the teamwork that goes into delivering ISACA’s activities and resources, and specifically, the ISACA Journal. Thousands of members have shared their time and expertise with the Journal since it was introduced in 1973 as a quarterly publication named The EDP Auditor Journal.

Since then it has grown in size and circulation and has earned a reputation as a highly respected global peer-reviewed source of practical knowledge. The Journal is consistently rated as one of the top member benefits and value and satisfaction are high across all job functions and global regions. According to the ISACA Member Needs Survey, 83 percent of members are satisfied with the Journal and 81 percent believe it is of value to members.


A cover of the ISACA Journal
from 2005

A cover of the ISACA Journal
from 2014

This is possible only because of the dedication of article authors and other volunteers, including contributing editors and editorial reviewers, who have been instrumental every step of the way. Two of these volunteers hit milestones this year—Steve Ross is marking his 15th year as author of the Information Security Matters column and after volume 6 (and nine years of contributions) Tommie Singleton is retiring from writing the IS Audit Basics column. Both of these columns are widely read and respected and have contributed to the knowledge and lively debate among many ISACA constituents.

Steve and Tommie are great representatives of the many members around the world who volunteer their time and help propel ISACA’s valuable publications, events, translations, research, certification programs and other resources, which are created to serve our constituents. This teamwork is priceless and I thank you all for making ISACA a worldwide leader and innovator.

Robert E Stroud, CGEIT, CRISC, international president of ISACA

[ISACA]

Researcher Shows Why Tor Anonymity Is No Guarantee Of Security

Tor exit node in Russia spotted inserting malicious code into downloads.

Users of the Tor network now have one more reason to be cautious when using the service to browse the Internet or to download executable code anonymously.

A security researcher last week uncovered a malicious Tor exit node in Russia being used by unknown attackers to insert malicious code into files being downloaded by Tor users. Tor administrators have since flagged the node as a BadExit, meaning that Tor clients now know to avoid using the server.

Still, its presence on the network shows how Internet users are not immune to malicious downloads when using Tor, said Josh Pitts, security researcher at Leviathan Security Group who discovered the malicious node.

Tor is a network that allows users to browse the web anonymously. It uses a series of encrypted connections to route data packets in such a manner as to hide the true IP address of the person using the service. Instead of routing traffic via a direct path to a destination, Tor routes traffic through a series of servers distributed around the world with an exit node serving as the last server on the network before the public web. Between 1,100 and 1,200 servers currently serve as exit nodes on the Tor network.

Pitts discovered the malicious node while doing research on the threat to Internet security posed by unencrypted binary files. In a presentation at the DerbyCon security conference earlier this year, Pitts showed how binary files hosted without any transport layer security encryption on the web could be easily intercepted and tampered with when they are being downloaded.

According to Pitts, some 90% of the sites from which downloads are available use neither SSL/TLS encryption nor digital signatures to prevent such tampering. As a result, hackers are likely inserting malicious code into binaries via man-in-the-middle attacks, Pitts maintained at his DerbyCon presentation.

Pitts decided his best chance of catching binaries being maliciously tampered with during download was to look at traffic coming out of known Tor exit nodes. Using a tool called exitmap, Pitts checked the nodes for traffic modifications and quickly discovered the malicious server in Russia.

Though this was the only malicious node that Pitts discovered, it is quite possible there are other similar nodes. “I may not have caught them, or they may be waiting to patch only a small set of binaries,” Pitts said.

The key takeaway here is that binary files hosted in the clear without any digital signature pose a danger and should be avoided, he said in an email exchange.

“Companies and developers that host static, compiled binaries and source code need to host it via SSL/TLS so that nobody can patch them [maliciously],” he said.
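The defence Pitts describes has two halves: TLS keeps an in-path node from seeing or altering the bytes, and a digital signature lets the client detect alteration even when transport protection is absent. The following added example, which is not code from the article or from Leviathan Security, shows the signature half: a publisher signs a release digest with an Ed25519 key, and the client verifies the downloaded bytes against it. The key pair and the "binary" are constructed; a real client must obtain the publisher's public key out of band (pinned in the installer or package manager), never from the same unauthenticated download.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not code from the article or from Leviathan Security:
// publisher-side signing and client-side verification that make in-transit
// tampering detectable. Keys and the artifact below are constructed.

// Release is the metadata a publisher ships beside an artifact: the SHA-256
// of the artifact and an Ed25519 signature over that digest.
type Release struct {
	Digest    [sha256.Size]byte
	Signature []byte
}

// ErrTampered is returned when the downloaded bytes do not match a release
// genuinely signed by the expected publisher.
var ErrTampered = errors.New("download does not match the signed release")

// NewPublisherKey creates the publisher's signing key pair.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish hashes the artifact and signs the digest with the private key.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	d := sha256.Sum256(artifact)
	return Release{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// Verify first authenticates the release metadata with the public key, then
// checks that the bytes actually received hash to the signed digest. A single
// patched byte anywhere in the download fails the second check; a release
// forged by someone without the private key fails the first.
func Verify(pub ed25519.PublicKey, rel Release, downloaded []byte) error {
	if !ed25519.Verify(pub, rel.Digest[:], rel.Signature) {
		return ErrTampered
	}
	got := sha256.Sum256(downloaded)
	if !bytes.Equal(got[:], rel.Digest[:]) {
		return ErrTampered
	}
	return nil
}

func main() {
	pub, priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	artifact := []byte("MZ\x90\x00 constructed-release-binary v1.0") // constructed, not a real executable
	rel := Publish(priv, artifact)

	fmt.Println("genuine download:", Verify(pub, rel, artifact))

	// Model an in-path modification of the bytes the client receives.
	tampered := append([]byte(nil), artifact...)
	tampered[len(tampered)/2] ^= 0xff
	fmt.Println("modified download:", Verify(pub, rel, tampered))
}
```

Signing the digest rather than the full artifact keeps the signed message small; the security of the scheme then rests on SHA-256 being collision resistant and on the client holding the right public key.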

Though such binaries pose a threat to everyone, Tor users need to pay particular attention, he said. Users should be especially careful about downloading Windows executables or raw binaries over Tor, he said.

“Tor is risky because you need to have good information security awareness when using it. Tor is not a beginner network. You need to have some sort of understanding that every exit node could be out to get you,” Pitts said.

The issue discovered by Pitts is not an indictment of Tor security or of the strength of its anonymity protocols. Even so, it is the second time in the past year that the Tor Project has been in the news over something similar. Last year, some people questioned whether the FBI had found a way to exploit a vulnerability in Firefox to disable Tor’s privacy protections.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including Big Data, Hadoop, Internet of Things, E-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, IL.

[DarkReading]

You’ve Never Seen Love This Deep For An Enterprise Security Platform

Once in a while, you come across a story that grabs your attention and makes you wonder how it would apply to your own situation. Last year, one such story was the film ‘Her.’ It portrayed an everyday person falling in love with an everyday technology called OS1 and its voice, Samantha.

The analogy? We meet customers every day who tell us that they’ve fallen in love with our platform. So in honor of our customers, meet PAN-OS…

[Palo Alto Networks Blog]

IoT Security: Sorting Through the Noise to Take Action

This post originally appeared on Iron Bow Technologies’ Techsource page.

Editor’s Note: In honor of National Cyber Security Awareness Month (NCSAM) we are focusing our content on tips and best practices in the area of cyber security. This week, we are emphasizing the importance of protecting critical infrastructure and properly securing all devices that are connected to the Internet. We asked our partners at Palo Alto to provide their thoughts on the topic. Isabelle Dumont, Director of Industry/Vertical Initiatives, weighs in with her thoughts below: 

Many businesses are aggressively pursuing Internet of Things (IoT) initiatives with the goal of creating revenue-generating opportunities or turning today’s businesses into more profitable ones. From every corner of the economy you see connected devices disrupting the way we conduct business. In parallel, disturbing stories emerge on the lack of security around connected “things.” Here are a few in various sectors:

First, when discussing the security of network-connected devices, it is important to distinguish between single or multi-purpose devices. Single-purpose devices typically collect a well-defined set of data that is sent back to a specific cloud application for storage, analysis and intelligence gathering – connected medical equipment and devices are a great example. On the other hand, multi-purpose devices connect to multiple servers and services hosted in some form of cloud – the extreme case being smartphones and tablets running any number of apps downloaded from app stores and used alternatively for personal and professional purposes.

The above distinction brings us to recommendations on how to best approach security:

  • Single-purpose connected devices or equipment: Apply tight network segmentation and even isolation of the servers or cloud services these devices connect to. Because these are part of a single-purpose specialized network, it should be straightforward to identify and document the applications and the types of files or payload exchanged on the network. Using application-level segmentation is very effective; you can block all traffic except the few applications that are explicitly authorized on this specialized network, regardless of ports used. This approach significantly reduces the risk of malware intrusion and lateral movement and will enable you to perform much tighter inspection of the authorized applications.
  • Multi-purpose connected devices or equipment: Key principles such as limiting the traffic on the network(s) to what’s legitimate and classifying all traffic are still applicable, as this will reduce the volume of unknowns and untreated risks. Apply the same segmentation and tight control principles between the various cloud services as well. Additional policy rules will be required to flag suspicious application behavior and payloads. An obvious one is to not allow the download of .exe files outside of well-codified exceptions. It might take several iterations to get to the most effective segmentation and related rules. Regardless, continuous monitoring and refinement of the security rules in such environments is a must.

In addition, for devices used for both professional and personal purposes, such as today’s laptops, tablets or smartphones, we recommend deploying on the device a means of applying the same security policies as those applied inside your enterprise. A gateway solution can enable this and start monitoring devices as they connect to your enterprise to prevent any malware intrusion.

  • Protecting the endpoint: Wherever applicable, we recommend adding advanced protection directly at the device level. For equipment based on the Windows platform, our advanced endpoint protection solution, aka “Traps,” is a great option given the high percentage of threats that are no longer detected by traditional anti-virus products. Traps is a revolutionary approach for threat prevention that works: Instead of using signatures to detect malware, Traps focuses on the few techniques that threats have to use to infiltrate a system, thus blocking the attack before it even takes its first step.
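The segmentation recommendations above, as an added example that is not Palo Alto Networks code or PAN-OS configuration syntax: a deny-by-default rule list that matches on the identified application rather than the port, with the .exe download block and its well-codified exceptions applied on top. Zone names, application names and the sample flow records are constructed; the point is the decision logic, not any product's rule format.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Palo Alto Networks code or PAN-OS configuration: a small
// model of the deny-by-default, application-level segmentation the post
// recommends. Zones, application names and sample flows are constructed.

// Flow is what an application-aware gateway knows about one session: the
// application it identified (independent of the port in use) and, for
// transfers, the file name.
type Flow struct {
	SrcZone, DstZone string
	App              string
	Port             int
	FileName         string
}

// Rule allows or denies traffic between two zones for a set of applications.
// An empty Apps list matches any application.
type Rule struct {
	Name             string
	SrcZone, DstZone string
	Apps             []string
	Allow            bool
}

// Policy is an ordered rule list plus the "well-codified exceptions" to the
// executable-download block. Anything no rule matches is denied.
type Policy struct {
	Rules         []Rule
	ExeExceptions map[string]bool // lower-case file names explicitly permitted
}

type Verdict struct {
	Allow  bool
	Reason string
}

func isExecutable(name string) bool {
	return strings.HasSuffix(strings.ToLower(name), ".exe")
}

func containsApp(apps []string, app string) bool {
	for _, a := range apps {
		if a == app {
			return true
		}
	}
	return false
}

// Evaluate applies the executable check first, then the first matching rule,
// then the implicit deny. Matching is on the identified application, so moving
// a disallowed protocol onto an allowed port changes nothing.
func (p Policy) Evaluate(f Flow) Verdict {
	if isExecutable(f.FileName) && !p.ExeExceptions[strings.ToLower(f.FileName)] {
		return Verdict{false, "executable download without an approved exception"}
	}
	for _, r := range p.Rules {
		if r.SrcZone != f.SrcZone || r.DstZone != f.DstZone {
			continue
		}
		if len(r.Apps) > 0 && !containsApp(r.Apps, f.App) {
			continue
		}
		return Verdict{r.Allow, "rule " + r.Name}
	}
	return Verdict{false, "implicit deny"}
}

// ExamplePolicy builds the two-tier policy from the post: a single-purpose
// device network that may only speak its one application to its own cloud
// service, and a multi-purpose (BYOD) network limited to web applications.
func ExamplePolicy() Policy {
	return Policy{
		Rules: []Rule{
			{Name: "medical-telemetry", SrcZone: "medical-devices", DstZone: "medical-cloud", Apps: []string{"device-telemetry"}, Allow: true},
			{Name: "byod-web", SrcZone: "byod", DstZone: "internet", Apps: []string{"web-browsing", "ssl"}, Allow: true},
		},
		ExeExceptions: map[string]bool{"approved-agent-installer.exe": true},
	}
}

func main() {
	p := ExamplePolicy()
	flows := []Flow{ // constructed sample sessions
		{"medical-devices", "medical-cloud", "device-telemetry", 8443, ""},
		{"medical-devices", "medical-cloud", "ssh", 443, ""},
		{"byod", "internet", "web-browsing", 80, "update.exe"},
		{"byod", "internet", "web-browsing", 443, "approved-agent-installer.exe"},
		{"byod", "medical-cloud", "ssl", 443, ""},
	}
	for _, f := range flows {
		v := p.Evaluate(f)
		fmt.Printf("%-16s -> %-14s %-16s port %-5d %-30q allow=%-5v %s\n",
			f.SrcZone, f.DstZone, f.App, f.Port, f.FileName, v.Allow, v.Reason)
	}
}
```

The second sample flow is the lateral-movement case the post warns about: SSH on port 443 from the device network is still denied because the rule names the application, not the port, and the last flow shows the BYOD zone being kept away from the single-purpose cloud service by the implicit deny.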

If you are interested in learning more about implementing the above recommendations, here are some suggested resources to visit:

[Palo Alto Networks Blog]
