W2Knews[tm] (the original NTools E-News) Electronic Newsletter
Vol. 5, #41 - September 11, 2000 - Issue #215
Published by sunbelt-software.com since 1996 - ISSN: 1527-3407
'Immediate Notification Of Important Windows NT/2000 Events'
*******************over 600,000 subscribers**************************

This 'Special Security Issue' of W2Knews contains:

1. EDITORS CORNER:
   * NEW: Scan Your Own Networks 'Outside-in' Like A Hacker Would
2. TECH BRIEFING:
   * What is Network Perimeter Defense, and what is Scanning?
     (If YOU don't hack your systems, who will?)
3. NT/2000 RELATED NEWS:
   * Operating System Vulnerabilities On The Rise
   * Security Specialist Shortage: How do I get to be one?
   * Protecting Your Network Perimeter Is A Continual Process
4. NT/2000 THIRD PARTY NEWS:
   * BRAND NEW NETWORK SECURITY SERVICE: QualysGuard[tm]
     (You definitely want to check this one out!)
   * Critical Security Questions and Answers
5. W2Knews 'FAVE' LINKS:
   * NEW: This Week's 3 Cool Security HotLinks
6. HINTS AND TIPS:
   * Where do I get Security Books?
7. THE NT/2000 STOCK WATCH - Week of September 8, 2000 -
8. HOW TO USE THE MAILING LIST
   Instructions on how to subscribe, sign off or change your address.

*************************SPONSOR*********************************
Looking for detailed hardware and software inventory of all your PCs? Computing Edge Inventory +Solution gathers PC serial number, BIOS & registry details, comprehensive software auditing, disk, OS, system configs, and full end-user info. Track your data from any browser with numerous pre-packaged reports. Zero footprint -- nothing has to be installed on the client, run it from the network. Fits on a single floppy to inventory non-networked systems. 30-day FREE trial!
http://www.computingedge.com

**********************What Is W2Knews?**************************
Sunbelt W2Knews is the World's first and largest e-zine designed for NT/2000 System Admins and Power Users that need to keep these platforms up & running. Every week we get you pragmatic, from-the-trenches news regarding NT/2000 and 3rd-party System Management Tools. W2Knews will help you to better understand NT/2000 and pass your Certification Exams. You will get breaking news like new tools, service packs, sites, or killer viruses via W2KNewsFlashes. Sunbelt Software is THE NT/2000 e-business tools site. At the end of this message are links to all indexed and searchable back issues.

-------------------------------------------------------------------
1. "EDITORS CORNER"

* A Brand New Security Scanning Concept

Hi NT/2000 Pros,

Before we go into the Big Announcement, a reminder. This is the LAST WEEK you can vote for your 'fave' TOOLS at the W2Knews Target Awards 2000. Vote now!
http://www.sunbelt-software.com/targetawards/
Winners will be announced in the W2Knews issue next weekend.

------------

And here is the big announcement. You told us Security was your headache #1. So, I went out and looked at the current market, did my homework and found out some very interesting things. Now I understand better why you say it really IS a major pain:

- More and more vulnerabilities are found; it's on a steep rise.
- The number of your (distributed) machines has mushroomed.
- The attacks get increasingly sophisticated.
- You have less and less time to dedicate to Security.
- It is getting harder and harder to simply keep up, as there are a multitude of (sometimes conflicting) information sources.
- There is NO centralized, simple way to manage vulnerabilities.
- But your management insists you need to keep things tied down (while increasing exposure via Internet-based applications).

The real problem is that you almost have to be a hacker yourself to be sure no one else can penetrate your networks. But who has time to burn the midnight oil, find out about vulnerabilities, how to exploit them, penetrate your own site, and then plug all the holes found?

Recently I read a survey and it was found that something like 60% of U.S.
MIS managers would not hesitate to put Kevin Mitnick on their payroll. (In case you have been creating code locked up in a closet for a few years, Kevin Mitnick is probably the world's most famous hacker who recently came out of prison.) A very recent quote from Mitnick is "What you don't know will hurt you".

The upshot of all this? It would be great if you could have your own hacker on your payroll, who would protect your network. Too bad though, that ain't gonna happen. The next best thing is QualysGuard[tm]. This is the new service that we are introducing. In a nutshell, it's an internet-based artificial intelligence solution that allows you to scan your own systems from the outside in, just like a hacker would, using all known holes and exploits, and then plug the holes you find. Built and maintained by Security Consultants (white-hat hackers) and updated d a i l y (!) with the latest exploits found. It's a subscription service; you only use a browser. No installation, training, updates and all the other hassle. Check it out and watch the (web) demo:
http://www.sunbelt-software.com/product.cfm?id=545

I guess you now understand why I'm so excited about QualysGuard. We ran it on our own network but I'm not going to tell you what I found. <blush>

Warm regards,

Stu.
(Email feedback to [EMAIL PROTECTED])

***************************SPONSOR*********************************
"You, The Black Hats, And Your Network" -- Discover how intruders break in. We have a revolutionary new approach for you: now you can scan your own networks like intruders would. Use QualysGuard[tm] to get the "outside-in" view on your networks. You'll be surprised at what you'll learn about your external security risks and their relative severity. This is the essential missing link in your security toolkit. Get an instant on-line demo right now at:
http://www.sunbelt-software.com/product.cfm?id=545
****************************************************************

2. TECH BRIEFING:

* What is Network Perimeter Defense, and what is Scanning? (If YOU don't hack your systems, who will?)

DEFINITION: Network Perimeter Defense is also called Security Auditing and it is a process that identifies network computing equipment and the security vulnerabilities associated with these devices. This info can be used to measure security, manage risks, and eliminate the security vulnerabilities found before unauthorized users can exploit potential security holes.

'Scanning' is what both white-hat and black-hat hackers do. They use a series of both freeware and shareware programs and write their own scripts to attack and penetrate networks. It is a highly specialized kind of activity, but more and more automated tools are being used to hack into sites. The question really is, if you do not have a process like this in place, when (not if) is someone going to penetrate your network and cause damage? There are a few specialized IT Security consultants out there, but they are scarce and expensive. It's up to you to batten down the hatches.

Many of you bought STAT and this is a great tool for inside hole-scanning, that you certainly should continue to do. But scanning 'outside-in' was missing up to now, so you should add QualysGuard. Having your own 'attack tool' in place is an essential part of a strong defense. And being able to scan your own networks, scheduled automatically, and get extensive reports on what was found is really a MUST if you want to continue to protect against intruders. Check out:
http://www.sunbelt-software.com/product.cfm?id=545

****************************************************************
3. NT/2000 RELATED NEWS:

* Operating System Vulnerabilities On The Rise

Everything is getting online, companies are integrating systems with their vendors, interdependencies are created, e-commerce and its next evolutionary step called 'e-business' are rapidly developing. All this makes strong network security a must.
The only way to get there is with robust corporate security programs that include regular network audits for vulnerability assessment and for corrective action. Until now, these audits were typically done by using purchased software or homegrown solutions. Of course these are initially better than no proactive approach at all, but those solutions often have serious shortcomings that could give you a false sense of security. Some of the drawbacks of a setup like this are:

- Can be expensive and cumbersome (time consuming) to apply.
- Results are sometimes difficult to understand.
- They offer little in the way of risk assessment or scoring.
- Often lack recommendations for fixing vulnerabilities.
- They look at the network from the inside out, and thus miss the holes hackers can see.
- They can become quickly and dangerously outdated as new holes are uncovered constantly, literally at internet speed.

And in the meantime, the number of vulnerabilities found in the popular OS-es is on the rise. The trends are the same for Linux, Solaris and Windows, and the totals for all three look something like this (I'm being conservative):

1997:  25
1998:  75
1999: 200
2000: 300
2001: 600

Conclusion: all of the above points to a need for a new approach to security auditing that is:

- Affordable
- Extremely easy to deploy and use
- Effective for Risk Assessment and corrective recommendations
- ALWAYS up to date on the latest vulnerabilities

If you run an environment with Windows (and/or) Linux/Unix, I strongly suggest you have a look at the new service we provide:
http://www.sunbelt-software.com/product.cfm?id=545

-----------------------------
* Security Specialist Shortage: How do I get to be one?

Just like MCSE, there are Certifications for Security specialists. And Oh Boy, are they needed! I think this is one of the most urgent needs of corporate IT, and hardest to find. What kinds of Certs are there?

LevelOne Certification for everyone involved in Security is called GSEC (GIAC Security Essentials Certified). You can take this live or online.

LevelTwo Certs for advanced security professionals are:

- GCIA: GIAC Certified Intrusion Detection Analyst
- GCIH: GIAC Certified Advanced Incident Handler
- GCFA: GIAC Certified Firewall Analyst
- GCIX: GIAC Certified Unix Security Analyst
- GCNT: GIAC Certified Windows NT Security Analyst

Around the globe, these GIAC certs mean excellence in security skills. GIAC certified professionals have studied up-to-date material, passed difficult exams, and have proven their mastery through practical demonstrations. If you have the time, this is a really good career move. More at:
http://www.sans.org/giactc.htm

-----------------------------
* Protecting Your Network Perimeter Is A Continual Process

The Internet has basically created a perimeter around your corporate network that you need to defend. I have been doing some digging and the most recent data I could get my hands on was the 2000 Computer Crime and Security Survey by the CSI and FBI. Just a few of the highlights of this recent survey:

- 70% reported serious attacks
- 42% acknowledged financial loss
- 59% reported more Internet attacks than internal attacks - this trend is continually up
- 120% increase in loss last year

And all of this is true. Just as an illustration, I just opened up my BlackICE tool, and checked the last few days. I'm on a Cablemodem with a 24 hour connection so this NT WS is a prime target for hackers. Today I had 9 attacks on this box, most of them port probes, and it's only 12:30. Yesterday there were 15. I'm sure you get the point.

The problem is that your risk of intrusions is a moving target. It would be nice if you could do a vulnerability assessment, plug the holes and be done with it. But no, your network is growing, there are continual machine changes and multiple software installs and upgrades. Each of these can cause one or more new holes to appear. On the other hand, the threats multiply too.
There are about 4 new vulnerabilities discovered each day, with newly invented exploits to go along with them, and there is more and more "hobby hacking". These are also called 'script kiddies' and are usually not very harmful, unless they unleash something that brings your server down.

The solution to all of this requires an ongoing process. There is no 'cure' for it; there is only a professional approach of managing the vulnerabilities. You have to continually test and retest:

- points of access
- potential vulnerabilities
- problem areas
- and continue to worry about it.

In short, you need to institute a (or expand your existing) corporate Vulnerability Management program that will be your Internet Bodyguard. Nothing better than to check out the new QualysGuard that is just that:
http://www.sunbelt-software.com/product.cfm?id=545

*****************************************************************
4. NT THIRD PARTY NEWS:

* BRAND NEW NETWORK SECURITY SERVICE: QualysGuard[tm] (You definitely want to check this one out!)

I'm excited about this solution. Why? I know it's going to make your life a lot easier and protect your networks in a unique new way. QualysGuard is the first security tool built from the ground up to fully leverage the power of the Internet. It allows you to scan your own networks from the outside in and find holes. Lights-out, scheduled, with extensive reporting for both the CIO and the system and network admins. This is _very_ cool leading edge stuff, and a great additional (complementary) tool if you already run something like STAT.

What does it do:

- Gives you a visual map of your network from the outside
- Automatically and intelligently audits all the devices for vulnerabilities (runs device-dependent tests)
- Delivers an immediate easy-to-understand risk assessment
- Gets you detailed recommendations for fixes and solutions

What does it do for YOU:

- Frees up more time in your interrupt driven working conditions
- Gives you a handle on security issues and how to fix them
- You have a 'white-hat hacker' backup team supporting you 24/7
- You don't have to burn the midnight oil maintaining security expertise from 20 different sources
- No need to spend your time training, installing and updating shrink-wrapped tools
- The QualysGuard analysis does not bring your networks down as it has intelligent load monitoring.

What it does for MIS, CIO Management:

- Provides an overall 'helicopter view' of the security posture of the organization
- Brings relief in finding and keeping internal security staff
- Now easier to bring more processes and functions to the web
- Incredible value, and much cheaper than hiring a hacker
- Gives them a way to measure and manage effectiveness of the corporate security precautions.

What it gives all of you: Job Security.

QualysGuard is online and on-demand. You access it with your own account and a password over the internet. When you subscribe to this service, a range of IP addresses you want scanned will be set up in your account. (Yes, we check if they really belong to you.) The service is available online to authorized security personnel 24 hours a day to run and scan:

- 150+ CGI tests
- 50+ Backdoor tests
- 300+ Remote vulnerabilities
- Full TCP/UDP (User Datagram Protocol) checks
- Network TCP/IP
- UNIX OS
- Windows NT/2000
- Web Servers
- Mail Servers
- FTP Servers
- Firewall Scans
- Routers
- Switches
- And an average of 4 new vulnerabilities e v e r y day.
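The scheduled re-scanning that section 3 argues for ("continually test and retest") only pays off if each run is compared with the previous one, so that new holes, fixed holes and the overall risk trend become visible instead of a fresh wall of findings every week. The following Python script is an added illustration of that bookkeeping and is not QualysGuard's or Sunbelt's code: it parses two constructed scan snapshots (an invented line format, hosts in the 192.0.2.0/24 documentation range, made-up check names and severity weights), diffs them, computes a severity-weighted score for each run, and picks out the new findings at "high" or worse that would warrant an immediate alert.

```python
from dataclasses import dataclass

# Severity weights are constructed for this example; a real service uses its own scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


@dataclass(frozen=True, order=True)
class Finding:
    """One vulnerability observed on one service. Hashable, so a snapshot is a set."""
    host: str
    port: int
    proto: str
    check: str      # name of the check that fired (hypothetical names below)
    severity: str


def parse_scan(text):
    """Parse a line-oriented export: '<host> <port>/<proto> <check> <severity>'.

    Blank lines and '#' comments are ignored. The format is invented for this
    example, not any product's export format.
    """
    findings = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed scan line: {raw!r}")
        host, endpoint, check, severity = fields
        port, proto = endpoint.split("/", 1)
        if severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {severity!r} in line: {raw!r}")
        findings.add(Finding(host, int(port), proto, check, severity))
    return findings


def diff_scans(previous, current):
    """Split two snapshots into what appeared, what disappeared and what remains."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persisting": previous & current,
    }


def risk_score(findings):
    """Severity-weighted sum: a single number management can track run over run."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def alerts(delta, threshold="high"):
    """New findings at or above the threshold, i.e. what deserves an immediate email."""
    floor = SEVERITY_WEIGHT[threshold]
    return sorted(f for f in delta["new"] if SEVERITY_WEIGHT[f.severity] >= floor)


# Constructed snapshots. Hosts are in the 192.0.2.0/24 documentation range and the
# check names are made up for illustration.
LAST_WEEK = """
192.0.2.10  80/tcp   web-server-version-disclosure  medium
192.0.2.10  21/tcp   ftp-anonymous-login            high
192.0.2.11  25/tcp   smtp-open-relay                high
192.0.2.12  139/tcp  netbios-null-session           medium
"""

THIS_WEEK = """
192.0.2.10  80/tcp   web-server-version-disclosure  medium
192.0.2.10  80/tcp   cgi-sample-script-present      critical  # appeared after a web install
192.0.2.11  25/tcp   smtp-open-relay                high
192.0.2.13  23/tcp   telnet-enabled                 medium    # host added since last scan
"""


def weekly_report(previous_text, current_text):
    """Everything the next scheduled run should produce, as plain data."""
    previous, current = parse_scan(previous_text), parse_scan(current_text)
    delta = diff_scans(previous, current)
    return {
        "score_before": risk_score(previous),
        "score_after": risk_score(current),
        "new": sorted(delta["new"]),
        "fixed": sorted(delta["fixed"]),
        "persisting": sorted(delta["persisting"]),
        "alerts": alerts(delta),
    }


if __name__ == "__main__":
    report = weekly_report(LAST_WEEK, THIS_WEEK)
    print(f"risk score {report['score_before']} -> {report['score_after']}")
    for label in ("new", "fixed", "persisting"):
        for f in report[label]:
            print(f"{label:10} {f.host}:{f.port}/{f.proto} {f.check} ({f.severity})")
    for f in report["alerts"]:
        print(f"ALERT: new {f.severity} finding {f.check} on {f.host}:{f.port}")
```

Run it directly to print the week-over-week report. The point of keying findings on host, port, protocol and check is that two fixed holes and two new ones net out to "no change" in a raw count, while the diff shows the score actually went up because the new web hole is critical; the weights and the alert threshold are deliberately simple so they can be swapped for whatever scale the scanner you use reports.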
You can schedule regular audits on a daily, weekly or monthly basis to monitor your network vulnerabilities so that you are sure you are covered. The tool avoids using up network bandwidth or crashing your servers.

This tool is always private and secure. The service is designed to ensure the privacy and security of each subscriber's data. We'll be happy to explain how this works, and it's also in the Sunbelt Software Knowledge Base.

Want to see how it works? Fill out the DOWNLOAD FORM and you'll get a 2-3 minute web based immediate demo. Cool Stuff! Check out:
http://www.sunbelt-software.com/product.cfm?id=545

-----------------------------
* Critical Security Questions and Answers

I have received some questions that I'll answer in this W2Knews so that everyone has the benefit of them.

Q1: As a security consultant, I am familiar with products like ISS, Cybercop, Retina, as well as many of the freebie tools like SATAN, SAINT, Nessus, whisker, etc. That said, I am curious what QualysGuard does that is new or different in the way of vulnerability scanners.
A1: The unique concept is the fact you can subscribe to a service, which will automate the scanning for you, and manages the database of vulnerabilities in pretty much real-time.
---
Q2: Is it designed to audit NT or Unix machines (or both)?
A2: Both, but it finds out what kind of server or device it looks at and then only runs vulnerabilities relative to the device. It has many years of security consulting expertise built into the AI-engine.
---
Q3: Is the scanning technology new?
A3: It uses known methods to scan and penetrate sites from the outside in. What is new is that it is now available as a managed service that is schedulable and consistent. It also provides a historic database of vulnerabilities found and fixed for upper management purposes.
---
Q4: Is the reporting capability considerably different than its competitors?
A4: I would have to do some more research on this point, as I'm not intimately familiar with the other players in this area. We'll do this and come back on it. Can they send automated emails to warn for critical holes found?
---
Q5: The web page says "over 600 vulnerabilities", putting this on par with ISS (who boasts roughly that amount). Given companies like E&Y offering solutions that scan a database of 2200 vulnerabilities, the disparity in numbers begins to stand out.
A5: The numbers do not tell all. Unfortunately these are used for marketing purposes and it depends entirely on how you count, and what you count. You know the old saying: Lies, damn lies, and statistics. What really is important is the type of holes they test for from the outside, which are different from the things you scan for from the inside out.
---
Q6: Is your product available for trial use in any capacity?
A6: There are three phases. 1: the web-demo. 2: Our reps have a demo account that allows a scan of a live system set up at Qualys. 3: Incidental cases can scan one (1) IP address only, but only after signing some legal paperwork.
---
Q7: How reliable are these Qualys guys? How do I know that they won't break into my systems?
A7: Qualys was founded in 1999 with a veteran management team that has its history in Security Consulting. It's Venture Capital backed and has as one of its main investors VeriSign (VRSN), which is the world's number one provider of Internet trust services.
---
Q8: Do I need any kind of equipment on my side at all?
A8: No, this runs completely from an outside Qualys Internet Server that sits in a secure co-hosting facility.
---
Q9: Do I need to be an expert in security to be able to set up and use QualysGuard?
A9: No, you supply the IP-range you want to scan and get the paperwork signed. From there on out it is clicking on your Favorites button, providing the password and clicking the SCAN button. The reports show you what was found, how severe it is and how to fix it.
---
Q10: I already have a firewall, do I still need QualysGuard?
A10: Yes. Firewalls are essential to network security but are very complex and often badly configured. QualysGuard tests the effectiveness of your firewall as well as apps such as Web, ftp and mail that are naturally accessible through firewalls. Rule changes can expose your networks, so firewalls need a regular program of "hygiene".
---
Q11: I already have an intrusion detection product, why would I need QualysGuard?
A11: These tools are reactive; you need a proactive approach, as when someone is hacking your system, there is a good chance it is already too late.
---
Q12: How secure is the QualysGuard solution? How do I know that no one else finds out about the holes in my network?
A12: The map and scan results are encrypted with 1024-bit protection, as a subscriber you are connected with SSL, there is no archiving (not even backups) and it is completely inaccessible without the password - even by Qualys. All of their machines are located at top-tier hosting facilities.
---
Bonus Q13: How long does it take to scan?
Bonus Answer: Only about 2.5 min per IP; the scanning engine is highly efficient.

Check out:
http://www.sunbelt-software.com/product.cfm?id=545

****************************************************************
5. W2Knews 'FAVE' LINKS:

==============
All the tools hackers use to break into systems are discussed at the hackingexposed site:
http://www.hackingexposed.com
==============
Need to get Security Trained? Start by looking at the SANS site:
http://www.sans.org/giactc.htm
==============
Want to talk to security experts, attend class, and want it October 15-22, 2000 in Monterey, CA?
http://www.sans.org/NS2000.htm
==============
Developing for Windows in Europe? If so, then the best conference for you to attend this year is the WinSummit developer's conference in Davos, Switzerland: October 2 to 6:
http://www.WinSummit.com

****************************************************************
6. HINTS AND TIPS:

Did you know about the new Sunbelt BookClub? Now, this is no ordinary BookClub. Not only are we offering 11 books from New Riders, an industry-leading publisher, but I've managed to pass some savings on to you. There are some good titles in there that will help you plan good Windows 2000 Security. With the Sunbelt BookClub, you will receive up to 40% off the latest Windows 2000 titles. These books will help you:

· Install and Configure Windows 2000
· Manage DNS and DHCP
· Develop unified directory strategy to support enterprise applications
· Clarify Security issues for reliable client performance
· Create techniques using VB and VBScript to automate tasks

Those are just a few of the items covered. You have to see it to believe it. Visit the Sunbelt Windows 2000 BookClub at
http://www.sunbelt-software.com/bookclub/

Two other specific Security titles that I recommend are:

- HACKING EXPOSED - McClure and Scambray - Publisher is Osborne, the ISBN is 0-07-212127-0
- HACK PROOFING your network - Russell and Cunningham - Publisher is Syngress - The ISBN is 1-928994-15-6

*******************************************************************
7. THE NT/2000 STOCK WATCH - Week of September 8, 2000 -

                                      52 WK      52 WK      P/E    WEEK
SECURITY                    CLOSE     HIGH       LOW        RATIO  CHNG
-----------------------------------------------------------------------
Advanced Micro Devices...   32 1/16   48 1/2     8 1/4      31     -14.2%
BMC Software.............   24 1/4    86 5/8     16 1/8     25     -14.9%
BindView Development Corp   10 3/4    45 3/4     6                 +4.8%
Cisco Systems............   63 7/8    82         32 1/2            -6.8%
Citrix Systems Inc.......   22 11/16  122 5/16   14 1/4     39     +0.8%
Compaq Computer..........   32 5/8    35         18 1/4     48     -3.5%
Computer Associates......   31 3/4    79 7/16    23 11/16   15     -0.7%
Data Return Corporation..   21 7/8    94 1/4     13 1/4            +12.1%
Dell Computer............   38 7/8    59 3/4     34 7/8     58     -9.7%
EMC Corp.................   96 13/16  100        30                -0.4%
Electronic Data Systems C   49        76 11/16   38 3/8     32     -2.0%
Gateway Inc..............   62 37/64  84         41 5/8     41     -8.8%
Hewlett Packard Co.......   121 3/8   136 3/16   52 1/4     36     -3.0%
Intel Corp...............   65 3/8    75 13/16   32 1/2     58     -11.5%
Intergraph Corp..........   6 3/8     9          3 3/16            +6.2%
International Business Ma   129 1/2   137 11/16  89 3/4     33     -3.0%
Legato Systems Inc.......   14 1/4    82 1/2     8 1/8             +9.0%
Micron Electronics Inc...   12 1/2    20 11/16   8 3/16     37     -13.4%
Microsoft Corp...........   69 5/16   119 15/16  60         41     -1.2%
NCR Corp.................   39 5/8    47         26 11/16   12     -3.3%
NetIQ Corporation........   49 7/8    81 1/2     21                -16.3%
Network Associates Inc...   23 1/4    37 3/16    16 1/4     66     -10.5%
Novell Inc...............   10 3/4    44 9/16    7 13/16    23     -11.7%
Oracle Corp..............   86 9/16   93         20                -6.5%
Qualcomm Incorporated....   61 9/16   200        38 1/8     70     +3.9%
Quest Software Inc.......   56        98 1/8     18                -2.1%
Seagate Technology.......   58        76         26 9/16    13     -2.1%
Silicon Graphics.........   4 1/4     5 3/16     2                 -11.6%
Sun Microsystems Inc.....   120 3/4   129 5/16   40 7/8            -6.1%
Sybase Inc...............   27 1/2    31         10 3/16    38     -0.9%
Symantec Corp............   48        81 5/8     31 3/8     17     -7.9%
Unisys Corp..............   14 3/8    49 11/16   9 1/8      10     +7.9%
Veritas Software Corp....   117 1/4   174        28 5/8            -3.6%
Dow Jones 30 Industrials.   11,220.65                              -0.1%

*******************************************************************
8. "HOW TO USE THE MAILING LIST"
Instructions on how to subscribe, sign off or change your email address

TO SUBSCRIBE TO THE LIST (Tell your friends!)
Click: http://lyris.sunbelt-software.com/scripts/lyris.pl?join=w2knews
and fill out the form, simple & easy: 1 minute work.
Or by email, send a blank message to the following address:
[EMAIL PROTECTED]
_____________________________________________________
TO QUIT THE LIST
Go here, choose the list you are on, and follow instructions:
http://lyris.sunbelt-software.com/scripts/lyris.pl
or follow instructions at the very end of this newsletter.
____________________________________________________
TO CHANGE YOUR ADDRESS
First unsubscribe and then resubscribe as per the procedure above.

******************************************************************
FOR MORE INFORMATION
On the World Wide Web point your browser to:

For the newsletter and our website:
http://www.sunbelt-software.com
For Tech Support on Sunbelt products mentioned:
http://www.sunbelt-software.com/scripts/rightnow.exe

Back Issues are here, all searchable and indexed.
NT-list:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=nt-list&text_mode=0
Back Issues of W2Knews are all here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=w2knews&text_mode=0

Cannot unsubscribe? Send an email to a live person: [EMAIL PROTECTED]
Email for US sales information to: [EMAIL PROTECTED]
Email for US Tech support to: [EMAIL PROTECTED]
Email to the US Editor: [EMAIL PROTECTED]
Email for European Sales to: [EMAIL PROTECTED]
Email for European Tech support to: [EMAIL PROTECTED]

At the time of this newsletter's release, all links were checked to verify their accuracy and validity. However, due to the ever changing pages of various sites, some links may later prove to be invalid. We regret any inconvenience should you be unable to open any of these links.

********************************************************************
Things Our Lawyers Make Us Say:

This document is provided for informational purposes only. The information contained in this document represents the current view of Sunbelt Software Distribution on the issues discussed as of the date of publication. Because Sunbelt must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Sunbelt and Sunbelt cannot guarantee the accuracy of any information presented after the date of publication.

INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT. The user assumes the entire risk as to the accuracy and the use of this document.

This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Sunbelt's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit.

All trademarks acknowledged. Copyright Sunbelt Software Distribution, Inc. 1996-2000.