Friday, May 26, 2006

Symantec AV Flaw

Wow, hot on the heels of my last post regarding antivirus options, there comes this news regarding Symantec Antivirus:

A new vulnerability has been discovered by security firm eEye Digital Security in Symantec Antivirus 10.x and Client Security 3.x that could allow for remote code execution. This does not appear to affect the consumer versions of Symantec's products.

The vulnerability report:

Other news articles on the subject:,1895,1967941,00.asp

Note that this is only a preliminary report from eEye, and Symantec should be given the opportunity to respond accordingly.

While a vulnerability in a security product can be a scary thing, this shouldn't be too much concern for anyone who has implemented a reasonable amount of layered security, such as a firewall restricting port access to all systems, whether public-facing or not.

Enterprise Antivirus Solutions?

My company's Symantec Antivirus Corporate Edition subscription is about to expire, so I figured this would an opportune time to examine other antivirus options.

I've used a number of antivirus solutions on the enterprise (or at least small-to-medium business) level, including Symantec, Trend Micro, CA, and Panda. I've fooled around on the personal computing level with some of the other options, such as McAfee and Grisoft. I sort of inherited the existing Symantec setup at this company, and it has performed relatively well for us, purely on the level of virus scanning. We had an issue about a year ago with a zero-day virus infection, but one we isolated the executable, Symantec quickly gave us a Rapid Release definition to detect and remove it.

On the other hand, I'm not that thrilled with the centralized administration Symantec offers in this product. The deployment options are kind of klunky, and the ability to determine which computers on the network need the software installed is somewhat inadequate. These are minor annoyances that could certainly deal with if necessary, if the rest of the product is satisfactory.

The one thing I have a major problem with is the performance of the application. A while back (I believe it was with version 10.0.1000), there was a bug that caused computers to boot up extremely slowly due to a startup scan that slowed everything down. I believe the solution was to upgrade to version 10.0.1007, which disabled this scan at startup. I'm not sure if this has been rectified in later versions, but it seems to me that a startup scan would be a good thing, if it didn't hobble performance so much.

In any event, if I didn't think there was anything better out there, I would probably just grin and bear it. But I have had some very good experiences with Trend Micro (on a smaller scale, mind you), and Panda has been highly recommended by some of my peers. I'm not too crazy about CA, just because of some bad experiences with Cheyenne AV back in the Windows NT days.

Any recommendations? Or does anyone have any good resources, such as product comparisons and reviews from a reputable source? I tried searching for reviews, but most of the comparisons I can find are no more recent than 2003.

Monday, May 22, 2006

USB Drive Access Control Part 1

The security risk of allowing unfettered access to USB drives by employees is making me (and my CIO) nervous. How are you dealing with this risk?

Depending on the business needs of an organization, some people disable USB entirely, either through BIOS settings, registry changes, or the ultimate medieval solution: glue in the actual USB ports. As we have a business need for some controlled access to USB drives, I can't go that route.

So I'm looking for some more granular control over USB device access. I'm looking for the following criteria:
  • Control access by user
  • Integration with Active Directory
  • Control access by device type - I'm not talking about USB drives vs. CD drives. I mean "allow access to 512MB Kingston USB drive, but block all others," for example.
There are quite a few products out there, but I don't have enough information yet to make an educated decision. Here is the short list of products I requested more information from:
Except for that last one, do I detect a naming trend? I will post again after I have had a chance to evaluate these options. I'm also open to any other product suggestions that will meet my needs.

Tuesday, May 02, 2006

Banking and Two-factor Authentication

There's an interesting article in Network World this week, written by Daniel Blum:

Authentication: Where's the magic factor?

As someone who uses online banking as much as possible, I welcome the concept of two-factor authentication to increase security. As the article points out, however, which two factors will the banks choose? There is an overabundance of options from a number of different vendors.

I think the solution that wins out will be the one that accomplishes the following:
  1. The bank will have a favorable ratio of good publicity to low cost of implementation.
  2. The user will have increased confidence in their personal safety.
  3. The user will little or no trouble adapting to the new authentication method.
  4. The bank will be able to place more blame on users in the event of a security breach.
Obviously, since the banks will be footing the bill, the benefits that apply to them will probably outweigh everything else. But don't discount the weight of public opinion. If Bank A decides to implement this unwieldy biometric solution that requires each account holder to take a trip to the bank to have their retina scanned, and to pick up the scanner device to attach to their computer, they may lose customers to Bank B, who decided to send everyone an RSA SecureID token to use with their account. While Bank A might have gone with the more secure solution (depending on your opinion of the accuracy of biometrics), Bank B has caused less inconvenience to their customers while still greatly increasing the security of their online banking solution.