1 year ago


product review FORESCOUT

product review FORESCOUT TECHNOLOGIES COUNTERACT 8 Devices connecting to networks are now in a constant state of flux, forcing enterprises to re-evaluate their security postures. With new and unmanaged devices joining and leaving their networks at a prolific rate, administrators need to think inside the box and focus more on internal security threats. Network visibility and access control is the ideal solution to this dilemma, and ForeScout's CounterACT 8 is a leading contender. It continuously monitors users, applications, processes and an impressive range of device types, allowing it to spot vulnerabilities quickly and block them before a security breach occurs. Even better, CounterACT 8 does this all without requiring endpoint agents, allowing it to support heterogeneous networks comprising physical, virtual, cloud, infrastructure, wireless, mobile and IoT devices. This agentless approach makes CounterACT well positioned to protect potentially vulnerable operational technology (OT) devices, such as industrial control systems, that cannot have agents installed. CounterACT discovers, classifies and assesses all networked devices and nothing slips through its net, as it uses twenty passive and active profiling techniques. Its clever 3-dimensional classification technology means it is capable of gathering a huge level of attributes, such as precise Device function, OS, vendor and model, apps, users and all LDAP information - it'll even show you the power consumption of PoE devices. It has zero touch on critical OT devices by passively profiling them, but can still tell whether it is something such as an HVAC or a medical X-ray machine. ForeScout's device cloud helps CounterACT build a more robust classification engine by gathering anonymous information from opted-in customers and the cloud currently contains details on over three million devices. ForeScout gathers a vast amount of information and its freshly-designed GUI puts it all at your fingertips. The widget-based dashboard can be easily customised to present a complete incident response center or executive level view, and selecting any element allows you to deep-dive for more information. It also provides a remarkably detailed hardware and software inventory, made all the more accessible by the integral search facilities. CounterACT runs continuous assessments on all devices to determine their security posture and automatically applies the most appropriate access policy, based on its findings. ForeScout provides a large policy template collection to get you started and these can be run passively, with all actions deactivated to safely determine their impact before going to enforcement. Compliancy checks ensure end points such as workstations have required components, including anti-virus software and the latest service packs, before being allowed network access and CounterACT's self-remediation tools reduce the support burden. ForeScout's support team releases new policies in response to emerging threats, allowing CounterACT to provide instant protection. A unique feature is IoT device assessment, which checks them as soon as they join the network to see if they're using weak credentials such as factory default, commonly used or custom defined during initial install. With ForeScout businesses can implement 802.1X authentication on wireless networks and use ForeScout SmartConnect to provision network access using non-802.1X architecture on wired networks. SmartConnect avoids configuration and operational challenges associated with 802.1X implementation on wired networks, also ensuring a high level of security and user productivity. CounterACT's hybrid approach to access control gives administrators the power to dynamically segment their network. Should a device fail compliancy checks, it can be placed in a restricted zone while further checks are conducted and, if an IoT device comes online, it can be automatically placed in a separate and secure network segment. ForeScout's CounterACT 8 is a powerful and highly scalable network visibility and access control solution that delivers the best classification tools for instant awareness of all network-connected devices. Its automated compliancy checks and policy-based segmentation make CounterACT 8 perfectly poised to bring unity and security to chaotic networks. CS Product: CounterACT 8 Supplier: ForeScout Technologies Telephone: 02038654437 Web site: 28 computing security May/June 2018 @CSMagAndAwards

opinion WAKE UP TO THE RISK OF SERVER-SIDE ENCRYPTION THE USE OF CLIENT-SIDE ENCRYPTION SHOULD BE A KEY CRITERION IN THE SELECTION OF ANY VENDOR WHO STORES SENSITIVE DATA ON YOUR BEHALF, SAYS STEWART MCSPORRAN, CTO, MY1LOGIN Twitter headlines in May told users to change passwords following a bug that stored passwords in plaintext. The bug made the headlines, but under the radar was Twitter's weak security architecture - the use of full server-side hashing for obfuscating password data. Server-side hashing isn't bad itself: it's commonly used in conjunction with client-side hashing, but full server-side hashing means having access to users' passwords in plaintext on the server, before they are salted, hashed and stored. Insecure server-side encryption is commonly used, but, concerningly, even by some of the largest Identity and Access Management vendors. MARKETING SPIN Vendor websites will eulogise on security. They'll boast that AES 256 is used for encryption and for hashing, PBKDF2 or SHA256 is used. It sounds secure, but the real question is: Where is the encryption or hashing process performed? As we saw with Twitter, the benefits of using 'gold standard' algorithms to encrypt or hash data are quickly undone, if the data is processed in an insecure location. Vendors who utilise server-side encryption are exposing customer data to attack as the data is being uploaded to the vendor's application in plaintext, then scrambled once it gets there. WHY VENDORS USE SERVER-SIDE ENCRYPTION The benefits of server-side encryption mostly lie with the vendor. It reduces the complexity of development infrastructure and achieves faster encryption speeds, while still enabling the vendor to claim that data is stored in encrypted form at rest. The weakness of server-side encryption is that customer information is vulnerable, because the vendor has access to the keys and data in the same place at the same time - even if only for a short period of time. Twitter is one thing, but imagine if providers of cyber security solutions were using full server-side hashing or encryption? You don't need to imagine - most identity and access management providers actually employ server-side encryption. The massive consequences of this weak practice have already been seen in the industry, when in 2017 a large US-based identity and Access Management vendor was breached, exposing customer data and passwords. This type of breach would have been impossible with a client-side encryption architecture. GDPR IMPLICATIONS GDPR requires that organisations use 'state of the art' technical measures, including encryption, when necessary. Key management is a critical consideration as part of the overall security policy and the European Union Agency for Network and Information Security (ENISA) advise that "from a privacy perspective, the keys used to subsequently protect the confidentiality and integrity of data should never be available to the service providers, but derived on the enduser devices" - ie, client-side encryption. ASK YOUR VENDORS If your vendors are using server-side encryption or have access to the keys, they are putting your data at risk. Client-side encryption totally segregates the encrypted data (stored by the vendor) and the encryption keys (stored by the customer), resulting in vastly improved data security and preventing a security breach from becoming a data breach. Using this architecture, even Stewart McSporran, CTO, My1Login. the vendor cannot access your sensitive data. If they were breached, all that would be stolen is encrypted data - useless without the encryption keys. It's time to wake up to the risk of server-side encryption and ensure your vendors of choice are architecting their solutions based on the secure principle of segregating the encryption keys and encrypted data. Client-side encryption is the only way to securely store data in the cloud and it should be a key criterion in the selection of any vendor. For more information: @CSMagAndAwards May/June 2018 computing security 29