Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Exploiting Web business logic: I can’t hack it, but can I steal it?

At last, I thought, cybercrime for the rest of us. After seven years of infosec journalism I have just enough knowledge to ask reasonably intelligent questions, most of the time. But I’m no closer to having the technical chops for even the most idiot-proof Web attack.

So I had a more-than-professional interest in sitting in on “Get Rich or Die Trying: Making Money on the Web the Black Hat Way” at Black Hat. With one kid starting college and another trailing an ain’t-that-just-too-perfect four years later, and the epiphany that the $5 blackjack tables were not the answer, here was Web crime even I could grasp, except for some aching ethical considerations.

There’s a lot of business logic out on the Web, said WhiteHat Security Inc.’s Jeremiah Grossman and Trey Ford, that can be exploited for big bucks without a single cross-site scripting attack or SQL injection. All that’s required is the will, maybe some working capital, a grayish ethical worldview, and some good old-fashioned name-your-nationality know-how.

Information leakage, insufficient authentication and authorization, and abuse of the website’s functionality are prime money-makers, along with the technical hacks we all know and love.

The money-making schemes run from low-yield CAPTCHA solving, to trading on information obtained by picking unpublished press releases off business sites, to disturbingly easy harvesting of Web mail passwords off e-commerce sites, to bending the rules to apply hundreds of e-coupons for extremely cheap large purchases.

Or taking advantage of a flaw in functionality to get merchandise for nothing. This one was near and dear to my heart: something you get even though you don’t order it. Say you cancel an order while it’s still processing, but UPS shows up with the goods 3-5 business days later nevertheless.
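Coupon stacking is the easiest of these schemes to show in code. The following is an added illustration, not code from the original post, from WhiteHat Security, or from any real storefront; the coupon catalog, the customer IDs and the in-memory redemption record are constructed for the example. It puts a checkout handler that trusts the client’s list of coupon codes beside one that enforces the coupon policy on the server.

```python
"""Coupon stacking as a business-logic flaw.

Constructed example (not code from the original post, WhiteHat, or any real
e-commerce system). A checkout endpoint receives coupon codes from the client.
The vulnerable handler trusts the submitted list and applies every code, so a
shopper who submits one $5 coupon a few dozen times drives the total below
zero. The hardened handler owns the rules server-side: codes are validated
against a catalog, the client-supplied list is de-duplicated, only one coupon
is honoured per order, single-use codes are tracked per customer, and the
total never goes below zero.
"""
from dataclasses import dataclass, field
from decimal import Decimal

CENT = Decimal("0.01")

# Constructed coupon catalog; codes, amounts and flags are made up for the example.
COUPONS = {
    "SAVE10": {"kind": "percent", "value": Decimal("10")},
    "FIVEOFF": {"kind": "fixed", "value": Decimal("5.00")},
    "WELCOME": {"kind": "fixed", "value": Decimal("15.00"), "single_use": True},
}

# Constructed in-memory record of (customer_id, code) redemptions; a real
# system would keep this in the same transaction as the order.
REDEEMED: set = set()


class CouponError(ValueError):
    """Raised by the hardened handler when a submitted coupon violates policy."""


@dataclass
class Order:
    customer_id: str
    subtotal: Decimal
    applied: list = field(default_factory=list)


def _discount(total: Decimal, coupon: dict) -> Decimal:
    """Amount a single coupon takes off the running total."""
    if coupon["kind"] == "percent":
        return (total * coupon["value"] / 100).quantize(CENT)
    return coupon["value"]


def vulnerable_apply(order: Order, codes: list) -> Decimal:
    """Applies every valid code the client submits, repeats included.

    Flaw: the client controls how many times a coupon is applied, and there is
    no floor, so a long enough list yields a zero or negative total.
    """
    total = order.subtotal
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon is None:
            continue
        total -= _discount(total, coupon)
        order.applied.append(code)
    return total.quantize(CENT)


def hardened_apply(order: Order, codes: list) -> Decimal:
    """Enforces the coupon policy on the server instead of trusting the client."""
    unique = list(dict.fromkeys(codes))  # collapse repeated submissions
    if len(unique) > 1:
        raise CouponError("only one coupon may be applied per order")
    total = order.subtotal
    for code in unique:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise CouponError(f"unknown coupon {code!r}")
        if coupon.get("single_use") and (order.customer_id, code) in REDEEMED:
            raise CouponError(f"coupon {code!r} already redeemed by this customer")
        total -= _discount(total, coupon)
        order.applied.append(code)
        if coupon.get("single_use"):
            REDEEMED.add((order.customer_id, code))
    # Never let a discount turn into a payout.
    return max(total, Decimal("0")).quantize(CENT)


def checkout(customer_id: str, subtotal: str, codes: list, hardened: bool = True) -> dict:
    """Endpoint-style wrapper returning the JSON-shaped response a client would see."""
    order = Order(customer_id, Decimal(subtotal))
    try:
        total = hardened_apply(order, codes) if hardened else vulnerable_apply(order, codes)
    except CouponError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "total": str(total), "applied": order.applied}


if __name__ == "__main__":
    print("vulnerable, 25 x FIVEOFF:", checkout("alice", "100.00", ["FIVEOFF"] * 25, hardened=False))
    print("hardened,   25 x FIVEOFF:", checkout("alice", "100.00", ["FIVEOFF"] * 25))
    print("hardened,   stacked codes:", checkout("bob", "100.00", ["SAVE10", "FIVEOFF"]))
```

Run it directly to see the three outcomes. The point of `hardened_apply` is that every rule the business cares about (how many coupons, which codes exist, who has already used a single-use code, whether a discount can exceed the basket) is decided from server-owned state, never from what the request says.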

When I was a kid, I collected stamps. I ordered five Egyptian mint stamps on approval, which means I send them back if I don’t buy. They sent me more than a hundred assorted stamps on approval and I kept them all.

The U.S. Federal Trade Commission (FTC) says unsolicited merchandise is yours to keep. But it’s one thing to profit from a one-off mistake; things get murkier if you repeat the process to exploit the glitch for profit.

That’s the extent of how far I’ll bend my ethics though, so the e-tailer world is safe from me still, and the college bills are still coming.

But the message here is that there are many ways to rip off online businesses: some very technical, some not so much, some clearly illegal, some sort of, maybe. In any case, your company’s money is as good as gone.

Juniper Networks announces new UAC

Network infrastructure vendors can help differentiate themselves in the security market with tight integration of their network and security products. Managing my firewalls, intrusion detection/prevention, network access control (NAC), etc., together with my routers and switches is an inducement to make my network provider a one-stop shop for security products as well.

Today, Juniper Networks Inc. announced centralized management for its security portfolio, which it has been building through acquisitions in recent years, and for its J-Series routers and EX-series switches. On the security side, Network and Security Manager (NSM), formerly NetScreen-Security Manager, encompasses the Secure Access SSL VPN, Juniper’s various firewall/VPN and intrusion detection/prevention appliances, and the latest version of its NAC product, Unified Access Control 2.2, also announced today.

“Our goal in the enterprise space is to walk in as a portfolio player,” said Sanjay Kapoor, senior director of product management for Juniper’s Network Management Group. “If you are deploying an overall portfolio of security, access, routers and switches, you should have, functionally, a single configuration system and a single monitoring system from Juniper — all appliance based.”

With the new Unified Access Control (UAC) release, Juniper also announced two Infranet Controller appliances. The 4500 appliances, for mid-sized to large enterprises, support up to 5,000 simultaneous endpoint devices; the 6500 appliances, for large multinational enterprise deployments, support up to 20,000 simultaneous devices (30,000 in a cluster). Current Infranet Controller appliances can be upgraded to UAC 2.2 to take advantage of the new NSM.

Underlying the unified management structure is the XML-based Device Management Interface (DMI), built on the NETCONF network configuration standard. This establishes a single configuration scheme for all Juniper devices (WAN optimization is on the roadmap) and should make it easier for Juniper to integrate future acquisitions without modifying the NSM platform.

NSM provides partitioned management, so different groups, say security and network operations in SOCs and NOCs, can use it without deploying multiple instances of the same system.

Symantec upgrades NAC with better guest user integration

The latest upgrade to Symantec Network Access Control (SNAC) significantly improves management of guest users, a prime driver in the NAC market and not a strong suit for Symantec Corp. until now.

“Network-based vendors tend to focus on guest users and unmanaged devices, because that’s where their strength is on the network,” said Patrick Wheeler, Symantec’s senior product manager for endpoint security.

Wheeler said Symantec has always been strong in the managed user area. He said the upgrade gives managed and unmanaged users a single product.

The upgrade allows Symantec NAC customers to centralize policy for both managed and unmanaged users and devices in one place, through Symantec Endpoint Protection Manager. Further, temporary guest client software — dissolvable Java agents — can be issued directly by the Network Access Control Enforcer appliance in gateway or DHCP mode.

Up until now, these guest features were only available in a separate product, Symantec On-Demand Protection for Web Applications. Wheeler said this is serviceable, but requires some integration and two management points.

Symantec customers can have a Web login and RADIUS or Active Directory authentication for guests, as well as a single point of policy control for both managed and unmanaged users.

In addition to guest users, Symantec NAC now supports MAC-based 802.1X authentication for unmanaged devices, such as printers and UPS (uninterruptible power supply) units.

Agiliance buy of Phulaxis adds monitoring, auditing features for SOX compliance

The simple fact that there is an IT governance, risk and compliance market, spawning start-up companies like Agiliance, underscores both the growing maturity of IT and IT security and the business and regulatory pressures that are compelling companies to be accountable for their operations.

Agiliance, just over two years old, announced the acquisition of Phulaxis, and incorporated its technology as the Controls Automation module for its Agiliance IT-GRC 3.0 product. The module provides automated user access controls for identity management systems, middleware, databases and applications.

Governance, risk and compliance have generally been scattered in silos throughout large organizations, even those in sectors like financial services, which have mature governance and risk models and a long history of regulatory control. IT operations have become far more complex, and extend to global partners and customers, many of whom demand evidence of strong controls. SOX and PCI DSS have forced companies to ride herd on their operations as never before.

The real value of IT GRC tools like Agiliance’s and others is to unify processes that are scattered across business silos, and to automate, to some degree, the costly, resource-intensive operations required to meet internal and external requirements.

The acquisition of Phulaxis adds an important piece: the identity management aspect of compliance, particularly for SOX Section 404. Monitoring, auditing and, as needed, addressing abuses of user access privileges is an increasingly important part of IT governance and compliance, one that reaches across many segments of the IT security market, from GRC to SIEM to NAC.
- Neil Roiter