
Network Security
Many companies find that managing the security of their computer systems presents a unique challenge. While almost everyone agrees that measures need to be taken to prevent attacks on information resources, most organizations lack the experience and expertise necessary to successfully manage and address the threats and risks to their information resources. Netbriar provides a variety of network security services to help your organization manage the security of your network.
Position, Policy, Procedures
Without a set of adopted security policies and procedures, how can your employees know what level of security they should be implementing within your organization? Netbriar has extensive experience helping organizations develop and implement real-world security policies that define your position on information security, acceptable use, intellectual property, and other crucial security issues. Netbriar can help you answer questions such as:
- Who represents the greatest threat to our network? Internet-based attacks? Hostile insiders? Former employees?
- How should Internet servers be deployed?
- How should our firewalls be configured?
- Who owns the information within our organization?
- How can we implement a policy of "least privilege" within our network?
- What constitutes acceptable and unacceptable use of the Internet from within our organization?
- Who is specifically responsible for the security of our servers? What measures should they take to secure our servers?
- What specific steps should we take to secure new servers?
- Who provides oversight for the security of our network? How do we know how secure our network is?
Assessment
- What vulnerabilities could an attacker use to gain access to my network?
- What do I need to do to fix these vulnerabilities?
- What is the best way to proceed with fixing the vulnerabilities?
- What should I do to prevent these types of vulnerabilities from reoccurring?
What vulnerabilities could an attacker use to gain access to my network?
Every operating system and software package contains flaws or bugs of varying degrees of severity. Attackers use these flaws to obtain unauthorized privileges. For instance, an attacker may use a flaw in a piece of web server software to gain access to a database and retrieve credit card numbers. It is crucial for you to understand what vulnerabilities could be exploited on your network, and make sure that they are resolved as soon as possible. The goal of Netbriar's Network Security Assessment is to help you understand exactly how an attacker could get into your systems, and exactly how to keep them out.
What do I need to do to fix these vulnerabilities?
Software manufacturers usually provide security patches to their products that partially or completely resolve the flaw that attackers exploit. In some cases, the vulnerability is not the result of a flaw, but of a misconfiguration. It is crucial to know exactly how to go about fixing each security hole that is discovered in your network. Netbriar provides detailed information, including step-by-step instructions, on how to resolve significant vulnerabilities.
What is the best way to proceed with fixing the vulnerabilities?
It's great to know what security issues you have, and how to fix them. Unfortunately, as many organizations have discovered, it's extremely difficult to resolve all of them at once. In many cases, hundreds or thousands of minor vulnerabilities may be present, and fixing them all immediately simply isn't an option. Netbriar helps by prioritizing and organizing our findings to help you understand what absolutely must be fixed tomorrow, and what might be able to wait until next week. For organizations without the necessary IT resources to resolve all of the discovered security holes in a timely manner, Netbriar can also provide training and project management throughout the process, as well as additional expertise in securing technologies.
What should I do to prevent these types of vulnerabilities from reoccurring?
Fixing problems today doesn't necessarily mean that they won't reoccur tomorrow. The same security holes that we're seeing today are nearly identical to holes we saw a few years ago. Very little changes except the details. It is important to identify what general and specific steps can be taken to lower the risk that the next iteration of the same flaw will give an attacker a gateway into your network. Network, policy, and procedure changes can reduce the long-term risk to key information systems. Netbriar recommends these changes and explains why they make long-term sense to your organization.
Engineering
Netbriar performs a variety of security engineering services that assist customers with securing their network and implementing new security technologies. In the case of large customers with thousands of servers distributed across the world, and a large body of talented IT professionals, the best use of outside expertise may be to define detailed procedures on configuring and deploying network infrastructure. The internal IS professionals can then implement the detailed procedures and interface with outside expertise in the event that complications occur. Many other organizations may lack either the time or the in-house expertise necessary to address these issues. In these cases, it may be more efficient to utilize outside expertise to handle the actual configuration and deployment of network infrastructure.
Education
If it were possible to boil all information security vulnerabilities down to a single root cause, the easiest cause to identify would be inadequate security education. Why do vendors continue to have different versions of the same security problem pop up every six months in their products? Their developers have not been educated adequately on how to develop secure applications. Why do system administration teams improperly configure servers, enabling attackers to break into those servers? The system administration team has expertise in keeping systems running, not defending those systems against hostile attackers.
Security technology vendors traditionally offer a wide variety of courses on how to use their security products. Unfortunately, these classes are specific to the individual product in question, and rarely address key issues such as:
- How do I use this product in conjunction with the other products I have deployed in my network?
- How does this work in *my* environment?
- What do I do when Connection X to Location Y goes down?
Netbriar can tailor security training on a variety of technologies to the specific needs of your organization. Whether it is a half-day class on a new technology or a more intensive training program for staff members, we help your staff gain the skills they need to manage the security of your network.
Database Security
Databases are a key element in most business-related information systems. How can an organization know that the information stored in the database and the reports made from this data can be relied upon? Care must be taken to ensure proper access controls have been implemented and software vulnerabilities have been patched.
Unfortunately, there are both functional and operational challenges that must be overcome to implement sound security at the database level. While relational databases provide basic authentication, authorization and auditing features, they are incomplete and not very flexible. Implementing database security is a complex and time-consuming task that is often overlooked.
A periodic audit of database entities' access controls and vulnerabilities can help an organization have an informed opinion about the security of their databases.
Database Security Assessment
Netbriar's Database Security Assessment consists of four phases:
- Planning - In the planning phase, information is gathered about the purpose and structure of the system as well as existing security policies and procedures. Information about how the organization conducts business is also gathered. From this data, risks are associated with the database entity.
- Evaluating and Testing Controls - In the evaluation and testing phase, information is classified according to criticality and sensitivity. Authorized users and their current authorization levels are evaluated. Physical and logical controls are tested and evaluated based upon their effectiveness at preventing unauthorized access. Database access is also monitored and apparent security violations are investigated.
- Reporting - In the reporting phase, general conclusions are drawn about the level of security of the database entity based upon the controls that have been implemented. Specific vulnerabilities in the database software and access controls are presented.
- Review and Education - Using the report generated in the preceding phase, Netbriar will meet with management and administrative personnel to explain the impact of the vulnerabilities and suggest procedure changes to prevent them from reoccurring.
Web Application Security
Many organizations realize that commercial off-the-shelf software cannot meet all of their business needs. Therefore, they must develop their own applications, either in-house or by outsourcing the development to contractors. Writing secure applications, especially secure Internet applications, requires significant amounts of security expertise, and in many cases, these custom applications can provide significant exposure to risks.
The core problem is that there simply isn't enough information for developers on how to write secure applications, specifically secure web applications. A quick trip down to the local bookstore will reveal sixty books on network security, but only one or two resources on securing web applications. In fact, a large portion of the books on how to write web applications contain examples that actually create security problems. This isn't a matter of how well someone knows how to program... it's nearly impossible to write secure code without a proper understanding of the security implications of the application.
A few examples:
Any security checks that are being performed on the client side of your web application are nearly worthless from a security perspective. For example, many organizations use JavaScript in their web applications to force users to input data in a certain way. A form might ask for the customer's email address, and use JavaScript to validate the email address. The problem? JavaScript is executed on the client side, so a malicious attacker can simply ignore the JavaScript and send bad data directly to your application.
If an attacker can insert even a few bits of malicious data into your web application, they can often gain control of your entire site. The vast majority of web developers never adequately check the data that is coming into their application. This is mainly a result of programmers not being educated on the differences between writing traditional GUI applications and writing web applications. When writing a GUI in Visual Basic, for example, the programmer has much more control over what data is returned from a screen. On the web, the programmer has absolutely no control over what data comes back, so they must check the data each and every time. If an attacker can manage to sneak in a semicolon, for instance, followed by a SQL statement, they may be able to cause their SQL statement to be executed on the database server. And since many organizations do not have adequate database security, the attacker can most likely execute shell commands on the database server, mail himself copies of all of your credit card numbers, or simply destroy your database.
SSL doesn't have anything to do with securing your web application. Secure Sockets Layer (SSL) technology is designed to encrypt traffic between your users and your website. Once the traffic has reached your website, it's identical to plaintext web requests. If your application isn't secure to start with, encrypting the traffic to it won't make it secure.
Firewalls have almost nothing to do with securing your web application. Firewalls restrict which types of traffic are allowed to your web server. They allow HTTP (web) traffic to your web server, and hopefully drop all other traffic. Unfortunately, the attacks on vulnerabilities in your website arrive as HTTP traffic, and the firewall will allow them through.
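The first two points above, client-side checks and unchecked input reaching SQL, shown as an added example that is not part of Netbriar's page. The `customers` table, the function names and the e-mail pattern are assumptions made for illustration, and `sqlite3`'s `executescript()` stands in for a database driver that accepts several statements in one call.

```python
import re
import sqlite3

# Strict pattern chosen for this example (assumption), not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, newsletter INTEGER)")
    db.executemany("INSERT INTO customers VALUES (?, 0)",
                   [("alice@example.com",), ("bob@example.com",)])
    return db

def subscribe_vulnerable(db, email):
    # Vulnerable on purpose: the input is pasted into the SQL text, so a quote
    # and a semicolon end the intended statement and start another one.
    db.executescript(
        "UPDATE customers SET newsletter = 1 WHERE email = '" + email + "';")

def subscribe_safe(db, email):
    # 1. Validate on the server, whatever the browser's JavaScript did.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: not a valid e-mail address")
    # 2. Bind the value as a parameter so it is never parsed as SQL.
    cur = db.execute(
        "UPDATE customers SET newsletter = 1 WHERE email = ?", (email,))
    db.commit()
    return cur.rowcount

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

# Constructed request value, sent without going through the form's JavaScript.
HOSTILE = "x'; DELETE FROM customers; --"

def demo():
    bad, good = make_db(), make_db()
    subscribe_vulnerable(bad, HOSTILE)   # the appended statement runs
    try:
        subscribe_safe(good, HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    updated = subscribe_safe(good, "alice@example.com")
    return row_count(bad), row_count(good), rejected, updated

if __name__ == "__main__":
    print(demo())
```

Either safeguard in `subscribe_safe` stops this input on its own; keeping both means a gap in the validation pattern does not turn into executed SQL.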
Netbriar offers a number of services to help you not just secure specific web applications within your organization, but to help your developers learn to write more secure Internet applications.
Application Security Assessment
Many organizations already have web applications deployed, and do not have a good understanding of how well the application is secured. Netbriar's Application Security Assessment consists of five phases:
- Penetration Testing: Identify externally accessible vulnerabilities within the web application
- Source Code Review: Review the source code to the application to identify additional vulnerabilities
- System Environment Review: Review the configuration of the application server to identify vulnerabilities
- Reporting: Create a coherent view of the security vulnerabilities within the application, including what steps are necessary to resolve the vulnerabilities.
- Review and Education: Using the Application Security Assessment Report generated within Phase 4, meet with management and the development team to explain not only the impact of vulnerabilities, but how to prevent them from reoccurring
Blue Coat
Blue Coat enables organizations to keep "good" employees from doing "bad" things on the Internet. Blue Coat high-performance proxy appliances provide visibility and control of Web communications to address today's new business risks -- such as inappropriate Web surfing, viruses brought in via back door channels such as instant messaging and Web-based email, and network resource abuse to do peer-to-peer (P2P) file sharing and video streaming. Trusted by many of the world's most influential organizations, Blue Coat has shipped more than 18,000 proxy appliances worldwide.
The Blue Coat ProxySG family of proxy appliances provides total visibility and control of Web communications with wire-speed performance. Based on Blue Coat SGOS, a custom, object-based operating system with integrated caching, these proxy appliances leverage existing authentication systems to enable flexible policy enforcement down to the individual user. ProxySG combines comprehensive proxy support of all Web protocols with integrated content filtering, instant messaging control, peer-to-peer control, pop-up ad blocking and virus scanning. Blue Coat's end-to-end product portfolio includes powerful reporting, policy and configuration management software - delivering a scalable proxy solution for centralized or distributed enterprise environments.