The Industry’s Insight about Anti-Malware Testing

The journalist and blogger Kevin Townsend posted some interesting queries about AMTSO, the Anti-Malware Testing Standards Organization. One question that surely caught the attention of many is, “Is AMTSO the anti-malware industry looking after itself?” In some cases, yes, but things can go bad when penetration testing and anti-malware testing go awry. Good testing means better promotion for good products, while bad testing promotes the bad ones, the ones that could cause unwarranted results and damages. That is not good.

You see, Townsend is not the only person with suspicions about AMTSO. Security Curve believes that AMTSO is a list of companies involved in the anti-virus industry; the list is not limited to them but also includes non-vendors and influential testers in the security industry. However, their issues are two different things. Security Curve addresses the fact that AMTSO has members who are deeply connected to the anti-virus industry. It is inappropriate conduct to have those who sell a product test and criticize that product, and the organization has to solicit the input of other testers, those who are known and considered to be experts in their field, such as pen testing or Internet security.

Townsend, however, sees the testers and the ones who sell the software as two peas in a pod. He may have a point, since the testers and the sellers have some sort of symbiotic relationship: testers need new products that they can test, while vendors need professionals who can test their products and provide data about them.

There is no such thing as a monopoly on the millions of malware samples available. Information security labs see thousands of new and distinct malicious codes every day. This volume has generated lots of problems, and not only in testing; it affects almost everything from the rational management of data to the exchange of samples, code, data and metadata. These issues are faced together by testers and anti-virus sellers alike. Although the exchange between the two may be called cheating by those outside the group, it is not some polluted and vile plot to produce biased testing and results. It is appropriate to share data and samples in order to form and maintain a competitive edge and advantage with each other.

But in Townsend’s complaint, AMTSO doesn’t encourage individuals and personalities outside its circle to join. No one would argue against making sure that everything the security software industry does helps most users facing the brunt of attacks. However, AMTSO must inform and educate the public, not just engage with it. Sadly, even though AMTSO is a non-profit organization, running it needs a substantial amount of money, so the fees are too expensive for regular people to take part.

This doesn’t mean that opinion from the public doesn’t matter at all. In fact, the public has the most influence on the cyber security industry today because of the money it spends purchasing these companies’ products, money that funds security research and much more. The only reason the representatives and members of AMTSO are limited to a few is that AMTSO is looking for experts: experts they can exchange information with, who actually help in their roles in achieving a more secure Internet. Before the public says something against AMTSO, they must make sure they know how the testing really works. In fact, they should take penetration testing training or other security training before they criticize it, or perhaps help improve the system being tested.

Maybe it would be much better if AMTSO engaged more with individuals like Townsend, but that is highly unlikely now. Most likely, it won’t become a “free for all”. But if this can be done sooner or later, then each side would surely look for ways to meet in the middle, such as changing some things about AMTSO and how it conducts its practices. Positive changes might happen, like cheaper membership for certain members, better information dissemination, or others. We will just have to wait.

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. It also offers training in penetration testing.

More information about EC-Council is available at www.eccouncil.org.

Protecting Business Networks By Using Network Segmentation

With the consumerization of IT nowadays, the mobilization and connectivity of devices, and the explosion in the number of Web-based applications, many of us have been driven to use the Internet and related technologies in ways different than before. These innovative trends in technology have made businesses more competitive and increased their productivity, so that they can also create new opportunities in the global market. This has also dramatically changed how business networks work; companies have pushed well beyond their old boundaries with regard to both output and speed. Unfortunately, the security infrastructure of networks, security methods like penetration testing, and security tools haven’t evolved together with the changing business networks.

Most of the time security administrators are forced to make a trade-off between the things they can and cannot accomplish, especially with regard to the control and monitoring of new company network services. With the little visibility they have, the introduction of new services delivered to the systems could lead to negative effects on the system. Fortunately, there is a solution that can provide the better foundation needed to protect the dynamic changes in the network structure and the services it carries, and it is network segmentation.

Network segmentation is a complex procedure, but its basics are pretty straightforward. We could say that it is the process of logically putting network assets, applications and resources into groups. When it comes to introducing network segmentation into a system, there are four key factors that have to be taken into consideration first.

Gaining Visibility

The first thing to consider is gaining visibility into the network. If the network administrators do not understand or recognize the traffic profiles on a proposed segment, for both inbound and outbound communication, then the access controls they implement will all end in failure. It is important to understand exactly how the segmented network is used. Administrators will often find a disconnect between what they believe is occurring and what is indeed occurring on the system.

Protect Inbound or Outbound Communication and Resource Requests

Security has always been the primary goal of security administrators. If they do not have the knowledge, skills, tools, training (such as penetration testing training or other security training) and the ability to protect the resources of a segment, then that goal won’t be met. Simple controls aren’t enough; administrators must have the ability to detect any possible threat and take instant action against it.

Implementing Granular Controls on the Traffic, the Users and the Assets

All of the data going in and out of the segment must be controlled. Once the security administrators have implemented protection, the next thing to implement is the organization’s communication policy. Even if there is an understanding of the communication taking place within a certain segment and from sources outside it, controls still have to be implemented. It is a two-step process: first the detective controls, and second the preventive controls. This way the administrator can identify and investigate unexpected traffic and block it if it is found to be malicious.

Denying Inter-Segment Communications

Once there is visibility, protected communications and an implemented access policy, the last thing to do is deny all inter-segment traffic. When this policy is in place, the segment is separated from the rest of the network and that unit is able to operate on its own.

Any approach to network segmentation must follow the four steps; however, administrators should focus on one segment at a time for better results. They should begin with areas that are easily segmented. At the start, implementing the four steps in the first few segments will be difficult, but in the long run the rewards of limiting the areas of risk and compromise by segmenting each area and putting controls on it will be worth the trouble. In fact, when the security administrators perform security audits or pen tests, the segmented areas are easily addressed.
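To make the four steps concrete, here is an added Python example (not part of the original article and not EC-Council code) that evaluates flow records against a segment policy: it builds the visibility profile of step one, uses an allow-list of protected inter-segment requests for steps two and three, runs the detective control (alert) before the preventive control (deny), and treats any unlisted inter-segment traffic as the default-deny case of step four. The segment address ranges, the allow-list and the flow records are constructed samples, not a real network.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample segments (address ranges invented for this example).
SEGMENTS = {
    "office": ip_network("10.1.0.0/24"),
    "servers": ip_network("10.2.0.0/24"),
    "payment": ip_network("10.3.0.0/24"),
}

# Steps 2 and 3: the only inter-segment requests the policy protects and permits,
# as (source segment, destination segment, destination port). Constructed sample;
# in practice this list is written after reviewing the step 1 visibility profile.
ALLOWED = {
    ("office", "servers", 443),    # workstations reach the web tier
    ("servers", "payment", 5432),  # web tier reaches the payment database
    ("external", "servers", 443),  # inbound public HTTPS to the web tier
}


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a firewall or flow log would record it."""
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the ranges is 'external'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def visibility_profile(flows):
    """Step 1: per source segment, count each (destination segment, port) seen."""
    profile = defaultdict(Counter)
    for f in flows:
        profile[segment_of(f.src)][(segment_of(f.dst), f.dport)] += 1
    return profile


def observed_inter_segment(flows):
    """Step 1 output: the distinct cross-segment requests actually in use."""
    seen = set()
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s != d:
            seen.add((s, d, f.dport))
    return sorted(seen)


def evaluate(flow: Flow, mode: str) -> str:
    """Steps 3 and 4: classify one flow.

    mode='detect' applies the detective control (unexpected traffic is alerted on
    for investigation); mode='prevent' applies the preventive control (it is denied).
    Inter-segment traffic not on the allow-list is the default-deny case of step 4.
    """
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return "allow"  # intra-segment traffic is outside the inter-segment policy
    if (s, d, flow.dport) in ALLOWED:
        return "allow"
    return "alert" if mode == "detect" else "deny"


def run_policy(flows, mode: str) -> Counter:
    """Apply evaluate() to every flow and tally the verdicts."""
    return Counter(evaluate(f, mode) for f in flows)


# Constructed flow records standing in for a few lines of a flow log.
SAMPLE_FLOWS = [
    Flow("10.1.0.15", "10.2.0.10", 443, "tcp"),   # office -> servers, allowed
    Flow("10.1.0.15", "10.2.0.10", 443, "tcp"),
    Flow("10.2.0.10", "10.3.0.5", 5432, "tcp"),   # servers -> payment, allowed
    Flow("10.1.0.22", "10.3.0.5", 5432, "tcp"),   # office straight to payment: unexpected
    Flow("10.1.0.22", "10.1.0.9", 445, "tcp"),    # intra-segment, not in scope
    Flow("203.0.113.7", "10.2.0.10", 22, "tcp"),  # inbound SSH from outside: unexpected
]

if __name__ == "__main__":
    for src, seen in visibility_profile(SAMPLE_FLOWS).items():
        print(src, dict(seen))
    print("detect:", dict(run_policy(SAMPLE_FLOWS, "detect")))
    print("prevent:", dict(run_policy(SAMPLE_FLOWS, "prevent")))
```

The ordering mirrors the article: the profile from `visibility_profile` and `observed_inter_segment` is what tells an administrator which cross-segment requests are really in use before any rule is written, and the same `evaluate` logic is run first in `detect` mode so that surprises (here, a workstation reaching the payment database directly, and inbound SSH from outside) can be investigated before the switch to `prevent` mode starts dropping them.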

Technological innovations continue to drive businesses forward, pushing the scale, scope and performance of their networks. Companies have to be ready at all times, with a security approach that provides visibility, understanding and controls in order to protect their dynamic networks.
