The cyber security marketplace is hot right now, and companies that want to position themselves in this market have a tremendous opportunity. A software company, often referred to as an ISV (Independent Software Vendor), with a product focused on the cyber security market should not divert its attention from building an exceptional product for the customer. Distractions for a software company include selecting, acquiring, and selling a computer or computing platform to complement the software solution. FoxGuard Solutions suggests that software companies would benefit from a partnership with a reputable computing appliance provider to offer a total turnkey solution for the customer.
Why should a software company outsource?
The implementation of the cyber security software will need to be completed by either the software company, the end customer, or the outsourced computer appliance supplier who partners with the software company. FoxGuard Solutions can provide an accountable point of contact to ensure the delivery and implementation of the software.
- Who will design and optimize the computing platform for the software?
- Will it be easier for the end customer to buy a turnkey solution or multiple products? Issue one or multiple purchase orders?
- Will a software company or the end customer know how to effectively move from design, to prototyping, to production systems?
- Who will manage the product parts setup and lifecycle?
- Who will manage the logistics, warehousing, inventory, and installation?
- What if the end customer wants the computing platform or appliance integrated with other equipment, such as a computer rack?
- What if the target market and customers need multiple form factors in their selection of computer appliances?
- What about warranty, failure rates, and support?
- How does the software company promote their brand?
- Would it be helpful if the computer was branded for the software company?
As this list implies, there is a lot to worry about from the software company’s perspective at a time when it needs to devote its time and energy to having the best software and support possible. Sure, the software company could simply tell the end customer that they (the end customer) can provide the computer, but the risk there is that the software may not perform optimally because the customer did not select the recommended hardware. This can cause startup problems and leave the end customer with a bad impression of the software company.
The cyber security market is estimated to grow to $170 billion (USD) annually by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020, according to a report from Markets and Markets. The aerospace, defense, and intelligence vertical continues to be the largest contributor to cyber security solutions. If you are a software company or ISV and you are trying to take advantage of this great growth opportunity, take a good look at partnering with a computing appliance supplier. The FoxGuard Solutions team would be happy to consult with you and help you assess whether this would be a good direction for your firm. These are very competitive times and also times where markets are moving to a heavy focus on software. The software companies who can put their focus and attention on their software and not on other distractions could be the ones who will win with the customer in the end.
WHAT IS CHANGING?
On August 15th, 2016, Microsoft announced changes to how it will offer updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Starting in October 2016, Microsoft will offer a single Monthly Rollup on the second Tuesday of each month that addresses all security and non-security issues released for each operating system. This Monthly Rollup only addresses core operating system components and does not cover other Microsoft software. This is the same update model that Microsoft currently uses for Windows 10. For customers that normally only install security updates, Microsoft will release a security-only rollup update on the same day.
At first, these Monthly Rollup updates will only contain fixes for the operating system released since October 2016, but over time Microsoft plans to add older updates to this rollup. Eventually, this will become a fully cumulative update, meaning that a completely unpatched system could apply a single rollup update (plus any prerequisites that rollup requires) and be fully up to date with everything the Monthly Rollup covers. In addition to these two rollups, per a comment from Nathan Mercer from Microsoft (in the discussion section of the article referenced above), there are plans to release an update rollup containing only new non-security fixes on the third Tuesday of each month.
In addition to the Monthly Rollup for the operating system itself, Microsoft plans to use the same model for .NET Framework updates. The .NET Framework Monthly Rollup will be offered as a full rollup with both security and non-security fixes, as well as a security-only version. This rollup will only install updates for the version of the .NET Framework installed on a system. It will not upgrade a system to higher versions of the .NET Framework.
Regardless of which type of rollup update is chosen, Microsoft no longer plans to offer individual security or non-security updates for Windows itself or the .NET Framework. This is further confirmed in another blog entry posted on August 30th. In this new blog entry, they address the question: “With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?” To summarize Microsoft’s answer, you can’t control which KBs are applied, so you will need to back out the entire rollup. They justify this decision by stating that the rollups are designed to correct the fragmentation caused when users selectively install updates. They also state that this new rollup model makes it easier to migrate to new versions of Windows without wiping and reloading an entire system.
Other Microsoft-provided updates, such as Adobe Flash Player updates for newer versions of Windows and Microsoft Office updates, will still be delivered as individual updates and will not be included in the rollup. Another critical update type that will not be included in the rollups is the Servicing Stack update. These are updates to the way the operating system detects and installs updates. When a new Servicing Stack update comes out, it will likely be required before any future updates can be installed.
HOW DID UPDATES WORK BEFORE?
For Windows 7 and Windows 8.1, as well as their corresponding Windows Server variants, Microsoft released multiple security bulletins each month on the second Tuesday of the month (commonly known as “Patch Tuesday”). Each security bulletin addressed a single vulnerability (or multiple related vulnerabilities) in a Microsoft product and referenced one or more patches for each affected product. To fully patch a system, users needed to install each of the applicable updates released in a given month, and if necessary they could choose not to install one or more of them. According to Microsoft, this ability to pick and choose leads to several problems, including increased scan times, increased testing complexity, and various combinations of updates causing other errors, all of which lower update quality.
HOW WILL IT AFFECT CRITICAL INFRASTRUCTURE?
Moving to a rollup model does have some major benefits for those in critical infrastructure. A reduced number of updates each month greatly reduces the patch management burden, especially considering the June 2016 round of updates included 17 different security bulletins. This reduced update count also means less compliance documentation to deal with each month.
However, the loss of granular update selection means that when a critical application breaks due to a Windows rollup update, end users are left with difficult decisions. For example, what is the best way to get back up and running? Ideally, the offending update can be uninstalled. This would leave systems vulnerable, but operations would return to normal. In some cases, there have been Windows updates that could not be uninstalled. One recent example is MS16-088: certain updates within this security bulletin cannot be removed. The updates that can’t be removed here mainly deal with online Office products such as SharePoint and Microsoft Office Web Apps. However, MS14-024 was a security update released for Microsoft Office as a whole that cannot be uninstalled. While no recent examples of OS updates that could not be uninstalled could be found, if any future rollup updates behave that way, it would be necessary to restore from a backup after applying an incompatible update.
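The back-out step described above (remove the whole rollup, since an individual KB inside it cannot be removed) is the one a system owner will actually have to perform. The following PowerShell is an added example and is not code from the article or from Microsoft; it lists what is installed and then removes one update by KB number using the stock wusa.exe uninstall path. The KB number is a placeholder parameter you supply; no specific rollup identifier is assumed.

```powershell
# Added example (not from the original article). Enumerates installed updates and
# backs out a single rollup by KB number with wusa.exe. Run elevated.

function Get-InstalledUpdates {
    # Win32_QuickFixEngineering data: rollups show up here like any other KB.
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

function Remove-UpdateByKB {
    param(
        # Digits only, e.g. the number after "KB" in the rollup you need to remove (placeholder).
        [Parameter(Mandatory)][ValidatePattern('^\d+$')][string]$KbNumber,
        # Suppress the automatic reboot so you can schedule it in a maintenance window.
        [switch]$NoRestart
    )

    $installed = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
    if (-not $installed) {
        Write-Warning "KB$KbNumber is not installed on this system; nothing to remove."
        return
    }

    # Avoid the automatic $args variable; build the wusa argument list explicitly.
    $wusaArgs = @('/uninstall', "/kb:$KbNumber", '/quiet')
    if ($NoRestart) { $wusaArgs += '/norestart' }

    # wusa.exe exits 0 on success and 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) when a
    # restart is still needed to finish removal.
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList $wusaArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { "KB$KbNumber removed." }
        3010    { "KB$KbNumber removed; a restart is required to complete removal." }
        default { Write-Error "wusa.exe exited with code $($proc.ExitCode) removing KB$KbNumber." }
    }
}

# Usage: review what is installed, then remove the rollup that broke the application.
Get-InstalledUpdates | Format-Table -AutoSize
# Remove-UpdateByKB -KbNumber <digits> -NoRestart
```

Take a backup or snapshot before applying a rollup in the first place; as the text notes, some updates cannot be uninstalled, and wusa.exe will refuse to remove any package the installer marked as permanent. Run Get-InstalledUpdates again after the reboot to confirm the KB is gone, and remember that removing the rollup also removes every security fix it carried.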
In a situation where a rollup update is incompatible with a critical application, there are two options available: wait for Microsoft to release a new update that does not break the application, or wait for the application’s vendor to release an update that is compatible with the Microsoft rollup update. Microsoft has stated in its more recent blog entry on August 30th that “if there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.” Expecting a large entity like Microsoft to re-release an update to address issues that affect a very small number of applications, no matter how critical they are, is unlikely (but not impossible). In an industry where hardware and software are designed to run for decades, waiting for a vendor to update an application is not feasible in many cases. Until either the Microsoft rollup update no longer breaks the application, or the application is changed so that it won’t break, systems in critical infrastructure and other industries may have to remain unpatched for quite some time.
In situations where updates can’t be applied without breaking a critical application, Microsoft does provide documentation on mitigating factors and workarounds for some of their published security vulnerabilities. If this documentation exists for a given update, it can be found in the Microsoft Security Bulletin for that update. For updates with no mitigation documentation, other mitigation technologies would need to be utilized in order to protect systems where the underlying vulnerability can’t be patched without breaking other critical functionality.
While this new update model is great for many large enterprises with huge numbers of endpoints to manage, it fails to address the reason why businesses selectively installed updates in the first place: updates sometimes break critical applications. Unless Microsoft brings back some way of installing individual security updates, many systems may have to remain vulnerable until system owners can convince Microsoft to provide a workaround, or until vendors are forced to update applications across the entire deployed fleet. In some situations, a vendor for a critical application may no longer exist or is unwilling to change. In that case, entities may need to find a new vendor in order to remain secure against all of the latest vulnerabilities in Windows. Changing vendors in critical infrastructure is not to be taken lightly, as it often requires long, expensive upgrades that introduce unwanted downtime. In the meantime, systems in critical infrastructure that were staying up to date may start to fall behind and become vulnerable, with little recourse available.
FoxGuard Solutions will continue to watch for new developments regarding Microsoft’s servicing changes. Additionally, FoxGuard is working with other industry experts to analyze these changes and work with Microsoft on ways to mitigate risks for energy delivery industrial control systems. Expect more communications from us as new information is made available.
www.blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
www.blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/
www.blogs.technet.microsoft.com/askpfeplat/2016/08/30/a-bit-about-the-windows-servicing-model/
FoxGuard Solutions’ Regulatory Compliance program is designed to ensure that each order shipped meets the regulatory requirements of the order’s destination.
Our services cover the following areas of regulatory compliance for over 36 worldwide locations:
“Behind the scenes” of the regulatory document packages uploaded to customer support sites lies daily research into new and changing legislation surrounding IT equipment design and import, investigative reviews into compliance of potential new inventory components, and a database of over 40,000 regulatory certificates and reports covering thousands of parts, from adapters to industrial computers and peripherals!
Our document database is monitored to ensure expiring documents are renewed and certificates with superseded standards are retired. One change in a national or regional standard, such as CE, can mean replacement of hundreds of component certificates!
FoxGuard’s Regulatory Compliance Team maintains a network with over 250 manufacturers and suppliers. In addition to collaborating with these associates to assess compliance of specific components and produce proper documentation, FoxGuard issues periodic Regulatory Bulletins alerting manufacturers and suppliers of upcoming legislative changes and new documentation requirements.
The custom regulatory document packages provided to customer-specified sites are the result of design and pre-BOM reviews, quote reviews, and an additional line-by-line review before an order is released for planning.
In addition to the support provided on an order-by-order basis, FoxGuard’s Regulatory Compliance Team works with Customer Account Representatives, suppliers, and customer compliance professionals to explore and coordinate special requests, such as additional product certifications.
The result of these extensive “behind the scenes” services is successful import to international destinations and proper documentation to back up every regulatory mark on a system component. On those occasions when a customs office requires additional information to clear a shipment, FoxGuard’s Regulatory Compliance staff works closely with customer and customs associates to provide the information requested in a timely manner.
Last but not least, FoxGuard’s Customer Care Center (CCC) offers pass-fail results on regulatory compliance pre-submittal inquiries. If you need log-in information or instructions on the use of the CCC, please contact your FoxGuard Customer Account Representative or e-mail firstname.lastname@example.org.
As Quickly as the Weather
Every year around the last few weeks of winter, “spring fever” starts to build with a few days of warmth and sun and the summer clothes start to emerge. Just as folks are getting comfortable in their shorts and sandals, a cold spell sets in, including and/or followed by a week or two of rain and wind. The long pants, socks, and jackets are reluctantly pulled out again, and umbrellas are kept close by. Before we know it, the cold dampness turns into glorious sun and … heat!!
2016 brings numerous regulatory changes for IT equipment
This year we are seeing the fruition of multiple regulatory transitions for IT equipment, causing FoxGuard’s regulatory document database to change.
In February, Australia/New Zealand’s C-Tick and A-Tick expired and were superseded by RCM, which is now the single “Regulatory Compliance Mark” for the region. Thankfully, this transition didn’t mandate a large amount of document change. However, details such as supplier code numbers and product marking warrant closer attention.
Most recently, in April, new directives pertaining to IT equipment entered into force in the European Union, including the directives for EMC and Low Voltage. Massive document collection ensued and continues, along with preparation for some of the new administrative requirements, such as translation of instructional and safety materials into multiple European languages.
In June, further changes in European directives and standards will be implemented, including the new RED and the expiration of EMC standard EN 61000-3-3:2008 (superseded by EN 61000-3-3:2013 as of June 18).
In July, Amendment 2 (A2:2013) to the IT safety standard 60950-1 becomes mandatory. China RoHS 2 requirements become effective, including changes to scope, possible additional substances to report, and changes to the Environmentally Friendly Use Period (EFUP) table. Argentina’s Resolution 508/15 comes into effect, superseding Resolution 92/98 pertaining to product safety and mandating documentation updates as well as labeling requirements for specialized equipment and external power supplies. The GCC “G” mark is also introduced for IT equipment (scope as yet unknown)…and so on.
How do we keep up?
FoxGuard utilizes multiple informational sources to stay current on regulatory requirements around the globe. We also work closely with our suppliers to keep our documentation database current. Regulatory Bulletins alert suppliers and manufacturers of upcoming changes, precipitating dialogues that help us all to be as well-informed and prepared as possible. Timely document requests are sent out, and newly received certificates are reviewed before being uploaded to the database.
Now that summer is upon us, feel free to don the shorts, and flip flops … but keep an eye on the forecast, and don’t leave home without a sweater and umbrella!
Welcome back to Compliance 101! Previous articles of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United States and the European Union. This article will focus on the regulatory changes that have and will continue to occur in 2015 and those which will come into force in 2016.
What’s happening in 2015?
A number of regulatory changes pertaining to IT equipment have taken place so far in 2015, including (but not necessarily limited to) the following:
Looking Ahead to 2016
Among other changes scheduled for 2016, next year marks the end of transitional periods for a number of regulations, including (but not necessarily limited to):
How is FoxGuard preparing for all of these changes?
To keep up with the ever-changing world of regulatory compliance, FoxGuard Solutions conducts regular reviews of regional requirements and takes action as soon as any changes are noted. Communication with regulatory agencies and other experts in the field is frequent, as we attempt to gather as much information as possible. Planning and preparation are made not only to ensure compliance of our own products but also of the components we purchase from other suppliers and manufacturers, so our customers’ shipments can be made in a timely and fully compliant manner. Despite the many “gray” areas of technical regulations and the limited availability of information, the FoxGuard Solutions Regulatory Compliance Team scrutinizes every obstacle that arises and takes action to prevent recurrence of any delay experienced. Thank you for joining us again for Compliance 101. If you have any questions concerning regulatory compliance as it pertains to your FoxGuard orders, please don’t hesitate to contact us.
Welcome back to Compliance 101! The previous article of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United States. Today, we will look at regulations for ITE in the European Union.
The European Union utilizes Harmonised Standards, which are developed, upon request from the European Commission, by a recognized European Standards Organization. Current ESOs include CEN, CENELEC, and ETSI. Upon adoption by the European Parliament and the Council of the European Union, Harmonised Standards are published in the Official Journal of the European Union, and, generally, the legislation enters into force on the twentieth day thereafter. Areas of standardization for ITE include electromagnetic compatibility (EMC), low voltage, radio and telecommunication terminal equipment, equipment for explosive atmospheres (ATEX), and restriction of the use of certain hazardous substances (RoHS). Other areas of standardization that are applicable to ITE are electronic waste and recycling, energy efficiency, and the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH). Below are summaries of just a few of these areas.
Electromagnetic Compatibility (EMC), Low Voltage (LV), and Telecom (RED)
On March 29, 2014, new Directives for EMC, Low Voltage, and Radio Equipment came into force. Changes from the previous Directives (in force only for the remainder of the transition period) are mainly administrative, dealing with areas such as the responsibilities of various parties, details of the CE marking and Declaration of Conformity, and the multi-lingual nature of documents. The directive recast was undertaken to align with the European Union New Legislative Framework (NLF). The NLF was designed in 2008 to enhance traceability within the supply chain and the credibility of the CE mark, as well as to improve market surveillance. The RTTE Directive will no longer exist when 1999/5/EC expires. RED covers the Radio Equipment portion of RTTE, and Telecom Terminal Equipment regulations are addressed in other Directives.
RoHS (Restriction of Hazardous Substances)
Directive 2011/65/EU prohibits placing on the EU market EEE (electrical and electronic equipment) that contains more than the regulated levels of six substances of very high concern:
The purpose of RoHS is to reduce the amount of toxic waste produced by electronics being discarded post-use. The restrictions are on each component of a finished product, and not on the product as a whole. Compliance with the RoHS Directive must be included on the CE Declaration of Conformity for products being placed on the EU market. If no other CE Directives apply to a product, a CE Declaration of Conformity stating compliance with 2011/65/EU must still be produced, and the CE mark must be displayed on the product. The product manufacturer must also keep a technical file on the product that includes test data, to demonstrate conformity.
WEEE (Waste Electrical and Electronic Equipment)
As the EEE market continues to grow, and innovation cycles become even shorter, EEE has become one of the fastest-growing waste streams, and the potentially hazardous components in that waste stream have become a major concern. Directive 2012/19/EU (WEEE) addresses this concern by implementing measures for the monitoring, collection, re-use and recycling of such waste. Provisions of the WEEE Directive impact producers, distributors, and Approved Treatment Facilities (ATFs), and deal with areas such as:
- Registration, information, and reporting
- Design and production to facilitate re-use, dismantling, and recovery of WEEE materials
- Marking of EEE – All EEE placed on the market after April 1, 2007, must be marked with information to assist with the separate collection when it is discarded as waste.
- Separate collection and transportation to ensure specific treatment and recycling of WEEE
The European Union first introduced its Battery Directive in 1991, to minimize the negative impact of batteries and accumulators to the environment. The Directive prohibits the marketing of batteries containing more than the permitted levels of hazardous substances, such as mercury and cadmium. The latest amendment (Directive 2013/56/EU) deals further with content restrictions, as well as labelling and removal of batteries at the end of life for separate recycling, and registration (similar to WEEE). For complete information on these and other European Union directives pertaining to Electrical and Electronic Equipment, please visit the EU Harmonised Standards website. We thank you for joining us again for Compliance 101. If you have any questions concerning regulatory compliance as it pertains to your FoxGuard orders, please feel free to contact us.
Can It Be Built vs. Should It Be Built
Many established businesses spend several months building and perfecting new products in their pipeline without ever showing the product or its early prototype to prospective customers. When the products are eventually launched, they fail to attract interest from the market. Upon post-mortem (pun intended), it is often discovered that market feedback was never incorporated while developing the product. On the other hand, lean start-ups do not invest the majority of their scarce resources in building the final product. Instead, they develop an early prototype with basic features and attributes. This prototype, popularly referred to as a minimum viable product (MVP), is presented to prospects and early adopters to garner feedback. Based on the market feedback, they refine the prototype, launch an improved version of the MVP, and repeat the feedback process until the product closely meets the customer requirements. By using this process of build-measure-learn and leveraging the resultant validated learnings, the lean start-up uncovers the true market need and efficiently utilizes its scarce resources to build products that customers really want.
You Can’t Predict The Future
Most businesses operate in an ever-changing environment. Thus, investing time and effort on formulating detailed business plans with uncontrollable assumptions would not be the most efficient use of company resources. Unless building a spaceship to transport critical payload, established businesses should take a cue from lean start-ups who do not rely on a step-by-step plan. Instead, they formulate a milestone-based plan and adopt hypothesis-driven experimentation and validated learnings for course correction until they reach those business milestones.
Don’t Collect Data For The Sake Of Collecting Data
We have all been guilty of this one: spending hours gathering data from multiple sources and creating reports to share with our team, simply because that’s what everyone else does. However, if the data does not accurately reflect the key performance indicators (KPIs) of the business, then the resulting intelligence may be meaningless and a waste of company resources. For example, analyzing total impressions of company social media profiles may not be as critical as analyzing the number of product demonstrations performed by sales associates against actual sales.
Step Outside The Cube – Talk To Your Customers
Even after investing resources for data collection, analysis, and jaw-dropping dashboards – you still need to meet with customers to understand them and their pain points. Following up on customer complaints can not only reduce attrition rates but can also be a source for product and process improvement. For example, your customers may share insights about new ways of using the product that the engineers may have overlooked. No matter how large or successful your company may be, it exists because of your customers.
Lean Management At FoxGuard Solutions
At FoxGuard, one of our core beliefs is creating value. In our daily operations, we minimize waste and create value by adopting many of the lean management practices. Our R&D teams take pride in rapid prototyping and iterative development to create products that meet customer requirements. The Marketing team focuses its efforts around meaningful metrics, and our Customer Support team proactively interacts with our customers for suggestions and feedback.
Many books and best practices have been published about value-creating and waste-eliminating lean management techniques that can be deployed at the organization, department, and even product level. My thoughts in this article were influenced by the production philosophy pioneered by Taiichi Ohno, considered the father of Toyota’s lean production system; Eric Ries, consultant and author of The Lean Startup; and James Womack, management expert and co-author of Lean Thinking.
Welcome back to Compliance 101! In our first article of the series, we learned about the FCC and electromagnetic compatibility (EMC). Today, we will look at safety regulations for Information Technology Equipment (ITE) in the United States. We will highlight other types of regulatory compliance for the country as well.
The UL Mark and OSHA
The UL Mark certification for ITE demonstrates compliance with standards of the Occupational Safety and Health Administration (OSHA) found in Title 29 of the Code of Federal Regulations (Labor), Part 1910 (Occupational Safety and Health Administration, Department of Labor), Subpart S (Electrical). Subpart S is divided into four major divisions, including:
- Design Safety Standards for Electrical Systems
- Safety-Related Work Practices
- Safety-Related Maintenance Requirements
- Safety Requirements for Special Equipment
Passing Nationally Recognized Testing Laboratory Procedures
When an ITE product is designed, engineers take into consideration the requirements outlined in the “Design Safety Standards for Electrical Systems” division of the regulation. This ensures the product passes the test procedures that must be conducted by a Nationally Recognized Testing Laboratory (NRTL). Testing is done to prove compliance in a number of areas, such as:
- Suitability for installation and use
- Mechanical strength and durability
- Wire-bending and connection space
- Electrical insulation
- Heating effects under all conditions of use
- Other factors that contribute to the safety of those using the equipment or working in the vicinity of where the equipment is housed
UL: The Mark of Safety
The U.S. safety certification is most commonly referred to as “UL” after Underwriters Laboratories, which is the world’s largest NRTL. UL was founded in 1894 in the United States and now has a presence in over 70 countries. There are a number of varieties of the UL Mark, depending on (1) whether or not the product was simultaneously tested for Canadian safety compliance, (2) which NRTL conducted the tests, and (3) whether the product is UL listed or UL recognized. A product that is certified “UL listed” has been fully tested, while a product that is certified “UL recognized” has only had one or more component(s) of the product tested. Component recognition marking is found on products such as switches, power supplies, and circuit boards. Listed and recognized products are both covered by UL’s follow-up services program, which monitors continued compliance with UL requirements. Other NRTLs have their own versions of the safety mark in a similar style to the UL mark. Additionally, the UL Mark is not only a requirement for ITE within the United States, but it is often accepted in other regions, as it demonstrates compliance with international safety standards. Some countries, such as Argentina and Brazil, have UL Marks specific to their countries. To learn about UL safety standards, please visit http://ulstandards.ul.com/.
Testing for Safety
The FoxGuard 3U Industrial HMI was tested and approved under UL60950-1/CSA C22.2 No. 60950-1, Second Edition: Safety of Information Technology Equipment. Tests performed included:
- Marking Durability
- Grounding Impedance
- Dielectric Voltage Withstand
- Abnormal Operation Tests
- Mechanical Tests
UL is only one of a number of Nationally Recognized Testing Laboratories. A current comprehensive list can be found at https://www.osha.gov/dts/otpca/nrtl/nrtllist.html. In addition to Electromagnetic Compatibility and Safety, there are regulatory requirements in the areas of telecommunication equipment, hazardous substances, battery content and disposal, recycling of electronic waste, and other regulations pertaining to environmental conservation. Many states have their own laws that cover some of these areas. A few examples are California’s “Toxics in Packaging Prevention Act”, North Carolina’s “Discarded Computer Equipment Management”, and Illinois’ “Electronic Products Recycling and Reuse Act.” When FoxGuard Solutions reviews an order shipping within the United States, the end destination state is taken into consideration to ensure compliance with both national and state-specific regulations.
In our next installment of Compliance 101, we will discuss new and existing regulations for shipping to the European Union. Thanks for joining us for Compliance 101! If you have questions regarding U.S. compliance regulations, please leave a comment below, and we’ll get back to you as soon as possible.
How does antivirus software work?
For years, home and business users have installed antivirus software to protect their computers from malware. There are many different products, but most of them do the same thing: they protect against known threats by comparing files on a system against a list of known threats stored in virus definition files. This type of protection is known as “blacklisting”. With a blacklisting approach, everything that is not on the blacklist is allowed; an antivirus product will generally let any application execute unless it is identified as malware in the virus definitions. Most antivirus products also use behavior-based detection, which allows the product to detect and stop potentially malicious behavior from applications even if those applications are not considered malware according to the virus definitions. Behavior-based detection is not perfect, but it provides an added layer of protection against unknown malware.
How does whitelisting software work?
Whitelisting software, sometimes referred to as application whitelisting or application control, uses the opposite methodology from blacklisting: it only allows items that have been explicitly allowed by the system administrators who configured the software. This is sometimes referred to as a “default deny” methodology. For example, consider a computer used in a warehouse for inventory management only. System administrators could install and configure the whitelisting software to allow only the inventory management software and the system applications required for the operating system to function. This prevents employees from installing other software, or even opening existing software on the system that is not relevant to their job duties. Whitelisting software can use multiple methods to identify what software is allowed. Typically you define the path to each allowed application, but a path alone proves little if a user or attacker can write to that location, so an additional integrity check (such as a cryptographic hash of the file) is usually recorded as well. A whitelisted application that has been replaced or modified will then fail the check, because the hash of the new file will not match the hash recorded when the application was originally added to the whitelist.
Shortcomings of a traditional antivirus software
One of the most important things to note about antivirus software is that a blacklisting approach only protects you against known threats. Ignoring behavior-based detection for a moment, this means that an antivirus product can only protect against malware that has already been detected, reported to the antivirus vendor, analyzed, and added to the virus definitions. Behavior-based detection narrows this gap but does not close it: there are many ways to evade detection, and not all malicious applications exhibit behavior that a behavior-based engine considers malicious. For example, if I were to write an application that simply looks for and deletes a specific folder, most behavior-based detection engines would not consider this an issue. However, if I were able to convince a specific user to run this application, and the folder it was designed to delete contained critical financial data (which that user has read/write access to), it would be performing a malicious action that will most likely not be detected by an antivirus application. This is a situation where a whitelisting solution would shine: if my application was not added to the whitelist, the user would not be able to run it, preventing the loss of data.
Shortcomings of whitelisting software
While the default deny approach used by whitelisting software is in many ways superior to a blacklisting approach, it is not perfect. As mentioned before, many whitelisting applications use a cryptographic hash to perform integrity checking against applications in the whitelist. A cryptographic hash is a one-way function that produces a fixed-length digest from the contents of a file. For a modern algorithm such as SHA-256 it is computationally infeasible to produce two different files with the same hash, and changing a single bit in a file results in a completely different digest that no longer resembles the original. (Older algorithms such as MD5 and SHA-1 have practical collision attacks and should not be relied on for this purpose.) This also means that when an application is updated or patched, its hash is no longer the same as it was when it was added to the whitelist, so system administrators need to be vigilant about updating the whitelist each time an application is patched; otherwise, users may be unable to use the application until the whitelist has been updated. Another shortcoming is that a whitelisted application may itself have flaws that allow it to be used in malicious ways: an exploit against a vulnerability in an approved program executes inside that already-approved process, where a file-based whitelist check never sees it. In many cases, whitelisting software alone will not protect against this kind of abuse, but antivirus software that uses behavior-based detection may be able to.
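As an added illustration (not code from this article or from any antivirus or whitelisting product), the following Python sketch puts a hash blocklist (default allow, as in the antivirus section) beside a path-plus-hash allowlist (default deny, as in the whitelisting section) and walks through the cases discussed above: an unlisted program, a program overwritten in place at a whitelisted path, and a legitimate patch that changes the hash. The file names, file contents and the “known bad” hash are constructed for the example.

```python
"""Added example (not code from the article or from any product): a hash
blocklist (default allow) beside a path-plus-hash allowlist (default deny),
walked through the cases the text describes. All files are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file's contents; a one-bit change yields a new digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Blocklist:
    """Antivirus-style: everything runs unless its hash is a known threat."""

    def __init__(self, known_bad_hashes):
        self._bad = set(known_bad_hashes)

    def allowed(self, path):
        return sha256_of(path) not in self._bad


class Allowlist:
    """Application-control style: a program runs only if its path was
    approved AND its current hash matches the hash recorded at approval."""

    def __init__(self):
        self._entries = {}  # absolute path -> sha256 hex at approval time

    def approve(self, path):
        self._entries[os.path.abspath(path)] = sha256_of(path)

    def allowed(self, path, check_hash=True):
        key = os.path.abspath(path)
        if key not in self._entries:
            return False                      # default deny
        if not check_hash:
            return True                       # path-only rule (weak)
        return sha256_of(key) == self._entries[key]


def demo():
    """Return {scenario: allowed?} for the cases discussed in the text."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "inventory.exe")   # constructed file names
        game = os.path.join(d, "game.exe")
        with open(app, "wb") as f:
            f.write(b"INVENTORY v1.0")
        with open(game, "wb") as f:
            f.write(b"SOLITAIRE")
        wl = Allowlist()
        wl.approve(app)
        # Signature database knows one old sample; the new dropper is unknown.
        av = Blocklist([hashlib.sha256(b"OLD KNOWN DROPPER").hexdigest()])

        out["approved app, allowlist"] = wl.allowed(app)
        out["unlisted game, allowlist"] = wl.allowed(game)
        out["unlisted game, blocklist"] = av.allowed(game)

        # Attacker overwrites the approved binary in place (same path).
        with open(app, "wb") as f:
            f.write(b"NEW DROPPER posing as inventory")
        out["overwritten app, blocklist"] = av.allowed(app)
        out["overwritten app, path-only allowlist"] = wl.allowed(app, check_hash=False)
        out["overwritten app, hash allowlist"] = wl.allowed(app)

        # Vendor patch: legitimate, but the hash no longer matches.
        with open(app, "wb") as f:
            f.write(b"INVENTORY v1.1")
        out["patched app, before re-approval"] = wl.allowed(app)
        wl.approve(app)  # administrator re-approves the patched build
        out["patched app, after re-approval"] = wl.allowed(app)
    return out


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:40s} {'ALLOWED' if ok else 'BLOCKED'}")
```

The blocklist lets the unknown dropper run because it has never seen it; the path-only allowlist lets it run because the path is still approved; only the hash-checked allowlist blocks it. The same hash check is what blocks the legitimate v1.1 patch until an administrator re-approves it, which is exactly the operational burden the paragraph above describes.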
Which should you use: antivirus or whitelisting?
Despite its shortcomings, a properly configured whitelisting solution will likely offer more security than a traditional antivirus solution, even with behavior-based detection. That being said, there are situations where whitelisting becomes prohibitive. For example, if someone’s job requires them to test new applications all the time, a whitelisting solution would make their job more difficult, as they would have to contact their system administrator to get approval for each new application. In this situation, whitelisting may not be the ideal solution, but antivirus would still be very useful. I personally would take additional precautions such as isolating that person’s computer from the rest of the network to reduce the risk of infecting other computers on the network, just in case the user does download malware unwittingly and the antivirus software does not catch it. In environments that must comply with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, each system within the Electronic Security Perimeter should only perform a specific set of functions, and whitelisting can be configured to only allow the applications required for those functions. When software updates are necessary, they should be performed in a test environment first, not only to validate that software updates don’t break critical applications but to ensure the whitelisting solution can be configured to allow the updated applications to run. This process should ensure a successful rollout of software updates and whitelisting configuration updates in the live environment. Both antivirus and whitelisting have their advantages and disadvantages, so why not use both? Each type of application offers protections that are complementary to the other, and using both can be a good defense-in-depth approach to securing a system.
FoxGuard’s research and development labs are equipped with the test equipment required for EMC pre-compliance testing. Our engineers are trained in industry best practices to set up equipment, conduct tests and analyze data to help minimize the risk of failure during the formal testing phase. In the first part of this article, we discussed Electro Magnetic Compatibility (EMC) and the benefits of pre-compliance testing. In this installment, we will explore the equipment and procedures used to perform the tests, and the rationale used to evaluate the test results.
Test Equipment
1 GHz Electro Magnetic Compatibility (EMC) Analyzer – The EMC analyzer is a spectrum analyzer that is programmed to perform measurements in accordance with FCC and CE standards. The formal tests require scans to be performed up to 4 GHz to cover the high-frequency CPU clocks. However, except for specific cases, pre-compliance testing above 1 GHz is unnecessary, since CPU clock emissions rarely, if ever, escape the enclosure, and lower-frequency I/O signals do not generate significant harmonics above 1 GHz. The analyzer also produces plots that can be printed out for results analysis.
22 dB Broadband Pre-Amplifier – This device sits between the antenna and the analyzer to amplify detected signals for an increased signal-to-noise ratio. It also makes the received signals easier to see on the analyzer display.
Power Line Impedance Stabilization Network – More commonly referred to as a PLISN, this device allows the analyzer to detect emissions generated by the Equipment Under Test (EUT) that are conducted through the AC power cord. The PLISN normalizes the power line impedance to match the analyzer input impedance of 50 ohms for accurate signal level measurements.
30-300 MHz Bi-Conical Antenna – This antenna is known as the “bow tie” antenna due to its distinctive shape. It measures radiated emissions in the 30-300 MHz range, and scans are performed with the antenna in both the horizontal and vertical orientations.
200 MHz-1 GHz Log-Periodic Antenna – Similar to the TV antennas that used to be on house roofs many years ago. Its frequency range is 200 MHz to 1 GHz, and it is also used in both the horizontal and vertical orientations.
Other equipment – Low-loss coax cable, coaxial attenuators, non-metallic EUT test table, antenna stands, HP pen plotter.
Test Environment and Procedure
We conduct pre-compliance tests in a demarcated test space in the building. We use a 3 m test distance between the antenna and the EUT, and at least 1 m distance between the EUT test table and any facility obstruction. We position the antenna at about the 4 ft level and set the EUT on the test table so the rear I/O panel area, with cables attached, faces the antenna. This is an approximation of a formal test setup that spins the EUT on a turntable and uses a telescoping antenna stand, so it’s possible that something may be missed when testing at only one angle and one antenna height. However, experience has shown that if a significant radiated emission is present at frequencies below 1 GHz, it will be at the rear panel cable area and a single antenna position will pick it up. If emissions are likely above 1 GHz, more complex EUT and antenna positioning arrangements are required. The testing procedure requires the running of ambient radiated emissions scans for each of the antennas, in both orientations, as well as a conducted emission scan on the PLISN. These ambient scans are performed with the EUT connected to power but de-energized. The ambient scans record signals, such as radio stations, that are present in the area and on the power line but are not generated by the EUT. For the actual emissions scans, the EUT is powered on and a test routine, usually a burn-in program, is initiated to:
- generate moving patterns on the video display
- run the CPU at a high rate of utilization
- read and write data to disk or RAM drive
- loop-back signals through the I/O ports
The same scans that were run for the ambient tests are run again with the EUT operating and the results are recorded.
The ambient and EUT scans for the PLISN and each antenna orientation are carefully compared to identify any additional signals found in the EUT scan (EUT related) that were not present in the ambient scan. Since the scans are performed in uncontrolled space (no screen room), reflections and other phenomena can reduce the absolute measurement accuracy of the system, and some judgment calls concerning EUT related signal levels must be made. If a signal is well below the test limit as measured by the analyzer, it is recorded but ignored. When a signal gets to within 6 dB of the test limit, some additional analysis is warranted. When EUT related emissions that are “close” to the test limit are encountered, the first step is to shut the EUT down and perform another ambient scan with the same antenna configuration. If the signal is present on the new ambient scan, it is reclassified from “EUT related” to “Ambient” and ignored. If the signal is not seen on the new ambient scan, then more advanced EMC containment troubleshooting techniques can be employed. This process is repeated until all EUT related emissions have been identified and eliminated or reduced to a point where the risk of failure in the formal testing phase is minimized, thereby saving time and resources to achieve compliance.
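The comparison rule in the paragraph above, as an added Python sketch (not FoxGuard’s procedure or code): peaks in the EUT-on scan that the ambient scan does not explain are flagged as EUT related, those more than 6 dB below the limit are recorded and ignored, and those within 6 dB are checked against a second ambient scan taken with the EUT shut down. The scan data is constructed (frequency in MHz, level in dBµV), and the 40 dBµV limit, the 0.1 MHz frequency tolerance and the 3 dB level tolerance used to decide that a peak is “already in the ambient” are assumptions for the illustration; only the 6 dB margin comes from the article.

```python
"""Added example (not FoxGuard's code): the ambient-versus-EUT comparison and
the 6 dB margin rule described above, run over constructed scan data.
Limit and tolerances are assumptions for the illustration."""

LIMIT_DBUV = 40.0     # assumed radiated-emission limit for the band (dBuV)
FREQ_TOL_MHZ = 0.1    # assumed: peaks this close in frequency are one signal
LEVEL_TOL_DB = 3.0    # assumed: an EUT-on peak counts as "explained" by an
                      # ambient peak at the same frequency if it is no more
                      # than this much stronger than the ambient reading
MARGIN_DB = 6.0       # from the article: within 6 dB of the limit -> analyse


def present_in(scan, freq, level):
    """True if `scan` already has a peak at `freq` that accounts for `level`."""
    return any(abs(f - freq) <= FREQ_TOL_MHZ and level <= lvl + LEVEL_TOL_DB
               for f, lvl in scan)


def eut_related(ambient, eut_on):
    """Peaks in the EUT-on scan that the ambient (EUT de-energized) scan
    does not explain."""
    return [(f, lvl) for f, lvl in eut_on if not present_in(ambient, f, lvl)]


def evaluate_scans(ambient, eut_on, reambient, limit=LIMIT_DBUV):
    """Classify each EUT-related peak.

    'ignored'      recorded, but more than MARGIN_DB below the limit
    'ambient'      close to the limit, but seen again with the EUT shut down
    'troubleshoot' close to (or over) the limit and absent from the
                   re-ambient scan, so it really does come from the EUT
    """
    verdict = {}
    for f, lvl in eut_related(ambient, eut_on):
        if limit - lvl > MARGIN_DB:
            verdict[f] = "ignored"
        elif present_in(reambient, f, lvl):
            verdict[f] = "ambient"
        else:
            verdict[f] = "troubleshoot"
    return verdict


# Constructed scans as (frequency MHz, level dBuV); not real measurements.
AMBIENT = [(98.1, 35.0), (101.5, 33.0)]                  # two FM stations
EUT_ON = [(98.1, 35.2), (101.5, 33.1),                   # the stations again
          (48.0, 25.0),                                  # weak EUT harmonic
          (96.0, 36.5),                                  # within 6 dB of limit
          (144.0, 38.0)]                                 # within 6 dB of limit
REAMBIENT = [(98.1, 35.0), (101.5, 33.0), (96.0, 36.0)]  # station now on 96.0


def demo():
    """Run the comparison over the constructed scans."""
    return evaluate_scans(AMBIENT, EUT_ON, REAMBIENT)


if __name__ == "__main__":
    for freq, status in sorted(demo().items()):
        print(f"{freq:7.1f} MHz  {status}")
```

On this data the 48 MHz peak is recorded and ignored (15 dB of margin), the 96 MHz peak is reclassified as ambient because the second EUT-off scan shows a station there, and the 144 MHz peak is the one that goes on to containment troubleshooting. The level tolerance matters in practice: an EUT emission sitting on top of a broadcast frequency shows up as a stronger reading, not a new one, so a comparison that only matches frequencies would miss it.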