Current Newsletter
December 15th, 2009 Vol. 2, no. 1
Colton on Security
SSL runs the gauntlet in '09
By Colton Ericksen, StillSecure ProtectPoint Security Analyst
In October, a vulnerability in the way Web browsers interpret SSL Web certificates was discovered, allowing an attacker to masquerade as any website on the Internet through the use of a forged certificate. The SSL NULL prefix vulnerability, as it was dubbed, quickly became the focus of fraudsters looking to leverage attacks against unwitting clients in an attempt to obtain sensitive information, such as login credentials. Although the flaw has been patched in recent browser updates, the volume of unpatched clients currently operating on the Internet still makes this exploit an attractive option for malicious hackers. A tool written by hacker Moxie Marlinspike, called SSLsniff, utilizes the NULL prefix vulnerability to generate forged Web certificates on the fly via a Man-in-the-Middle attack, allowing the attacker to capture all "secured" communications between the client and server.

The month of November was no kinder to the world of SSL, as a white paper outlining vulnerabilities in the way TLS renegotiates security channels was released. The vulnerability may allow a malicious user, via a Man-in-the-Middle attack, to insert malicious code into the communications stream. This vulnerability may be leveraged in a multitude of ways, but most notably, the attacker may pass authenticated commands to the server as though they were originating from the client. This flaw exists in the SSL/TLS standard itself, and remains unpatched. A recent widely publicized attack against Twitter, by a Turkish grad student, utilized the SSL renegotiation vulnerability to steal users' login credentials from the cipher stream.

Regardless of the current weaknesses, the SSL protocol has held steadfast as one of the most relied upon standards to secure communications over unsecured channels.

ProtectPoint SSL VPN customers can breathe easy: our solution does not utilize Microsoft's CryptoAPI for certificate handling and is not susceptible to the SSL NULL prefix vulnerability. Additionally, our IDPS service can detect various attack vectors, such as ARP spoofing, that might be used to leverage the Man-in-the-Middle SSL exploits against vulnerable browsers.
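The NULL prefix flaw described above comes down to a certificate name that carries an embedded NUL byte being compared as a C string. The following C sketch is an added example, not code from StillSecure or from any browser; the struct, the function names and the sample names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as a parser hands it over: raw bytes plus an explicit
 * length. Nothing guarantees the bytes are free of NUL characters. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison stops at
 * the first NUL and every byte after it is silently ignored. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Hardened check: refuse any name with an embedded NUL, then require the
 * full declared length to match the hostname before comparing. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;               /* a NUL is never part of a valid DNS name */
    if (cn->len != host_len)
        return 0;
    return strncasecmp(cn->data, host, host_len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const char SAMPLE_BAD[]  = "www.example.com\0.attacker.test";
static const char SAMPLE_GOOD[] = "www.example.com";

struct cert_name sample_bad(void)
{
    struct cert_name n = { SAMPLE_BAD, sizeof SAMPLE_BAD - 1 };
    return n;
}

struct cert_name sample_good(void)
{
    struct cert_name n = { SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1 };
    return n;
}

int main(void)
{
    struct cert_name bad = sample_bad(), good = sample_good();
    printf("flawed:   bad=%d good=%d\n", match_cstring(&bad, "www.example.com"),
           match_cstring(&good, "www.example.com"));
    printf("hardened: bad=%d good=%d\n", match_length_aware(&bad, "www.example.com"),
           match_length_aware(&good, "www.example.com"));
    return 0;
}
```

The flawed matcher accepts both names for `www.example.com`; the length-aware matcher accepts only the clean one.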
By adding our ProtectPoint managed security services to their offerings, HP ProCurve partners can earn recurring revenue without additional investments in their infrastructure — specifically, the tools and staff required to build an in-house network security practice. We're honored to be an HP ProCurve ONE Alliance partner. If you work with an HP ProCurve reseller, give them a call and ask about our service, or visit our listing on the HP ProCurve web site. Current HP ProCurve channel partners can learn more about reselling our managed security services on our HP ProCurve Partner site.

A number of customers have asked about converting their Strata Guard® product subscription or Strata Guard Lite instance to a ProtectPoint managed IDPS service subscription. Most are eager to hand over the administration of their security to our experts, and they want to free up more time for their IT staff to focus on core priorities.
We've had enough inquiries about this Strata Guard-to-ProtectPoint conversion that we've put together a formal upgrade package around it. Here's how it works: When you convert from Strata Guard to the ProtectPoint IDS/IPS service we'll give you a full dollar-for-dollar credit for the time remaining on your current maintenance/subscription term. We'll also give you one month of free service for each year you've been a Strata Guard user. Finally, we'll waive all consultation and provisioning fees if you agree to a 3-year contract. It's a great deal for current Strata Guard users. For Strata Guard Free users, we are offering two months free on the first year of ProtectPoint service. So contact StillSecure Sales to get the ball rolling.

We recently added a new vulnerability scanning service to our suite of ProtectPoint managed security services. This service, based on our award-winning VAM® vulnerability management system technology, scans devices on your network for vulnerabilities and produces concise, actionable reports covering the at-risk devices and the steps required for remediation.
But it's not just about plugging the holes in your network that open you to attack. A regular, repeatable vulnerability scanning process is a critical part of a regulatory compliance program, with data security standards like the Payment Card Industry (PCI) standard specifically calling it out as a core requirement. The vulnerability scanning service can be bundled with other ProtectPoint services or implemented as a standalone function. Pricing is based on the number of IPs scanned and the frequency of scanning. A one-time scanning option is also available. Download the ProtectPoint Vulnerability Scanning datasheet or contact StillSecure Sales for more information.

We've recently published two whitepapers examining the tradeoffs between outsourcing security to a service provider or managing the security function in house. Many factors come into play: the size of your organization, regulatory requirements, the nature of your business, your IT and security budget, the level of security expertise you have on staff, and more. These papers help you weigh these concerns and determine which option is best for your organization. To download, follow these links:
Whitepaper: The Business Value of Managed Security Services

We'll be exhibiting at these events in the coming months, so drop by and say hello. We'll even give you a t-shirt or something.

Products
Virtual networking is gaining momentum — fast. It's moving rapidly from being a tool for the hardcore in the server room, to widespread mass-market adoption. In October, Gartner reported that 16% of workloads are currently running in virtual machines, and that number is expected to skyrocket to 50% by 2012. Makes sense. The efficiencies and corresponding savings of the virtual approach are undeniable.

We're mighty proud that our ProtectPoint offering was recently named a managed security services Best Buy by SC Magazine in a competitive roundup. We received a 5 out of 5-star overall rating and were specifically acknowledged for our "great reporting" and "feature rich" offering. The review went on to declare: "Verdict: Very nice full-service managed security offering for organizations that don't have the security expertise on staff." We couldn't have said it better ourselves.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer, more commonly referred to jointly as SSL, form a protocol used to secure communications in a wide variety of network and internet applications. It has faced some interesting challenges in recent months, however, as new weaknesses in SSL are discovered and exploited.
In November we were selected by HP ProCurve to be the premier managed security services provider to their extensive network of ProCurve ONE Alliance partners and resellers.
This gives HP ProCurve channel partners an easy method for delivering network security to their customer base, with no upfront costs or expertise required.
