IT Security Blog

Your source for information security news and views.


Learning Through Context

Posted by Ken Kousky on Tuesday, 07 August 2012 in Uncategorized

What exactly do we mean by context, and why do we believe that teaching in context is better than teaching content alone?

By context, I mean three things. First, we need to understand the where and when of studying. We should all know and understand that the "interrupt machines" that drive our always-on communications (PCs, smartphones, tablets) are the very worst possible devices for a learning context until we redesign the flow of learning to function on them.

Second, context is the reference point and anchoring that provides relativity, explaining new ideas in relation to things the learner already knows. Third, context is the application of ideas, terms or concepts to situations the learner understands.

When EdX can provide learner context, the claim of “revolutionary” will once again belong to Boston. I’m not trying to argue that we do a better job than MIT in our boot camps, but we're not going to make a mark on the educational demands of the security industry until we begin taking the content in the world, often from our most renowned and respected sources, and creating context around it.

This context and training is fundamental to technology deployment and adoption. Failure to develop appropriate human capital is also one of the greatest (though frequently ignored) risk factors for most systems. For over three decades, I’ve been involved with early stage and start-up tech companies. To bring a new technology to market we had to teach new concepts and practices – often to a quite hostile audience. Running worldwide sales at Novell required a global education campaign on what a LAN was, how it might be deployed and its economic benefits. We quickly learned that the shortest path to a sale was to educate our customers, and to do this we had to translate our features and benefits into direct comparisons with mini-computers. We had to anchor these new ideas in a context the customer understood. We had to make the message relevant to the customer. We had to motivate the learner (customer).

Why were we messing around with PCs and LANs when a mini-computer provides centralized management?

Why do we ever have to adapt to what's “new” and make changes?

Without knowing why something is important, without knowing how a concept or idea relates to what you already know, without motivation, it’s hard to make successful changes. It’s hard to learn something new out of context.


The Ongoing Revolution in Learning Through Technology

Posted by Ken Kousky on Friday, 27 July 2012 in Uncategorized

Over the past month, thoughts about the education paradigm have been something like the modern 4th of July fireworks — always a big bang and a new twist. I’ve followed the MIT/Harvard EdX online class of 155,000 students. I even thought about the incredible process of trying to grade the exams and student authentication challenges. If you’re not familiar with this project, you should be. MIT launched their intro to electronics class online with 155,000 enrollments! That’s a BIG classroom. Sounds like we’ve hit on an educational breakthrough!

Well, maybe it's not a complete breakthrough. It turns out that 7,154 completed and passed the course. Our own pass rate on CISSP boot camps is dramatically better than MIT and Harvard’s. In fact, the real fallout came between the open enrollment period and the first exam. If you've ever taught college, you know what the first cut looks like. It's a wake-up call. Here, the class dropped by over 70%! A large audience WANTS to learn, but they need ongoing motivation — coaching, nudging, pushing and cajoling to keep them going.

What EdX did is profound. It’s a radical change in how we think about education globally but we need to be clear about what we know. We know there's a huge appetite for learning. However, content isn't the constraint. It's context.

 - KWK


5 Key Items to Target When Searching for CISSP Training

Posted by Brian Edmiston on Friday, 20 July 2012 in Uncategorized

The Certified Information Systems Security Professional (CISSP) certification continues to be THE widely recognized credential for broad information security expertise. The certification requires that the student obtain a wide range of security knowledge, making a passing score on the exam challenging regardless of the level of security experience the individual has. The fact that the exam has recently gone online does not make it any less challenging.

If you are the type of individual who prefers instructor-led training over other methods of learning, then you need to consider the following items when searching for a good training partner. We have heard many stories of students who have paid for training programs that just have not worked for them. This isn’t necessarily due to a poor training program, but rather because the training style or option was not suitable for the way they learn.

There are, however, a few items we believe you should look for when exploring instructor-led training options:

1. Ensure the course meets your learning needs.
The course needs to provide a solid foundation of security knowledge mapped to the domains of the Common Body of Knowledge (referred to as the CBK). Make sure that the course has relevant, updated materials. Find out what book is being used and whether or not the instructor includes custom content. Find out what the custom content consists of and whether or not it meets your needs. Some providers also offer a pre-training program that will definitely help to prepare you for the upcoming classes. Be sure to take advantage of any additional materials being offered, but ensure they are updated frequently.

2. Validate instructor credentials.
Instructors need to be able to teach all of the security domains adequately. Make sure the instructor is an expert in all the security domains; check certification credentials, obviously, but also find out how long they have been teaching and where they have worked in the past and gained their knowledge.

3. Evaluate the supplementary study materials.
With the amount of information you will need to cover for the CISSP, you will need to review the material you have learned. Make sure that the training provides you with supplementary review materials and strategies on how to study so that you can answer the exam questions more effectively. The exam content can be tricky, and understanding the types of questions asked and how to prepare for them is key. The exam can be quite subjective in nature, and you will need to understand how to determine the best answer out of four equally good answers.

4. Make sure mentoring and practice exams are part of the course.
Make sure that the course includes plenty of practice opportunities. Instructors should be able to provide you with additional practice test questions, mentor you through some of the questions, and provide tips and tricks so that you get a feel for the type of questions and how to answer them effectively.

5. Choose a company that stands behind its guarantee.
Figure out what kind of guarantee it is and for how long the guarantee is actually valid. Depending on the training provider, a guarantee will not necessarily give you your money back, but if the provider stands behind its guarantee, it will give you the ability to take the class again and will go beyond that to provide you with mentorship and additional materials to ensure your success.


Understanding Risk - a 5-step risk management strategy

Posted by Ken Kousky on Wednesday, 11 July 2012 in Uncategorized

So, what is risk? What does it mean? We can define risk as the possibility that bad, unplanned or unexpected things happen. It implies, most often, after the fact, that something could have been done about the “risk” to prevent the bad things. In many of the most disastrous events, there were clear warnings and a multitude of actions that should have been taken.

Risks can be mitigated. Risky activities can be reduced and safeguards can be implemented. Why then do we continue to see disastrous events in the papers that could have been avoided? Simply put, Western societies seem to have forgotten about risk. We ended the twentieth century with a growing belief that all of the critical issues of the world had been solved: resources would be efficiently allocated through free competitive markets, and social issues resolved by the universal adoption of democratic practices. But this myopia, which took fifty years to develop, will likely take more than a decade to change, and many organizations don’t have the resources to manage it effectively.

So, where do we start? We believe it should become an automated process. Identify and develop some key fundamental steps to help define your risk management strategy. Keep it simple at the beginning so you can measure and mitigate effectively and develop a more detailed plan as you learn and identify more risks.

Steps in a simple risk management strategy:

  1. Identify the potential risks. List all of the different scenarios that could potentially go wrong.
  2. Develop a measurement tool to gauge the impact and severity of each risk. Ask yourself what the probability of the risk happening is and what its impact would be.
  3. Develop alternative solutions to the various risk scenarios. Identify the possible ways to mitigate each risk while measuring their effectiveness against your budget restrictions.
  4. Determine the remediation solutions to be used and implement them. Allocate the needed resources and obtain management buy-in.
  5. Continuously monitor results. Develop a monitoring schedule; you must check frequently to ensure your plan is working. Identify any needed changes or updates based on your threat and risk assessment criteria.
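As an added worked example (not part of the post and not IP3's own tooling), the five steps above as a small Python risk register: step 2 measures each risk as probability times impact, steps 3 and 4 pick safeguards by loss averted per dollar within a budget, and step 5 flags risks whose residual exposure still exceeds an agreed tolerance. All risks, safeguards and dollar figures are constructed for illustration.

```python
"""Five-step risk management strategy as a small, runnable risk register.

Added example, not part of the original post: the risks, safeguards and
dollar figures below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # estimated chance of occurring per year, 0.0 .. 1.0
    impact: float       # estimated loss in dollars if it occurs

    def exposure(self) -> float:
        # Step 2: measure severity as annualised expected loss
        return self.probability * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    risk: str             # name of the Risk this safeguard mitigates
    effectiveness: float  # fraction of that risk's exposure it removes, 0.0 .. 1.0
    cost: float           # annual cost in dollars


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Steps 1-2: list the scenarios and order them by exposure, worst first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def choose_safeguards(risks: List[Risk], options: List[Safeguard],
                      budget: float) -> Tuple[List[Safeguard], float]:
    """Steps 3-4: evaluate the alternatives and pick the ones to implement.

    A safeguard is only considered if it averts more loss than it costs;
    candidates are then taken greedily by loss averted per dollar until the
    budget is spent. Returns (chosen safeguards, total spend).
    """
    exposure = {r.name: r.exposure() for r in risks}
    scored = []
    for s in options:
        averted = exposure[s.risk] * s.effectiveness
        if averted > s.cost:
            scored.append((averted / s.cost, s))
    scored.sort(key=lambda item: item[0], reverse=True)

    chosen, spent = [], 0.0
    for _, s in scored:
        if spent + s.cost <= budget:
            chosen.append(s)
            spent += s.cost
    return chosen, spent


def residual_exposure(risks: List[Risk], chosen: List[Safeguard]) -> Dict[str, float]:
    """Exposure left after the chosen safeguards. Several safeguards on one
    risk are assumed independent, so their remaining fractions multiply."""
    residual = {r.name: r.exposure() for r in risks}
    for s in chosen:
        residual[s.risk] *= (1.0 - s.effectiveness)
    return residual


def review(risks: List[Risk], chosen: List[Safeguard], tolerance: float) -> List[str]:
    """Step 5: the monitoring check. Returns the risks whose residual exposure
    still exceeds what management agreed to tolerate, i.e. where the plan
    needs changes or updates."""
    residual = residual_exposure(risks, chosen)
    return [name for name, value in residual.items() if value > tolerance]


# Constructed sample register (illustrative figures, not real data)
RISKS = [
    Risk("Ransomware on file server", probability=0.3, impact=200_000),
    Risk("Flooding closes the office for a week", probability=0.1, impact=150_000),
    Risk("Insider expense fraud", probability=0.5, impact=40_000),
]

OPTIONS = [
    Safeguard("Offline backups with restore drills", "Ransomware on file server", 0.8, 12_000),
    Safeguard("Endpoint detection and response", "Ransomware on file server", 0.5, 30_000),
    Safeguard("Remote-access VPN for staff", "Flooding closes the office for a week", 0.7, 2_000),
    Safeguard("Dual approval on expense claims", "Insider expense fraud", 0.9, 5_000),
    Safeguard("Anonymous fraud hotline", "Insider expense fraud", 0.3, 8_000),
]


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:42s} exposure ${r.exposure():>10,.0f}")
    chosen, spent = choose_safeguards(RISKS, OPTIONS, budget=20_000)
    print(f"\nSafeguards within budget (${spent:,.0f} spent):")
    for s in chosen:
        print(f"  - {s.name}")
    print("\nStill above the $10,000 tolerance at review time:",
          review(RISKS, chosen, tolerance=10_000))
```

The fraud hotline is dropped because it averts less loss than it costs, and the remaining ransomware exposure shows up at review time as the item the plan still needs to address.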

A Dike and Three Dutch Boys...is this enough?

Posted by Ken Kousky on Tuesday, 03 July 2012 in Uncategorized

...Applying a triad methodology for risk management.

Like the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world relies primarily on:

  • Plugging the known holes.
  • Posturing to plug holes based on historical data and not overreacting to an acute event.
  • Making educated guesses where to reinforce the infrastructure to minimize potential risk.

Risk awareness and risk analysis have become a central force in all aspects of information assurance and IT security, yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.

There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking, Fast and Slow is the most contemporary catalog of modern psychology, and it shows that people do not behave the way economic models suggest they would or should.

Second, we have to think about data in a vast macro framework and stop letting limited samples and short time horizons set our thinking. Really, ask yourself how many 100-year cycles have been recorded for the river nearest you. If we’re trying to statistically study cycles of up to 100 years, each 100 years is a single observation from which no meaningful statistical inferences should be drawn.

Third, risk is about potential losses. While we look at rare events with big losses as serious threats, the trillions of dollars lost annually are more likely to go to fraud than any other single addressable source. So, it seems that as security professionals and as risk managers we might want to spend more time and energy understanding the what, where, when and why of fraud.

According to Thomson Reuters, the U.S. health care system alone wastes between $505 billion and $850 billion every year. That’s just the tip of a complex range of crimes that have changed and evolved with the advent of new tools and technologies.

Sticking with the theme of threes – here are three profound changes technology has made to the nature of fraud:

  1. Today’s technology greatly expands reach. Bad guys from across the globe can initiate fraud attacks from afar, exposing us all to threats that used to be constrained by limited physical access. The remote corporate campus isn’t remote anymore.
  2. Attacks can be scaled using technology. A recent Medicare fraud network was generating thousands of false claims aided by online claims entry. Another great example was the globally synchronized attack on ATMs, where the compromised cards were used at hundreds of machines across continents, so even though the bank’s control systems responded quickly, it wasn’t fast enough or coordinated enough.
  3. Technology blurs the line between insider and outsider, as modern attacks often target the credentials of insiders, giving outsiders the advantage of an insider as they organize and mount their exploits.

So, to complete the triads, we have three sets of threes. Our last trio to be examined should therefore be what we should be doing about fraud:

  1. Treat fraud as a central and integral component of your risk management. It’s far more damaging than most cyber-security professionals think.
  2. When you start talking about fraud you’ll find a whole new professional community to interact with – fraud examiners and/or auditors, law enforcement, etc.
  3. Engage your fraud folks. Check out the professional associations. Read and track fraud in your industry.

Finally, add it to your existing triad – it’s too limiting to keep talking only about confidentiality, integrity and availability. While these are good abstractions, when we get into risk management we think about the source, or the threat agent. What can we learn about their motives and intentions to understand their likely behavior?

Looking at fraud is a great 4th dimension to consider.

   - KWK


Business Continuity – it’s not just for the big boys who can afford the big toys

Posted by Scott Koger (Instructor for IP3) on Thursday, 28 June 2012 in Uncategorized

For anyone with roots along the Gulf Coast, if we have learned anything through the years, it’s that the impacts of weather can frequently far exceed expectations. For those of us who have been impacted by these tropical systems, it is not uncommon to refer to the storms by name as a kind of milestone. “Yeah, after Betsy we had to” … or “during Camille”… and all too frequently “well, with Katrina ….”. This year’s entry into the shorthand will be Debbie. Although barely a Tropical Storm, she has lingered along the northern Gulf of Mexico for the better part of a week, dumping record amounts of rainfall in Alabama and Florida – and that’s saying something. This flooding has had a significant impact upon ground transport in the area, impeding the local distribution of commodities, freight deliveries, and the ability of people to get from A to B.

You may ask yourself: why is this a Business Continuity Planning issue? Increasingly, medium and large manufacturers have adopted “just in time” supply chain practices to be better able to respond to the need for lean operations – it’s far cheaper to store a day’s or a week’s worth of components than to have a 90-day supply on hand. But you have to ask yourself: how do we deal with circumstances that close road and rail travel in our area for a week or more? Do we have an alternate work site that we could use? Do we have an alternate supply chain? Can we afford to be idle for the duration? Most importantly, what about personnel? If the facility is fine, but no one can get here, what can we do?

For manufacturing, getting the materials and the skilled folks together is a prerequisite, but increasingly for knowledge workers this is not as much of an issue as it might have been previously. There is a dizzying array of products and services available that make getting the people and the information they need together simpler and safer than ever. Be it some cloud-based solution or a more traditional network-based remote access solution, the requirement for people to share a physical space in order to remain productive has become less and less of an issue as more and more options for collaboration and remote presence have become available.

Important disclaimer: This is not an endorsement of any particular product or service – just an observation about the commoditization of a particular set of products and services. Many SOHO, or “Small office/Home office”, networking appliances are approaching the functionality of the enterprise products of just a few years ago. With SSL VPN support for up to 25 concurrent users becoming common in this group of products, even a one-person IT shop supporting 10 or 20 users could stand up a secure remote access solution for under $200. For non-sensitive communications, some shops could leverage free (or nearly free) cloud-based offerings such as Google Docs, Google Hangouts, etc. By keeping an open mind and encouraging the creative use of emerging technologies, we can often find low- or no-cost solutions to bridge those gaps in our Disaster Recovery and Business Continuity planning.

Stay agile and stay alive. Even if you find yourself in a small shop, there are increasingly powerful tools available to you.


Security by Insanity

Posted by Ken Kousky on Wednesday, 27 June 2012 in Uncategorized

A dear friend found a reason to remind me what Einstein (or somebody important) said insanity was: doing the same thing and expecting something different. Well, this got me thinking. All my life people have found probable cause to call me crazy ... but not insane. There's something more clinical and more considered in the diagnosis of insanity.

I've spent over a decade delivering executive summaries on issues in information assurance and IT security. I've worked with the vendor community, academics and corporate IT staff studying threats associated with emerging technologies.

For example, when cars become "wired" systems with steering and braking driven by software rather than direct physical linkages, there are certain risks that should be understood and analyzed. We framed the risks of remote automotive systems access through OnStar, as well as vulnerabilities in the network-addressable controllers of medical devices.

We were one of the first groups to study SCADA vulnerabilities, years before Stuxnet hit. As we evolve processes similar to SCADA for advanced medical devices like a pacemaker, should somebody be thinking about securing it?

As an economist who spent several years teaching in an engineering school, I've developed a passion for root cause analysis. And, when things continue to break, I seek the pattern, the system drivers behind the breakdown. It seems we're doing the same thing with each new threat, with each new technology.

But over the past year, there's been too much insanity - too much doing the same thing and expecting different results.

Maybe the system itself is flawed. Maybe this is beyond crazy and actually insane. What are your thoughts?


CISSP Online Exam Format: Pro & Con

Posted by Brian Edmiston on Wednesday, 20 June 2012 in Uncategorized

A lot of attention has been given to the new computer-based testing (CBT) exam format for CISSP® certification. This may be merited. There is an ongoing debate about the integrity of the exam itself when delivered in such an environment and the possible repercussions to the quality of the credential itself.

The concern over whether or not this delivery method could make it difficult to control fraud is of primary importance. Is it possible that someone other than the actual candidate could take the exam? What methods are being used to prevent this?

Also, can the questions be compromised so the students can prepare for the exam without mastering all of the core subject matter?

Questions such as these abound when moving to an electronic exam format, but the suppliers of online testing systems indicate that they have thought of ways to bring safeguards to the table. In fact, Pearson VUE pioneered the use of biometric identification for test-taker authentication over ten years ago, and in recent years deployed Fujitsu’s PalmSecure biometric identification technology to over 500 Pearson VUE test facilities worldwide. More recently they introduced one-to-many (1:N) matching to provide an enhanced layer of fraud prevention, utilizing the SensoBrain distributed biometric acceleration technology, which compares each test taker’s biometrics to those of everyone else in a client’s testing program so that any potential fraudulent testing based on impersonation can be proactively eliminated before it occurs.

While the move to a CBT format will obviously be a huge cost-saving measure for most test-takers, who historically have had to travel some distance to take these exams, there are increasing concerns about brain dumping, causing potential brand erosion of the “elite” certification. While some argue that (ISC)2 has done an excellent job against brain dumps to date by retiring their questions quickly, others believe that taking the exam from a paper to an online format will degrade its value and relegate it to the level of other lower-level security certs.

What are your thoughts on the pros/cons of the change in delivery for the CISSP exam?

Download our most recent IT Security Briefing (an IP3 White Paper): A Face-Lift for CISSP Exams - June 2012 - [Download PDF]


What's the worst that could happen?

Posted by Patrick Snyder on Thursday, 29 March 2012 in Uncategorized

By now most of the security industry has heard the rumors and threats that Anonymous intends to flood the 13 DNS root servers throughout the world in an attempt to black out the internet for an unknown period of time. This attack is the result of the politically fueled opinions of some of today's most influential hacktivists. According to a post on pastebin.com, the attack will essentially involve the use of a Reflective Amplification or 'ramp' toolkit to DDoS the root DNS servers, which will stop them from responding to DNS resolution requests and thus stop users from accessing websites via DNS names, i.e. 'www.google.com', 'www.facebook.com', etc.

This attack is under great scrutiny by professionals and hackers across the web. Some say it may be possible, others say that at best it will be very limited and do minimal damage, while the rest say that Anonymous has its information all wrong. Does this threat have any substance, or is it only another empty threat? Only time will tell as the attack date of March 31, 2012 grows nearer.

Years before this attack was announced and the hacking group even rose to popularity, Kim Davies, in a post on the ICANN blog, attempted to dispel the notion that there are even 13 lone DNS servers around the world. In a more recent blog post by Errata Security, Robert Graham presents even more reasons why the attack will not be possible. One blogger even goes as far as calling Anonymous' actions some kind of April Fools' joke.

Among the non-believers lies a handful of fearful individuals who see this brazen threat as an indicator of worse things to come. Boy Genius Report recently published a story outlining the underlying fears of U.S. officials in light of Anonymous' growth and increased threat potential to U.S. national security. It is no mystery that the U.S.'s cyber infrastructure is much weaker than most people think it is. We lack a structured cyber army and choose to hinder those with the potential to protect us in the event of a cyber war. I agree with Misha Glenny's ideas in his TED talk last year, where he discussed an alternative to punishing hackers: setting up reform programs to bring these individuals back from the criminal world and get them on the good guys' team again.

The bottom line is that progress remains slow when dealing with cyber attacks. The government's approach of allowing less and less freedom and availability to these cyber miscreants only seems to frustrate them further. Top agents in charge of cyber security are beginning to be beaten down by the constant threats and attacks, in addition to the constant failure of higher-ups in government to consider better funding. The only hope in the fight against cyber crime and an impending cyber war will be not only an increase in IT security budgets but also a change in the mindset that all hackers are our enemies. These rogue hackers possess important skills and knowledge that the government cannot afford to lose to the dark side.

Those interested in a first-hand look at the health status of DNS servers during this weekend's 'attack' can check it out on Team Cymru's website dedicated to tracking the health of DNS servers around the world.


We Will Get Fooled Yet Again

Posted by Patrick Snyder on Friday, 17 February 2012 in Uncategorized

As if Android security controls weren’t bad enough, it seems even more malicious software applications have made their way onto users' devices. This new breed of malware is unlike any other. With the increasing power and capabilities of smartphones, soon to include quad-core processing power, attackers have begun to broaden their focus beyond exploiting desktop and laptop computers and are now targeting mobile devices for their botnets.

Smartphones are the perfect target. They are small, powerful, mobile, and best of all thriving with connectivity. Their size and mobility make them great for spreading malware throughout multiple corporate and public areas, anywhere someone might travel to and connect to an open, unencrypted Wi-Fi network. Their increasing processing power has made them just as suitable as higher-powered machines for running various attacks and malicious campaigns. Best of all, the connectivity and collaborative information we process through our devices allows malicious attackers to have a field day with our contacts and information.

Unlike most fully functional desktop operating systems, mobile device operating systems are much more lightweight and are also designed very differently from our traditional operating systems. Yes, we still run various applications, but many more exist on our mobile devices for specific purposes. On a standard PC, when you want to check your bank account balance or social networking, you generally log in through a browser. Smartphone application developers have simplified this process by giving you access to specialized applications that retain your login credentials for easy, efficient, instant access to these accounts.

What’s worse than writing down your passwords? I say it’s saving them for automatic logins in our applications, especially if these applications are infected with malware.

Picture this: You download an innocent looking banking or social networking application, one recommended by friends or one you have seen advertised on the web, through email, etc. You install the application and log in with your banking and/or social networking credentials. Expecting to see your account balance or messages from friends, you are surprised to find yourself now bombarded with spam advertisements, false banking information, and not a friend to be seen. To make matters worse your credit card has now run up a few hundred dollars worth of charges within a few minutes. Welcome to the new world of mobile malware.

The trojanized applications in these two news stories, from Computerworld and ZDNet, may not be banking or social networking apps, but in an application-rich environment we must always consider the impact of fraudulent applications reaching our most trusted devices. If attackers can trick us with fraudulent websites, they can certainly trick us with fraudulent applications.


Fool me once shame on you, fool me twice shame on you

Posted by Ken Kousky on Wednesday, 25 January 2012 in MyBlog

It looks as though 2012 is not only gearing up to be the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

1. In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?

2. I am addressed as "Stake Winner". You would think that my winning $800,000.00 would at least warrant a name lookup by the Texas Lottery Commission.

3. Google Translate is getting pretty good, but not good enough to correct the grammar in this awkward message.

4. Wait a minute, this isn't Texas. I'm not even a resident of Texas, nor have I entered the Texas lottery lately.

5. Oh of course, that makes perfect sense: a Texas lotto claims agent, located in the United Kingdom, with only a Gmail email account.

6. Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes, absolutely, I sure wouldn't trust my lotto commissioners to hold anything less than a doctorate (hmm, odd, she seems to enjoy signing her name "Morgan Lewis").

Although this is a weak example of an online scam, the excitement of a lotto winning can sometimes cause all logic to go out the window. Check back as I’ll be updating you periodically on this year’s newest phishing attacks and how to avoid being duped.
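The indicators above can be turned into a mechanical scoring rule. The following Go program is an added example written for this edit, not the blog's or IP3's code; the message it scores is a constructed reproduction of the scam described in the post, and the regular expressions, the weights and the free-webmail list are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Message is the minimal parsed form of an e-mail; Finding is one indicator that fired.
type (
	Message struct{ From, Body string } // raw From: header value, and the text body
	Finding struct {
		Indicator string
		Weight    int
	}
)

// A state lottery commission does not run its claims desk from a free webmail account.
var freeWebmail = map[string]bool{"gmail.com": true, "yahoo.com": true, "hotmail.com": true}

var (
	// "Your e-mail address was selected" is the premise of every lottery scam.
	emailDraw = regexp.MustCompile(`(?i)e-?mail address (?:was|has been) (?:selected|chosen|drawn|picked)`)
	// A generic salutation where a real winner's name would be.
	genericGreeting = regexp.MustCompile(`(?i)\b(?:dear|attention)[:,]?\s+(?:stake\s+winner|winner|customer|user|beneficiary)\b`)
	// A large currency amount with thousands separators.
	bigAmount = regexp.MustCompile(`(?:\$|USD|GBP|£|€)\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?`)
	// Titled personal names; a signer whose name changes mid-message is a tell.
	titledName = regexp.MustCompile(`\b(?:Dr|Mrs|Mr|Ms)\.?\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)?)`)
	// Region markers: a US state lottery whose claims agent sits in the UK.
	usState  = regexp.MustCompile(`(?i)\b(?:texas|california|florida|new york)\b`)
	ukMarker = regexp.MustCompile(`(?i)\b(?:united kingdom|london|england)\b|\+44`)
)

func senderDomain(from string) string {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return ""
	}
	if at := strings.LastIndex(addr.Address, "@"); at >= 0 {
		return strings.ToLower(addr.Address[at+1:])
	}
	return ""
}

// Score runs every indicator over the message and returns what fired and the total weight.
func Score(m Message) (found []Finding, total int) {
	add := func(name string, w int) { found = append(found, Finding{name, w}); total += w }
	if freeWebmail[senderDomain(m.From)] {
		add("sender uses a free webmail domain", 3)
	}
	if emailDraw.MatchString(m.Body) {
		add("lottery 'drawn by e-mail address' premise", 3)
	}
	if genericGreeting.MatchString(m.Body) {
		add("generic salutation, recipient never named", 2)
	}
	if bigAmount.MatchString(m.Body) {
		add("large unsolicited prize amount", 2)
	}
	if usState.MatchString(m.Body) && ukMarker.MatchString(m.Body) {
		add("claimed US organization with an overseas contact point", 2)
	}
	names := map[string]bool{}
	for _, mm := range titledName.FindAllStringSubmatch(m.Body, -1) {
		names[mm[1]] = true
	}
	if len(names) > 1 {
		add("signer's name changes within the message", 2)
	}
	return found, total
}

// ScamSample is constructed after the message described in the post; LegitSample is a
// constructed, unremarkable notification for comparison.
var (
	ScamSample = Message{
		From: "Texas Lottery Commission <texaslotto.claims@gmail.com>",
		Body: `Dear Stake Winner,

Your e-mail address was selected in our online draw and you have won
the sum of $800,000.00 in the Texas Lottery promotion. Congratulations
from Dr. Roseline Morgan, Director of the Texas Lottery Commission.
Contact our claims agent in London, United Kingdom to process payment.

Yours faithfully,
Dr. Morgan Lewis`,
	}
	LegitSample = Message{
		From: "Example Bank Alerts <alerts@bank.example>",
		Body: "Dear Ken,\n\nYour May statement is ready. Sign in as usual to view it.\n\nExample Bank",
	}
)

func main() {
	for _, m := range []Message{ScamSample, LegitSample} {
		found, total := Score(m)
		fmt.Printf("%s -> score %d\n", m.From, total)
		for _, f := range found {
			fmt.Printf("  +%d %s\n", f.Weight, f.Indicator)
		}
	}
}
```

Run it and the constructed lottery message scores 14 across six indicators while the bank notice scores 0. The rule is a triage aid, not a verdict: a targeted spear-phishing mail will be written to score 0 on exactly these checks, so a high score is a reason to look closer, and a low score is not a reason to relax.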

Tags: attack, phishing

Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

Posted by Ken Kousky on Friday, 09 September 2011 in MyBlog

The past year has been plagued by a variety of new attacks. The most influential were Operation Shady RAT, which hit more than 70 organizations; the theft of RSA SecurID data; and the DigiNotar breach, which let attackers issue fraudulent SSL certificates for major domains. These attacks have one thing in common: they are the work of Advanced Persistent Threats (APTs), a class of attacker that is taking the IT industry by storm. APT campaigns are closely managed by their operators, resilient to defenses, quick to change tools and tactics when detected, and incredibly successful. But the attackers are after much more than a few SecurID seeds or SSL certificates; the true target is the information those assets unlock. With a fraudulent certificate for a popular domain, an attacker who can redirect traffic can impersonate that site to every user whose browser trusts the issuing CA, harvesting personal and banking data without a warning and without suspicion. That information is then used for political and financial gain, fueling further attacks on a system that is more fragile than we like to admit.

APTs are one of many emerging threats on the front lines of IT security. Other hot topics in the industry include cloud computing security, new challenges in cryptography, and emerging exploits. Even the business side of IT is changing rapidly: risk management procedures are being revised in light of the recent natural disasters on the East Coast and the tenth anniversary of 9/11.

So many emerging topics, so little time.

But there is hope for security professionals. IP3 now offers a new way to learn about these emerging threats and technologies while earning the CPEs needed to maintain certifications, at a price and in a package that fits the schedule of even the busiest IT security professional.

Click here for more information on IP3 Inc.’s industry first CPE ToGo program.


So much for the chain of trust

Posted by Patrick Snyder on Tuesday, 30 August 2011 in MyBlog

We all know digital certificates are meant to keep us safe while browsing the web. Our systems ship with a set of trusted root certificates from day one, nothing in the chain can be issued or altered without the corresponding private key's signature, and together they establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is compromised? What happens when a certificate authority, or a certificate it has issued, falls into the wrong hands?

Attackers recently obtained a fraudulently issued certificate for *.google.com from DigiNotar, a Dutch certificate authority; Google itself never requested it. The certificate has already been flaunted on pastebin.com as proof. It is still unclear how it was obtained: DigiNotar's issuing systems may have been breached, or the issuance may simply have escaped oversight. Either way, the event presents a significant risk to users, because a browser trusts DigiNotar's root as fully as any other and has no way of knowing which certificates a CA should never have signed.

Because the certificate covers Google's domains, it lends an attacker the trusted identity of Google's many services, including Gmail, Google search, and Google Apps. On its own it changes nothing; combined with DNS poisoning, a rogue Wi-Fi hotspot, or any other way of steering victims to an attacker-controlled host, it allows a man-in-the-middle attack in which users log in to a fake Gmail, hand over their credentials, and never see a warning.

According to security professionals who examined the copy posted on Pastebin, the certificate is in fact valid: it chains to a root that browsers trust. This leaves the attackers endless possibilities for exploiting it, and because the chain validates, users will not be shown a warning even on a malicious site posing as Google. The one exception was Chrome, which pins the public keys Google actually uses and rejects a certificate that chains correctly but carries the wrong key; that pin check is what exposed the certificate in the first place.

Google is expected to quickly block the certificate in Chrome and will most likely urge Microsoft, Mozilla, Apple, and others to follow by removing DigiNotar's root from their trust stores, for the safety of the internet.
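What "valid" means here, and why a key pin catches what chain validation cannot, is easiest to see in a small simulation. The following Go program is an added example, not the blog's, Google's or any browser vendor's code: it builds two self-signed roots, puts both in a trust store, has the compromised one issue a certificate for a host it was never asked about, and then runs the checks a browser would run, before and after the compromised root is removed. The host name mail.example.com stands in for a Google host, and the CA names, validity periods and pin set are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certificate authority: a self-signed root and its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign creates a fresh key for tmpl and signs it with parent (self-signed when parent
// is nil). Demo code: key generation and signing do not fail in practice, so errors panic.
func sign(tmpl *x509.Certificate, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA creates a self-signed root; the honest and the compromised CA are built identically.
func NewCA(name string) *CA {
	cert, key := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
	return &CA{cert, key}
}

// Issue signs a server certificate for host, as a CA does after validating a request,
// or, as at DigiNotar, after an intruder skips the validation.
func (ca *CA) Issue(host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	return cert
}

// ChainValid is the browser's check: does the leaf chain to a trusted root and name the host?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, which is what key pinning compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Scenario replays the DigiNotar situation on a stand-in host name.
func Scenario() map[string]bool {
	const host = "mail.example.com" // assumed stand-in for a Google host name
	honest, rogue := NewCA("Honest Root CA"), NewCA("Compromised Root CA")
	legit, forged := honest.Issue(host), rogue.Issue(host) // nobody asked for forged
	store := x509.NewCertPool() // both roots ship in the browser's trust store
	store.AddCert(honest.Cert)
	store.AddCert(rogue.Cert)
	fixed := x509.NewCertPool() // the vendors' remedy: drop the compromised root
	fixed.AddCert(honest.Cert)
	pins := map[string]bool{SPKIPin(legit): true} // the key the site really uses
	return map[string]bool{
		"legit chain valid":            ChainValid(legit, store, host),
		"forged chain valid":           ChainValid(forged, store, host),
		"legit pin ok":                 pins[SPKIPin(legit)],
		"forged pin ok":                pins[SPKIPin(forged)],
		"forged chain valid after fix": ChainValid(forged, fixed, host),
	}
}

func main() {
	fmt.Println(Scenario())
}
```

Both leaves pass chain validation while the compromised root is trusted, because validation only answers "did a trusted CA sign this?", not "should it have?". The pin fails for the forged certificate because the attacker cannot reproduce the site's real key, and once the root is removed from the store the forged chain fails outright, which is the remedy the browser vendors shipped.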


Earthquakes, Hurricanes, and a Crumbling Infrastructure

Posted by Patrick Snyder on Wednesday, 24 August 2011 in MyBlog

The recent 5.9 magnitude earthquake centered in Mineral, VA was a complete surprise to everyone within its reach. Although damage was minimal, it still reminds us of the importance of disaster recovery and business continuity planning. So far reports show only minor injuries, a safety shutdown of the nearby nuclear plant, and some cell network disruption. These effects are minor compared with other major disasters. The most important lesson is that these things can happen anywhere, and everyone must be prepared.

Your office may not be near a fault line, in Tornado Alley, or along a hurricane path, but these natural events do stray from their usual territory from time to time. In a way there is no 100% safe place to be. It is good practice to plan for every plausible disaster, not just those common to your area.

This also raises questions about the placement of our disaster recovery providers. Chances are your provider has chosen a backup location that, on a normal day, is exposed to minimal risk, and markets it as a low-risk, generally safe environment. But as I just stated, there is no end-all, be-all safe haven for data and IT centers. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

On another side of the story, Tuesday's quake may not have thrown any industry into disaster recovery mode, but it did shed light on the aging infrastructure of cities along the East Coast. Disaster recovery plans help rebuild and maintain business continuity after a damaging event, but they do not generally account for the fragility of the infrastructure already in place. Many plans would be far less likely to be activated if the infrastructure they protect were solid and secure from the start.

With Hurricane Irene bearing down on the East Coast within the week, we can only hope the minor damage already done by the quake is not magnified by the storm. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.


Amazon takes aim at cloud compliance issues with GovCloud

Posted by Patrick Snyder on Thursday, 18 August 2011 in MyBlog

Compliance is never easy, and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now U.S. government agencies have found it difficult, if not impossible, to move their sensitive information into the cloud despite federal programs aimed at doing just that. The issue has always been compliance and security: sensitive data carries strict regulatory requirements for how it is handled and who may access it.

Two of those requirements are data location and access control. Certain categories of sensitive federal data must be stored within U.S. borders and, under regulations such as ITAR, be accessible only to U.S. persons. With most cloud services spanning several continents and staffed worldwide, keeping that data contained has been nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about GovCloud:

AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Traffic in Arms Regulations (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

The new region also supports FISMA, SAS 70, ISO 27001, FIPS 140-2 validated endpoints, PCI DSS Level 1, and HIPAA requirements. That should make compliance auditing far less daunting and improve the security of data in the cloud. Note, though, that a compliant region does not make a workload compliant: the controls inside your own account (identity, encryption, logging) remain your responsibility and are what an auditor will ask about. Hopefully the new service will lead more federal agencies to join the cloud movement and begin fulfilling the goals outlined in Vivek Kundra's Federal Cloud Computing Strategy.


Cloud Risk: Placing all of your eggs in one basket

Posted by Patrick Snyder on Monday, 08 August 2011 in MyBlog

It's 2 a.m. on a Monday, the workweek starts in six hours, and your cloud service provider has just notified you that its services are down. What do you do?

This is the question European customers were asking themselves when Amazon's EC2 and Microsoft's BPOS cloud services were knocked out by a lightning strike in Dublin earlier this week.

Despite proper disaster recovery and business continuity plans developed by these providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have come up in synchronization to cover the power loss; however, the strike was substantial enough to knock out the phase control system that synchronizes the generators' loads, so the generators had to be brought up and load-managed manually, resulting in a noticeable outage for customers.

This is something for cloud consumers to keep in mind. You have been told time and again in security training that proper cloud integration involves strict audits of your provider, and those audits are sure to cover disaster recovery and business continuity procedures. Having it all on paper is only half of the equation for resilience and reliability; how those procedures are executed under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning: having a backup. That can include file backups, virtual machine image backups, and even fully operational standby systems (what many of us know as "hot sites"). Most cloud providers offer extensive features covering many of these. Bundling them all with the same provider may be more convenient, but it compounds the disaster when that provider is the one that fails.

As the abundance of cloud outages so far this year shows, bad things do happen to cloud services. The cloud will go down. That raises the importance of third-party services (or at least a second provider or region) that keep you running while your main provider gets back on its feet. Just as it isn't smart to put all of your eggs in one basket, it isn't a good idea to place all of your computing resources in the hands of one provider.


Break out the RAT traps, there is shady business afoot

Posted by Patrick Snyder on Thursday, 04 August 2011 in MyBlog

Forget about LulzSec and Anonymous. Those hacktivist groups look like amateur script kiddies next to the attackers McAfee has just revealed. The newly disclosed group's five-year campaign struck at least 72 identified organizations and appears to have originated in China, although no official attribution has been made.

Dubbed Operation Shady RAT (RAT being a remote access tool, the kind of malware the operators used), the campaign relies on spear-phishing emails that mimic legitimate messages, just as many other phishing attacks do. Once a user opens the attachment, the system is infected with malware that takes orders from a command-and-control (C&C) server run by the attackers. Unlike other attacks we have seen, this group is not out for laughs or a quick payout. It is after data, and lots of it.

The longevity of the campaign has led to the compromise of petabytes of data so far. The damage and loss of proprietary information is far greater than anyone would have predicted, and until the attackers are shut out it is only expected to get worse.

This attack brings to light a concept we have been putting in front of IT security professionals for quite some time. Anyone who has attended Ken Kousky's Strategy to Reality seminars has most definitely heard about Advanced Persistent Threats (APTs). The same approach was used by Stuxnet against the SCADA systems of Iran's nuclear facilities and in Operation Aurora against Google and dozens of other companies. For those who need a refresher, think of an APT as an interactive campaign whose operators adapt their tools and tactics to whatever defenses they meet. You build a wall, they knock it down; you dig a moat, they swim across it. No single control stops an APT, which is what makes them feel unstoppable.

The most direct way to shut down an APT campaign is to cut it off from its driving source, the C&C server. McAfee is working with a variety of US government agencies to take down the C&C server; however, the attackers' five-year head start and jurisdictional issues make that a challenging task. In the meantime a victim can sever the channel from its own side: find the hosts talking to the C&C infrastructure in proxy and firewall logs and block them at the egress.
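A victim cannot take down a C&C server in another jurisdiction, but it can find its own infected hosts and cut the channel at its egress. The following Go program is an added example, not McAfee's or the blog's code: it reads constructed proxy-log lines (the addresses, times and thresholds are assumptions) and flags source/destination pairs that connect on a regular timer, which is how an implant checking in with its controller looks next to a person browsing.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Hit is one outbound connection taken from a proxy or firewall log.
type Hit struct {
	At       time.Time
	Src, Dst string
}

// ParseLog reads constructed lines of the form "2011-08-04T09:00:00Z 10.1.2.3 203.0.113.7 443"
// (RFC 3339 time, source IP, destination IP, destination port); blank or short lines are skipped.
func ParseLog(s string) ([]Hit, error) {
	var hits []Hit
	for _, line := range strings.Split(s, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		hits = append(hits, Hit{at, f[1], f[2] + ":" + f[3]})
	}
	return hits, nil
}

// Beacon is a src->dst pair whose connection timing is suspiciously regular.
// Jitter is the standard deviation of the gaps divided by their mean: near 0 is clockwork.
type Beacon struct {
	Src, Dst         string
	Count            int
	MeanSecs, Jitter float64
}

// FindBeacons flags pairs with at least minHits connections whose gaps vary by no more
// than maxJitter of the mean. People browse in bursts; an implant checks in on a timer.
func FindBeacons(hits []Hit, minHits int, maxJitter float64) []Beacon {
	byPair := map[[2]string][]time.Time{}
	for _, h := range hits {
		k := [2]string{h.Src, h.Dst}
		byPair[k] = append(byPair[k], h.At)
	}
	var out []Beacon
	for k, ts := range byPair {
		if len(ts) < minHits {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var gaps []float64
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
		}
		mean, sd := meanStddev(gaps)
		if mean > 0 && sd/mean <= maxJitter {
			out = append(out, Beacon{k[0], k[1], len(ts), mean, sd / mean})
		}
	}
	return out
}

func meanStddev(xs []float64) (mean, sd float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		sd += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sd / float64(len(xs)))
}

// SampleLog is constructed: 10.1.2.3 checks in with 203.0.113.7 every five minutes give
// or take a few seconds (the implant), while 10.1.2.4 browses 198.51.100.20 normally.
const SampleLog = `
2011-08-04T09:00:00Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:00:10Z 10.1.2.4 198.51.100.20 80
2011-08-04T09:00:25Z 10.1.2.4 198.51.100.20 80
2011-08-04T09:03:40Z 10.1.2.4 198.51.100.20 80
2011-08-04T09:05:02Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:09:58Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:15:01Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:19:59Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:25:00Z 10.1.2.3 203.0.113.7 443
2011-08-04T09:31:05Z 10.1.2.4 198.51.100.20 80
2011-08-04T09:31:09Z 10.1.2.4 198.51.100.20 80
2011-08-04T09:58:30Z 10.1.2.4 198.51.100.20 80
`

func main() {
	hits, _ := ParseLog(SampleLog) // the constructed input parses cleanly
	for _, b := range FindBeacons(hits, 5, 0.2) {
		fmt.Printf("%+v\n", b)
	}
}
```

With the constructed log, 10.1.2.3 -> 203.0.113.7:443 is flagged with six hits at a 300-second mean and jitter below 0.01, while the browsing host is not. Real implants add random sleep to their check-in interval, so in practice you rank pairs by jitter and review the lowest rather than trusting one cut-off, and you confirm what the host is before blocking the destination at the egress.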

Another issue is many organizations' failure to report or admit a compromise, which makes these attacks even harder to track. Security professionals must keep in mind that, whatever your organization's reputation or pride, you have a duty to disclose attacks to the proper authorities. These attacks cannot be ignored and cannot be fought alone.

Microsoft has even launched its BlueHat Prize, offering over $250,000 in prizes to researchers who contribute outstanding defensive technologies, in the interest of the future of computing.

If you're wondering whether your organization could be a target, just ask yourself one question: does my information hold any value whatsoever? I'm guessing that for 95% of organizations the answer is yes.


Those who fail to plan for Cloud should plan to fail

Posted by Patrick Snyder on Friday, 15 July 2011 in MyBlog

Although early cloud adopters boast of its cost savings, there is a catch many organizations are not prepared for. The IT savings are no myth; your organization will spend less on its IT budget. But that money may not go straight into your pocket from the start. It must be reinvested in the other resources a safe transition to the cloud depends on, chiefly security and auditing. Without corporate approval to increase those budgets and adopt a new approach to measuring cloud security, the transition can fail, and the result will be reports showing a lack of funding and a lack of security.

The unexpected "reinvestment clause" of a cloud transition has taken many federal agencies by surprise. Since the Cloud First mandate from United States Chief Information Officer Vivek Kundra, agencies have been required to identify three services to move to the cloud, migrating one within 12 months and all three within 18. Many have moved their low-hanging fruit and least important resources, which has lightened the load somewhat but does not deliver the benefits the mandate aims to achieve. Other agencies that went for broke have done exactly that: gone broke. Survey data shows 79% of federal organizations complaining of a lack of funds. If only these organizations had planned on reinvesting in auditing and risk management, they would have been able to report financial gains instead of money woes.

“The policy and risk assessment work just hasn’t been done.” said Paul Sand, Vice President of IP3 Inc. A transition to the cloud takes planning, auditing, research, and careful budgeting. If you are smart about it, and take note of hidden factors, your organization has the potential to gain great success by joining the cloud movement. This methodology reminds me of an old proverb, “Those who fail to plan should plan to fail.”

While we are on the topic of cloud transition, it is also worth noting the consequences of a failure to budget properly. On top of those with funding concerns, 71% of organizations reported fears regarding cloud security. The belief that the cloud is secure by default is a fallacy. A secure cloud deployment takes initiative and constant monitoring and measurement by every responsible party: doing your homework on the proper security controls, writing SLAs that require the provider to implement them, and then auditing that they are in place. Without a budget, those tasks go unchecked on the security checklist.

The lack of funds has also pushed some organizations to trade privacy and security for multi-tenant, shared cloud implementations. That leaves them at risk of spillover and cross-contamination with neighboring tenants' data. The multi-tenant option saves money, but it still sacrifices isolation. When the data involved is sensitive federal information, the last thing we want is a choice driven by an inadequate budget that sacrifices security.

A transition to the cloud is not something that will happen overnight. It will take planning, budgeting, risk assessment and plenty of audits along the way. Be sure you know what your organization is getting into before you decide to take off into the clouds.

How to ruin VoIP security

Posted by Patrick Snyder on Wednesday, 29 June 2011 in MyBlog

With the advance of mobile technologies and IP networks, our communication channels have expanded to include mobile email, mobile instant messaging, texting, and VoIP, which are rapidly replacing older networks such as postal mail and Plain Old Telephone Service (POTS). These technologies brought security advances over the older media: encrypted transport, encrypted voice data, and so on. But one thing was forgotten when they were introduced: they all fall under the same communications and lawful-intercept laws as the older media, and complying with those laws may well unravel the security structure we have put in place.

Skype is the example. Shortly after Microsoft's $8.5 billion acquisition of Skype, a Microsoft patent application was published (it had been filed in 2009, before the deal) describing a technology called "Legal Intercept" for bringing VoIP and video chat applications into compliance with government-mandated wiretapping and surveillance requirements. It acts as a man in the middle, allowing silent recording of conversations.

The scheme works by intercepting a call setup request, rerouting the session through a recording channel, and then forwarding it on to the requested endpoint, so that neither party notices.

Monitoring of this kind is nothing new in communications (CALEA has required carriers to support it since 1994, and the FCC extended it to interconnected VoIP in 2005), but it has largely not reached peer-to-peer IP services like Skype. An addition like this is likely to undo much of the security progress made in the VoIP world. The trusted connections, encrypted tunnels and end-to-end protected data that a VoIP session establishes would now, by design, be alterable so that a third party can listen, which is to say a backdoor is being built in. A technology designed not to be intercepted is being intercepted on purpose, all to suit Big Brother. We must remember that Big Brother will not be the only one capable of listening: any interception point is a target, and any key or credential that unlocks it will be sought by others.

This should really be raising some questions. What security ensures these channels can be intercepted only by authorized government agencies? What security protects the recorded sessions once they are captured? What back doors into our data enable the recording channel? I am all for national security, but opening more back doors and vulnerable channels seems to outweigh any security this technology introduces. For now it really only seems to be introducing national insecurity.


Hacking group gets their 'Lulz' thanks to poor security

Posted by Patrick Snyder on Thursday, 16 June 2011 in MyBlog

Lulz Security, a seemingly innocent name you could mistake for a legitimate security company, has rapidly built a hacking reputation since early 2011. They have managed near-daily hacks of websites across the internet and even redirected callers from their phone hotline onto customer support lines. The most notable incidents involved Sony, the US Senate, an FBI-affiliated InfraGard chapter, and the CIA's public website. Many of their attacks have been simple breaches of basic controls, things security professionals should have locked down long ago.

These hacks highlight how much time security managers waste securing only their outer defenses. Real security has to live directly around your most precious assets. The sites hit by LulzSec relied primarily on perimeter security, which is like building a wall around your home, leaving the doors unlocked, and expecting the wall alone to keep people out. As we can now see, that methodology is unacceptable and simply not enough.

Though the group has caused major disruption in many networks, it does not seem to have a truly malevolent motive. They do not appear to be out for financial or political gain. As their tweets and even their name ('Lulz', a reference to laughs) suggest, they are doing this for the entertainment and the sport of it. They have even been operating what I like to call a hack-by-request system, where anyone is free to contact them with a target. The truly surprising fact is that they have been able to hack nearly every target they are given, whether a simple gaming forum or a high-level government website. They are breaking into what should be among the most secure sites on the internet with basic techniques such as SQL injection; where they could not get in, as with the CIA's site, they simply flooded it offline. A DDoS denies service but breaches nothing, and it is the intrusions that show how thin the defenses really were.

Beyond exposing a lack of perimeter defenses, their hacks have also highlighted security issues most of us are still ignoring. The Sony breach revealed not only inadequate defenses on Sony's part (the stolen credentials were stored in plaintext) but also an astonishing amount of password reuse among users, which we all know is one of the most prevalent security flaws that exists.

Let's face it, these attacks have been happening for years, and organizations have simply been able to keep quiet and sweep the mess under the rug. LulzSec's public hacking escapade has finally brought them to the attention of the general public, exposing many organizations' security for what it really is: weak. There is no more ignoring our simple mistakes. It is time we all raise security to the level this world of cyber threats demands. This should be a true eye-opener for security professionals, and it may be your only chance to get things right before your information is stolen or misused in a way that results in financial loss and legal liability.
