IT Security Blog

Your source for information security news and views.


A Dike and Three Dutch Boys...is this enough?

Posted by Ken Kousky on Tuesday, 03 July 2012 in Uncategorized

...Applying a triad methodology for risk management.

Similar to the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world relies primarily on:

  • Plugging the known holes.
  • Posturing to plug holes based on historical data and not overreacting to an acute event.
  • Making educated guesses where to reinforce the infrastructure to minimize potential risk.

Risk awareness and risk analysis have become a central force in all aspects of information assurance and IT security, yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.

There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking, Fast and Slow is the most contemporary catalog of modern psychology, and it shows that people do not behave the way economic models suggest they would or should.

Second, we have to think about data in a vast macro framework and stop letting limited samples and short time horizons set our thinking. Really, ask yourself how many 100-year cycles have been recorded for the river nearest you. If we're trying to statistically study cycles of up to 100 years, each 100 years is a single observation from which no meaningful statistical inference should be drawn.
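To carry that argument through as a calculation, here is an added example (not part of the original post). It assumes a deliberately simple model in which the event strikes independently each year with a fixed probability p, so the count of events in a record of a given length is binomial, and it asks two questions about a 1-in-100-year event: how often does a record of that length show no event at all, and how often is the naive estimate k/years off from the truth by more than a factor of two? With 30 years of records the naive estimate is never within 2x of the truth, and even a full century of observation misses by more than 2x about 45% of the time.

```python
"""How little a short observation window says about a 1-in-100-year event.

Added example, not code from the post. It assumes the event occurs
independently each year with a fixed probability p (a Bernoulli model), so
the count of events in a window is binomial; that model is itself a
simplification chosen for the illustration.
"""
from math import comb


def prob_events(p, years, k):
    """Binomial probability of exactly k events in `years` independent years."""
    return comb(years, k) * p**k * (1 - p) ** (years - k)


def estimate_quality(p, years, tolerance=2.0):
    """How the naive frequency estimate p_hat = k / years behaves.

    Returns the probability that the window shows no event at all (p_hat = 0,
    the record looks 'clean') and the probability that p_hat differs from the
    true p by more than `tolerance`x in either direction."""
    p_no_event = prob_events(p, years, 0)
    p_off = 0.0
    for k in range(years + 1):
        p_hat = k / years
        if p_hat == 0 or p_hat > tolerance * p or p_hat < p / tolerance:
            p_off += prob_events(p, years, k)
    return {"years": years,
            "p_no_event": round(p_no_event, 4),
            "p_estimate_off_2x": round(p_off, 4)}


def window_summary(p=0.01, windows=(10, 30, 100, 300, 1000)):
    """Same event, increasingly long records."""
    return [estimate_quality(p, w) for w in windows]


if __name__ == "__main__":
    for row in window_summary():
        print(row)
```

The "p_no_event" column is the trap the post warns about: a 30-year record of a 1-in-100-year event looks completely clean about 74% of the time, which is exactly when a sample-driven risk model would tell you the threat does not exist.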

Third, risk is about potential losses. While we look at rare events with big losses as serious threats, the trillions of dollars lost annually are more likely to go to fraud than any other single addressable source. So, it seems that as security professionals and as risk managers we might want to spend more time and energy understanding the what, where, when and why of fraud.

According to Thomson Reuters, the U.S. health care system alone wastes between $505 billion and $850 billion every year. That's just the tip of a complex range of crimes that have changed and evolved with the advent of new tools and technologies.

Sticking with the theme of threes – here are three profound changes technology has made to the nature of fraud:

  1. Today’s technology greatly expands reach. Bad guys from across the globe can initiate fraud attacks from afar exposing us all to threats that used to be constrained by limiting physical access. The remote corporate campus isn’t remote anymore.
  2. Attacks can be scaled using technology. A recent Medicare fraud network was generating thousands of false claims aided by online claims entries. Another great example was the global synchronized attack on ATMs where the compromised cards were used at hundreds of machines across continents so even as the bank’s control systems quickly responded it wasn’t fast enough or coordinated enough.
  3. Technology blurs the line between insider and outsider as modern attacks often target the credentials of insiders giving outsiders the advantage of an insider as they organize and mount their exploits.

So, to complete the triads, we have three sets of threes. Our last trio to be examined should therefore be what we should be doing about fraud:

  1. Treat fraud as a central and integral component of your risk management. It’s far more damaging than most cyber-security professionals think.
  2. When you start talking about fraud you’ll find a whole new professional community to interact with – fraud examiners and/or auditors, law enforcement, etc.
  3. Engage your fraud folks. Check out the professional associations. Read and track fraud in your industry.

Finally, add it to your existing triad. It's too limiting to keep talking only about confidentiality, integrity and availability. While these are good abstractions, when we get into risk management we think about the source, the threat agent. What can we learn about their motives and intentions to understand their likely behavior?

Looking at fraud is a great 4th dimension to consider.

   - KWK


Business Continuity – it’s not just for the big boys who can afford the big toys

Posted by Scott Koger (Instructor for IP3) on Thursday, 28 June 2012 in Uncategorized

For anyone with roots along the Gulf Coast, if we have learned anything through the years, it's that the impacts of weather can frequently far exceed expectations. For those of us who have been impacted by these tropical systems, it is not uncommon to refer to the storms by name as a kind of milestone: "Yeah, after Betsy we had to..." or "during Camille..." and all too frequently "well, with Katrina...". This year's entry into the shorthand will be Debby. Although barely a tropical storm, she lingered along the northern Gulf of Mexico for the better part of a week, dumping record amounts of rainfall in Alabama and Florida, and that's saying something. This flooding has had a significant impact on ground transport in the area, impeding the local distribution of commodities, freight deliveries, and the ability of people to get from A to B.

You may ask yourself why this is a business continuity planning issue. Increasingly, medium and large manufacturers have adopted "just in time" supply chain practices to support lean operations: it's far cheaper to store a day's or a week's worth of components than to have a 90-day supply on hand. But you have to ask yourself: how do we deal with circumstances that close road and rail travel in our area for a week or more? Do we have an alternate work site that we could use? Do we have an alternate supply chain? Can we afford to be idle for the duration? Most importantly, what about personnel? If the facility is fine, but no one can get here, what can we do?

For manufacturing, getting the materials and the skilled folks together is a prerequisite, but for knowledge workers this is increasingly less of an issue than it might have been previously. There is a dizzying array of products and services available that make getting people and the information they need together simpler and safer than ever. Be it a cloud-based solution or a more traditional network-based remote access solution, the requirement for people to share a physical space in order to remain productive has become less and less of an issue as more and more options for collaboration and remote presence have become available.

Important disclaimer: this is not an endorsement of any particular product or service, just an observation about the commoditization of a particular set of products and services. Many SOHO, or "small office/home office", networking appliances are approaching the functionality of the enterprise products of just a few years ago. With SSL VPN support for up to 25 concurrent users becoming common in this class of products, even a one-person IT shop supporting 10 or 20 users could stand up a secure remote access solution for under $200. For non-sensitive communications, some shops could leverage free (or nearly free) cloud-based offerings such as Google Docs and Google Hangouts. By keeping an open mind and encouraging the creative use of emerging technologies, we can often find low- or no-cost solutions to bridge those gaps in our disaster recovery and business continuity planning.

Stay agile and stay alive. Even if you find yourself in a small shop, there are increasingly powerful tools available to you.


Security by Insanity

Posted by Ken Kousky on Wednesday, 27 June 2012 in Uncategorized

A dear friend found a reason to remind me what Einstein (or somebody important) said was insanity - doing the same thing and expecting something different. Well, this got me thinking. All my life people have found probable cause to call me crazy …. but not insane. There's something more clinical and more considered in the diagnosis of insanity.

I've spent over a decade delivering executive summaries on issues in information assurance and IT security. I've worked with the vendor community, academics and corporate IT staff studying threats associated with emerging technologies.

For example, when cars become "wired" systems with steering and braking driven by software rather than direct physical linkages, there are certain risks that should be understood and analyzed. We framed the risks of remote access to automotive systems through OnStar, as well as vulnerabilities in network-addressable controllers of medical devices.

We were one of the first groups to study SCADA vulnerabilities, years before Stuxnet hit. As we evolve SCADA-like processes for advanced medical devices like a pacemaker, should somebody be thinking about securing them?

As an economist who spent several years teaching in an engineering school, I've developed a passion for root cause analysis. And, when things continue to break, I seek the pattern, the system drivers behind the breakdown. It seems we're doing the same thing with each new threat, with each new technology.

But over the past year, there's been too much insanity - too much doing the same thing and expecting different results.

Maybe the system itself is flawed. Maybe this is beyond crazy and actually insane. What are your thoughts?


CISSP Online Exam Format: Pro & Con

Posted by Brian Edmiston on Wednesday, 20 June 2012 in Uncategorized

A lot of attention has been given to the new computer-based testing (CBT) exam format for CISSP® certification. This may be merited. There is an ongoing debate about the integrity of the exam itself when delivered in such an environment and the possible repercussions to the quality of the credential itself.

The concern over whether or not this delivery method makes it difficult to control fraud is of primary importance. Is it possible that someone other than the actual candidate could take the exam? What methods are being used to prevent this?

Also, can the questions be compromised so the students can prepare for the exam without mastering all of the core subject matter?

Questions such as these abound when moving to an electronic exam format, but the suppliers of online testing systems indicate that they have thought of ways to bring safeguards to the table. In fact, Pearson VUE pioneered biometric identification for test-taker authentication over ten years ago, and in recent years deployed Fujitsu's PalmSecure biometric identification technology to over 500 Pearson VUE test facilities worldwide. More recently they introduced one-to-many (1:N) matching to provide an enhanced layer of fraud prevention, utilizing SensoBrain distributed biometric acceleration technology, which compares each test taker's biometrics to those of everyone else in a client's testing program so that impersonation can be caught before the exam starts.

While the move to a CBT format will obviously be a huge cost-saving measure for most test-takers, who historically have had to travel some distance to take these exams, there are increasing concerns about brain dumping causing potential brand erosion of the "elite" certification. While some argue that (ISC)2 has done an excellent job against brain dumps to date by retiring questions quickly, others believe that taking the exam from a paper to an online format will degrade its value and relegate it to the level of other, lower-level security certs.

What are your thoughts on the pros/cons of the change in delivery for the CISSP exam?

Download our most recent IT Security Briefing (an IP3 white paper): A Face-Lift for CISSP Exams, June 2012.


What's the worst that could happen?

Posted by Patrick Snyder on Thursday, 29 March 2012 in Uncategorized

By now most of the security industry has heard the rumors and threats that Anonymous intends to flood the 13 DNS root servers throughout the world in an attempt to black out the internet for an unknown period of time. This attack is the product of the politically fueled opinions of some of today's most influential hacktivists. According to a post on pastebin.com, the attack will essentially involve the use of a reflective amplification, or 'ramp', toolkit to DDoS the root DNS servers, which would stop them from responding to DNS resolution requests and thus stop users from reaching websites by DNS name, i.e. 'www.google.com', 'www.facebook.com', etc.

This attack is under great scrutiny by professionals and hackers across the web. Some say it may be possible, others say that at best it will be very limited and do minimal damage, while the rest say that Anonymous has its information all wrong. Does this threat have any substance, or is it only another empty threat? Only time will tell as the attack date of March 31, 2012 grows nearer.

Years before this attack was announced, and before the group even rose to popularity, Kim Davies, in a post on the ICANN blog, set out to dispel the notion that there are only 13 lone DNS root servers in the world (the 13 root server addresses are each answered by many anycast instances spread across the globe). In a more recent blog post by Errata Security, Robert Graham presents even more reasons why the attack will not be possible. One blogger even goes as far as calling Anonymous' actions some kind of April Fools' joke.

Among the non-believers lies a handful of fearful individuals who see this brazen threat as an indicator of worse things to come. Boy Genius Report recently published a story outlining the underlying fears of U.S. officials in light of Anonymous' growth and increased threat potential to U.S. national security. It is no mystery that the U.S.'s cyber infrastructure is much weaker than most people think it is. We lack a structured cyber army and choose to hinder those with the potential to protect us in the event of a cyber war. I agree with Misha Glenny's ideas in his TED talk last year, where he discussed an alternative to punishing hackers: setting up reform programs to bring these individuals back from the criminal world and get them on the good guys' team again.

The bottom line is that progress remains slow when dealing with cyber attacks. The government's approach of allowing less and less freedom and availability to these cyber miscreants only seems to frustrate them further. Top agents in charge of cyber security are beginning to get beaten down by the constant threats and attacks, in addition to the constant failure of higher-ups in government to consider better funding. The only hope in the fight against cyber crime and an impending cyber war will be not only an increase in IT security budgets but also a change in the mindset that all hackers are our enemies. These rogue hackers possess important skills and knowledge that the government cannot afford to lose to the dark side.

Those interested in a first-hand look at the health of the DNS root servers during this weekend's 'attack' can check Team Cymru's website dedicated to tracking the health of DNS servers around the world.
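The reflection-and-amplification pattern described above, as an added example that is not part of the original post or of the toolkit it mentions: a victim-side detector run over constructed UDP flow records. The record format, the IP addresses and the 64-byte size assumed for a minimal ANY query are all assumptions made for this example. The logic is the one a defender at the target would apply: DNS responses arriving from many distinct resolvers, with no matching outbound query and a large response-to-query size ratio, are reflected traffic, whether the target is a root server or anyone else.

```python
"""Victim-side detector for DNS reflection/amplification traffic.

Added example, not from the post. Input is a constructed list of UDP flow
records in a made-up one-line format; the field names, addresses and the
64-byte assumed size of a minimal ANY query are assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed records: "ts proto src:port -> dst:port len=N qr=0|1 qtype=X"
# qr=0 is a query, qr=1 a response. 203.0.113.10 is the simulated victim.
SAMPLE_RECORDS = [
    # Legitimate lookup: victim asks its resolver and gets a small answer back.
    "1333152000.000 UDP 203.0.113.10:40000 -> 198.51.100.1:53 len=60 qr=0 qtype=A",
    "1333152000.012 UDP 198.51.100.1:53 -> 203.0.113.10:40000 len=124 qr=1 qtype=A",
] + [
    # Unsolicited large ANY responses from many open resolvers: the reflection flood.
    f"1333152001.{i:03d} UDP 198.51.100.{10 + i}:53 -> 203.0.113.10:{1024 + i} "
    f"len=3100 qr=1 qtype=ANY"
    for i in range(8)
] + [
    # Another host doing normal lookups; must not be flagged.
    "1333152002.000 UDP 203.0.113.20:41000 -> 198.51.100.1:53 len=58 qr=0 qtype=AAAA",
    "1333152002.020 UDP 198.51.100.1:53 -> 203.0.113.20:41000 len=110 qr=1 qtype=AAAA",
]

RECORD_RE = re.compile(
    r"(?P<ts>[\d.]+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+) qr=(?P<qr>[01]) qtype=(?P<qtype>\w+)"
)
MIN_QUERY_BYTES = 64  # assumed on-the-wire size of a minimal ANY query


def parse(line):
    """Parse one record line into a dict with numeric fields converted."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "qr"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec


def detect_reflection(lines, min_reflectors=5, min_amplification=10.0):
    """Return {victim_ip: summary} for hosts receiving unsolicited DNS responses
    from many distinct sources at a high estimated amplification ratio."""
    seen_queries = set()            # 4-tuples of queries we saw leave the network
    unsolicited = defaultdict(list)  # responses with no matching query, by destination
    for rec in map(parse, lines):
        if rec["proto"] != "UDP":
            continue
        if rec["qr"] == 0 and rec["dport"] == 53:
            seen_queries.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
        elif rec["qr"] == 1 and rec["sport"] == 53:
            key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if key in seen_queries:
                continue  # a real answer to a query we watched go out
            unsolicited[rec["dst"]].append(rec)

    alerts = {}
    for victim, recs in unsolicited.items():
        reflectors = {r["src"] for r in recs}
        total = sum(r["len"] for r in recs)
        # Bytes delivered per response versus the tiny spoofed query that triggered it.
        amplification = (total / len(recs)) / MIN_QUERY_BYTES
        if len(reflectors) >= min_reflectors and amplification >= min_amplification:
            alerts[victim] = {
                "reflectors": len(reflectors),
                "responses": len(recs),
                "bytes": total,
                "amplification": round(amplification, 1),
                "qtypes": sorted({r["qtype"] for r in recs}),
            }
    return alerts


if __name__ == "__main__":
    for victim, summary in detect_reflection(SAMPLE_RECORDS).items():
        print(victim, summary)
```

The two thresholds are the tuning knobs: a single misbehaving resolver sending big answers is a misconfiguration, while dozens of them hitting one address with ANY responses nobody asked for is the signature of spoofed-source reflection.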


We Will Get Fooled Yet Again

Posted by Patrick Snyder on Friday, 17 February 2012 in Uncategorized

As if Android security controls weren't bad enough, it seems even more malicious applications have made their way onto users' devices. This new breed of malware is unlike any other. With the increasing power and capabilities of smartphones, soon to include quad-core processors, attackers have begun to broaden their focus beyond exploiting desktop and laptop computers and are now targeting mobile devices for their botnets.

Smartphones are the perfect target. They are small, powerful, mobile, and best of all teeming with connectivity. Their size and mobility make them great for spreading malware throughout multiple corporate and public areas, anywhere someone might travel and connect to an open, unencrypted Wi-Fi network. Their increasing processing power has made them just as suitable as more powerful machines for running various attacks and malicious campaigns. Best of all, the connectivity and collaborative information we process through our devices allows malicious attackers to have a field day with our contacts and information.

Unlike full desktop operating systems, mobile operating systems are much more lightweight and are designed very differently from our traditional operating systems. Yes, we still run various applications, but many more exist on our mobile devices for narrowly specified purposes. On a standard PC, when you want to check your bank account balance or social network, you generally log in through a browser. Smartphone application developers have simplified this process by giving you specialized applications that retain your login credentials for easy, efficient, instant access to these accounts.

What’s worse than writing down your passwords? I say it’s saving them for automatic logins in our applications, especially if these applications are infected with malware.

Picture this: You download an innocent looking banking or social networking application, one recommended by friends or one you have seen advertised on the web, through email, etc. You install the application and log in with your banking and/or social networking credentials. Expecting to see your account balance or messages from friends, you are surprised to find yourself now bombarded with spam advertisements, false banking information, and not a friend to be seen. To make matters worse your credit card has now run up a few hundred dollars worth of charges within a few minutes. Welcome to the new world of mobile malware.

The applications infected by the Trojan in these two news stories, by Computerworld and ZDNet, may not be for banking or social networking, but in an application-rich environment we must always consider the impact of fraudulent applications making their way into our most trusted environments. If they can trick us with fraudulent websites, there is no doubt they can trick us with fraudulent applications.


Fool me once shame on you, fool me twice shame on you

Posted by Ken Kousky on Wednesday, 25 January 2012 in MyBlog

It looks as though 2012 is gearing up to be not only the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many other banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

1. In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?
2. I am addressed as "Stake Winner". You would think that my winning $800,000.00 would at least warrant a name lookup by the Texas Lottery Commission.
3. Google Translate is getting pretty good, but not good enough to correct the grammar in this awkward message.
4. Wait a minute, this isn't Texas. I'm not even a resident of Texas, nor have I entered the Texas lottery lately.
5. Oh, of course, that makes perfect sense: a Texas lotto claims agent, located in the United Kingdom, with only a Gmail email account.
6. Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes, absolutely, I sure wouldn't trust my lotto commissioners to hold anything less than a doctorate (hmm, odd, she seems to enjoy signing her name "Morgan Lewis").

Although this is a weak example of an online scam, the excitement of a lotto winning can sometimes cause all logic to go out the window. Check back as I’ll be updating you periodically on this year’s newest phishing attacks and how to avoid being duped.
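The indicators listed above, turned into mechanical checks as an added example (this is not the author's message or code): a small scorer that parses a raw message with Python's standard email module and flags an organisation name on a free-mail sending domain, a Reply-To that differs from the sender, bulk addressing instead of a named recipient, a generic salutation, lottery lure language, a free-mail contact address in the body, and a sign-off with more than one name. Both sample messages are constructed, the scam one modelled on the post's description; the indicator names and the score threshold are assumptions chosen for the example.

```python
"""Heuristic phishing indicator scorer run over a constructed sample message.

Added example, not from the post. SAMPLE_SCAM is modelled on the lottery scam
the post describes (not the author's actual message) and SAMPLE_BENIGN is a
made-up ordinary mail; the indicator names and the score threshold are
assumptions chosen for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_SCAM = """\
From: Texas Lottery Commission <texaslotto.claims@gmail.com>
Reply-To: claims.agent.uk@gmail.com
To: undisclosed-recipients:;
Subject: CONGRATULATION STAKE WINNER!!!
Content-Type: text/plain; charset="utf-8"

Dear Stake Winner,

Your email address was selected in our online email lottery draw and you
have won the sum of $800,000.00 USD. To claim your prize contact our claims
agent in the United Kingdom immediately: claims.agent.uk@gmail.com

Dr. Roseline Morgan
Director, Texas Lottery Commission
Morgan Lewis
"""

SAMPLE_BENIGN = """\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.org>
Subject: Tuesday meeting notes
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Notes from today's meeting are in the shared folder.

Alice
"""

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
GENERIC_SALUTATIONS = ("dear stake winner", "dear winner", "dear lucky winner",
                       "dear beneficiary", "dear customer", "dear user")
LURE_PATTERNS = [  # advance-fee / lottery lure language
    r"\bemail (address )?(was )?selected\b",
    r"\blottery\b",
    r"\bwon the sum of\b",
    r"\$[\d,]+\.\d{2}",
    r"\bclaims? agent\b",
]
NAME_LINE = re.compile(r"^(?:Dr\.|Mr\.|Mrs\.|Ms\.)?\s*(?:[A-Z][a-z]+\s+){1,2}[A-Z][a-z]+$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _addr_parts(header_value):
    """(display name, address, domain) for a From/Reply-To style header."""
    name, addr = parseaddr(header_value or "")
    return name, addr.lower(), addr.rpartition("@")[2].lower()


def _plain_body(msg):
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _signature_names(body):
    """Distinct personal names found in the last few lines of the body."""
    tail = [ln.strip() for ln in body.strip().splitlines() if ln.strip()][-4:]
    return {re.sub(r"^(?:Dr|Mr|Mrs|Ms)\.\s*", "", ln) for ln in tail if NAME_LINE.match(ln)}


def score_message(raw):
    """Return (score, indicators) for a raw RFC 5322 message; one point each."""
    msg = message_from_string(raw)
    from_name, from_addr, from_domain = _addr_parts(msg.get("From"))
    _, reply_addr, _ = _addr_parts(msg.get("Reply-To"))
    body = _plain_body(msg)
    lower = body.lower()
    indicators = []

    if from_name and from_domain in FREEMAIL_DOMAINS:
        indicators.append("org_name_on_freemail_sender")     # "Texas Lottery" via gmail.com
    if reply_addr and reply_addr != from_addr:
        indicators.append("reply_to_differs_from_sender")
    to_header = (msg.get("To") or "").lower()
    if "undisclosed" in to_header or not parseaddr(to_header)[1]:
        indicators.append("recipient_not_named")
    if lower.lstrip().startswith(GENERIC_SALUTATIONS):
        indicators.append("generic_salutation")               # "Dear Stake Winner"
    if sum(1 for p in LURE_PATTERNS if re.search(p, lower)) >= 2:
        indicators.append("lottery_lure_language")
    if any(a.rpartition("@")[2].lower() in FREEMAIL_DOMAINS and a.lower() != from_addr
           for a in EMAIL_RE.findall(body)):
        indicators.append("freemail_contact_address")         # claims agent on gmail.com
    if len(_signature_names(body)) > 1:
        indicators.append("inconsistent_signature")           # two different signer names
    return len(indicators), indicators


def classify(raw, threshold=3):
    score, _ = score_message(raw)
    return "phishing" if score >= threshold else "ok"
```

None of these checks is decisive on its own (plenty of small businesses send from Gmail, and a Reply-To that differs from From is common on mailing lists), which is why the verdict is a score over several weak signals rather than a single rule.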

Tags: attack, phishing

Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

Posted by Ken Kousky on Friday, 09 September 2011 in MyBlog

The past year has been plagued with a variety of new attacks, the most influential being Operation Shady RAT and its attack on over 70 organizations, the theft of RSA's SecurID data, and the DigiNotar hack that resulted in the compromise of numerous SSL certificates. All of these attacks have one thing in common: they are all Advanced Persistent Threats (APTs). APTs are a new breed of attack taking the IT industry by storm. They are carefully monitored, resilient to defense, polymorphic and incredibly successful. But these attacks are after much more than a few SecurID tokens or SSL certs; the true target is the information these assets let their attackers reach. With one fraudulently issued SSL certificate, attackers can stand up any number of fake sites for the names it covers and lure in unsuspecting victims, who submit valuable personal and banking data to the false pages without warning and without suspicion. This information is then used for political and financial gain, all fueling the machine and allowing further attacks to break down the fragile system we all hold dear.

APTs are one of many emerging threats on the front lines of IT security. Other hot topics in the industry include cloud computing security, new challenges in cryptography, and emerging exploits. Even the business-related aspects of IT are changing rapidly, such as the many improvements to be made to risk management procedures, all influenced by the recent natural disasters on the East Coast along with the 10-year anniversary of 9/11.

So many emerging topics, so little time.

But there is hope for security professionals. IP3 now offers an all new way for security professionals to learn about all of these new emerging threats and technologies and at the same time keep up on their certifications by earning valuable CPEs, all for an incredible price, wrapped up in a package that fits the lifestyle of the even the busiest IT security professional.

Click here for more information on IP3 Inc.’s industry first CPE ToGo program.


So much for the chain of trust

Posted by Patrick Snyder on Tuesday, 30 August 2011 in MyBlog

We all know digital certificates are meant to keep us safe while browsing the web. The root certificates ship with our operating systems and browsers, every certificate carries a digital signature so that it cannot be altered undetected, and together they establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is in fact compromised? What happens when a digital certificate falls into the wrong hands?

Hackers recently obtained a valid SSL certificate for Google's domain from DigiNotar, a Dutch certificate authority. Proof has already been flaunted on pastebin.com of this valuable takeover. It is still unclear how the certificate was obtained: there may have been a breach of DigiNotar's systems that allowed the certificate to be issued, or there may have been a lack of oversight by DigiNotar. Either way, this event presents a significant security risk to users.

This certificate gives the hackers a trusted identity for each of Google's many services, including Gmail, Google search, and Google Apps. The certificate by itself does not redirect anyone, but combined with poisoned DNS, or with a massive spam campaign linking to false sites, it would let them pose as Google and compromise user accounts through a man-in-the-middle attack without the browser objecting.

According to security professionals who examined the information posted on Pastebin, the certificate is in fact valid. This leaves endless possibilities for the hackers to exploit it. Also, since the certificate is valid and chains to a trusted authority, users will not be shown a warning, even if they are on a malicious site posing as Google.

Google is expected to quickly push a Chrome update that distrusts the certificate, and will most likely urge Microsoft, Mozilla, Apple, and others to follow in its footsteps for the safety of the internet.
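What "valid chain, no warning" means mechanically, and what distrusting the certificate changes, as an added example that is not code from the post, from DigiNotar or from any browser: a toy chain validator over dict-shaped certificates signed with textbook RSA on small Mersenne primes (insecure, for illustration only; the CA name, key sizes and the wildcard name are assumptions). With the issuing root in the trust store, a fraudulently issued *.google.com leaf validates for mail.google.com exactly as a legitimate one would; removing that root from the store, or block-listing the leaf's fingerprint, is what makes the very same chain fail, which is the effect the browser updates mentioned above have to achieve.

```python
"""Toy chain-of-trust validation: why a fraudulently issued but valid
certificate produces no browser warning, and what distrusting it changes.

Added example, not code from the post. Certificates are plain dicts and the
signature is textbook RSA over a SHA-256 digest with small Mersenne primes,
so nothing here is secure or parses real X.509; the names and key sizes are
assumptions for illustration only.
"""
import hashlib
import json

E = 65537  # public exponent


def toy_keypair(p, q):
    """Textbook RSA keypair from two primes (toy sizes, never use for real)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    return pow(_digest_int(data) % priv["n"], priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data) % pub["n"]


def tbs(cert):
    """The to-be-signed portion: every field except the signature."""
    fields = {k: cert[k] for k in ("subject", "issuer", "pub", "is_ca")}
    return json.dumps(fields, sort_keys=True).encode()


def issue(subject, issuer_cert, issuer_priv, subject_pub, is_ca=False):
    """Issue a certificate for `subject`; issuer_cert=None means self-signed."""
    cert = {
        "subject": subject,
        "issuer": issuer_cert["subject"] if issuer_cert else subject,
        "pub": subject_pub,
        "is_ca": is_ca,
    }
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert


def fingerprint(cert):
    return hashlib.sha256(tbs(cert) + cert["sig"].to_bytes(32, "big")).hexdigest()


def hostname_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label: *.example.com matches
    www.example.com but not example.com or a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def validate(chain, hostname, trusted_roots, blocked_fingerprints=()):
    """chain = [leaf, ..., root]. Returns (ok, reason)."""
    if not hostname_matches(chain[0]["subject"], hostname):
        return False, "name mismatch"
    for cert in chain:
        if fingerprint(cert) in blocked_fingerprints:
            return False, "blocked: " + cert["subject"]
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"] or not parent["is_ca"]:
            return False, "issuer mismatch"
        if not verify(parent["pub"], tbs(child), child["sig"]):
            return False, "bad signature"
    root = chain[-1]
    if root["issuer"] != root["subject"] or not verify(root["pub"], tbs(root), root["sig"]):
        return False, "root not self-signed"
    if fingerprint(root) not in {fingerprint(r) for r in trusted_roots}:
        return False, "untrusted root"
    return True, "ok"


def build_scenario():
    """A trusted toy CA that has (wrongly) issued *.google.com to an attacker's key."""
    ca_pub, ca_priv = toy_keypair(2**31 - 1, 2**61 - 1)
    attacker_pub, _attacker_priv = toy_keypair(2**89 - 1, 2**107 - 1)
    root = issue("Toy Root CA", None, ca_priv, ca_pub, is_ca=True)
    leaf = issue("*.google.com", root, ca_priv, attacker_pub)
    return [leaf, root], [root]


if __name__ == "__main__":
    chain, roots = build_scenario()
    print(validate(chain, "mail.google.com", roots))   # valid chain: no warning
    print(validate(chain, "mail.google.com", []))      # root removed from the store
    print(validate(chain, "mail.google.com", roots, {fingerprint(chain[0])}))  # leaf blocked
```

Note that the validator has no way to tell a fraudulently issued certificate from a legitimate one: the signature is genuine and the root is trusted. That is why the only remedies are on the relying-party side, pulling the CA from the trust store or block-listing specific fingerprints.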


Earthquakes, Hurricanes, and a Crumbling Infrastructure

Posted by Patrick Snyder on Wednesday, 24 August 2011 in MyBlog

The recent 5.9-magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damage was minimal, this still reminds us of the importance of disaster recovery and business continuity planning. So far reports show only minor injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor compared to other major disasters. The most important thing we must take from this event is that these things can happen anywhere, and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along a hurricane path, but these natural events do deviate from their norms from time to time. In a way, there is no 100% safe place to be. It is always good practice to plan for every disaster possible and not just those that are common for your area.

This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location was chosen for its low risk factor and generally safe environment. But, as I just stated, there is no be-all and end-all safe haven for data centers and IT shops. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

On another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode, but it did shed light on the aging infrastructure of cities along the East Coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event; however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be far less likely to be activated if the infrastructure they are set up for were solid and secure from the start.

With Hurricane Irene bearing down on the East Coast within the next week, we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.


Amazon takes aim at cloud compliance issues with GovCloud

Posted by Patrick Snyder on Thursday, 18 August 2011 in MyBlog

Compliance is never easy and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now U.S. government agencies have found it difficult if not impossible to get their sensitive information onto the cloud despite federal programs aimed at doing just that. The issue has always been with compliance and security. The management of sensitive data has strict regulatory requirements that must be followed in order to protect information.

A few of those important regulatory requirements concern location and access control. Sensitive data from U.S. agencies is required to be stored within U.S. boundaries and to be accessible only by users residing within the U.S. With most cloud services spanning several continents, the challenge of keeping that data contained is nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about GovCloud:

AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Traffic in Arms Regulations (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

The new region is also compliant with FISMA, SAS-70, ISO 27001, PCI DSS Level 1, and HIPAA, and offers FIPS 140-2 compliant endpoints. This will most definitely make compliance auditing far less daunting and increase the security of data in the cloud. Hopefully this new service will lead more federal agencies to join the cloud movement and finally begin to fulfill the goals outlined in Vivek Kundra's Federal Cloud Computing Strategy.


Cloud Risk: Placing all of your eggs in one basket

Posted by Patrick Snyder
on Monday, 08 August 2011
in MyBlog

It's 2 a.m. on a Monday, the workweek starts in 6 hours, and your cloud service provider has just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon's EC2 cloud services and Microsoft's BPOS cloud services were taken out by a lightning strike in Dublin early this week.

Despite proper disaster recovery and business continuity plans developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss; however, the lightning strike was so substantial that it knocked out the phase control system which synchronizes the power loads. The backup generators therefore had to be powered up and load-managed manually, resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability; the execution of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning: having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as "hot sites"). Most cloud service providers will offer you extensive features covering many of these protection services. Although bundling them all into the same provider may be more convenient, it can also lead to further disaster in times of peril.

As we have seen by the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This brings an increased importance to third party services to keep you running while your main cloud service provider gets back on their feet again. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.


Break out the RAT traps, there is shady business afoot

Posted by Patrick Snyder
on Thursday, 04 August 2011
in MyBlog

Forget about LulzSec and Anonymous. Those political hacktivist groups are only amateur script kiddies compared to the hackers recently revealed by McAfee. The newly discovered group's five-year-long attack, which struck at least 72 identified organizations, seems to have originated out of China, although no official location has been determined.

The campaign, dubbed Operation Shady RAT (RAT standing for remote administration tool), employs spear phishing techniques which mimic legitimate email messages (just as many other phishing attacks do); once users open the attachments, their systems become infected with malware that allows them to be controlled by a command-and-control server hosted by the hackers. Unlike other attacks we have seen, this hacking group doesn't seem to be out for laughs or a quick payout. It's data mining they are after, and lots of it.

The longevity of their attacks has led to the compromise of petabytes worth of data thus far. The damage and loss of proprietary information is far more valuable than anyone would have predicted, and until the attackers are shut down, it is only expected to get worse.

This attack brings to light a concept we have been throwing at IT security professionals for quite some time now. Anyone who has attended Ken Kousky's Strategy to Reality seminars has most definitely heard about Advanced Persistent Threats (APTs). This was the same attack approach used in the SCADA attacks on Iraq's nuclear facilities and in Operation Aurora against Google and a dozen or more organizations. For those who need a brush-up on APT attacks, think of them as interactive, polymorphic attacks whose controllers have the ability to evolve and adapt to any security system. You build a wall, they knock it down; you dig a moat, they swim across it. APT attacks represent a new revolution of unstoppable cyber attacks.

The only way to stop an APT attack is to cut it off at its driving source, the C&C server. McAfee is working with a variety of US government agencies to shut down the C&C server; however, the attackers' five-year head start along with jurisdictional issues is sure to make this quite the challenging task.
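Infected hosts that are controlled by a C&C server tend to check in on a timer, and that regularity is something defenders can look for in their own proxy or firewall logs before anyone else shuts the server down. The following is an added example (not code from the original post or from McAfee's report) that runs a simple beaconing heuristic over a constructed, simplified proxy log of the form `<epoch> <src_ip> <dst_host> <bytes>`; the hostnames, addresses and thresholds are assumptions chosen for illustration.

```python
"""Flag (source, destination) pairs with timer-like contact intervals.

Added example: a beaconing heuristic over a constructed proxy log. A workstation
that contacts the same external host at near-constant intervals is reported as
a beaconing candidate for an analyst to review.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic). 10.0.0.5 contacts one host every
# 300 seconds; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1312400000 10.0.0.5 update-check.example.invalid 512
1312400300 10.0.0.5 update-check.example.invalid 498
1312400600 10.0.0.5 update-check.example.invalid 510
1312400900 10.0.0.5 update-check.example.invalid 503
1312401200 10.0.0.5 update-check.example.invalid 511
1312400010 10.0.0.7 news.example.invalid 20480
1312400025 10.0.0.7 cdn.example.invalid 91000
1312400900 10.0.0.7 news.example.invalid 18000
1312403000 10.0.0.7 mail.example.invalid 3000
not a valid line
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return {(src, dst): (mean_interval_s, jitter)} for regular contact pairs.

    jitter is the coefficient of variation (population stddev / mean) of the
    inter-arrival times. Enough events with low jitter suggests automated,
    timer-driven traffic rather than a person browsing. The thresholds are
    assumed starting points; tune them against your own baseline.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged[pair] = (avg, jitter)
    return flagged


if __name__ == "__main__":
    for (src, dst), (avg, jit) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {avg:.0f}s (jitter {jit:.2f})")
```

Real beacons add random sleep, so in practice the jitter threshold is loosened and the check is paired with other signals (destination reputation, unusual user agents, off-hours activity); the heuristic is a triage filter, not a verdict.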

Another issue is many organizations' failure to report or admit a compromise, which makes these attacks even more difficult to follow. Security professionals must keep in mind that, regardless of your organization's reputation or pride, you have a duty to disclose attacks to the proper authority. These attacks cannot be ignored and cannot be fought alone.

Microsoft has even started a program offering a $250,000 incentive to anyone who contributes outstanding solutions to these attacks in defense of the future of computing technology.

If you're wondering whether your organization could be a target, just ask yourself one question: does my information hold any value whatsoever? I'm guessing that for 95% of organizations the answer is yes.


Those who fail to plan for Cloud should plan to fail

Posted by Patrick Snyder
on Friday, 15 July 2011
in MyBlog


Although early cloud computing adopters boast of its cost savings, there seems to be a catch that many organizations are not prepared for. The cost savings in IT are no myth: your organization will save on its IT budget. However, the money saved may not go directly into your pocket right from the start. It must be reinvested and distributed among other company resources to ensure a safe transition to the cloud, and those other resources include security and auditing. Without corporate permission to increase these budgets and implement a new approach to measuring cloud security, the transition can fail, and the result will be reports showing a lack of funding and a lack of security.

The unexpected "reinvestment clause" of a cloud transition has taken many federal organizations by surprise. Since the recent cloud-first mandate by United States Chief Information Officer Vivek Kundra, federal organizations have been urged to transition three services over to the cloud within the next year. Many have been transitioning their low-hanging fruit and resources of minimal importance, which has taken some weight off the organizations but still does not deliver the benefits that the mandate aims to achieve. Other organizations that have gone for broke have done exactly that: gone broke. Data has shown that 79% of federal organizations are complaining of a lack of funds. If only these organizations had planned on reinvesting in auditing and risk management, they would have been able to report financial gains instead of money woes.

"The policy and risk assessment work just hasn't been done," said Paul Sand, Vice President of IP3 Inc. A transition to the cloud takes planning, auditing, research, and careful budgeting. If you are smart about it and take note of the hidden factors, your organization has the potential to gain great success by joining the cloud movement. This reminds me of an old proverb: "Those who fail to plan should plan to fail."

While we are on the topic of cloud transition, it is also important to note the consequences of a failure to budget properly. On top of those with funding concerns, 71% of organizations reported having fears regarding cloud security. The mindset that the cloud should just be secure is a fallacy. A secure cloud takes initiative and constant monitoring and measuring by all responsible parties. This includes doing your homework and researching proper security controls, writing SLAs that require cloud service providers to implement those controls, and auditing those controls. But without a budget these tasks may go unmarked on the security checklist.

The lack of funds has also caused some organizations to sacrifice their privacy and security for multi-tenant, shared, private cloud implementations. This leaves these organizations at risk of spillover and cross-contamination with neighboring information. Granted, the multi-tenant implementation saves money, but it still does not change the fact that it sacrifices security. Since the information being stored and used is usually highly classified federal information, the last thing we would want to do is make a choice, based on an inadequate budget, that sacrifices security.

A transition to the cloud is not something that will happen overnight. It will take planning, budgeting, risk assessment and plenty of audits along the way. Be sure you know what your organization is getting into before you decide to take off into the clouds.



How to ruin VoIP security

Posted by Patrick Snyder
on Wednesday, 29 June 2011
in MyBlog

With recent advances in mobile technologies and IP networks, we have been able to expand our available communication channels to include many new technologies. Mobile email, mobile instant messaging, texting, and VoIP chat are rapidly replacing our more traditional communication networks such as postal services and Plain Old Telephone Service (POTS). With these new technologies we have been able to improve on the security of previous media, including network-level encryption of communication channels, encrypted voice data, and so on. But there was one thing we forgot when introducing these new technologies: they all must fall under the same communications laws and Privacy Acts that governed our older communication media. Compliance with these laws may very well unravel the entire security structure we have put in place.

I'll give you an example: Skype. Since its recent $8.5 billion acquisition of Skype, Microsoft has patented a new technology add-on that will assist the VoIP and video chat application in complying with government-mandated wiretapping and surveillance requirements. The new add-on, dubbed "Legal Intercept", will act as a middleman in Skype, allowing silent recording of conversations.

The revamped software works by intercepting a Skype connection request, rerouting the connection through a recording channel, and then routing the connection on to the requested endpoint.

This type of monitoring is nothing new to communications technology; however, it has yet to hit any of our newest IP technologies. An addition like this is likely to undo any and all security progress we've made in the VoIP world. The trusted connections, encrypted tunnels, and secure data we establish during a VoIP connection can now be altered so that they may be monitored, thus opening a backdoor for malicious attacks. We are taking a technology designed not to be intercepted and intercepting it on purpose, all to suit Big Brother. We must remember, though, that Big Brother will not be the only one capable of listening.

This should really be raising some questions. What security is in place to ensure these communication channels can only be intercepted by authorized government monitoring agencies? What security is applied to the recorded sessions once they are captured? What back doors into our data are being used to enable these recording channels? I am all for national security; however, opening more back doors and vulnerable channels seems to outweigh the security introduced by this technology. For now, this new technology really only seems to be introducing national insecurity.


Hacking group gets their 'Lulz' thanks to poor security

Posted by Patrick Snyder
on Thursday, 16 June 2011
in MyBlog

Lulz Security, a seemingly innocent name you might actually confuse with a legitimate security company, has rapidly been boosting its hacking reputation since early 2011. The group has managed daily hacks on dozens of websites all across the internet and even managed to set up call-forwarding attacks on many customer support lines. Among the most notable are the hacks of Sony, the US Senate, the FBI, and the CIA. Many of their attacks have been simple perimeter breaches, things that security professionals should have locked down a long time ago.

These hacks highlight the time many security managers waste attempting to secure only their outer defenses. True security should live directly around your most precious assets. The security method deployed by most sites hit by LulzSec has been primarily perimeter-based. This type of security is like building a wall around your home yet leaving your doors unlocked and expecting the wall alone to keep people out. As we can now see, that methodology is unacceptable and simply is not enough.

Though this group has caused some major disruptions in many networks, they do not seem to have a truly malevolent motive in these attacks. They do not seem to be out for financial or political gain. As their tweets and even their name 'Lulz' (a reference to 'laughs') suggest, they are doing this simply for the entertainment and the sport of it. They have even been operating what I like to call a hack-by-request system, where anyone is free to contact them with a target to be hacked. The truly surprising fact is that they have actually been able to hack nearly every target they are given, whether it be a simple gaming forum or a high-level government website. They are breaking through what should be the most secure websites on the internet using simple DDoS and packet flooding attacks.

Beyond exposing a lack of perimeter defenses their hacks have also brought to our attention many other security issues that most of us are still ignoring. Their hack on Sony revealed not only inadequate security defenses on Sony's part but also an astonishing amount of password reuse by users, which we all know is one of the most prevalent security flaws that exists.

Let's face it, these attacks have been happening for years, and organizations have simply been able to keep quiet while sweeping the mess under the rug. LulzSec's public hacking escapade has finally brought these attacks to the attention of the general public. They are exposing many organizations' security systems for what they really are: weak. There is no more ignoring our simple mistakes. It is time we all step up our security to the level it needs to be at in this world of cyber threats. This should be a true eye-opener for security professionals. It may be your only chance to get things right before your information is truly at risk of theft and misuse that will result in financial loss and legal liability.


Corporations begin biting their nails over IPv6

Posted by Patrick Snyder
on Tuesday, 07 June 2011
in MyBlog

For those who don't know, tomorrow is World IPv6 Day, a day when over 400 corporate, government, and university websites will switch their networking over to the IPv6 protocol for a 24-hour period. The changeover will signify the start of a new generation of internet protocol and hopefully give credit to the IPv6 system, which has been driven into the market since 1999. With the now imminent depletion of all remaining IPv4 addresses, IPv6 Day aims to push the remaining non-conformers over to the new system and bring much more attention to it as a necessary protocol. Though this will be a landmark day due to its introduction of the largest wide-scale implementation of IPv6 to date, it could also be D-Day for the largest wide-scale implementation of DDoS attacks.

Though the trial changeover will only last from 8:00 p.m. tonight until 7:59 p.m. tomorrow night, there is still the possibility of some major issues, one of the most probable being DDoS attacks. These attacks rely on jamming up network routers and devices with overwhelming amounts of traffic, causing the network to crash and deny all remaining requests. Since IPv6 packet headers are four times the size of IPv4 packet headers, they take four times as long for routers to process. In a digital world this takes only nanoseconds, but multiply it by thousands of requests a minute or even per second, combined with the increased processing time it takes to handle a larger IPv6 header, and the system can potentially jam up very quickly.

Many large corporate websites on the IPv6 trial list, such as Google, Facebook, and Juniper, have seen their fair share of attempted attacks in the past. This new system, still in its infancy, could be the perfect opportunity for hackers to finally break through to the information they want.

One advantage of being on this list of 400 is that these corporations have done their homework on IPv6 and their systems have been built to handle the protocol. Another attack vector arises for those companies that have yet to move their packet inspection systems to a dual-stack implementation that handles both IPv4 and IPv6 traffic. These companies will be accepting uninspected IPv6 traffic through their devices, with the potential for a broad array of network attacks.
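The two points above, the larger IPv6 header a router must parse and the IPv6 traffic that an IPv4-only inspection device never looks at, are easiest to see with a parser in hand. The following is an added example, not code from the original post or from any of the listed organizations: it reads the version nibble of a raw IP packet, parses the IPv4 header (20 bytes minimum, IHL times four in general) or the fixed 40-byte IPv6 header, and then models an inspection device that only understands IPv4 so the IPv6 packets it silently passes through show up in a separate list. The sample packets are constructed with helper functions (IPv4 checksums left at zero, since nothing on the wire is involved); the addresses are documentation ranges and the `inspector_supports_ipv6` flag is an assumption of the model.

```python
"""Parse IPv4/IPv6 headers and model an IPv4-only inspection device.

Added example (not the post's or any vendor's code). Shows what a dual-stack
network sends through an inspector that only understands IPv4.
"""
import ipaddress
import struct

IPV4_MIN_HEADER = 20   # bytes, IHL = 5
IPV6_FIXED_HEADER = 40  # bytes, before any extension headers


def parse_ip_header(packet: bytes) -> dict:
    """Return version, header length, protocol/next-header and addresses."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        hdr_len = (packet[0] & 0x0F) * 4
        if hdr_len < IPV4_MIN_HEADER or len(packet) < hdr_len:
            raise ValueError("truncated or malformed IPv4 header")
        return {
            "version": 4,
            "header_len": hdr_len,
            "protocol": packet[9],
            "src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
        }
    if version == 6:
        if len(packet) < IPV6_FIXED_HEADER:
            raise ValueError("truncated IPv6 header")
        return {
            "version": 6,
            "header_len": IPV6_FIXED_HEADER,
            "protocol": packet[6],  # Next Header field
            "src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
        }
    raise ValueError(f"unknown IP version {version}")


def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for testing (header checksum left 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_MIN_HEADER + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_ipv6(src: str, dst: str, next_header: int = 6, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv6 packet for testing (no extension headers)."""
    header = struct.pack(
        "!IHBB16s16s",
        0x60000000, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def inspect(packets, inspector_supports_ipv6: bool = False):
    """Split packets into (inspected, bypassed) for a modelled inspection device.

    An IPv4-only device has no parser for version 6, so those packets are
    forwarded without inspection; a dual-stack device inspects both.
    """
    inspected, bypassed = [], []
    for pkt in packets:
        info = parse_ip_header(pkt)
        if info["version"] == 6 and not inspector_supports_ipv6:
            bypassed.append(info)
        else:
            inspected.append(info)
    return inspected, bypassed


if __name__ == "__main__":
    # Constructed traffic: one IPv4 and one IPv6 packet on a dual-stack link.
    traffic = [
        build_ipv4("192.0.2.10", "198.51.100.20", payload=b"\x00" * 8),
        build_ipv6("2001:db8::10", "2001:db8::20", payload=b"\x00" * 8),
    ]
    seen, missed = inspect(traffic)
    for info in seen:
        print("inspected:", info)
    for info in missed:
        print("BYPASSED (no IPv6 parser):", info)
```

The IPv6 parser above stops at the fixed header; real inspection has to walk extension headers (Next Header chaining) before it reaches the transport protocol, which is exactly the extra per-packet work the post is worried about under flood conditions.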

This trial period will be a major learning experience for all IPv6 amateurs. If your corporation has plans to implement increased network security, today would be the day to do so. Be prepared to hear more about this all across the cyber world as the day goes on.


Pentagon's "Big Stick Ideology" Meets its First Test of Willpower

Posted by Patrick Snyder
on Monday, 06 June 2011
in MyBlog

No more than a week after the Pentagon's military threats in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
"Last week, IP3 assessed the Pentagon's decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon's aggressive stance. Taking action that raises your profile without any clear benefit is usually a bad move."

I'm sure most of you have heard the ancient Japanese proverb, "The nail that sticks out gets hammered down." The U.S. government may have just targeted themselves as that very nail. By introducing such a strong statement, we have invited other less agreeable entities to test our claims of military force.

Another phrase that comes to mind is the African proverb "Speak softly and carry a big stick," which was popularized by Theodore Roosevelt in his Big Stick ideology of peaceful negotiation backed by the threat of military force. So what happens when that threat of force is tested? Is it truly customary to take out the big stick and start swinging? This will be the true test of something I will call "cyberwar policy."

Cyber policies will soon become a very hot topic in light of recent events. One event is the government-controlled network outages that began in Egypt, which now seem to be a trend, seeing as the Nigerian government has done the same. This caused questioning in the U.S., which led to the introduction of the "kill switch" legislation now making its way through Congress. A second event was the Pentagon's consideration of cyber attacks as acts of war.

These recent events have begun to outline rules of cyberwar. There are many questions to be asked and much policy to be drawn up regarding these and future events. One thing is certain, our representatives had better get a handle on this policy soon before things get out of control.


In the trenches of 21st century Cyberwar

Posted by Patrick Snyder
on Tuesday, 31 May 2011
in MyBlog

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nation's infrastructure as acts of war and is implementing a strategy which will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says:
"Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem. Attribution is assigning responsibility for the attack to the appropriate party. With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a path filled with significant chances for profound mistakes."

This statement by Paul Sand is understandable considering that most cyberattacks and hacking incidents are not formulated by a governing body. They are generally run by a small group of rogue individuals acting independently of any government. Take for instance the group "Anonymous", which is nothing more than a large informal collection of hackers spanning various continents. How will a target be decided in the event of an attack from multiple locations? Also keep in mind that most hackers are still in their teens. Are we to expect our government to discharge nuclear weapons on an innocent country because some adolescent hacked into one of our government sites from a computer in his basement?

Paul Sand continues:
"Further, cyber attacks that are 'war-like' are not likely to be independent attacks. The 2011 OECD report 'Reducing Systemic Cybersecurity Risk' lays out a strong argument that cyber attacks will be coincident with conventional 'kinetic' military actions. In that event, this new doctrine of response to the cyber attack is not necessary … existing doctrine governing the response to the kinetic attack will be sufficient and is much less susceptible to problems with accurately attributing the act to the true attacker."
"All in all, the Pentagon has not made the cyber world any safer by concluding that cyber attacks are an act of war."


In other news:

Lockheed Martin has acknowledged a significant cyberattack on its infrastructure. Evidence has surfaced linking this attack to the recent hack of RSA and the theft of RSA's SecurID authentication token data. The stolen material was used in an attack on Lockheed Martin in an attempt to obtain sensitive information from the security and defense company. Luckily, Lockheed was able to thwart the attack very quickly after it propagated on their systems, and assures everyone that no data was stolen.

This attack on Lockheed Martin arrives on the landscape with an abundance of other cyberattacks including those on broadcaster PBS, EMC Corp.'s RSA security unit, Epsilon Data Management, LLC, and Sony Corp.'s PlayStation Network.

Today's networks are erupting with cyberattacks and cyberwarfare, and governing bodies are struggling to keep hold of their authority. Though the legislation is still unclear, the message should be clear to hackers. You've been warned! The next time you press enter and launch that malicious code, you could end up with a USAF B-52 bomber over your head.


Mobile browser security is a spoof

Posted by Patrick Snyder
on Tuesday, 31 May 2011
in MyBlog

Since when does innovation call for imitation of security? In today's world users demand portability. This involves designing devices and services to operate on much smaller platforms, which means taking that 15-inch laptop from the office and crushing it down to a 4-inch pocket-sized supercomputer, and not only that but also taking those web browsers and applications and stripping them down to their minimal aspects to ensure lightweight, simple operation. In the process of stripping down these devices we are leaving out an important aspect: the security.

Although the convenience of having a pocket-sized computer seems to trump most of our performance concerns, we are actually giving up more than we can afford. Full-sized devices offer us many integral features which we now take for granted. These features include security checks and warnings which are key to our safe networking.

For example, while using a standard full-sized browser it is easy to see in the URL bar when you are accessing a secure site. You are generally presented with the SSL padlock, or some other form of green-light indicator, which assures you that the page you are currently accessing is encrypting your information and is safe.

Our drive for mobile simplicity has led us to throw out these security checks, which opens the door to spoofed websites that can present us with false information and fake logins. Only a handful of users have the knowledge to detect such websites on their mobile devices. We predict that phishing attacks related to this type of mobile spoofing will become one of the most abundant threats to mobile users in the coming years.

Thankfully, many mobile browsers now support SSL and HTTPS, but that only helps when the user chooses the securely protected website. Not many custom mobile sites have been designed to handle this type of security yet. Anyone who has accessed a full-sized webpage on a mobile device knows how difficult it can be to read small text and press submit buttons. This makes custom-built mobile sites the optimal choice for convenience, but definitely not for security.

There is work being done to prevent mobile site spoofing. But until this type of security is optimized and becomes the new standard in the industry, we will constantly be bombarded with fake login pages and spoofed sites.

On another note, our mobile apps could also use a security overhaul. It is only a matter of time before cyber criminals begin implementing malicious app installations by fooling our mobile carriers into thinking their app is good, then flipping a switch on a server and transforming the app into one that commits malicious tasks, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout.

Innovations in mobile computing and browsing should make no exceptions to the rules of security, no matter how convenient it may be for user performance. Users these days have it all wrong. For those of you demanding power and portability, take a step back and demand your security first!
