
Security as a Strategy (SaaS)

Securing Cloud Infrastructure


The Cloud Security Alliance (CSA) came out with some new guidance this month on security issues you should consider when deploying or contracting with vendors for various cloud computing solutions.

The three main layers of cloud computing relevant to application security are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each of these layers has the potential to add new threats to the application’s runtime environment.

The CSA states the questions you should start asking when considering these various scenarios include:

Infrastructure as a Service

  • What mechanisms does the platform provide against DoS and DDoS attacks at the infrastructure and network layers?
  • What threat models are addressed at the infrastructure and network layers?
  • What mechanisms does the platform provide to validate the integrity of the virtual machine images?
  • What protections are in place against BIOS and root kit level attacks? Are there detection and response plans in place if such attacks were to occur?

Platform as a Service

  • Where is the line of responsibility drawn between security of the platform and application components?
  • What facilities does the platform provide for application level logging?
  • Is application log data integrated with other platform-provided logging and reporting?
  • Are there any real time intrusion detection systems deployed for detecting issues related to security at the application layer?
  • What mechanisms does the platform support for isolating message data on the client’s service bus?
  • What mechanisms does the platform support for securing communication between two application components? What mechanisms does the platform support for isolating data at rest and in use?

Software as a Service

  • What Web application security standards (input validation, encoding output, preventing request forgery and information disclosure) are being followed by the vendor?
  • What application and infrastructure controls are in place to isolate the enterprise’s data from that of other tenants?
      • Data at rest
      • Data in transit
      • Data in use

As interest heats up in cloud computing and its related security challenges, we’ll pass along relevant updates.

Quantum mechanics comes to security


Well, now I’ve heard it all, and maybe it’s time to retire. I was reading in Information Week that a group of UCLA computer scientists say they have developed technology that uses quantum bits rather than regular computer bits to secure communications between two devices based on the location of each device.

In other words, based on your authenticated geographic location, a secure encrypted communication channel can be created on the fly between two devices, and it is spoof-proof. To make the location-based encryption, authentication, and communication happen, they used advanced quantum theory.

Now, I always struggled in physics, but here is a description of the difference between regular ole computer bits and quantum bits (courtesy of Wikipedia).

In physics, a quantum (plural: quanta) is the minimum unit of any physical entity involved in an interaction. A photon, for example, is a single quantum of light, and may thus be referred to as a "light quantum". The energy of an electron bound to an atom (at rest) is said to be quantized, which results in the stability of atoms, and of matter in general.

A bit or binary digit is the basic unit of information in computing and telecommunications; it is the amount of information that can be stored by a digital device or other physical system that can usually exist in only two distinct states, “true or false”. In quantum computing, a quantum bit or qubit is a quantum system that can exist in superposition of two bit values, "true" and "false".

What does that all mean? I don’t know; it’s beyond my pay grade. But the important story here is that, according to Rafail Ostrovsky, the UCLA professor of computer science and mathematics who headed the team, "securely proving a location where such a proof cannot be spoofed, and securely communicating only to a device in a particular location and nowhere else is extremely important" because it effectively allows two parties to communicate securely, using only geographical positions as their credentials.

One potential wireless security application, for example, would be to allow two military bases to communicate with each other over insecure channels, without sharing a key in advance or requiring a secure infrastructure. Don’t laugh but I think it’s only a matter of time before we really enter the age of Star Trek and start beaming up and beaming down physical objects based on such early technology.

Microsoft Azure: Private Cloud for the Masses


Two weeks ago at its Worldwide Partners Conference, Microsoft announced that its Windows Azure Cloud computing platform would be made available in a hardware appliance form factor. This, they reasoned, will allow private enterprises, service providers and even government entities to create their own multi-tenant SaaS applications that can run in any data center.

While this is exciting news, especially for companies that like the idea of software-as-a-service but want more privacy regarding their data access, the announcement also brings into focus the challenges of securing cloud applications.

So as you evaluate this platform, keep in mind these recommendations:

  1. Define what the cloud means to your organization
  2. Create awareness of cloud initiatives throughout the organization
  3. Take a broad view when assessing cloud’s impact
  4. Engage professionals from organizations with specific cloud security expertise

As with any IT initiative, early engagement of security professionals will yield a more cost-effective risk management approach than retroactive ones. Experienced professionals can identify security and other implementation issues and recommend appropriate solutions.

Awareness and trust are lacking even among professionals who are familiar with cloud and may be responsible for securing enterprise systems and information. While cloud adoption is expected to grow, customer inexperience with cloud computing, security concerns (and in some cases, lack of concern) and uncertainty about governance could make it difficult for organizations to effectively implement cloud computing or realize full value from it.

Data Loss Prevention Systems: Do you need one?


Data loss prevention systems are another form of employee monitoring that aims to detect the possible transfer or vulnerable storage of valuable and sensitive data assets. Reports from Osterman Research indicate that employees who use email also use instant messaging clients and wikis, post to blogs, use personal Webmail accounts for business purposes, check email from home, send files through FTP systems, take work home and on the road, use USB thumb drives, transport corporate data on mobile devices, and use collaboration tools of various types.

Most of these communications and files are sent and transported without any sort of monitoring, encryption or oversight. The result is that organizations are deploying a growing array of tools and endpoints for employees to become more efficient. And, at the same time, they are creating a growing number of opportunities for information to leak out of an enterprise in unauthorized and potentially damaging ways.

The vast majority of these data breaches are inadvertent, but the opportunity exists for malicious users to send confidential and sensitive data, as well.

According to a survey conducted by Osterman Research during April 2008:

  • 100% of organizations have deployed anti-virus capabilities
  • 99% have deployed anti-spam capabilities
  • 96% have deployed anti-spyware capabilities

However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don’t provide true DLP functionality, only 49% of organizations have deployed these capabilities.

Clearly, the data above suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27% of organizations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organization.

What should you do?

  • Identify the leak points.
  • Deploy systems that will take appropriate action. Systems that monitor outbound communication should act in proportion to the suspected severity of the data breach.
  • Promote appropriate employee handling of data. For example, if an employee sends an inappropriate message to a co-worker or a confidential document to a competitor’s domain, a monitoring system should remind the employee of any corporate policies that apply, including those governing the appropriateness of the communication channel they have chosen.
  • Perform the appropriate level of inspection. Based on corporate policies, the role of the employee in the organization and other factors, content should be inspected according to the applicable policies.
  • Train employees and make them aware of corporate policies.
  • Implement forensics capabilities. Organizations may want to implement forensics capabilities in order to check on how data has been handled after it has been sent, either for legal purposes or simply to understand how their data is being managed.
  • Implement a sender authentication scheme. While not an outbound content scanning mechanism, it is important for any organization to implement an authentication mechanism, such as SPF or DKIM, so that recipients of its emails are given some level of assurance that the sending organization is valid.
  • Integrate tightly with existing infrastructure. To reduce costs, organizations should, whenever possible, choose solutions that are well integrated with their IT infrastructure; this also speeds implementation and lowers ongoing administration costs.
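To make the outbound-inspection and escalation steps above concrete, here is an added Python example (not from the post or any DLP product): it scans a message for sensitive content, weighs the recipient's domain, and returns allow, warn (policy reminder) or block. The corporate domain, competitor domain, detection patterns and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed policy inputs for this example (not from the post).
CORPORATE_DOMAIN = "acme.example"
COMPETITOR_DOMAINS = {"rivalcorp.example"}

# Content indicators and how severe each is.  Identifiers such as card or
# SSN-like numbers are rated higher than a "confidential" marking alone.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CONFIDENTIAL_RE = re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE)
SEVERITY = {"payment card number": 2, "SSN-like identifier": 2, "confidential marking": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so that arbitrary 16-digit strings (order numbers,
    tracking ids) do not trip the card-number rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                      # "allow", "warn" (policy reminder) or "block"
    findings: List[str] = field(default_factory=list)


def find_sensitive(text: str) -> List[str]:
    """Return the labels of every sensitive indicator found in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("payment card number")
            break
    if SSN_RE.search(text):
        findings.append("SSN-like identifier")
    if CONFIDENTIAL_RE.search(text):
        findings.append("confidential marking")
    return findings


def inspect_outbound(msg: Message) -> Verdict:
    """Decide the action for one outbound message.  The escalation follows the
    post's advice: a reminder for questionable use, a block when identifiers
    leave the organization or anything sensitive goes to a competitor."""
    findings = find_sensitive(msg.subject + "\n" + msg.body)
    score = max((SEVERITY[f] for f in findings), default=0)
    rcpt_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    external = rcpt_domain != CORPORATE_DOMAIN
    to_competitor = rcpt_domain in COMPETITOR_DOMAINS

    if to_competitor:
        return Verdict("block" if score >= 1 else "warn", findings)
    if external and score >= 2:
        return Verdict("block", findings)
    if findings:
        return Verdict("warn", findings)
    return Verdict("allow", findings)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("bob@acme.example", "ann@acme.example", "Q3 plan", "Draft, confidential."),
        Message("bob@acme.example", "pat@partner.example", "Card", "Use 4111 1111 1111 1111."),
        Message("bob@acme.example", "sam@rivalcorp.example", "Hi", "Catch up next week?"),
    ]
    for s in samples:
        print(s.recipient, inspect_outbound(s))
```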

20 Controls for Effective Cyber Security and Defense


Securing our nation against cyber attacks has become one of the nation's highest priorities. To achieve this objective, the US Comprehensive National Cybersecurity Initiative (CNCI) has proposed that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses.

The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):

"monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."

Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

Consequently, a consensus document of 20 crucial controls was designed to begin the process of establishing the prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The 20 specific technical security controls are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.

Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.

Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses. Here are the 20:


Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Penetration Tests and Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Appropriate Training to Fill Gaps

How well do you know IT Security - Pt 2? Quiz Answers.

How did you do with the quiz? The correct answer to each question is marked (answer).
  • 0-1  Security fail (maybe time to consider another career)
  • 3-5  Hacker's delight (see recommendation above)
  • 6-8  Formidable defender (not too shabby)
  • 9-10 Best practices model (worth every penny you are paid)

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP (answer)
  • c. Lincoln Tunnel
  • d. SSL

This tunnel is used to negotiate security parameters for the main IPSec tunnel.

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above (answer)

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are (answer)
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

This can include retina or fingerprint scans or other biometrics.

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications (answer)
  • d. Unpatched operating systems

According to Symantec, this can include social media such as Facebook and Twitter.

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above (answer)

And some vendors say NAC should do more.

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer (answer)
  • d. Brute-force attack of Google executives' passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines (answer)
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

When command and control nodes shift, it becomes more difficult to shut them and their subject machines down.

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege (answer)

This is actually recommended to strengthen applications.

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires trusting a party to verify public keys (answer)
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP (answer)
  • d. 802.11i

How well do you know IT Security? Take the Quiz.

Network World published this quiz to test your knowledge of IT security. Take the test to see how much of a security expert you really are. We'll publish the answers in the next blog.

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP
  • c. Lincoln Tunnel
  • d. SSL

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications
  • d. Unpatched operating systems

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer
  • d. Brute-force attack of Google executives' passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires trusting a party to verify public keys
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP
  • d. 802.11i

The Dark Side of Software-as-a-Service (Psst! Business Continuity)

WordPress offers blog services to about 10 million users. It is a true SaaS application designed with a multitenant architecture. In this architecture all users are "tenants" sharing the same database and application logic; they are in virtual isolation from each other but physically in the same building. Recently WordPress had an outage which affected all 10 million users. But what was different in this scenario, compared with network issues, is that the outage was caused by a code change to the application.

In multitenant SaaS applications, new changes are rolled out on a regular and frequent basis. Every customer is always on the latest release. However, when something goes awry, everyone also gets the hit. Performance, security and service levels are all dependent on the design of the application as well as the datacenter infrastructure where the application resides.

A potential solution to the ripple effect inherent in SaaS applications is a move to a "multi-apartment building" concept. In this model the tenants are grouped into different buildings, as opposed to the current model where everyone is in the same building. Changes could then be tested in one building, or group of customers, before being rolled out to the general population.

Having such a design would also enable testing for security vulnerabilities and specific performance enhancements, and evaluating the impact of new code changes. Therefore, when in the market for SaaS solutions, it may be wise to ask potential vendors whether their application supports multiple apartment buildings or is just a single-building design. You may avoid a lot of anguish in the future by making the right choice.
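As an added example of the multi-apartment building idea (not WordPress's or any vendor's code), the following Python model groups tenants into buildings with a stable hash, rolls a release out one building at a time, and stops at the first building whose health check fails, so the blast radius of a bad change can be compared with the single-building model. Tenant names, the building count and the simulated faulty release are constructed for illustration.

```python
import hashlib
from typing import Callable, Dict, List, Set


def building_for(tenant: str, buildings: int) -> int:
    """Stable assignment: hash the tenant id so it lands in the same building
    on every release (constructed scheme, not any product's)."""
    digest = hashlib.sha256(tenant.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % buildings


def group_tenants(tenants: List[str], buildings: int) -> Dict[int, List[str]]:
    """Split the tenant population into `buildings` groups."""
    groups: Dict[int, List[str]] = {b: [] for b in range(buildings)}
    for t in tenants:
        groups[building_for(t, buildings)].append(t)
    return groups


def staged_rollout(groups: Dict[int, List[str]],
                   healthy: Callable[[List[str]], bool]) -> dict:
    """Deploy building by building; stop at the first building whose
    post-deploy health check fails.  Returns which tenants received the
    change (the blast radius) and which were spared."""
    hit: List[str] = []
    failed = None
    for b in sorted(groups):
        hit.extend(groups[b])          # this building now runs the new code
        if not healthy(groups[b]):
            failed = b
            break
    spared = [t for b in sorted(groups) for t in groups[b] if t not in hit]
    return {"hit": hit, "failed_building": failed, "spared": spared}


def blast_radius(tenants: List[str], buildings: int, broken: Set[str]) -> int:
    """Number of tenants exposed to a release that breaks the `broken`
    tenants, under a `buildings`-way split.  One building is the
    everyone-in-the-same-building model described in the post."""
    groups = group_tenants(tenants, buildings)
    healthy = lambda tenant_list: not (set(tenant_list) & broken)
    return len(staged_rollout(groups, healthy)["hit"])


if __name__ == "__main__":
    # Constructed tenant population and a release that breaks one tenant.
    tenants = [f"tenant-{i}" for i in range(12)]
    broken = {"tenant-7"}
    for n in (1, 4):
        print(f"{n} building(s): {blast_radius(tenants, n, broken)} of {len(tenants)} tenants hit")
```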

Tabnapping: New Security Threat

Network World reported that all the major web browsers on Windows and Mac OS X are vulnerable to a new type of phishing scam: "tabnapping." A combination of the words kidnapping and tab, as in screen tabs, tabnapping happens when an already open tab is secretly switched unbeknownst to the user. As an example, when I work I typically have several Internet Explorer (IE) tabs open. Say one of them is my bank's site, and I leave that tab and go to my email account; when I go back to my bank page it says the page timed out, so I have to log in again. But what could have happened is that someone switched the page, and I am actually logging in to a page that diverts my identity and log-in details to a scammer.

Prevention

Here are some things you can do to avoid being tabnapped:

  • Don't log in on a tab that you haven't opened yourself. If you see a tab that contains a seemingly legit log-in form, close it, then head to the site yourself in a new tab.
  • Get on the latest release of your web browser. Every major browser has a filter of some kind designed to weed out malicious sites and/or legitimate sites that are suspected of being infected with attack code. Presumably, those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.
  • Look at the URL in your browser's address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to "spoof," or fake, the URL, it won't match the bogus log-in screen. That's your cue to close the tab immediately.

Google’s Government Cloud: A Sprinkling of Security Forecasted

The City of Los Angeles recently signed a deal with CSC, a systems integrator, to provide a hosted email solution from Google. L.A. was using an on-premises email solution from Novell but found it less expensive and more functional to move to a hosted solution. However, what is important to note here is that the service being delivered to the city is more secure than the service Google currently provides to consumers and businesses.

The government cloud will constitute a "dedicated parallel environment" to Google's commercial Google Apps cloud for consumers and enterprises. Data created in this cloud by federal, state and local government agencies will be hosted on separate servers within existing Google data centers in the United States. Storing such data on separate servers makes sense, given all of the sensitive information the government generates.

However, the federal version boasts greater security, privacy and compliance to satisfy the stringent requirements of U.S. federal government agencies, related government contractors and others that require the utmost security.

Future capabilities and certifications for Google's government cloud will include two-factor authentication, enhanced encryption and the achievement of Federal Information Security Management Act (FISMA) certification.

In addition to including the certifications and security features, and dedicated infrastructure in secured facilities, the data center will be accessible only via biometric access controls by U.S. citizens who have undergone the necessary background checks to access the system.

Theoretically, this brings the offering in line with the needs of agencies and contractors who require extremely high levels of security protocols and features. Google aims to target the 300 million U.S. government users creating and sharing information on 10,000 IT systems.

So here we see the evolution of the concept of a "private cloud" from essentially a data center for a private institution, to a datacenter reserved for a certain class or type of customer. And within that datacenter, or cloud, is the need for security. And the security we find is usually being delivered by purpose built appliances that support the mix of multitenant or software-as-a-service application logic.
