Posted on Thu, May 20, 2010 @ 01:48 PM
The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.
Threat #1: Abuse and Nefarious Use of Cloud Computing
Remediation
- Stricter initial registration and validation processes
- Enhanced credit card fraud monitoring and coordination
- Comprehensive introspection of customer network traffic
- Monitoring public blacklists for one's own network blocks
Threat #2: Insecure Interfaces and APIs
Remediation
- Analyze the security model of cloud provider interfaces
- Ensure strong authentication and access controls are implemented in concert with encrypted transmission
- Understand the dependency chain associated with the API (application program interface)
Threat #3: Malicious Insiders
Remediation
- Enforce strict supply chain management and conduct a comprehensive supplier assessment
- Specify human resource requirements as part of legal contracts
- Require transparency into overall information security and management practices, as well as compliance reporting
- Determine security breach notification processes
Threat #4: Shared Technology Issues
Remediation
- Implement security best practices for installation/configuration
- Monitor environment for unauthorized changes/activity
- Promote strong authentication and access control for administrative access and operations
- Enforce service level agreements for patching and vulnerability remediation
- Conduct vulnerability scanning and configuration audits
Threat #5: Data Loss or Leakage
Remediation
- Implement strong API access control
- Encrypt and protect integrity of data in transit
- Analyze data protection at both design and run time
- Implement strong key generation, storage and management, and destruction practices
- Contractually demand providers wipe persistent media before it is released into the pool
- Contractually specify provider backup and retention strategies
Threat #6: Account or Service Hijacking
Remediation
- Prohibit the sharing of account credentials between users and services
- Leverage strong two-factor authentication techniques where possible
- Employ proactive monitoring to detect unauthorized activity
- Understand cloud provider security policies and SLAs
Threat #7: Unknown Risk Profile
Remediation
- Disclosure of applicable logs and data
- Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
- Monitoring and alerting on necessary information
Posted on Mon, Jan 25, 2010 @ 02:15 PM
Over 234 million consumer credit card records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse.org. The seriousness of this problem begs us to examine the gap between meeting industry compliance requirements and the securing of confidential data.
A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk: 81% store payment card numbers; 73% store payment card expiration dates; 71% store payment card verification codes; 57% store customer data from the payment card magnetic stripe; 16% store other personal data. Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
As a result of this behavior by merchants, vulnerabilities were created in the card-processing ecosystem. Information security breaches occurred in point-of-sale devices; personal computers or servers; wireless hotspots; ecommerce applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.
To combat this trend, a PCI Data Security Standard (DSS) was created by the PCI Security Council whose founding members include: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. To any security manager, these standards are very familiar as they mirror corporate best practices for network security. Here are the 12 requirements for PCI DSS.
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Change your passwords often.
Requirement 3: Protect stored cardholder data. Anything stored should be encrypted, and cardholder data should not be retained, or if it is retained, only for a limited time period.
Requirement 4: Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols such as SSL/TLS or IPSEC.
Requirement 5: Use and regularly update anti-virus software or programs. Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities.
Requirement 6: Develop and maintain secure systems and applications. Security vulnerabilities in systems and applications may allow criminals to access cardholder account numbers and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches.
Requirement 7: Restrict access to cardholder data by business need-to-know. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Role-based authentication is helpful here.
Requirement 8: Assign a unique ID to each person with computer access. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Requirement 9: Restrict physical access to cardholder data. Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.
Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.
Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time.
Requirement 12: Maintain a policy that addresses information security for employees and contractors. A strong security policy sets the tone for security affecting an organization's entire company, and it informs employees of their expected duties related to security.
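Requirement 3 is the one the survey figures above show merchants failing most often (storing verification codes and magnetic-stripe data). As an added example, not from the PCI Council or this blog, the Python below shows the storage rule as code: sensitive authentication data is dropped rather than encrypted, the PAN is truncated to first six/last four, and a keyed hash stands in for the PAN where records must still be matched by card. The key, the field names and the transaction are constructed for the example; the card number is the well-known Visa test number.

```python
import hashlib
import hmac
import re

# Constructed key for the keyed PAN hash. Under Requirement 3 the real key lives in a
# key-management system, is never stored next to the data, and is rotated and destroyed on schedule.
TOKEN_KEY = b"example-only-token-key-0000"

# Sensitive authentication data that must never be stored after authorization,
# even encrypted: full track contents, card verification code, PIN or PIN block.
NEVER_STORE = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}


def digits_only(pan: str) -> str:
    """Strip spaces and dashes and check the length range a PAN can have."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest is rendered unreadable."""
    d = digits_only(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way hash of the full PAN, so records can be matched by card
    (refunds, fraud lookups) without the PAN itself being on disk."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict) -> dict:
    """Build the record that is allowed to reach persistent storage."""
    stored = {}
    for field, value in txn.items():
        name = field.lower()
        if name in NEVER_STORE:
            continue                                   # dropped, not masked
        if name == "pan":
            stored["pan_masked"] = truncate_pan(value)
            stored["pan_token"] = tokenize_pan(value)
        else:
            stored[field] = value
    return stored


# Constructed transaction using the well-known Visa test number, not real cardholder data.
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "track2": ";4111111111111111=12121011000012345678?",
    "expiry": "12/12",
    "amount": "19.99",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_TXN))
```

Because the hash is keyed, an attacker who copies the database cannot rebuild the PANs by hashing the small space of valid card numbers; that makes the key itself part of the cardholder data environment and subject to the same key-management discipline. Truncation is deliberately lossy, which is why the token exists alongside it.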
Posted on Mon, Jan 11, 2010 @ 02:22 PM
A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.
Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.
For example, mnemonic passwords, which are created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: the famous Ghostbusters line "Dogs and cats, living together!" becomes, with a few substitutions, "D&c,lt." However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.
The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.
To discourage the latter from happening experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions in six months!
Instead of a mnemonic password, research suggests that users are better off constructing passwords out of a phrase itself, a passphrase. Newsweek gives this example: a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years.
The main point here is a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols. So break out those old Sinatra songs, "do be do be doo... strangers in the night..." there could be some great passwords in them.
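The Newsweek figures come from the arithmetic of a brute-force search, which is worth seeing worked through. The Python below is an added example, not from the article or this blog: it sizes the character set an attacker must search, counts the guesses needed to exhaust every string up to the password's length (the "a", "ab", "abc" search the article describes), and converts that to time at an assumed guess rate. The guess rate and the character-class sizes are my assumptions; the article does not state the rate behind its 219-year figure, so the years here will not match it, but the ratio between the two passwords is what the argument rests on.

```python
import math
import string

# Character-class sizes for a brute-force attacker who searches the full class: an attacker
# who sees one symbol in a password must try every printable symbol, not just that one.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),   # 32 printable ASCII symbols
}

# Assumed attacker speed for the time estimates: a constructed figure, not the one
# behind the Newsweek numbers, which the article does not state.
ASSUMED_GUESSES_PER_SECOND = 10**9


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def brute_force_guesses(alphabet: int, length: int) -> int:
    """Guesses to exhaust every string of length 1..length: a, ab, abc, ... as the article describes."""
    return sum(alphabet ** k for k in range(1, length + 1))


def strength_report(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case search cost for a pure brute-force attacker (no dictionaries, no phrase lists)."""
    alphabet = alphabet_size(password)
    guesses = brute_force_guesses(alphabet, len(password))
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": math.log2(guesses),                       # search space in bits
        "years": guesses / rate / (365.25 * 24 * 3600),   # at the assumed rate
    }


if __name__ == "__main__":
    for pw in ("J4fS<2", "du-bi-du-bi-dub"):
        print(pw, strength_report(pw))
```

Length dominates: adding one character multiplies the search by the whole alphabet, while adding a symbol class to a six-character password only changes the base. The caveat is the one the post itself raises about mnemonics: this model assumes the attacker knows nothing about the phrase. A cracker that guesses song lyrics word by word is not searching 58 characters at a time, so a passphrase drawn from a famous line is weaker than these numbers suggest.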
Posted on Mon, Mar 02, 2009 @ 06:23 AM
Heartland Security Systems has been slow to release detailed information about its data breach, but we know that after being notified by VISA about a high number of fraudulent transactions, it took them at least two weeks to find the source of the problem: malware. More specifically, a Trojan with the ability to sniff data on its network systems. What is significant is that the hackers targeted the sensitive magnetic stripe data as it was being transmitted, not information stored in a database. After all, since one of the core requirements of PCI is that the magnetic stripe data should not be stored, where else can hackers get it, right?
According to released reports, Heartland invested in the security products and audit processes required to comply with the Payment Card Industry Data Security Standard (PCI/DSS), but this did little to thwart a serious exposure of consumer credit card data or to help them identify they had been compromised.
Security professionals for the longest time touted PCI/DSS as a reasonable level of care necessary to secure a business handling this sensitive data from being compromised. I believe it has helped tighten security in a lot of ways, but at the same time I also believe it has given a somewhat false sense of security to many CEOs and corporate security decision makers. PCI compliance does reduce the risk of security incidents, but it in no way guarantees that an organization is secure. The fact that the attack on Heartland was only discovered after receiving a high rate of fraudulent transaction complaints is proof that PCI/DSS compliance is not enough to secure an organization, nor to guarantee that a Heartland-style data breach will not happen again. It took experts several weeks to find the attack, even with advance knowledge that the malicious code was alive on its network.
PCI's preventive measures could not thwart the attack, and the manual audit that was performed took weeks to discover the malicious code.
Are hackers just as bold as ever because corporations have been lulled into a false sense of security by regulations like PCI?
I say yes… but bear in mind it is impossible to create an environment where you are 100% protected from a data breach. Unfortunately, without great advancements in technology, data breaches are going to continue for the near future. What's important is how you respond, how you detect, and how you manage and mitigate the risk.
In my opinion, the best proactive protection against data breaches is proper employee training and education and implementation of robust security tools on an ongoing basis.
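The Heartland post turns on cardholder data being captured in transit rather than read from a database, and on detection taking weeks. That is exactly the exposure a content-aware monitor on the processing network is meant to flag, and it is the "track and monitor" half of PCI Requirement 10 rather than the preventive half. As an added example, not from Heartland's investigation or this blog, the Python below scans a constructed traffic sample for Luhn-valid card numbers and ISO 7813 track-2 records and reports each exposure with the number masked. The sample lines, the regular-expression boundaries and the finding format are my assumptions.

```python
import re

# Constructed capture standing in for traffic a network sniffer or a DLP tap would see.
# Not from the Heartland case. The card number is the well-known Visa test number.
SAMPLE_CAPTURE = """\
POST /authorize HTTP/1.1
pan=4111111111111111&exp=1212&amount=19.99
;4111111111111111=12121011000012345678?
order_id=1234567812345678 status=approved
"""

# A 13-19 digit run that is not part of a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# ISO 7813 track 2: start sentinel, PAN, field separator, YYMM expiry, 3-digit service code.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: drops most random numbers that happen to be 13-19 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(text: str) -> list:
    """One finding per exposure as (line_no, kind, masked_pan); track-2 hits are the
    magnetic-stripe data the post singles out and rank above a bare PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((line_no, "track2", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((line_no, "pan", mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```

The order number on the last line is sixteen digits but fails the Luhn test, so it is not reported; that filter is what keeps a monitor like this from drowning in false positives on identifiers and timestamps. Run against egress traffic or process memory dumps on the card-processing segment, a hit for track-2 data outside the authorization path is the kind of signal that would have shortened the weeks the post describes.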