
Security as a Strategy (SaaS)


Quantum mechanics comes to security


Well, now I’ve heard it all and maybe it’s time to retire. I was reading in Information Week that a group of UCLA computer scientists say they have developed technology that uses quantum bits rather than regular computer bits to secure communications between two devices based on the location of each device.

In other words, using an authenticated geographic location as the credential, a spoof-proof encrypted communication channel can be created on the fly between two devices. The location-based encryption, authentication, and communication rely on advanced quantum theory.

Now, I always struggled in physics, but here is a description of the difference between regular ole computer bits and quantum bits (courtesy of Wikipedia).

In physics, a quantum (plural: quanta) is the minimum unit of any physical entity involved in an interaction. A photon, for example, is a single quantum of light, and may thus be referred to as a "light quantum". The energy of an electron bound to an atom (at rest) is said to be quantized, which results in the stability of atoms, and of matter in general.

A bit or binary digit is the basic unit of information in computing and telecommunications; it is the amount of information that can be stored by a digital device or other physical system that can usually exist in only two distinct states, “true or false”. In quantum computing, a quantum bit or qubit is a quantum system that can exist in superposition of two bit values, "true" and "false".

What does that all mean? I don’t know; it’s beyond my pay grade. But the important story here is that according to Rafail Ostrovsky, the UCLA professor of computer science and mathematics who headed the team, "securely proving a location where such a proof cannot be spoofed, and securely communicating only to a device in a particular location and nowhere else is extremely important" because it effectively allows two parties to communicate securely, using only geographical positions as their credentials.

One potential wireless security application, for example, would be to allow two military bases to communicate with each other over insecure channels, without sharing a key in advance or requiring a secure infrastructure. Don’t laugh, but I think it’s only a matter of time before we really enter the age of Star Trek and start beaming up and beaming down physical objects based on such early technology.

20 Controls for Effective Cyber Security and Defense


Securing our nation against cyber attacks has become one of the nation's highest priorities. To achieve this objective, the US Comprehensive National Cybersecurity Initiative (CNCI) has proposed that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses.

The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):

"monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."

Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

Consequently, a consensus document of 20 crucial controls was designed to begin the process of establishing the prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The 20 specific technical security controls are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.

Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that cannot, with current technology and practices, be monitored continuously or automatically.

Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses. Here are the 20:


Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Penetration Tests and Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Appropriate Training to Fill Gaps
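What "automated, continuous" monitoring of Controls 1 and 2 can look like in practice, as an added illustration written for this page (it is not part of the consensus document or of any tool it names): leases granted by a DHCP server are reconciled against the authorized device inventory, and the packages each host reports are reconciled against a software allowlist. Both checks reduce to the same set reconciliation. The inventory, the dhcpd-style log lines, the host names, MAC addresses and package names are all constructed sample data.

```python
"""Added example: continuous inventory reconciliation for Critical Controls 1 and 2.

Control 1 (devices): MAC addresses seen in DHCP server logs vs. the authorized
device inventory. Control 2 (software): packages reported by hosts vs. the
software allowlist. All data below is constructed for the example.
"""
import re
from collections import namedtuple

# Constructed authorized-device inventory: MAC -> asset name.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "alice-laptop",
    "00:11:22:33:44:02": "bob-laptop",
    "00:11:22:33:44:03": "printer-floor2",
}

# Constructed ISC dhcpd-style syslog lines (DHCPACK = a lease was granted).
DHCP_LOG = """\
Mar  2 08:01:12 dhcp dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:01 (alice-laptop) via eth0
Mar  2 08:03:40 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:99 via eth0
Mar  2 08:03:41 dhcp dhcpd: DHCPACK on 10.0.0.57 to 00:11:22:33:44:99 via eth0
Mar  2 08:10:02 dhcp dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:02 (bob-laptop) via eth0
"""

# Constructed software allowlist and per-host package reports (Control 2).
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "bash", "coreutils"}
OBSERVED_SOFTWARE = {
    "web01": {"openssh-server", "nginx", "bash", "coreutils", "netcat-traditional"},
    "web02": {"openssh-server", "nginx", "bash", "coreutils"},
}

DHCP_ACK = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def devices_from_dhcp_log(text):
    """Return {mac: {"ip": ..., "host": ...}} for every lease granted in the log."""
    seen = {}
    for line in text.splitlines():
        m = DHCP_ACK.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"] or ""}
    return seen


Report = namedtuple("Report", "unauthorized missing authorized_seen")


def reconcile(observed, authorized):
    """Set reconciliation: present but not allowed, allowed but absent, or both."""
    observed, authorized = set(observed), set(authorized)
    return Report(
        unauthorized=sorted(observed - authorized),   # unknown item: investigate / quarantine
        missing=sorted(authorized - observed),        # expected but silent: check the asset
        authorized_seen=sorted(observed & authorized),
    )


def check_devices(dhcp_log=DHCP_LOG, inventory=AUTHORIZED_DEVICES):
    """Control 1: compare leased MACs against the authorized inventory (case-normalized)."""
    return reconcile(devices_from_dhcp_log(dhcp_log), {m.lower() for m in inventory})


def check_software(observed=OBSERVED_SOFTWARE, allowlist=AUTHORIZED_SOFTWARE):
    """Control 2: per-host report; a host is clean when its unauthorized list is empty."""
    return {host: reconcile(pkgs, allowlist) for host, pkgs in observed.items()}


if __name__ == "__main__":
    devices = check_devices()
    print("unauthorized devices:", devices.unauthorized)
    print("authorized but not seen:", devices.missing)
    for host, report in check_software().items():
        print(host, "unauthorized software:", report.unauthorized)
```

Run on a schedule against the real DHCP log and real package reports, the two checks give the continuous signal the consensus document asks for: a MAC that obtained a lease without being in the inventory, a device that has gone silent, and a package no allowlist covers.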

How well do you know IT Security - Pt 2? Quiz Answers.

How did you do with the quiz? The correct answer to each question is marked (correct).
  • 0-1  Security fail (maybe time to consider another career)
  • 3-5  Hacker's delight (see recommendation above)
  • 6-8  Formidable defender (not too shabby)
  • 9-10 Best practices model (worth every penny you are paid)

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP (correct)
  • c. Lincoln Tunnel
  • d. SSL

The tunnel is used to negotiate security parameters for the main IPSec tunnel.

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above (correct)

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are (correct)
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

This can include retina or fingerprint scans or other biometrics.

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications (correct)
  • d. Unpatched operating systems

According to Symantec, this can include social media such as Facebook and Twitter.

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above (correct)

And some vendors say NAC should do more.

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer (correct)
  • d. Brute-force attack of Google executive's passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines (correct)
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

When command and control nodes shift, it becomes more difficult to shut them and their subject machines down.

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege (correct)

This is actually recommended to strengthen applications.

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires trusting party to verify public keys (correct)
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP (correct)
  • d. 802.11i

How well do you know IT Security? Take the Quiz.

Network World published this quiz to test your knowledge of IT security. Take the test to see how much of a security expert you really are. We'll publish the answers in the next blog.

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP
  • c. Lincoln Tunnel
  • d. SSL

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications
  • d. Unpatched operating systems

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer
  • d. Brute-force attack of Google executive's passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires trusting party to verify public keys
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP
  • d. 802.11i

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs
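The "proactive monitoring to detect unauthorized activity" item above is the one a tenant can act on without waiting for the provider. As an added example written for this page (not code from the Cloud Security Alliance report or from any provider), here are three hijacking signals run over a tenant's own authentication events: a successful login from a country never seen for that account, a success that immediately follows a burst of failures from the same source, and two successes from different countries too close together to be the same person. The log lines, user names, addresses, countries and the per-account baseline are all constructed.

```python
"""Added example: account-hijacking signals over authentication log lines (Threat #6).

All log lines, accounts, addresses and the baseline below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: one "key=value" event per line.
SAMPLE_LOG = """\
2010-03-02T08:31:12Z user=alice result=success src=203.0.113.10 country=US
2010-03-02T08:35:40Z user=bob result=success src=198.51.100.7 country=US
2010-03-02T09:12:03Z user=alice result=failure src=192.0.2.44 country=RO
2010-03-02T09:12:09Z user=alice result=failure src=192.0.2.44 country=RO
2010-03-02T09:12:15Z user=alice result=failure src=192.0.2.44 country=RO
2010-03-02T09:12:21Z user=alice result=failure src=192.0.2.44 country=RO
2010-03-02T09:12:27Z user=alice result=failure src=192.0.2.44 country=RO
2010-03-02T09:12:33Z user=alice result=success src=192.0.2.44 country=RO
2010-03-02T09:30:00Z user=bob result=success src=198.51.100.7 country=US
"""

# Constructed baseline: countries each account has historically logged in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}

FAILURE_THRESHOLD = 5                   # failures before a success that suggest guessing
FAILURE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(minutes=60)   # two countries inside this window is suspicious


def parse_line(line):
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _alert(alerts, event, rule, detail):
    alerts.append({"rule": rule, "user": event["user"], "ts": event["ts"].isoformat(),
                   "src": event["src"], "detail": detail})


def detect_hijacking(events, baseline):
    """Return a list of alert dicts; each success is checked against three rules."""
    alerts = []
    failures = defaultdict(list)    # (user, src) -> timestamps of recent failures
    successes = defaultdict(list)   # user -> [(ts, country)] of successes seen so far
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            continue
        if e["result"] != "success":
            continue
        user, ts, country = e["user"], e["ts"], e["country"]
        # (1) never-before-seen country for this account
        if country not in baseline.get(user, set()):
            _alert(alerts, e, "new_country", f"first login from {country}")
        # (2) success right after a burst of failures from the same source
        recent = [t for t in failures[key] if ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            _alert(alerts, e, "brute_force_success",
                   f"{len(recent)} failures within {FAILURE_WINDOW} before success")
        # (3) impossible travel: a different country within the travel window
        for prev_ts, prev_country in successes[user]:
            if prev_country != country and ts - prev_ts <= TRAVEL_WINDOW:
                _alert(alerts, e, "impossible_travel",
                       f"{prev_country} at {prev_ts.isoformat()} then {country}")
                break
        successes[user].append((ts, country))
        failures[key].clear()   # a success ends the failure streak for this source
    return alerts


if __name__ == "__main__":
    for a in detect_hijacking(parse_log(SAMPLE_LOG), BASELINE):
        print(a["rule"], a["user"], a["ts"], a["src"], a["detail"])
```

On the sample, only alice's 09:12:33 login trips the rules, and it trips all three at once; the same event reaching three independent detections is a much stronger signal than any one of them, which is the case for keeping several cheap rules rather than one clever one. Thresholds and windows are tuning knobs, and the baseline should be rebuilt from confirmed-good history rather than kept static.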

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

21 Layers of Security


The Transportation Security Administration (TSA) has on its website a diagram of its "defense-in-breadth" strategy. I got a kick out of it because you could liken it to the "defense-in-depth" strategy of many network security professionals.

The TSA says "each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system." So if you get through one layer, the argument goes, you'll get caught in another. Maybe 21 layers is the secret number for network security as well? Just a thought.

Auditing Cloud Security

Security responsibilities of both the provider and the consumer differ greatly between cloud service models. Amazon's AWS EC2 infrastructure-as-a-service offering, as an example, includes vendor responsibility for security up to the hypervisor, meaning the vendor can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for security controls that relate to the IT system (instance), including the operating system, applications, and data.

The inverse is true for Salesforce.com's CRM SaaS offering. Because the entire "stack" is provided by Salesforce.com, the provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.

Cloud Security Alliance Recommendations

Assessment of third-party cloud service providers should specifically target the provider's incident management, business continuity and disaster recovery policies, and processes and procedures; and should include review of co-location and back-up facilities.

This should include review of the provider's internal assessments of conformance to its own policies and procedures, and assessment of the provider's metrics to provide reasonable information regarding the performance and effectiveness of its controls in these areas.

The user's business continuity and disaster recovery plan should include scenarios for loss of the provider's services, and for the provider's loss of third-party services and third-party-dependent capabilities. Testing of this part of the plan should be coordinated with the cloud provider.

The provider's information security governance, risk management, and compliance structures and processes should also be comprehensively assessed:

  • Request clear documentation on how the facility and services are assessed for risk and audited for control weaknesses, the frequency of assessments, and how control weaknesses are mitigated in a timely manner
  • Require definition of what the provider considers critical service and information security success factors, key performance indicators, and how these are measured relative to IT Service and Information Security Management
  • Review the provider's legal, regulatory, industry, and contractual requirements capture, assessment, and communication processes for comprehensiveness
  • Perform full contract or terms-of-use due diligence to determine roles, responsibilities, and accountability; ensure legal review, including an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions
  • Determine whether due diligence requirements encompass all material aspects of the cloud provider relationship, such as the provider's financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities, and use of subcontractors

Even if your application is now in the cloud, your security should still be grounded in fundamental risk management principles.

How to Attack Gas, Water & Nuclear Plants

The Department of Energy (DOE) has a goal to secure control systems used in the energy sector from malicious cyber attacks, attacks that could lead to potentially catastrophic disruptions in our critical infrastructures. As part of this effort, DOE created a document called "Roadmap to Secure Control Systems in the Energy Sector." As I was reading it I came across some interesting nuggets about previous attacks on utilities (Source: GAO 2004, Reed 2005). Some things you may not hear on David Letterman.

  1. Unsuspected code hidden in transferred product (USSR, 1982)

While the following cannot be confirmed, it has been reported that during the Cold War the CIA inserted malicious code into control system software leaked to the Soviet Union. The software, which controlled pumps, turbines, and valves on a Soviet gas pipeline, was programmed to malfunction after a set interval. The malfunction caused the control system to reset pump speeds and valve settings to produce pressures beyond the failure ratings of pipeline joints and welds, eventually causing an enormous explosion.

  2. Hacker exploits cross-sector interdependence (Massachusetts, USA, 1997)

A teenager hacked into and remotely disabled part of the public switching network, disrupting phone service for local residents and the fire department and causing a malfunction at a nearby airport.

  3. Insider hacks into sewage treatment plant (Australia, 2001)

A former employee of the software developer hacked into the SCADA system that controlled a Queensland sewage treatment plant, causing a large sewage discharge over a sustained period. He was caught and sentenced to two years in prison in 2001.

  4. Worm exploits interconnected business and operations networks (Ohio, USA, 2003)

The SQL Slammer worm infiltrated the operations network of the Davis-Besse nuclear power plant via a high-speed connection from an unsecured contractor's network (after the corporate firewall had previously blocked the worm). After migrating from the business network to the operations network, the worm disabled the panel used to monitor the plant's most crucial safety indicators for about five hours and caused the plant's process computer to fail; recovery for the latter took nearly six hours. Luckily, the plant was off-line at the time.

These stories were used to illustrate the U.S. government's concern about the potential for cyber attacks on the energy sector. And as smart grid technology evolves to tie everyone and everything together in a futuristic, postmodern indulgence of technology in daily life, we will need all the security we can get.

GAO. 2004. Critical infrastructure protection: Challenges and efforts to secure control systems (GAO-04-354). Government Accountability Office.

Reed, T. 2005. At the Abyss: An Insider's History of the Cold War. Random House.

Building a Better Password

A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.

Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.

For example, mnemonic passwords, created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: "The famous Ghostbusters line 'Dogs and cats, living together!' becomes, with a few substitutions, 'D&c,lt.'" However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.

The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is that if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.

To prevent the latter, experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions within six months!

Instead of a mnemonic password, research suggests that users are better off constructing passwords out of a phrase itself, a passphrase. Newsweek gives this example: "a short but hard-to-remember string like 'J4fS<2' can be broken by what is called a brute-force attack (in which a computer attempts 'a,' then 'ab,' then 'abc,' and so on) in 219 years, while a long but easy-to-remember phrase like 'du-bi-du-bi-dub' will stand for 531,855,448,467 years."

The main point here is that a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols. So break out those old Sinatra songs, "do be do be doo... strangers in the night..." there could be some great passwords in them.
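To see where figures like the two above come from, here is the worst-case brute-force arithmetic carried through on the page's own two samples. This is an added example written for this page, not Newsweek's or Carnegie Mellon's calculation. The guess rate is an assumption (100 guesses per second, labelled as such in the code; at that rate the six-character sample comes out at roughly the 219 years the article cites, while the passphrase figure is far larger than the article's because the alphabet is counted generously, as an attacker who only knows "lowercase plus punctuation" would have to). What matters is the ratio between the two, not the absolute years.

```python
"""Added example: worst-case brute-force cost of a short complex password vs a long passphrase.

The guess rate is an assumption; absolute years are only meaningful relative to each other.
"""
import math
import string

# Character classes; once an attacker knows a class is in use, the whole class is searched.
CLASSES = [set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation), {" "}]
ASSUMED_GUESSES_PER_SECOND = 100        # assumption made for this example
SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(password):
    """Size of the smallest class union that covers every character in the password."""
    chars = set(password)
    size = sum(len(cls) for cls in CLASSES if chars & cls)
    # Characters outside the classes above (e.g. non-ASCII) each add one symbol.
    size += len([c for c in chars if not any(c in cls for cls in CLASSES)])
    return size


def keyspace(password):
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    return math.log2(keyspace(password))


def years_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(short_complex, long_simple, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years for each candidate at the same guess rate, and how many times longer the second takes."""
    a = years_to_exhaust(short_complex, guesses_per_second)
    b = years_to_exhaust(long_simple, guesses_per_second)
    return {"short_years": a, "long_years": b, "ratio": b / a}


if __name__ == "__main__":
    for pw in ("J4fS<2", "du-bi-du-bi-dub"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):,.0f} years at {ASSUMED_GUESSES_PER_SECOND} guesses/s")
    print("ratio:", f"{compare('J4fS<2', 'du-bi-du-bi-dub')['ratio']:.2e}")
```

The arithmetic assumes the attacker has no shortcut. A dictionary of famous phrases is exactly such a shortcut, which is why the mnemonic passwords built from well-known lines fell to the "crude test" the article describes: length only helps when the phrase is not one an attacker would think to try.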

Security Trends and Outlook for 2010

There was a call recently, sponsored by Symantec, in which security experts and analysts discussed the security trends in 2009 and what they expected to see in 2010. Here's what they said:

2009 Trends

  • Drive-by. In 2008 there were 18 million drive-by download attempts; in the first half of 2009 there were already 17.5 million. This activity is increasing. (See the last blog for a discussion of drive-by downloads.)
  • Plug-ins. Drive-by downloads that target browser plug-ins as well as websites are increasing.
  • Trusted websites. Legitimate websites are now being compromised. A vast number of the downloads Symantec blocked came from legitimate websites. Cyber criminals are finding ways to post, especially on social networking websites, malicious Java applets or ActiveX components that target users of these websites.
  • Rogue security software. From July 2008 to July 2009, Symantec counted 43 million installation attempts by rogue security software. The latest ploy by cyber criminals is to package free anti-virus software found on the web and either resell it for a fee or attach malware that hijacks the user's computer once the application is installed.
  • Content scams. The latter half of 2009 saw increasing content-based attacks: the scam artist creates fake sites built around popular search terms or current news events. This poisons search engine results, presenting sites laden with malicious links, ads or drive-by downloads.
  • Security breaches. Data breaches continue to grow, raising the risk of identity theft. 400 breaches were reported in 2009, compromising 200 million records. 80% of breaches are caused by insiders within an organization. Adding to this, 59% of employees take confidential information with them when they leave a company.

2010 Outlook

  • URL shortening services. Bloggers, Twitter users and many social networking site users often use "URL shortening services" to produce short links that redirect to much longer ones. For example, if I have a 30-character link that I want to embed in a message, and I'm sending a Tweet with a 140-character limit, I can use a service that lets me post a 10-character link pointing to the actual one. The service hosts the redirect from the short URL to the long one. What has happened is that cyber criminals are finding ways to redirect links hosted by the URL shortening provider to malicious destinations.
  • Capture (CAPTCHA) technology. When you register for new accounts on many websites, you are asked to type in a code displayed in a funny, groovy-looking text box. By doing this the website owner ensures that an actual human is registering and not a computer program. Some cyber criminals are now using low-cost labor in sweatshops, in places like India, to create accounts manually. Once registered with a website that, for example, offers an Instant Messenger (IM) account, the attacker uses the IM account to send malicious links to other IM users.
  • Non-English spam. Most spam to date has been sent in English. However, there has been a significant increase in native-language spam in countries like the Netherlands, Germany and France.
  • Focused malware. Symantec sees increases in specialized malware that targets specific systems such as Automatic Teller Machines (ATMs) and phone-based voting systems (e.g. those used in reality TV shows for the public to vote).
  • Cell phones. Smartphones are becoming targets for rogue security software download attempts. With so many applications now being made available for wireless devices like the BlackBerry, attackers are looking to exploit the same scams used on computer users.
  • Bandwidth. Increased bandwidth in developing countries, created by the installation of broadband networks, has brought about a resurgence of spammers' botnets.
  • Social networking sites. Scammers are trolling popular social media sites like Facebook for opportunities to implant malicious content and micro applications. By infecting users who receive and trust messages from others in their circle, attackers can exploit entire networks.
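The defensive answer to the URL-shortening problem above is to find out where a short link ends up before anyone visits it: follow the redirect chain one hop at a time with HEAD requests that never fetch the destination page, stop on loops or over-long chains, and compare the final host with the hosts you expected. This is an added example written for this page, not code from Symantec or from any shortening service. The live fetcher uses Python's standard urllib; for the offline run the shortening service is replaced by a constructed redirect table with invented hostnames.

```python
"""Added example: expand a shortened link hop by hop without visiting the destination."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """Live fetcher: one HEAD request; returns (status, Location header or None).

    Network errors (urllib.error.URLError) are left to the caller.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_location, max_hops=5):
    """Follow redirects manually; return the chain and why it stopped."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"final": chain[-1], "chain": chain, "status": "resolved"}
        location = urljoin(chain[-1], location)   # Location may be relative
        if location in chain:
            return {"final": location, "chain": chain + [location], "status": "loop"}
        chain.append(location)
    return {"final": chain[-1], "chain": chain, "status": "too_many_hops"}


def assess(url, trusted_hosts, fetch=head_location):
    """expand() plus a verdict: did the link resolve to a host we expected?"""
    result = expand(url, fetch)
    host = urlparse(result["final"]).hostname or ""
    on_trusted_host = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    result["trusted"] = result["status"] == "resolved" and on_trusted_host
    return result


# Constructed stand-in for a shortening service so the example runs offline.
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://news.example.com/story"),
    "http://short.example/xyz": (302, "/xyz2"),                          # relative hop
    "http://short.example/xyz2": (302, "http://unknown.example.net/promo"),
    "http://short.example/loop": (302, "http://short.example/loop"),
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    trusted = {"news.example.com"}
    for link in ("http://short.example/abc", "http://short.example/xyz", "http://short.example/loop"):
        r = assess(link, trusted, fake_fetch)
        print(link, "->", r["final"], r["status"], "trusted" if r["trusted"] else "NOT trusted")
```

Two design points: the loop and hop limits matter because a hostile chain can be made to bounce indefinitely, and the verdict is tied to the hop-by-hop result rather than to the displayed link, since the displayed link is the one thing a shortening service never lets you verify.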

What to do? Symantec has embarked on a concept it calls "reputation-based security": all websites are assumed guilty until proven innocent. So look for increased certification and diligence in the safeguarding of content, web links and applets on websites.

In addition, as individuals, two of the best-practice security tips you should follow are: (1) don't store your passwords in the browser (don't click the "remember me" option), and (2) use strong passwords on your home wireless router (change the one that comes with your system) as well as at every website you register with.