I came across a couple of interesting web-sites over the last couple of weeks that I think are worth sharing. The first of these relates to work conducted by the Australian government's Defence Signals Directorate (DSD). Through analysis of the vulnerabilities and exploit attempts reported to them, the DSD has drawn up a set of 35 mitigations that would have helped to prevent exploitation. In fact, just implementing the top 4 strategies would have "prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010". What are these top four strategies?
patching third party applications;
patching operating systems;
minimising administrative privileges; and
application whitelisting.
The first three should just be good practice. The fourth can be harder to get past the business. In any case, it's nice to see a set of mitigation strategies based on real analysis rather than simple reliance on 'best practice'. The DSD documents can be found over at:
http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Definitely worth a read.
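The fourth strategy, application whitelisting, is the one most often watered down into "allow anything under C:\Program Files". As an added example (my own illustration, not part of the DSD material or of any product's code), the block below contrasts a path-based rule with a hash-based rule under a default-deny policy. The file names, the trusted directory and the byte strings standing in for binaries are all constructed for the demonstration.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Policy:
    """Default-deny allowlist: a file may execute only if a rule matches it."""
    allowed_hashes: set = field(default_factory=set)   # SHA-256 hex digests
    allowed_dirs: list = field(default_factory=list)   # trusted directories (path rules)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_path(path: Path, policy: Policy) -> bool:
    """Path rule: anything under a trusted directory runs (the weak form)."""
    resolved = path.resolve()
    return any(resolved.is_relative_to(d.resolve()) for d in policy.allowed_dirs)


def allowed_by_hash(path: Path, policy: Policy) -> bool:
    """Hash rule: only a file whose exact contents were approved runs."""
    return sha256_of(path) in policy.allowed_hashes


def demo() -> dict:
    """Four constructed scenarios; returns {name: (path_verdict, hash_verdict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"      # hypothetical trusted install dir
        downloads = Path(tmp) / "downloads"  # hypothetical user-writable dir
        trusted.mkdir()
        downloads.mkdir()

        approved = trusted / "tool.exe"
        approved.write_bytes(b"MZ good tool v1")  # constructed stand-in for a binary
        policy = Policy(allowed_hashes={sha256_of(approved)}, allowed_dirs=[trusted])

        def verdicts(p: Path):
            return (allowed_by_path(p, policy), allowed_by_hash(p, policy))

        # 1. The approved binary where it was installed: both rules allow it.
        results["approved binary in trusted dir"] = verdicts(approved)

        # 2. Same bytes copied somewhere untrusted: path rule blocks, hash rule allows.
        moved = downloads / "tool.exe"
        moved.write_bytes(approved.read_bytes())
        results["approved binary copied elsewhere"] = verdicts(moved)

        # 3. Attacker drops an unknown binary into the trusted dir: only the hash rule blocks it.
        dropped = trusted / "evil.exe"
        dropped.write_bytes(b"MZ dropped by attacker")
        results["unknown binary dropped in trusted dir"] = verdicts(dropped)

        # 4. Approved binary trojaned in place (same path, new contents): only the hash rule blocks it.
        approved.write_bytes(b"MZ good tool v1 + backdoor")
        results["approved binary trojaned in place"] = verdicts(approved)
    return results


if __name__ == "__main__":
    for name, (by_path, by_hash) in demo().items():
        print(f"{name:45s} path-rule={by_path!s:5s} hash-rule={by_hash}")
```

The trade-off the business will feel is in scenario 4's mirror image: every legitimate patch (strategies one and two) changes the hash, so a pure hash policy needs re-approval on each update, which is why real products also offer publisher (code-signing) rules. The example is deliberately limited to the two rule types discussed.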
What else has caught my eye? Well, I have no choice but to give a shout-out to the competition. PwC have released their 2012 Global State of Information Security Survey and have provided a nifty way of exploring the underlying data - available over at:
http://www.pwc.com/gx/en/information-security-survey/giss.jhtml
As ever, the GISS is a worthwhile read and the highlights for me relate to the cloud security aspects:
It's tight, but there are now more respondents saying that they use cloud services than there are saying that they do not. The Don't Knows could still tip the balance either way though!
SaaS still holds a hefty lead as the most commonly implemented service model, followed by IaaS and then PaaS.
Of those who have implemented cloud services, over half believe that the move to cloud has improved their security. Less than a quarter believe that the move has weakened their security.
I've been blathering on for a while that a move towards cloud services can have security benefits as well as the more often documented downsides. It's re-assuring to see that a majority of those moving towards the cloud believe that the positives actually outweigh the negatives.
Friday, 4 November 2011
Thursday, 20 October 2011
Securing Cloud Services
One of these times I really must put myself in a position where I don't have to apologise for the tardiness of my posting. Oh well, let's take my general neglect of this blog as read and move on :-)
So why am I posting now, after letting the Diginotar hack, the release of BEAST and all sorts of other interesting security events pass without comment? Mostly because of two of the things that have been keeping me busy over the last few months - security architecture and cloud computing.
I'm very keen on the use of enterprise architecture techniques and methodologies to drive traceability between security risks, security requirements and the delivered components. In my view it's the best way to deliver systems that are as secure as the business stakeholders require them to be - no more and no less. It's also a great way to consolidate security services and drive consistency of approach across an organisation. So one of the things keeping me busy has been preparing the materials needed to expound the benefits of security architecture to our would-be clients. As an example, please take a look at http://bit.ly/n2Ddwa.
Which brings me on to the second thing. For my sins, I have agreed to write a book on securing cloud services. Having become frustrated by the lack of real practical guidance out there, I'm setting out with the intention of helping cloud consumers to design cloud services that meet their security requirements. Obviously there's a limit to the amount of detail that I can cover. I'm targeting architects and designers rather than coders and so there's no Azure or APEX code in there. But I believe that there is a gap in the market for a book that explains how organisations can deliver their security services across the various cloud service models of IaaS, PaaS and SaaS. Am I wrong? I guess we'll find out in Q1 2012.
Friday, 12 August 2011
De-bunking anti-virus vendor claims
Just in case you haven't seen it yet, I'd recommend you take a look at the paper put out by Tavis Ormandy discussing the findings from his reverse engineering of the Sophos anti-virus product; the paper's available from:
http://lock.cmpxchg8b.com/Sophail.pdf
It's clear from the tone of the paper that the author had a few issues with Sophos but I don't think the tone should distract from some of the serious weaknesses (particularly in the area of buffer overflow protection) that the paper describes.
What I'd really like to see now would be similar investigations of the claims of the other major anti-virus products out there - are Sophos alone in having these issues or is it endemic across the A-V industry?
It would also be helpful if Sophos put out a more technical response to Tavis' paper rather than the somewhat bland post to be found at:
http://nakedsecurity.sophos.com/2011/08/05/tavis-ormandy-and-sophos/
'til next time...
Friday, 22 July 2011
So, do we actually care?
One of the consequences of the recent rash of published hacking incidents is that we may now have a contemporary sample size that's almost big enough to draw some meaningful conclusions about how much the general populace (and business) actually cares about information security. Incidents associated with Anonymous, LulzSec, Sony, RSA, News International and others are all now in the public consciousness. But will there be any real long-term impact of these hacks? For example:
How many mobile phone users have now set unique PINs on their voicemail rather than relying on the default values?
How many organisations have ditched their RSA tokens in favour of competing technologies?
How many PS3 users have abandoned the PlayStation Network for good? Or have they all (like me :-) been bought off by a few free games and promises that it'll be better next time?
If consumers don't actually care about security, what are the real drivers for continuing to invest in it? Do we really have to fall back on compliance as the sole driver?
It's fortunate for the security industry that there are still financial services organisations, IP-centric industries, gaming firms etc where the security of their systems and data is necessary for their continued survival.
But hey, I could be wrong and perhaps the recent incidents will drive new and improved behaviours - guess we'll just have to wait and see...
Wednesday, 22 June 2011
LulzSec
LulzSec - doing it for the lulz. Looking at the attention and drama they've created, can anyone say that they haven't succeeded?
Friday, 3 June 2011
Time for RSA to come clean
Right. I've been patient. We've all been patient. But now I think it's time that RSA come clean about exactly what they lost when they were compromised earlier this year. We've now had reported attacks against Lockheed Martin, L-3 Communications and Northrop Grumman all of which have been linked with the use of SecurID tokens as an attack vector. Is the reporting correct? No idea. Is damage being done to RSA regardless? Oh yes.
What harm can come now from RSA posting details of what was compromised? I'm aware that RSA are in talks with their bigger customers but I don't think that this is enough. It certainly doesn't help me if I'm considering implementing a new two-factor authentication solution; why on earth would I consider SecurID at this time?
Final points to consider. It's probably fair to state now that whoever compromised RSA has used that information to attack their first tranche of targets. The surprise element is now gone and top tier targets should now be on the lookout for similar incursions. So what's the value now to the attackers in keeping whatever they got from RSA close to their chests? I daresay there'll be a bit of probing of some of their second tier targets (banks anyone?) before the attackers decide that they've realised most of the value of their initial RSA compromise. Depending on how mischievous they feel, I wouldn't necessarily be surprised to see the compromised RSA materials appear on the Internet in the near future - if only as a means to cause significant pain and disruption to the rest of the RSA user base. Do state-sponsored hackers still do it for the lulz? Guess we'll find out soon enough.
*********UPDATED************
Open letter from RSA to their customers:
http://www.rsa.com/node.aspx?id=3891
Still no real details though. Ho hum.
Tuesday, 10 May 2011
PSN hack
O... M... G...
http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/
I'm surprised they weren't hacked sooner.
The content of the article does raise some really interesting questions about their compliance with PCI-DSS and how they got through the process...