Friday, 4 November 2011

Evidence-based opinions

I came across a couple of interesting web-sites over the last couple of weeks that I think are worth sharing. The first of these relates to work conducted by the Australian government's Defence Signals Directorate (DSD). Through analysis of the vulnerabilities and exploit attempts reported to them, the DSD has drawn up a set of 35 mitigations that would have helped to prevent exploitation. In fact, just implementing the top 4 strategies would have "prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010". What are these top four strategies?

- patching third party applications;
- patching operating systems;
- minimising administrative privileges; and
- application whitelisting.

The first 3 should be just good practice. The 4th one can be more difficult to get past the business. In any case, it's nice to see a set of mitigation strategies based off real analysis rather than simple reliance on 'best practice'. The DSD documents can be found over at:

http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

Definitely worth a read.

What else has caught my eye? Well, I have no choice but to give a shout-out to the competition. PwC have released their 2012 Global State of Information Security Survey and have provided a nifty way of exploring the underlying data - available over at:

http://www.pwc.com/gx/en/information-security-survey/giss.jhtml

As ever, the GISS is a worthwhile read and the highlights for me relate to the cloud security aspects:

- It's tight, but there are now more respondents saying that they use cloud services than there are saying that they do not. The Do Not Knows could still tip the balance either way though!
- SaaS still holds a hefty lead as the most commonly implemented service model, followed by IaaS and then PaaS.
- Of those who have implemented cloud services, over half believe that the move to cloud has improved their security. Less than a quarter believe that the move has weakened their security.

I've been blathering on for a while that a move towards cloud services can have security benefits as well as the more often documented downsides. It's reassuring to see that a majority of those moving towards the cloud believe that the positives actually outweigh the negatives.

Thursday, 20 October 2011

Securing Cloud Services

One of these times I really must put myself in a position where I don't have to apologise for the tardiness of my posting. Oh well, let's take my general neglect of this blog as read and move on :-)

So why am I posting now, after letting the DigiNotar hack, the release of BEAST and all sorts of other interesting security events pass without comment? Mostly because of two of the things that have been keeping me busy over the last few months - security architecture and cloud computing.

I'm very keen on the use of enterprise architecture techniques and methodologies to drive traceability between security risks, security requirements and the delivered components. In my view it's the best way to deliver systems that are as secure as the business stakeholders require them to be - no more and no less. It's also a great way to consolidate security services and drive consistency of approach across an organisation. So one of the things keeping me busy has been preparing the materials needed to expound the benefits of security architecture to our would-be clients. As an example, please take a look at http://bit.ly/n2Ddwa.

Which brings me on to the second thing. For my sins, I have agreed to write a book on securing cloud services. Having become frustrated by the lack of real practical guidance out there, I'm setting out with the intention of helping cloud consumers to design cloud services that meet their security requirements. Obviously there's a limit to the amount of detail that I can cover. I'm targeting architects and designers rather than coders and so there's no Azure or APEX code in there. But I believe that there is a gap in the market for a book that explains how organisations can deliver their security services across the various cloud service models of IaaS, PaaS and SaaS. Am I wrong? I guess we'll find out in Q1 2012.

Friday, 12 August 2011

De-bunking anti-virus vendor claims

Just in case you haven't seen it yet, I'd recommend you take a look at the paper put out by Tavis Ormandy discussing the findings from his reverse engineering of the Sophos anti-virus product; the paper's available from:

http://lock.cmpxchg8b.com/Sophail.pdf

It's clear from the tone of the paper that the author had a few issues with Sophos but I don't think the tone should distract from some of the serious weaknesses (particularly in the area of buffer overflow protection) that the paper describes.

What I'd really like to see now would be similar investigations of the claims of the other major anti-virus products out there - are Sophos alone in having these issues or is it endemic across the A-V industry?

It would also be helpful if Sophos put out a more technical response to Tavis' paper rather than the somewhat bland post to be found at:

http://nakedsecurity.sophos.com/2011/08/05/tavis-ormandy-and-sophos/

'til next time...

Friday, 22 July 2011

So, do we actually care?

One of the consequences of the recent rash of published hacking incidents is that we may now have a contemporary sample size that's almost big enough to draw some meaningful conclusions about how much the general populace (and business) actually cares about information security. Incidents associated with Anonymous, LulzSec, Sony, RSA, News International and others are all now in the public consciousness. But will there be any real long-term impact of these hacks? For example:

How many mobile phone users have now set unique PINs on their voicemail rather than relying on the default values?

How many organisations have ditched their RSA tokens in favour of competing technologies?

How many PS3 users have abandoned the PlayStation Network for good? Or have they all (like me :-) been bought off by a few free games and promises that it'll be better next time?

If consumers don't actually care about security, what are the real drivers for continuing to invest in it? Do we really have to fall back on compliance as the sole driver?

It's fortunate for the security industry that there are still financial services organisations, IP-centric industries, gaming firms etc where the security of their systems and data is necessary for their continued survival.

But hey, I could be wrong and perhaps the recent incidents will drive new and improved behaviours - guess we'll just have to wait and see...

Wednesday, 22 June 2011

LulzSec

LulzSec - doing it for the lulz. Looking at the attention and drama they've created, can anyone say that they haven't succeeded?

Friday, 3 June 2011

Time for RSA to come clean

Right. I've been patient. We've all been patient. But now I think it's time that RSA come clean about exactly what they lost when they were compromised earlier this year. We've now had reported attacks against Lockheed Martin, L-3 Communications and Northrop Grumman all of which have been linked with the use of SecurID tokens as an attack vector. Is the reporting correct? No idea. Is damage being done to RSA regardless? Oh yes.

What harm can come now from RSA posting details of what was compromised? I'm aware that RSA are in talks with their bigger customers but I don't think that this is enough. It certainly doesn't help me if I'm considering implementing a new two-factor authentication solution; why on earth would I consider SecurID at this time?

Final points to consider. It's probably fair to state now that whoever compromised RSA has used that information to attack their first tranche of targets. The surprise element is now gone and top tier targets should now be on the lookout for similar incursions. So what's the value now to the attackers in keeping whatever they got from RSA close to their chests? I daresay there'll be a bit of probing of some of their second tier targets (banks anyone?) before the attackers decide that they've realised most of the value of their initial RSA compromise. Depending on how mischievous they feel, I wouldn't necessarily be surprised to see the compromised RSA materials appear on the Internet in the near future - if only as a means to cause significant pain and disruption to the rest of the RSA user base. Do state-sponsored hackers still do it for the lulz? Guess we'll find out soon enough.

*********UPDATED************

Open letter from RSA to their customers:

http://www.rsa.com/node.aspx?id=3891

Still no real details though. Ho hum.

Tuesday, 10 May 2011

PSN hack

O... M... G...

http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/

I'm surprised they weren't hacked sooner.

The content of the article does raise some really interesting questions about their compliance with PCI-DSS and how they got through the process...

Tuesday, 26 April 2011

Thoughts on Infosec and the AWS outage

I managed to sneak in a quick afternoon visit to Infosec last Wednesday. I'll admit the free (and, quite honestly, excellent) lunch that I'd been invited to by the chaps over at IRM was influential in making sure that I didn't miss the show completely this year. Good food, interesting conversation. Thanks Phil :-)

I'm not entirely sure what I made of this year's show. To my eyes, it seemed quite busy in terms of attendee numbers and a number of the brave souls manning the stands seemed to be losing their voices by the time I got there after lunch. Which means it's probably safe to assume that they'd been kept occupied pitching their wares and handing over the usual treasure trove of pens, t-shirts and cheap puzzles. However. Other than finding out some more positive details on the Forum Systems products and coming across a promising new cloud security vendor (CipherCloud - check 'em out!) I'm not sure that I got too much out of the exhibition. Primarily the same old(er) faces pitching the same old(er) solutions and, unfortunately, the same can probably be said of the education streams. Can't help thinking that the information security scene needs an injection of new DNA to breathe some new life, enthusiasm and ideas into what seems to be becoming a somewhat jaded, self-serving and self-congratulatory sector. The irony of my posting that last statement on a blog has not escaped me :-)

Whilst I'm being a little negative, the big story from the cloud computing world has been the downtime over at AWS which even made it on to the BBC web-site: http://www.bbc.co.uk/news/technology-13160929. We're still awaiting details of the problem (other than that there was a problem with EBS volumes and dependent services) but the biggest surprise(?) was that the issue spanned supposedly isolated availability zones within the affected region. I'm really hoping that the promised "post-mortem" discussing this event provides sufficient detail to enable AWS customers to design for resilience with a full understanding of exactly how isolated availability zones really are...

Friday, 8 April 2011

Latest cloudy ramblings

See, I'm making the most of my recently discovered free(ish!) time by popping up in Computer Weekly talking about the adoption of cloud services by SMEs. Link below:

http://www.computerweekly.com/Articles/2011/04/06/246204/CW-Security-Think-Tank-Whats-holding-up-the-cloud.htm

Some interesting differences in tone and opinions amongst the contributors to this Think Tank piece. When it comes to the use of hybrid cloud models I think I tend more towards the opinions expressed by Christofer Hoff over at http://www.rationalsurvivability.com/blog/?p=3016 rather than the view expressed by the chap from Gartner that cloud providers should be targeting SMEs with hybrid cloud services.

Hybrid is fine if you're talking about mixing your delivery of capabilities across on-premises and cloud. I've always had more of a problem with Hybrid as a way of delivering increased capacity on demand, in that it's always seemed the worst of both worlds from a security perspective, i.e. you need to worry about the security problems associated with both models rather than just the one!

And, as Hoff says, "If your Tier-1 workloads can run in a public cloud and satisfy all your requirements, THAT’S where they should run in the first place!"

Friday, 25 March 2011

Fair warning

Wow. Where did Q1 go? Not on blogging obviously :-)

Well, after four years on one assignment I finally get to try something new from the end of next week. It's been a primarily fun and worthwhile four years and I've met some good people in that time (just in case any of my current colleagues are reading!) but it's been tough and I'm looking forward to a new challenge. I'm also looking forward to an assignment that will give me a bit more time to concentrate on this blog and posting a little more regularly than once a quarter.

So, what prompted me to come out of blogging hibernation? High profile hacks! By which I'm thinking HBGary Federal, RSA and Comodo. I can't remember a time when three such hacks happened in such a short space of time and received this amount of publicity. Which is the most interesting? Hard to say. HBGary Federal was interesting because of the contents of the email spool that Anonymous released and the somewhat embarrassing implications for the likes of Bank of America and Morgan Stanley.

Is RSA interesting? Hard to tell as they've been very quiet about what was actually accessed during their compromise and so their customers are in limbo. So, it's interesting in so far as a high profile security firm got 0wned; likely to be more interesting once it becomes apparent what was purloined by the attackers. C'mon RSA, help us all out here!

But the Comodo hack; now that is certainly interesting. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html for details. Almost certainly laying the foundations of a larger hack and demonstrating why the core security measure for most Internet users (SSL) should not be relied upon as strongly as it currently is - it certainly shows that certificate authentication is worthless without strong registration processes and capable registration authorities. To be fair however, and in direct contrast to RSA, Comodo have at least been forthright in explaining the implications of the hack and the certificates issued.

Anyone can get hacked, including those we trust to secure the Internet, so here's hoping that more organisations follow the Comodo approach to notification than the RSA approach.

See you in Q3 :-)

Friday, 21 January 2011

ENISA's latest paper on cloud

I don't usually like to criticise the efforts of others to provide useful (or at least informative) guidance however the latest paper from ENISA on Security and Resilience in Governmental Clouds has provoked me into something of a reaction. And that reaction is meh.

To expand further...

If you're not familiar with cloud computing, it's probably a good document to pick up and have a read through in order to get an idea of what the whole cloud thing is about. But there's nothing startlingly new or original in here - the decision framework is new but I wouldn't say startling. I think some of the flows are troublesome as well as it happens. I'm really not confident that the order of risk assessment, choosing a deployment model (or "IT Architecture" in ENISA parlance) and then identifying threats is particularly applicable in the real world. I'd have preferred something more along the lines of identify business requirements, identify threats, identify potential solutions, narrow down the choice based on the trade-off between risk and business benefits, prepare RfP etc... I guess I'm a little uncomfortable with attempting to put security as a blocker right at the start of the process; perhaps I'm just a bit too heretical to work in security these days.

My other problem with the paper is that it suffers from the usual naivety in terms of clumping together all IaaS, PaaS and SaaS providers into the three buckets and assuming that you have the same risks regardless of service provider. They fall into the same trap as most of the material in this space by practically treating IaaS, PaaS and SaaS as specifications rather than broad categories. As an example of the problem - if you look at the PaaS offerings of Microsoft Azure, Force.com, Heroku, Google's AppEngine and Terracotta and tell me that you can apply the same risk profiles to platforms offering Ruby, Apex, Java, Python and .NET, administered in a variety of ways using differing authentication and authorisation mechanisms, then I'm not playing with you anymore and I'm going to tell your mum. Don't even get me started on the diversity you'll find with SaaS - how can you apply the same risk profiles to services that range from accounting through to collaboration through to authentication or whatever?

But as I say, if you're not familiar with the subject and want to get a grounding then it's not a bad document. But if you are familiar with this space, I'd say read it so that you're not left out of cloud conversation* but overall... meh.

* yes, there is such a beast as cloud conversation, unfortunately it does tend to go pretty much as summarised by Dilbert http://www.dilbert.com/strips/comic/2011-01-07/