Upcoming webinar- The Perfect Storm: Managing Identity & Access in the Cloud

I will be leading an upcoming webinar on Identity and Access Management (IAM) in the Cloud titled;

The Perfect Storm: Managing Identity & Access in the Cloud

In this webinar and panel discussion we will talk about the key issues surrounding the people, processes and systems used to manage applications and data in the cloud.  Topics covered will include;

  • Trends complicating secure cloud use;
  • Risks of unauthorized access, identity theft and insider fraud;
  • Challenges to IAM in the cloud;
  • Unique IAM considerations in the cloud;
  • Cloud features and functionality to improve IAM;
  • New approaches, including effective policy enforcement and the benefits of single sign-on;
  • Q and A panel session after the initial presentations.

This webinar is to be hosted by Tom Field of the Information Security Media Group, and we will be joined by thought-leaders from security vendors Ping Identity, McAfee and Aveksa, who will weigh in on how new cloud security solutions can help organizations improve IAM, as well as compliance, provisioning and policy management.

This should be a great presentation and discussion so please do register to view and participate;

http://www.bankinfosecurity.com/webinars/perfect-storm-managing-identity-access-in-cloud-w-303

The webinar will be first shown on Thursday 20th December 2012.  I hope to see you there!

K

Cloud Security Alliance Congress Orlando 2012 pt5 – closing keynote

Closing Keynote – State of the Union

Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content.  I can recommend reading / viewing the mentioned presentations.  This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.

What’s happened?

2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’

–          Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.

–          Virtualised security can seriously impact performance, resiliency and scalability

–          Replicating many highly-available security applications and network topologies in virtual switches doesn’t work

–          Virtualising security will not save you money.  It will cost you more.

2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’

–          Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so

–          While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices

–          Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions

–          You’ll find that much of what you have works.. Perhaps just differently; setting expectations is critical

2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’

–          Security becomes a question of scale

–          Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil

–          Hybrid security solutions (and more of them) are needed

–          Service transparency, assurance and auditability is key

–          Providers have the chance to make security better.  Be transparent.

2010 – Public cloud platform dependencies will liberate or kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’

–          Not all cloud offerings are created equal or for the same reasons

–          Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics

–          Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise

–          However this often required profound architectural, operational, technology, security and compliance model changes

–          What makes cloud platforms tick matters in the long term

2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’

–          Don’t just sit there: it won’t automate itself

–          Recognise, accept and move on: The DMZ design pattern is dead

–          Make use of existing / new services: you don’t have to do it all yourself

–          Demand and use programmatic interfaces from security solutions

–          Encourage networks / security wonks to use tools / learn to program / use automation

–          Squash audit inefficiency and maximise efficacy

–          DevOps and security need to make nice

–          AppSec and SDLC are huge

–          Automate data protection

2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’

–          Scalability

–          Portability

–          Fungibility

–          Compliance

–          Cost

–          Manageability

–          Trust

2012 – DevOps, continual deployment, platforms –  Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’

–          [Missing] Instrumentation that is inclusive of security

–          [Missing] Intelligence and context shared between infrastructure and application layers

–          [Missing] Maturity of “Automation Mechanics” and frameworks

–          [Missing] Standard interfaces, precise syntactical representation of elemental security constructs

–          [Missing] An operational methodology that ensures a common understanding of outcomes and ‘agile’ culture in general

–          [Missing] Sanitary application security practices

What’s happening?

–          Mobility, Internet of Things, Consumerisation

–          New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)

–          APIs – everything connected by APIs

–          DevOps – Need to understand how this works and who owns security

–          Programmatic (virtualised) Networking and SDN (Software Defined Network)

–          Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)

What’s coming?

–          Security analytics and intelligence – security data is becoming ‘big data’ – Volume. Velocity. Variety. Veracity.

–          AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long have the OWASP top threats remained largely unchanged??

–          Security as a Service 2.0 – “Cloud.” SDN. Virtualised.

–          Offensive security – Cyber. Cyber. Cyber. Cyber…  Instead of just being purely defensive, do things more proactive – not necessarily actually attacking them, can mean deceiving them to honeypots / honynets, fingerprinting the attack, tracking back the connections etc. all the way up to actually striking back.

Summary;

–          Public clouds are marching onward; Platforms are maturing… Getting simpler to deploy and operate at the platform level, but have heavy impact on application architecture

–          Private clouds are getting more complex (as expected) and the use case differences between the two are obvious; more exposed infrastructure connected knobs and dials

–          Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge

–          Mobility (workload and consuming devices) and APIs are everywhere

–          Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’

–          Application and information ‘ETL sprawl’ is a force to be reckoned with

–          Security is getting much more interesting!

This was a great wrap up highlighting the last few years’ issues (how many of these have we really fixed?), along with where we are now, and a nice summary of what’s coming up.  Are you up to speed with all the current and outstanding issues you need to be aware of?  How prepared are you and your organisation for what’s coming up?  Don’t be like the 3 monkeys.. 😉

While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!

Lastly, have a look at Chris’s blog; http://www.rationalsurvivability.com/blog/ which has loads of interesting content.

K

Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that the provider has obtained third party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats;

–          52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware))

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          Is MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.
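Two of the checklist items above, “Does file integrity monitoring exist?” and “Does a log inspection program exist?”, are easy to say and less easy to picture. The following is an added example (not from the talk or from Trend Micro) of the core of a file integrity monitor: hash a tree into a baseline, re-hash later, and report what was added, removed or modified. The file names and contents in `demo()` are constructed for the example; a real deployment would store the baseline somewhere the monitored host cannot rewrite it and ship the diff to the log inspection program.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Hex SHA-256 digest of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk a directory tree and return {relative path: digest}."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_baselines(old, new):
    """Compare a stored baseline with a fresh one; sorted lists keep the report deterministic."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for a server's sensitive configuration.
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "bin/app", b"original binary contents\n")
        baseline = build_baseline(root)

        # Later: one setting weakened, one file removed, one unexpected file planted.
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "bin", "app"))
        _write(root, "etc/cron.d/new-job", b"* * * * * root /tmp/job\n")
        return diff_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff is only as good as the baseline’s integrity: if the baseline file lives on the same host with the same permissions as the files it guards, an attacker who can change the files can also re-baseline them.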

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe;

  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative.  Mentioned that DLP one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness
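Steps 7 to 10 of the recipe above are a decision procedure, and it helps to see it as one. This added example (mine, not the presenters’) models the data-classification-to-platform part of the framework in Python: each classification carries a set of required controls (step 7), each service model carries the controls a customer can actually implement there (step 8, fewer as you move from IaaS to SaaS), the code lists the platforms that cover every required control (step 9), and a last check flags user grants not justified by the user’s role (step 10). All classification names, control identifiers, role entitlements and user records are constructed for the example.

```python
# Constructed control catalogue: which controls a data set of each classification needs (step 7).
CONTROLS_BY_CLASSIFICATION = {
    "public": {"backup"},
    "internal": {"backup", "access-control", "logging"},
    "confidential": {"backup", "access-control", "logging",
                     "encryption-at-rest", "customer-managed-keys"},
    "restricted": {"backup", "access-control", "logging", "encryption-at-rest",
                   "customer-managed-keys", "network-isolation", "host-hardening"},
}

# Constructed view of what the customer can implement in each service model (step 8).
FEASIBLE_CONTROLS = {
    "SaaS": {"backup", "access-control", "logging"},
    "PaaS": {"backup", "access-control", "logging",
             "encryption-at-rest", "customer-managed-keys"},
    "IaaS": {"backup", "access-control", "logging", "encryption-at-rest",
             "customer-managed-keys", "network-isolation", "host-hardening"},
}


def control_gaps(classification, platform):
    """Required controls that the platform does not let the customer implement."""
    return CONTROLS_BY_CLASSIFICATION[classification] - FEASIBLE_CONTROLS[platform]


def acceptable_platforms(classification):
    """Step 9: platforms where every required control for this classification is feasible."""
    return sorted(p for p in FEASIBLE_CONTROLS if not control_gaps(classification, p))


def plan_datasets(datasets):
    """datasets: {name: classification}. Returns per data set the acceptable platforms and the gaps elsewhere."""
    report = {}
    for name, classification in datasets.items():
        report[name] = {
            "classification": classification,
            "acceptable": acceptable_platforms(classification),
            "gaps": {p: sorted(control_gaps(classification, p))
                     for p in FEASIBLE_CONTROLS if control_gaps(classification, p)},
        }
    return report


def excess_grants(role_entitlements, users):
    """Step 10: grants a user holds beyond what their role justifies.

    role_entitlements: {role: {dataset, ...}}; users: {user: {"role": r, "grants": {dataset, ...}}}.
    """
    findings = []
    for user, info in sorted(users.items()):
        allowed = role_entitlements.get(info["role"], set())
        for dataset in sorted(info["grants"] - allowed):
            findings.append((user, dataset))
    return findings


if __name__ == "__main__":
    # Constructed inventory of data sets and users.
    datasets = {"marketing-site": "public", "crm": "confidential", "card-vault": "restricted"}
    roles = {"sales": {"crm"}, "web-editor": {"marketing-site"}, "payments": {"card-vault"}}
    users = {
        "alice": {"role": "sales", "grants": {"crm"}},
        "bob": {"role": "web-editor", "grants": {"marketing-site", "crm"}},
    }
    for name, row in plan_datasets(datasets).items():
        print(name, row["classification"], "->", row["acceptable"], row["gaps"])
    print("excess grants:", excess_grants(roles, users))
```

The useful output is the gap list, not the yes/no: a “confidential” set fails SaaS on encryption-at-rest and customer-managed keys, which is exactly the conversation to have with the provider before deciding whether a contractual control can stand in for a technical one.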

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

K


Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months..  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

In terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content was also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts, in order to get these up now rather than waiting until I get home and find time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

–          What do you do if you have a security incident in a faraway country?  Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.

–          Have to create capabilities to share vital information globally

–          Computation is changing

  • Exponential data growth and big data

–          Adversary is professional, Global and Collaborative

  • We are all fighting alone

–          Threat continues to increase

–          Business environment is changing

–          Change the way you think!

  • Can we make attack data anonymous enough that it can be shared in a meaningful way to help others and improve overall understanding and security

–          Look at things like CloudCert

Computing is changing;

–          Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc..

–          Driven by cost savings and need to be competitive in a global marketplace

–          Virtualisation – Mobile – BYOD (explosion of devices)

–          Increasing reliance on Browser

  • Secure Browser ‘App’ vs. URL  (Apps vs. things like HTML5)
  • Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc.  This would stop XSS.

Exponential data growth – Big data

–          In 2010 humanity’s data passed 1 zettabyte – (1 with 21 zeros after it).

–          Estimated volume in 2015 – 7.9ZB

–          Number of servers expected to grow by 10x over the next 10 years.

Threat escalation;

  • Malware 26M in 2011 – 2.166M/mo. – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legacy apps you use be around?

–          Mobile

  • First attacks on O/S
  • First mobile drive by downloads
  • Malicious programs in App stores
  • First mass Android worm

–          Attacks built in the Cloud are invisible, and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing..  Would you want this?

Business Environment Changes

–          Drive to innovate

  • Scrums, agile computing initiatives change the way we work
  • Security needs to work in a more agile way

–          Rapid delivery of features and functions

  • Build securely – not build and test

–          Impact of Intense, Global competition

–          SMBs are the foundation of US recovery but need help

–          Blurring of home/personal and work

Six Irrefutable Laws of information Security;

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get..  Again highlights the point that you will be hacked..

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

–          Global perspective

  • Not National
  • Not Government

–          Global Information Sharing

  • Sources
  • Solutions

–          Intelligence based security

  • Strategy and Budget

–          We MUST eliminate the obstacles!

Global Information Sharing

–          We have been trying for decades

–          How do we establish trust

  • Methods to make data anonymous
  • Attack data sharing

–          Who shares?

  • Needs of SMBs

–          Role of Governments (pass treaties around data sharing and cross boundary working)

–          Benefits go far beyond incident response

Incident response in the Cloud;

–          Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

–          Consider model you use – IaaS / PaaS / SaaS and what this means

–          Network control

–          Log correlation and analysis – where are these, who owns them, who can access them..

–          Roles and responsibilities

–          Access to event data, images etc.  When will you find out about issues and breaches?

–          Application functioning in the cloud – consider impacts of applications running in shared and / or very horizontally scalable environments.

–          Virtualisation benefits and issues

–          Capabilities and limitations of your provider

Get Involved!

–          CSA and Cloud CERT

  • Role critical
  • Participation
  • Partnerships

–          Government initiatives

  • US
  • EU

–          Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including –  understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)

Summary;

–          Remove Obstacles

–          Build subject matter expertise

–          Global sharing is critical to success

  • Who will attack you, using what methods in 2013?
  • Where should you spend your time / money?
  • Intelligence based security

–          Security sophistication must keep pace with attack sophistication!

K

Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K

RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability, while still important has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – Javascript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.

Demo against VMware 4.1 update 1.  Using a simple scan, you can find multiple VMware servers and consoles directly exposed to the internet; remember though that these attacks can easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks.  Do you have separate management, server, and database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.
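The reason an MD5 password file falls to a rainbow table is that unsalted MD5 is deterministic: every user who picked the same password has the same hash, so one precomputed table answers for all of them. This added example (not from the talk) contrasts that storage format with a salted, iterated PBKDF2-HMAC-SHA256 hash from Python’s standard library, and includes the constant-time verify routine that goes with it. The usernames and passwords are constructed; the iteration count is an assumption to be tuned to your own hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: a current-era PBKDF2-HMAC-SHA256 work factor, tune to your hardware


def md5_store(password):
    """Unsalted MD5 as the talk describes: same password in, same hash out, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing 'algo$iterations$salt$digest' format."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def collision_groups(credentials, store_fn):
    """Group users whose stored hashes are identical: the exposure a lookup table exploits.

    credentials: {username: password}. Returns {hash: [users]} for groups of two or more.
    """
    by_hash = {}
    for user, password in credentials.items():
        by_hash.setdefault(store_fn(password), []).append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed credential set: two users chose the same password.
    creds = {"alice": "Winter2012", "bob": "correct horse", "carol": "Winter2012"}
    print("MD5 collisions:   ", collision_groups(creds, md5_store))
    print("PBKDF2 collisions:", collision_groups(creds, pbkdf2_store))
    stored = pbkdf2_store("Winter2012")
    print(pbkdf2_verify("Winter2012", stored), pbkdf2_verify("winter2012", stored))
```

Reading the output, the MD5 column groups alice and carol under one hash while the PBKDF2 column groups nobody, which is the whole point of per-user salt; the iteration count is what makes guessing each hash individually expensive.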

To make things even easier tools like metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplify MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / VLAN.  I have personally used this to record (with approval of course!) VOIP calls in order to demonstrate the need to encrypt VOIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VOIP is not encrypted, why not?  Does your board know it is trivially easy to record their calls or those of finance and HR etc. on your network?
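ARP poisoning of the kind described above leaves a signature on the wire: the same IP address is suddenly claimed by a different MAC, and one MAC ends up answering for several addresses (typically the gateway and the victim). This added example (mine, not from the talk or from Cain’s documentation) shows the detection side: it parses tcpdump-style ARP reply lines, records the first MAC seen for each IP, and reports both kinds of anomaly. The capture lines are constructed for the example; on a real network you would feed it the output of a span port or a switch’s ARP inspection logs, and tune it with your known gateway addresses.

```python
import re

# Constructed sample capture in tcpdump's ARP output style.
# Lines 1-2 are the legitimate gateway and a workstation; from line 4 a third MAC claims both.
ARP_LOG = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.100 ARP, Reply 10.0.0.25 is-at 00:11:22:33:44:25, length 28
12:00:02.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28
12:00:02.500 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:99, length 28
12:00:02.600 ARP, Reply 10.0.0.25 is-at 00:11:22:33:44:99, length 28
12:00:03.000 ARP, Reply 10.0.0.30 is-at 00:11:22:33:44:30, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})")


def parse_arp_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for requests and unrelated lines."""
    m = ARP_REPLY.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def detect_arp_anomalies(lines, gateways=()):
    """Flag IP->MAC changes and MACs claiming several IPs.

    Returns {"ip_mac_changes": [(ip, old_mac, new_mac, gateway_hit)], "macs_with_many_ips": {mac: [ips]}}.
    """
    first_seen = {}          # ip -> first MAC observed for it
    ips_by_mac = {}          # mac -> set of IPs it has claimed
    changes = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        ips_by_mac.setdefault(mac, set()).add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            # A second MAC is now answering for an address we already know: classic poisoning sign.
            changes.append((ip, first_seen[ip], mac, ip in set(gateways)))
    many = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"ip_mac_changes": changes, "macs_with_many_ips": many}


if __name__ == "__main__":
    result = detect_arp_anomalies(ARP_LOG.splitlines(), gateways=["10.0.0.1"])
    for ip, old, new, gw in result["ip_mac_changes"]:
        print(f"{'GATEWAY ' if gw else ''}{ip} moved from {old} to {new}")
    for mac, ips in result["macs_with_many_ips"].items():
        print(f"{mac} is answering for {ips}")
```

A single IP-to-MAC change is not proof on its own (DHCP churn and NIC swaps produce it too), which is why the second signal matters: a MAC that claims the gateway and a host at almost the same moment is the interception pattern rather than a maintenance event. Dynamic ARP inspection on the switch, static entries for the gateway, and encrypting the VoIP traffic itself are the mitigations this detection complements.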

Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc.  An example was finding Cisco passwords in Google docs files.  This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

The talk ended with a brief comment on social networking and how the data available there, such as where you are from, which schools you went to etc., can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

RSA Conference Europe 2012 Keynotes; day one part two

Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself

For many years IT was standardising on systems from the client to the server room.  Now we have BYOD, cloud etc.  IT is becoming more diverse with many more devices and data stored across multiple locations and hosting environments.

What does this mean for IT security?  What model do we need?

Historically IT security has been defence only and point / issue based – you get viruses, so install AV etc.

We need to look more holistically at how we defend against multi-flanked attacks and advanced persistent threats.  Also consider how we can use the attack against the attacker, or to catch the attacker (think Aikido).

What do we mean by multi-flanked?  Attacks are now increasingly made up of multiple, seemingly independent attacks, many of which are just diversions so we miss the real attack.  When we are busy or focusing on a specific task we often miss obvious things.  Look up ‘how many times did the white team pass the ball’ for an example of this!

Phishing attacks are also getting much more advanced and sophisticated; these are now one of the primary ways attackers gain a foothold.

An example of this was a recent attack on a bank that started with a phishing email to gain access.  The gang then launched a DDoS attack on the bank, and while the bank was rushing around trying to keep their site up and prevent that attack being successful, the gang used the malware installed via the phishing email to steal bank and ATM details.  They then passed these to their monetising team, who created ATM cards and distributed them to hired people who all went to ATMs and withdrew cash.  This attack walked away with $9M in a couple of hours.

The attackers also do things like ensuring they use cards in ways that look legitimate, and at times when customers (the legitimate card holders) are less likely to spot the use quickly.

How do these gangs create these massive data centres of compute power yet remain invisible to law enforcement organisations such as Interpol, the FBI etc.?  Sophisticated organisations sell ‘bulletproof’ solutions hosted in one country, managed in another, sold in yet another etc.  This is a real market where actual marketing is used, and there is great competition and price pressure – it is a lot cheaper than you think!

There is also the ‘democratisation’ of cyber warfare tools – this follows neatly from the previous talk – increasingly complex and advanced tools are available more and more readily.

On the other side of this is the huge increase in what we are trying to protect – we have more and more complex systems and ever-growing data volumes.  The volume of data stored is likely to increase by 40 times from today’s levels by 2020!

What does this mean for the security industry?

We need to improve our intelligence;

–          What do they want?

–          What are our key information assets?

–          Out of all of our data which is critical, and which is ‘garbage’?

–          What is happening in your organisation?

–          How are the criminals working and what attacks are they using?

–          Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?

–          Who are the actors in the campaign?

Our intelligence and security need to be more agile – we need to improve our understanding of what is happening and the unknowns and unexpected things we discover.  Is our security agile enough to change to deal with these new and unexpected things?

Brief comment on having powerful defences and AV (well, this is Symantec..).  Good point on reputation based computing – if we have never seen this file before, should we trust it?

————-

Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption

Microsoft Security Intelligence Report release 13 is available for download as of today, and is available here;

http://download.microsoft.com/DOWNLOAD/c/1/f/c1f6a2b2-f45f-45f7-b788-32d2cca48d29/Microsoft_Security_Intelligence_Report_Volume_13_English.pdf

A great overview of the report can be found here;

http://blogs.technet.com/b/security/archive/2012/10/09/microsoft-security-intelligence-report-volume-13-now-available.aspx

Microsoft has also released some very helpful, open source, security tools;

–          Attack Surface Analyzer

–          Anti-Cross Site Scripting Library

http://aka.ms/securitytools

Microsoft recently commissioned a cloud computing survey on current barriers to and benefits of cloud adoption.  This was carried out by an independent survey company, so it is vendor neutral.  The full results can be found here;

http://aka.ms/cloudsurvey

Unsurprisingly, perceived security risks are still the top barrier; however, of those who have adopted the cloud, 54% stated they have improved security, along with 47% who managed to make cost savings on their overall security spend.  Perception and reality currently do not appear to align.  How do we address these barriers?

Improve transparency;

–          Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)

–          Drive and support industry standards

–          Commit to transparency in cloud offerings

Microsoft has just released a cloud security readiness tool that can be found here;

www.microsoft.com/trustedcloud

This is a survey tool that will allow you to assess both the security of your current environment and your readiness for cloud adoption / migration.  This is a free tool that will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use.  To ensure vendor neutrality this links in with and is based on the CSA Cloud Controls Matrix.

The output of this survey is a report for your organisation which identifies the controls relevant to your industry and regional location.

Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.

Overall this talk was lighter than the others and fairly Microsoft focused, but had some good points and highlighted some useful tools.

Note: at the time of writing the ‘aka.ms’ links are giving 404 errors.  I have emailed Microsoft and asked for this to be resolved.

———-

Keynote 5 – Herbert Thompson – Program committee chairman, RSA Conference – Securing the human: Our industry’s greatest challenge

In security we set up situations where people are destined to fail, especially if they are not security savvy or paranoid.

–          Links in emails – how do we know which are real and which are malicious?

–          What do we do about site certificate errors?

–          What do we do when a site wants us to download a file?

Security currently treats everyone the same regardless of knowledge or talent.  One size does not fit all.  Think of car insurance: you have to answer many questions, and the outcome is an insurance quote tailored to your risk profile.

We need to be the people that help the business understand the risk; enable them to make decisions and embrace change with a full understanding of the risks of doing so.

Very light talk, but great point around understanding and managing risk appropriately.

K