CSA Appoints Leaders to the International Standardization Council

February 27, 2014

[Photos: Andreas Fuchsberger and Eric Hibbard]

The CSA announced today the re-appointment of Andreas Fuchsberger and Eric Hibbard as the Co-Chairs of the CSA’s International Standardization Council. As Co-Chairs, Fuchsberger and Hibbard will be responsible for the governance and oversight of the Council.

The CSA International Standardization Council plays the important role of working to coordinate all aspects of standardization efforts within the CSA. The Council’s efforts are executed by CSA Global through the CSA Standards Secretariat involving relevant CSA research working groups in collaboration with standard developing organizations (SDOs).

Andreas Fuchsberger currently serves as the Regional Standards Officer at Microsoft, where he is responsible for Microsoft’s internal and external representation of ISO/IEC JTC1 for Central and Eastern Europe. Eric Hibbard currently serves as the CTO Security and Privacy at Hitachi Data Systems, where he represents the interests of both Hitachi and key organizations (e.g., ABA, CSA, INCITS, IEEE, TCG, SNIA, etc.) in the development of domestic and international standards and other types of specifications.

For 2014, the group will continue with the strategic role of a gatekeeper managing the CSA research intellectual property (IP) and the contribution of these IP towards global standardization efforts as well as an expert body contributing towards any SDOs’ and National Bodies’ (NBs) cloud computing and security related standards development work. Due to the highly strategic value of the ISC as well as the sensitivity of work and protection of IP, membership application is only available to active corporate members with a strong background working with international standardization communities and processes.

The CSA would like to invite corporate members that are interested in influencing standardization efforts worldwide to join the ISC. For more information or to be considered for council membership please contact the CSA Standards Secretariat, Aloysius Cheang at [email protected]

Software Defined Perimeter (SDP) Yet To Be Hacked; CSA Ups the Ante on Virtual Hackathon

February 26, 2014

Winner Now To Receive Full Pass to BlackHat, in Addition to DEF CON

San Francisco, CA – February 26, 2014 – The Cloud Security Alliance (CSA) today announced that it has upped the ante, as no one has yet been able to hack the Software Defined Perimeter (SDP) network since the contest began on Monday.

For the virtual hackathon, registered participants from all over the world have been given the IP addresses of the target file server as well as the SDP components protecting them. This in effect simulates an ‘insider attack’ – modeled after a real world environment – on both private cloud and public cloud infrastructure. Participants also have access to a reference SDP system to learn how the system works to plan their attack. The hackathon is built on a public cloud without any special protection except those provided by the Software Defined Perimeter. It helps validate the concept that software components can provide as much protection against network attacks as physical systems.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to both BlackHat and DEF CON ® 22 conference, including air and hotel, held in Las Vegas August 6-10, 2014.

“We believe the SDP is a fundamental change in how we approach securing networks, and are encouraged that no one has been able to hack the prototype yet,” said Bob Flores, judge of the event, former CTO of the CIA, and President & CEO at Applicology Incorporated. “We want to challenge any interested party, anywhere in the world, to test the security of an SDP network.”

The Software Defined Perimeter (SDP) Initiative is a CSA project aimed at developing an architecture for securing consumer devices, cloud infrastructure as well as the “Internet of Things”, using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities. Full contest rules and registration are available at https://cloudsecurityalliance.org/research/sdp/.

Members of the media and analyst community interested in attending the event should contact [email protected] for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.

Survey Shows: SAAS Vendors Ditch User Names And Passwords, Adopt SAML In Droves

February 24, 2014

by Thomas Pedersen, co-founder and CEO of OneLogin

Looks like we were on to something when we open sourced OneLogin’s first SAML Toolkit three years ago — the OneLogin 2014 State of SaaS Identity Management survey that we just completed with CSA shows that SaaS vendors are adopting SAML in droves. Of the 100 participants that completed the survey, 97 percent are backing the SAML standard for single sign-on into cloud application environments, many in response to customers asking for an easier, faster and more secure path to identity management and app provisioning.

We all know the headaches that enterprise IT managers face trying to keep up with their businesses’ demand for cloud apps while also maintaining security and compliance. SAML is now the Gold Standard for signing into cloud applications. Why? It completely eliminates all passwords and instead uses digital signatures to establish trust between the identity provider and the application. SAML-enabled SaaS applications deliver faster and more secure user provisioning in complex enterprise environments, and help simplify identity management across large and diverse user communities. Other key insights from the survey:

  • SAML in wide use for single sign-on: 67 percent of the SaaS vendors surveyed use SAML today for single sign-on identity management, while 19 percent said they planned to implement SAML within the next 12 months. Only 3 percent had no plans to implement the standard.
  • Customer demand, security and speed drive adoption: 26 percent of survey respondents cited demand from existing customers as the primary driver behind their SAML adoption, 21 percent cited improved security and compliance, and nearly 22 percent cited quick integration into cloud application ecosystems.
  • SAML adoption not limited to the web browser: 37 percent of the SaaS vendors surveyed leverage SAML on mobile versions of their apps, and 25 percent use SAML for desktop applications not including a web browser.
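The post's one technical claim is that SAML replaces passwords with digital signatures that establish trust between the identity provider (IdP) and the application (the service provider, SP). The following is an added example, not code from the post or from OneLogin's SAML Toolkits: it models the trust relationship with a simplified JSON assertion signed with Go's standard-library ECDSA instead of the real SAML XML and XML-DSig, and shows the checks an SP must apply before accepting a login: signature against the pinned IdP key, issuer, audience restriction and validity window. The entity IDs, user name and timestamps are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a simplified, JSON-encoded stand-in for a SAML assertion.
// Real assertions are XML signed with XML-DSig; these are the fields a
// service provider (SP) must check before trusting the login.
type Assertion struct {
	Issuer       string    `json:"issuer"`   // entity ID of the IdP
	Subject      string    `json:"subject"`  // authenticated user
	Audience     string    `json:"audience"` // entity ID of the intended SP
	NotBefore    time.Time `json:"not_before"`
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

// Sign is the IdP side: serialise the assertion and sign its SHA-256 digest.
func Sign(a Assertion, idpKey *ecdsa.PrivateKey) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	if sig, err = ecdsa.SignASN1(rand.Reader, idpKey, digest[:]); err != nil {
		return nil, nil, err
	}
	return payload, sig, nil
}

// Verify is the SP side. The signature must verify against the IdP public key
// pinned at integration time, issuer and audience must match, and the validity
// window must contain now. No password is involved at any point.
func Verify(payload, sig []byte, idpPub *ecdsa.PublicKey, expectedIssuer, spEntityID string, now time.Time) (Assertion, error) {
	var a Assertion
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(idpPub, digest[:], sig) {
		return a, errors.New("signature does not verify against the pinned IdP key")
	}
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	if a.Issuer != expectedIssuer {
		return a, errors.New("unexpected issuer")
	}
	if a.Audience != spEntityID {
		return a, errors.New("assertion was issued for a different service provider")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return a, errors.New("assertion outside its validity window")
	}
	return a, nil
}

// RunScenarios exercises the SP checks with constructed data: a valid login,
// a payload tampered after signing, an assertion signed by an untrusted key,
// one issued for another SP, and one presented after it expired.
func RunScenarios() (map[string]error, error) {
	idpKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // not pinned by the SP
	if err != nil {
		return nil, err
	}
	const idp = "https://idp.example.test/metadata" // constructed entity IDs
	const sp = "https://app.example.test/saml"
	now := time.Date(2014, 2, 24, 12, 0, 0, 0, time.UTC)
	base := Assertion{Issuer: idp, Subject: "alice@example.test", Audience: sp,
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}

	results := map[string]error{}
	payload, sig, err := Sign(base, idpKey)
	if err != nil {
		return nil, err
	}
	_, results["valid"] = Verify(payload, sig, &idpKey.PublicKey, idp, sp, now)

	// Changing the subject after signing breaks the digest the signature covers.
	tampered := []byte(strings.Replace(string(payload), "alice", "mallory", 1))
	_, results["tampered"] = Verify(tampered, sig, &idpKey.PublicKey, idp, sp, now)

	p, s, err := Sign(base, rogueKey)
	if err != nil {
		return nil, err
	}
	_, results["untrusted_idp"] = Verify(p, s, &idpKey.PublicKey, idp, sp, now)

	other := base
	other.Audience = "https://other-app.example.test/saml"
	if p, s, err = Sign(other, idpKey); err != nil {
		return nil, err
	}
	_, results["wrong_audience"] = Verify(p, s, &idpKey.PublicKey, idp, sp, now)

	_, results["expired"] = Verify(payload, sig, &idpKey.PublicKey, idp, sp, now.Add(time.Hour))
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range results {
		fmt.Printf("%-15s -> %v\n", name, e) // nil means the SP accepted the login
	}
}
```

The audience and validity checks matter as much as the signature: a genuinely signed assertion replayed against a different SP, or after its window, must be refused even though the IdP key verifies it.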

These findings speak volumes: SAML is stronger than ever and its momentum is fueled by the realization that the standard provides a massive security boost by enabling enterprises to more easily control access to their sensitive data. This is why OneLogin’s cloud solution for single sign-on and enterprise identity management is pre-integrated via SAML with more than 350 top enterprise applications, and why more than 150 SaaS vendors, including Dropbox, have used OneLogin’s free open source SAML Toolkits to SAML-enable their apps. Many thanks to CSA for collaborating with us on this survey, and we look forward to spreading the SAML gospel this week at RSA.

Thomas Pedersen is co-founder and CEO of OneLogin, the innovator in cloud-based enterprise identity management, ranked #1 in Network World Magazine’s review of SSO tools. Follow him on Twitter @thomasbpedersen

CSA Invites Hackers to Participate in an Insider Attack of a Software Defined Perimeter (SDP)

February 21, 2014

Bob Flores, Former CTO of the CIA and President & CEO at Applicology Incorporated to Serve as Judge

The Cloud Security Alliance (CSA) today announced additional details on its upcoming virtual hackathon, open to anyone globally, being held in conjunction with the RSA Conference, kicking off Monday, February 24th.

The hackathon will kick off with a workshop on CSA’s Software Defined Perimeter (SDP) on Monday, February 24th, from 2:00 p.m. to 3:00 p.m. at Moscone West, Room 2008. The workshop will provide participants a hands-on overview of the SDP protocol as well as a detailed view of the hackathon. To register for the free workshop, email [email protected]

For the virtual hackathon, participants will be given the IP addresses of the target file server as well as the SDP components protecting them.  This in effect will simulate an ‘insider attack’ – modeled after the real world environments and one of the most difficult to prevent – on both private cloud and public cloud infrastructure.  Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEFCON ® 22, held in Las Vegas August 7-10, 2014. Bob Flores, former CTO of the CIA and President & CEO at Applicology Incorporated, will serve as judge of the event, naming the official winner of any successful hack. Contest rules are available at https://cloudsecurityalliance.org/research/sdp/.

The Software Defined Perimeter (SDP) Initiative is a new CSA project aimed at protecting application infrastructure from network-based attacks by using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.

Members of the media and analyst community interested in attending the event should contact [email protected] for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.


Fake SSL Certificates Uncovered: The Tip of the Iceberg and Weaponized Trust

February 19, 2014

by Kevin Bocek, VP, Security Strategy & Threat Intelligence, Venafi

Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping up their attacks on trust because the results are so powerful.


Already over a quarter of Android malware is enabled by compromised certificates, and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity.

By attacking the trust established by digital certificates, cybercriminals aren’t making a quick hit. No, their intent is to own their target. Fake, compromised, stolen, misused, illicitly obtained certificates give cybercriminals the power to impersonate, surveil, and monitor—and to do so undetected.

[Image: Careto - The Mask Malware]

Just recently The Mask group infiltrated hundreds of organizations. The group’s malware stole encryption keys, digital certificates, and SSH keys. While their collection efforts have just now been identified and stopped after 7 years, the real impact is yet to come.

The attackers now own thousands of keys and certificates and, as a result, own the networks, servers, and applications of the breached organizations. They can impersonate websites with stolen keys and certificates and have root-level access with SSH keys. It is game over for these breached organizations, unless they fight back and change all of their keys and certificates immediately.

If businesses and governments don’t get a handle on the ways they are using certificates and can’t respond to these attacks, we all might as well be investing in bulldozers. Our data centers are worthless when the basic, foundational element of trust on the Internet—digital certificates—is compromised.


We can’t tell the good from the bad and so just need to bulldoze and start new. But, we don’t have a replacement technology for digital certificates so we have to stand and fight. Otherwise, the reality Gartner painted of “living in a world without trust” will come true (Gartner ID: G00238476).

Hack the SDP – win a trip to DEF CON!

February 17, 2014

Following the CSA Summit at RSA on Monday Feb 24th, the CSA will be hosting a Software Defined Perimeter workshop and a ‘virtual hackathon’, open to anyone.

The workshop will provide a detailed demo and explanation of SDP, and will kick off the ‘virtual hackathon’ contest, which will last until 3pm PST on February 27, challenging participants to hack the SDP protocol, modeled after military-grade networks.

The SDP Hackathon gives participants the IP addresses of the target file server as well as the SDP components protecting them.  This in effect will simulate an ‘insider attack’ – one of the most difficult to prevent – on both private cloud and public cloud infrastructure.  Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses paid trip to DEF CON ® 22, held in Las Vegas August 7-10, 2014. Contest rules and registration are available at www.HackSDP.com. Space is limited; interested attendees should go to https://cloudsecurityalliance.org/events/csa-summit-2014/#_rsa to reserve a seat at the workshop.

The Launch of the NIST Cybersecurity Framework

February 13, 2014

by John DiMaria, BSI

I was one of those invited to attend the NIST Cybersecurity Framework launch yesterday at the White House. It was a very nice, well-organized and positive event.

“The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union”. – White House Press Release.

Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities.  The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.

• The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.

• The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.

• The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices. – White House Press Release

First, congratulations to Adam Sedgewick and his team for a great job spearheading this unprecedented collaboration between government and private sector. DHS has also done a good job of launching this program along with the publication of the Framework.

I’d also like to say thank you to all the great professionals that attended all 5 workshops. I had the honor to work with many of them. We forged some great new business relationships and had some laughs along the way. One personal take-away was that no matter how old we get or how experienced we think we are, if you have discussions with the intent of listening and not answering, you can learn something from everyone you meet.

I am sure there will still be the naysayers and “headline grabbers” out there that will formulate and dwell on negatives, but being in the standards business for more than 20 years at all levels (and this is not a standard), I can tell you no initial framework, guidance or standard will ever be 100% right out of the box.

Even President Obama stated after the launch, “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity”.

As it was mentioned at the launch, this is a “living document”. A couple of comments that stood out in my mind from the 3 CEOs at Pepco, Lockheed and AT&T:

“We are only as good as our weakest link” (working with the supply chain and getting them to adopt the framework is critical) and “National Security and the economy depend on good cybersecurity and globally recognized standards”. Time to pull together.

As Benjamin Franklin said “If we do not hang together, we shall surely hang separately”.

There will be an industry expert panel discussing the framework on March 6th.

https://cc.readytalk.com/cc/s/registrations/new?cid=g9gw7cm5asq3

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own. 

SecureCloud Update: Neelie Kroes, VP of the European Commission to Give Opening Keynote Address

February 11, 2014

SecureCloud 2014 is now just under two months away and we are excited to announce that Neelie Kroes, Vice President of the European Commission, will be giving the opening keynote address on April 1st.

[Photo: Neelie Kroes, VP of the European Commission]

Since 2010, Kroes has held the responsibility over the Digital Agenda for Europe. This portfolio includes the information and communications technology (ICT) and telecommunications sectors. As a strong promoter of the adoption of cloud computing in Europe, Kroes has been actively supporting actions to lower the barriers to the uptake of the cloud in the internal market. Kroes joins an all-star line-up of cloud security experts and visionaries, including Dr. Udo Helmbrecht, Dr. Richard Posch, Alan Boehme, Richard Mogull, as well as CSA CEO, Jim Reavis.

SecureCloud 2014 produced by the CSA, ENISA and Fraunhofer-FOKUS is an opportunity for government experts, industry experts and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security. It is also a place to learn from cloud computing experts about cloud computing security and privacy as well as to discuss about practical case studies from industry and government.

Early bird discount pricing is being offered through February 14.  To register for SecureCloud 2014 visit: https://cloudsecurityalliance.org/events/securecloud2014/#_reg


Cybersecurity absent during the State of the Union Address

February 6, 2014

by John DiMaria, BSI

I was disappointed that there was only a passing mention to cybersecurity at the recent State of the Union Address. As a matter of fact if you took a bite of your popcorn at the wrong time you missed it.

I realize the president’s address was focused mainly on the economy, but the biggest threat to our economy today is the lack of preparedness to identify, mitigate, detect and ward off a major cybersecurity attack.

The President clearly states in Section I of the Executive Order, Improving Critical Infrastructure Cybersecurity, released last February, that “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats”.

The right attack could cripple this nation and its infrastructure. We are reminded daily of the disasters that just affected the retail industry, what if that attack was targeted directly at the banking industry or even the stock exchange? Suppose you woke up one morning and found out that the NYSE or the reporting outlet’s computers had been hacked and false information had been reported over the last week or even just 24 hours? Not possible? Think again.

Just a couple of days ago (January 28, 2014) a story written by BankInfo Security noted that a hacktivist group known as the European Cyber Army had waged targeted distributed-denial-of-service attacks against Bank of America and JPMorgan Chase. The author Tracy Kitten reported that “The European Cyber Army claims to have targeted the United States’ two leading banking institutions without warning, according to a string of tweets the group posted Jan. 28. But the attackers suggest a target list may soon be released”. (Tracy Kitten, 2014)

In August of 2013 there was an outage of the Nasdaq stock exchange. Investigation showed that the incident had all the earmarks of the three waves of denial-of-service attacks that had bedeviled U.S. financial institutions, including stock brokerages, since September 2012. USA Today reported that an Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — claimed credit for orchestrating sophisticated attacks that have overwhelmed the expensive security systems U.S. banks have put into place to keep their online banking services up and secure. The story noted that Reuters reported the giant brokerage house “reported a system programming error that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase & Co., Johnson & Johnson and Kellogg Co.,”. Earlier that week there was a computer error that caused Goldman Sachs to sell options for a dollar. (Byron Acohido, 2013)

Just the April prior, Syrian hackers claimed an AP hack that tilted the stock market by $136 billion. According to the Washington Post story, the official Twitter account of the Associated Press sent a tweet to its nearly 2 million followers that warned, “Breaking: Two Explosions in the White House and Barack Obama is injured,” and some of the people who received this tweet were apparently on or near the trading floor of the New York Stock Exchange.

The Dow began to nosedive and dropped about 150 points, from 14697.15 to 14548.58, before stabilizing when news that the tweet had been erroneous began to spread. During those three minutes, the “fake tweet erased $136 billion in equity market value,” according to Bloomberg News’ Nikolaj Gammeltoft. (Max Fisher, 2013)

Cyberattacks are evolving at an incredible rate. James Lyne, Director of Technology Strategy at Sophos, who focuses on upcoming technology and threat trends, in a recent interview with BankInfoSecurity noted that “cybercriminals are approaching their activities with a business-like mindset, streamlining the process of obtaining the malicious code they need and targeting who they want to hit with their exploits”. He reported that five or six years ago you’d see numbers like 6,000 pieces of malware a day, and today, on average, they see 250,000 individual, new PC malicious codes every day. (Jeffrey Roman, 2013)

I, like hundreds of other professionals, attended all five of the NIST Cybersecurity Workshops. We were there because we cared, because we believed in the message sent by the executive order; we applauded the effort and wanted to get involved to make a difference.

Not even a mention of cybersecurity reminding everyone that it still stands as one of the biggest threats and that “The national and economic security of the United States still depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats” was disappointing, and it is concerning that this is just another “flavor of the month” that will die or get lost once the midterm elections are over this November.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.

Bibliography

Jeffrey Roman. (2013, July 3). How Cyber-Attacks Are Evolving. p. 1.

Max Fisher. (2013, April 23). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? p. 1.

Byron Acohido. (2013, August 22). Nasdaq outage resembles hacker attacks. p. 1.

Tracy Kitten. (2014, January 29). DDoS: New Attacks Against Banks. p. 1.


Top Security Questions to Ask Your Cloud Provider

February 6, 2014

When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as a top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we’ve compiled a list of questions to help you determine the level of security the provider offers.

1. What is your data encryption viewpoint, and how do you encrypt data? Do you encrypt data at rest or in transit? Is there an encryption offering and, if so, what level of encryption and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What actions do you do to destroy data after it is released by a customer?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided: Admin/MGMT, Billing, System Information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access immediately to my data in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime and SLA option? What if SLA is not met?
23. Do you alert your customers of important changes like security practices and regulations or data center locations?
24. What country (or countries) is my data stored in – both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?


Author

Andy Duewel
