February 11, 2014
SecureCloud 2014 is now just under two months away and we are excited to announce that Neelie Kroes, Vice President of the European Commission, will be giving the opening keynote address on April 1st.
Since 2010, Kroes has held responsibility for the Digital Agenda for Europe. This portfolio includes the information and communications technology (ICT) and telecommunications sectors. As a strong promoter of the adoption of cloud computing in Europe, Kroes has been actively supporting actions to lower the barriers to the uptake of the cloud in the internal market. Kroes joins an all-star line-up of cloud security experts and visionaries, including Dr. Udo Helmbrecht, Dr. Reinhard Posch, Alan Boehme, Richard Mogull, as well as CSA CEO, Jim Reavis.
SecureCloud 2014, produced by the CSA, ENISA and Fraunhofer-FOKUS, is an opportunity for government experts, industry experts and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security. It is also a place to learn from cloud computing experts about cloud computing security and privacy, as well as to discuss practical case studies from industry and government.
Early bird discount pricing is being offered through February 14. To register for SecureCloud 2014 visit: https://cloudsecurityalliance.org/events/securecloud2014/#_reg
February 6, 2014
by John DiMaria, BSI
I was disappointed that there was only a passing mention of cybersecurity at the recent State of the Union Address. As a matter of fact, if you took a bite of your popcorn at the wrong time, you missed it.
I realize the president’s address was focused mainly on the economy, but the biggest threat to our economy today is the lack of preparedness to identify, mitigate, detect and ward off a major cybersecurity attack.
The President clearly states in Section I of the Executive Order, Improving Critical Infrastructure Cybersecurity, released last February, that “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”
The right attack could cripple this nation and its infrastructure. We are reminded daily of the disasters that just affected the retail industry; what if that attack had been targeted directly at the banking industry or even the stock exchange? Suppose you woke up one morning and found out that the NYSE or the reporting outlet’s computers had been hacked and false information had been reported over the last week, or even just the last 24 hours? Not possible? Think again.
Just a couple of days ago (January 28, 2014) a story written by BankInfoSecurity noted that a hacktivist group known as the European Cyber Army had waged targeted distributed-denial-of-service attacks against Bank of America and JPMorgan Chase. The author, Tracy Kitten, reported that “The European Cyber Army claims to have targeted the United States’ two leading banking institutions without warning, according to a string of tweets the group posted Jan. 28. But the attackers suggest a target list may soon be released.” (Tracy Kitten, 2014)
In August of 2013 there was an outage of the Nasdaq stock exchange. Investigation showed that the incident had all the earmarks of the three waves of denial-of-service attacks that have bedeviled U.S. financial institutions, including stock brokerages, since September 2012. USA Today reported that an Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — claimed credit for orchestrating sophisticated attacks that have overwhelmed the expensive security systems U.S. banks have put into place to keep their online banking services up and secure. The story noted that Reuters reported the giant brokerage house “reported a system programming error that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase & Co., Johnson & Johnson and Kellogg Co.” Earlier that week, a computer error had caused Goldman Sachs to sell options for a dollar. (Byron Acohido, 2013)
Just the April prior, Syrian hackers claimed an AP hack that tilted the stock market by $136 billion. According to the Washington Post story, the official Twitter account of the Associated Press sent a tweet to its nearly 2 million followers that warned, “Breaking: Two Explosions in the White House and Barack Obama is injured.” Some of the people who received this tweet were apparently on or near the trading floor of the New York Stock Exchange.
The Dow began to nosedive and dropped about 150 points, from 14697.15 to 14548.58, before stabilizing when news that the tweet had been erroneous began to spread. During those three minutes, the “fake tweet erased $136 billion in equity market value,” according to Bloomberg News’ Nikolaj Gammeltoft. (Max Fisher, 2013)
Cyberattacks are evolving at an incredible rate. James Lyne, Director of Technology Strategy at Sophos, who focuses on upcoming technology and threat trends, noted in a recent interview with BankInfoSecurity that “cybercriminals are approaching their activities with a business-like mindset, streamlining the process of obtaining the malicious code they need and targeting who they want to hit with their exploits.” He reported that five or six years ago you’d see numbers like 6,000 pieces of malware a day, and today, on average, they see 250,000 individual, new pieces of malicious PC code every day. (Jeffrey Roman, 2013)
I, like hundreds of other professionals, attended all five of the NIST Cybersecurity Workshops. We were there because we cared, because we believed in the message sent by the executive order; we applauded the effort and wanted to get involved to make a difference.
That there was not even a mention of cybersecurity, reminding everyone that it still stands as one of the biggest threats and that “The national and economic security of the United States still depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats,” was disappointing. It is also concerning that this may be just another “flavor of the month” that will die or get lost once the midterm elections are over this November.
John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.
Jeffrey Roman. (2013, July 3). How Cyber-Attacks Are Evolving. BankInfoSecurity, p. 1.
Max Fisher. (2013, April 23). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? The Washington Post, p. 1.
Byron Acohido. (2013, August 22). Nasdaq outage resembles hacker attacks. USA Today, p. 1.
Tracy Kitten. (2014, January 29). DDoS: New Attacks Against Banks. BankInfoSecurity, p. 1.
February 6, 2014
When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as a top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we’ve compiled a list of questions to help you determine the level of security the provider offers.
1. What is your data encryption viewpoint, and how do you encrypt data? Do you encrypt data at rest or in transit? Is there an encryption offering and, if so, what level of encryption and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What actions do you take to destroy data after it is released by a customer?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided: Admin/MGMT, Billing, System Information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access immediately to my data in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime and SLA option? What if the SLA is not met?
23. Do you alert your customers of important changes like security practices and regulations or data center locations?
24. What country (or countries) is my data stored in – both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third-party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?
February 6, 2014
The cloud, aka cloud computing, has many different colloquial definitions, all of which seem to be somewhat different depending on who you are talking to. A few of the different terms you may hear are Software as a Service (SaaS), virtual enterprise, carrier (or service provider) cloud, and I am sure many others.
Here is a quick list of some of the main types of solutions in the cloud with a couple of providers for each:
Software as a Service (SaaS)
- Office 365
- Google Apps
Virtual Enterprise
- Amazon’s AWS
- Microsoft Azure
Carrier/Service Provider Cloud
- Alcatel-Lucent’s Cloudband
- VMware’s vCloud
- Verizon Terremark’s Enterprise Cloud Services
This is by no means a complete list of cloud providers and really only scratches the surface. There are many providers all with a different portfolio of offerings and their own personal touches.
The term “cloud” varies in meaning and is really up for your own interpretation. How you define it and use it really depends on your imagination and capabilities as a company. It will, in most cases, provide greater flexibility, ease of deployment and a very scalable environment. Some companies have created business models that rely on cloud connectivity. Others use it to save on IT and hardware costs.
The cloud has grown over the last ten years with a couple different technologies/ideologies playing major roles in getting it to where it is today: Virtualization and Shared Resources.
These two technologies provided the springboard that launched the cloud into the “needed by all companies” status it maintains today. We still haven’t talked about how this can help a company grow and save money, so let’s take a look at what each type of cloud solution can do for a business.
Software as a Service (SaaS)
Solutions such as Office 365 and Google Apps provide enterprise software (Microsoft Office and Google Drive, respectively) for companies to use through the cloud. This helps small to medium size companies who may not be able to afford dedicated IT staff to run a full-blown mail, calendar, storage and chat solution in-house. However, large companies may run this same solution to simplify upgrades of these solutions as well as server capacity. Storage and server hardware would no longer be yours to maintain.
Virtual Enterprise
Environments like Amazon’s AWS and Microsoft’s Azure provide a much larger scale solution for businesses and even personal use. With Amazon’s EC2, you can set up a virtual instance running nearly any OS out there and can use S3 to scale a storage solution for that machine, or even for others to share. Azure also has competing solutions.
The possibilities are truly endless with these types of cloud infrastructure. Many companies run their entire website from this type of cloud infrastructure. Others use it as a Content Delivery Network (CDN) for web and mobile applications. There are many other ways you and your company can benefit from utilizing virtual machines, storage, backup, database and all the other cloud solutions AWS and Azure offer.
Carrier/Service Provider Cloud
Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are a couple of terms that are used when it comes to the carrier or service provider cloud. A great description of this type of cloud solution comes from Wikipedia:
“Carrier Cloud is a class of cloud that integrates wide area networks (WAN) and other attributes of communications service providers’ carrier grade networks to enable the deployment of highly demanding applications in the cloud. In contrast, classical cloud computing solutions focus on the data center and do not address the network connecting data centers and cloud users. This may result in unpredictable response times and security issues when business critical data are transferred over the Internet.”
Per this definition, the cloud has focused on data centers and applications up until just recently. We were still limited by WAN connectivity, performance, availability, security and SLAs. Until the carrier cloud started to make its push over the last few years, some companies would not put critical applications into any cloud environment.
Now with carrier clouds we have a greater ability to load balance across multiple data centers and resources based on WAN connectivity as well as system utilization. We gain a higher level of SLAs, governance, risk and compliance (GRC) and security. This part of the cloud is the infant of the group, so it will be fun watching how carrier clouds grow with the wide adoption of software-defined networking (SDN) and the evolution of networking.
February 5, 2014
January 28, 2014
By Krishna Narayanaswamy, Chief Scientist at Netskope
On average, there are 397 cloud apps running in enterprises today. This is one of the findings in the second quarterly Netskope Cloud Report, an account of trends on cloud app adoption and usage. What makes this number interesting is that it’s about 10x the number that IT professionals estimate. Adding to the intrigue, 77 percent of those apps aren’t enterprise-ready based on the Netskope Cloud Confidence Index™, an objective measure of cloud apps’ security, auditability, and business continuity adapted from Cloud Security Alliance guidance.
The thing that really strikes us is the average number of cloud apps per category in each enterprise. The largest number is Marketing, with 51. That’s not that surprising, though. Our own startup marketing department uses almost that many apps. The second highest was more concerning, though: HR, with 35. While HR is a broad category, with specific apps for benefits, salary, performance, time-tracking, and more, the number still raises security and compliance questions. With that many apps, IT professionals are concerned about whether they have the appropriate controls in place to protect sensitive data like personally-identifiable information.
Beyond the apps themselves, the real risks lie in the usage of cloud apps. The report tracks the most common activities in cloud apps – edit, view, download, post, and share. These activities are especially telling when juxtaposed against policy violations, activities concerning data classified as “sensitive” or “confidential,” and data leakage incidents.
Get the full Netskope cloud report here.
January 23, 2014
By Sanjay Beri, Founder and CEO, Netskope
In today’s cloud-dominated business world, it is difficult for IT departments to get a hold of exactly where their data lies and who has access to it. Enterprise security is and will continue to be a big concern because of this, but a “zero trust” policy when it comes to cloud apps is not the answer. Cloud apps like Dropbox, Salesforce and Google Apps are used for business-critical functions and can’t simply be blocked because there isn’t enough information for IT decision makers to feel comfortable.
So how do you support cloud app usage while protecting the business? Below are six key considerations to keep in mind as you create or modify existing policies to protect your assets, keep the business running and employees smiling.
1. Accept. According to a survey from OneLogin and flyingpenguin, 78 percent of organizations anticipate cloud app usage will continue to grow internally, yet 71 percent of employees admit to using unsanctioned apps. Acknowledge that cloud apps will be used whether you implement a policy or not, so you may as well have some visibility and control over it. Your employees are using these apps to be more productive by working in smarter ways; they may not be aware that their actions could cause harm to the business.
2. Learn. Get insight into the cloud apps your workforce is using and which apps are exposing your corporate data. This way, you can see where your data is going and where your business is most vulnerable. You can also identify where the majority lies as well as redundant apps with the same use cases. For example, you may find that employees are using five different CRM apps even though the company is officially standardized on one. By understanding where duplication lies, you can save money by eliminating duplicative apps from your stack.
The information required for this learning can be found through technical tools as well as good old-fashioned techniques like talking to employees and finding out what they like and want to use. Deeper learning should really look and feel more like an assessment (or dare I say audit) of the cloud apps being used. There are technical tools that can help, and the good news for IT is that new tools have come onto the scene that go beyond one-off or do-it-yourself firewall/proxy log data analysis.
3. Educate. More often than not, employees don’t want to cause harm to the organization they work for. Often two cases emerge: people are using apps in an insecure way, or they are using apps that aren’t up to your standards of security to begin with. According to the 2013 Verizon Data Breach Investigations Report, 14 percent of data breaches are a result of employee error, and 71 percent of attacks were committed via user devices. Furthermore, over 30 percent of cloud apps are rated low or poor, according to Netskope’s Cloud Confidence Index, an independent evaluation of cloud apps based on 30+ criteria measuring those apps on security, auditability and business continuity. Most of the time employees are completely unaware that they’re putting the business at risk — and so are you. Once you’re aware of the apps they’re using, and the way they’re using them, you can begin to provide guidance on safe usage, and begin to set policies on the apps that are being used to keep the business safe.
4. Prioritize. With new apps emerging every day, it’s overwhelming to keep up and track every single one. Start by prioritizing your policy according to the apps that are most popular among your users. Encourage app usage that is both productive and safe according to your policy. In most cases, you’ll be empowering employees to continue using their favorite apps in a safer, more responsible way. Alternatively, this is an opportunity to introduce them to new apps with similar capabilities that are more in line with the company’s policy.
You should also prioritize the security and compliance issues that are most important to your business as you begin to create your policy. Make a list of the features that all sanctioned cloud apps must have. Some questions to start with are:
- Does the cloud app include access control options (e.g., multifactor authentication or IP filtering)?
- Are the cloud app’s data centers dispersed geographically? Are they SOC-1 certified?
- Does the cloud app backup data to a separate location?
- Is customer data separated in the cloud app, or is it commingled?
- Does the cloud app offer granular user policy and permissions based on the role of the user or admin?
- Does the cloud app provider offer audit logs for admin, user or data access?
- Does the cloud app have the necessary compliance certifications (e.g., HIPAA, PCI, SP800-53, GAPP, TRUSTe, etc.)?
5. Re-think blocking. Blocking usage of SaaS/cloud apps just isn’t realistic today, and having a posture that is more focused on allowing those apps will go a long way when it comes to employee acceptance and their willingness to play by the rules. If they see the sophistication in your approach, you’ll get more buy-in when you have to block something because they’ll know it’s for a good reason.
The most important concept here is to help employees understand how they can keep using the apps they love AND help keep business data safe. These considerations will enable you to secure company assets and arm your users with the best available tools.
January 22, 2014
SecureCloud 2014 is just around the corner and the CSA is pleased to announce the keynote speaker lineup for this must-attend event, which is taking place in Amsterdam on April 1-2.
This year’s event will feature keynote addresses from the following five security experts on a wide range of cloud security topics:
- Prof. Dr. Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA) will speak on the uptake of Cloud computing in Europe and how ENISA supports Cloud Security in the Member States.
- Prof. Dr. Reinhard Posch, CIO for the Austrian Federal Government will present on the European Cloud Partnership and Austrian Government approach to cloud
- Alan Boehme, Chief of Enterprise Architecture for The Coca-Cola Company will present on the CSA Software Defined Perimeter initiative
- Jim Reavis, CEO of the Cloud Security Alliance will discuss trends and innovation in cloud security and CSA activities in 2014
- Richard Mogull, CEO of Securosis will give the closing keynote on Automation & DevOps
If you haven’t already registered, early bird discount pricing is being offered through February 14. Registration information can be found at:
We look forward to seeing all of you in Amsterdam in the spring!
January 15, 2014
Last month I co-presented a webinar with ISIGHT Partners, a leader in cyber-threat intelligence, to discuss a white paper that exposes how keys and certificates can be used for nefarious intentions. Our purpose was to highlight some of the tactics malicious actors use and outline their profiles in relation to keys and certificates. Due to time constraints, we did not cover how most organizations expose themselves to cryptographic vulnerabilities simply because keys and certificates are viewed as an operational problem and not as a security issue that needs to be addressed immediately!
For example, for most organizations today, the most critical element of certificate management is monitoring the validity period—that is, the certificate’s expiration date. The reason is simple: if a certificate expires, it will result in a service outage. Most organizations track validity periods either in a spreadsheet or a portal such as SharePoint. Disappointingly, there are many public examples of failure to manage even the expiration date of certificates—such as the Microsoft Azure outage earlier this year—let alone the actual security configuration of a certificate.
Secure Shell (SSH) keys, on the other hand, do not have expiration dates that organizations must track. Instead organizations need to have a clear understanding of where SSH private keys are stored and control the systems to which certain individuals have access. In most organizations, it is up to the application administrator or SSH administrator to track this information. Unfortunately, in most organizations, numerous individuals manage the keys, using disparate management practices, and no one can determine how SSH keys are being used in the network.
Take, for example, how Edward Snowden breached the National Security Agency (NSA): an illustration of the SSH key management shortfall at the NSA.
Encryption keys and digital certificates provide the backbone of trust across corporate networks and the Internet. In planning for future expansion, organizations need to understand and appreciate that the digital universe is expanding at an alarming rate. If organizations can’t perform rudimentary key management today, how will they cope with both the volume of keys and certificates as more are consumed, and how will they secure and protect them?
This is exactly why malicious actors are increasingly taking advantage of keys and certificates as an attack vector, making them the perfect trust threat. For example, malicious actors can:
- Sign malicious code with a stolen legitimate certificate to avoid anti-virus detection
- Take advantage of inadequate procedures for issuing certificates and obtain a fake Secure Sockets Layer (SSL) certificate, which can be used in man-in-the-middle attacks
- Exploit an organization’s limited visibility into the usage of SSH to launch insider threats
- Use advances in technology to exploit legacy cryptographic technology and standards
Organizations need to stop viewing keys and certificates as a basic operational issue and start understanding that they can be a serious threat to their business if they are not secured and protected.
The question is, what do organizations do about the fact that they require keys and certificates to establish trust, but malicious actors are exploiting that trust and using it against them? There is light at the end of the tunnel: organizations can still use keys and certificates to establish the trust they need in the digital world, and they don’t need to accept that keys and certificates will be used against them. That’s not to say it will never happen, because chances are most organizations have already been compromised, but there are ways to limit key and certificate threat exposure and to respond and remediate quickly if an organization is compromised.
Taking the first step
When it comes to key and certificate security, organizations must know their key and certificate inventory. They must also understand key and certificate attributes and make sure they are configured to meet recommended security guidelines while not impeding business goals. To do this, organizations need to scan their enterprise networks on a regular basis to address key areas:
- Secure configuration of cryptographic assets
- Detection of anomalous key and certificate usage—malicious or negligent
Secure configuration of cryptographic assets
When organizations configure cryptographic keys and digital certificates, they should follow best practice guidelines that factor in known exploits and improvements in technology. Organizations can consult standards bodies such as the National Institute of Standards and Technology (NIST), which provide recommendations for cryptographic resources. For example, NIST has established a minimum key size of 2048 bits, stating that 1024-bit keys should no longer be used after December 31, 2013. The hashing algorithm SHA-1 has suffered the same fate.
By enforcing standards that meet minimum security requirements, organizations can protect their network resources against potential exploits such as the BEAST exploit. However, organizations should keep in mind that evaluating singular attributes on their own will not adequately protect their network resources against breaches. As an example, when evaluating an IT infrastructure’s weakness against the BEAST exploit, organizations need to take into consideration the version of Transport Layer Security (TLS), the cipher suite, and the configuration used. Evaluating each of these factors individually would not bring the vulnerability to light.
Detection of anomalous key and certificate usage
Simply identifying the key and certificate inventory will not help organizations detect rogue usage of an SSH key or malware that is using a self-signed certificate to encrypt command and control (C2) traffic. To detect these issues, organizations need to understand the key and certificate inventory and the policies being enforced—all of which were addressed in the first step. Organizations must then frequently scan the environment so that they can detect any rogue keys or certificates that may have been maliciously placed in the network. If a rogue key or certificate is detected, organizations can investigate how it is being used and take action.
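The following Go program is an added example, not code from the original post or from any product it describes. It applies the configuration checks named under "Secure configuration" (RSA key size below 2048 bits, SHA-1 or older signature hashes, expiry) plus the self-signed-issuer check that an inventory scan needs for the "Detection" step, and it rates BEAST exposure from TLS version and cipher suite together rather than one attribute at a time. The certificates it audits are constructed in memory; the names AuditCert, BeastExposed and MustTestCert are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one policy violation found on a certificate.
type Finding struct {
	Check  string // key-size, signature, expired, expiring, self-signed
	Detail string
}

// AuditCert applies the minimum-configuration rules from the post to one parsed
// certificate: RSA keys below 2048 bits, signatures using SHA-1 or older hashes,
// expiry, and an issuer equal to the subject (self-signed, so not chained to an
// enterprise CA). `now` is injected for determinism; `warn` is the renewal window.
func AuditCert(c *x509.Certificate, now time.Time, warn time.Duration) []Finding {
	var fs []Finding
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		fs = append(fs, Finding{"key-size", fmt.Sprintf("RSA key is %d bits, minimum is 2048", pub.N.BitLen())})
	}
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		fs = append(fs, Finding{"signature", "weak signature hash: " + c.SignatureAlgorithm.String()})
	}
	switch {
	case now.After(c.NotAfter):
		fs = append(fs, Finding{"expired", "expired on " + c.NotAfter.Format(time.RFC3339)})
	case c.NotAfter.Sub(now) < warn:
		fs = append(fs, Finding{"expiring", fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24))})
	}
	if bytes.Equal(c.RawIssuer, c.RawSubject) {
		fs = append(fs, Finding{"self-signed", "issuer equals subject: " + c.Subject.CommonName})
	}
	return fs
}

// BeastExposed evaluates protocol version and cipher suite together, as the post
// recommends: BEAST needs a CBC-mode cipher AND SSL 3.0 or TLS 1.0. The same CBC
// suite on TLS 1.1+ is not exposed, nor is TLS 1.0 with a non-CBC suite (RC4 has
// other weaknesses that this single check does not rate).
func BeastExposed(version uint16, suite uint16) bool {
	return version <= tls.VersionTLS10 && strings.Contains(tls.CipherSuiteName(suite), "_CBC_")
}

// MustTestCert builds a self-signed certificate in memory so the audit runs
// offline. This is constructed test data, not a certificate from any real network.
func MustTestCert(bits int, notAfter time.Time) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "scan-test.example.invalid"},
		NotBefore:          notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:           notAfter,
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	now := time.Date(2014, 1, 15, 0, 0, 0, 0, time.UTC)
	weak := MustTestCert(1024, now.Add(20*24*time.Hour))
	weak.SignatureAlgorithm = x509.SHA1WithRSA // mark the parsed record as SHA-1 signed
	for _, f := range AuditCert(weak, now, 30*24*time.Hour) {
		fmt.Printf("%-12s %s\n", f.Check, f.Detail)
	}
	fmt.Println("TLS 1.0 + AES-CBC exposed to BEAST:", BeastExposed(tls.VersionTLS10, tls.TLS_RSA_WITH_AES_128_CBC_SHA))
}
```

In a real scan the certificates would come from files, keystores or TLS handshakes across the inventory rather than from MustTestCert; the audit logic is the same.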
As the use of keys and certificates as an attack vector continues to rise, organizations need to take responsibility for securing and protecting the very trust that is established by keys and certificates. Treating them as an operational issue will only result in opportunity for malicious actors to compromise networks. Regularly evaluating the network to detect key and certificate vulnerabilities is the only way to mitigate key and certificate based attacks.
January 15, 2014
Steve Malmskog has more than 15 years of experience as a chief network architect.
For more Movie Line Monday videos by Netskope, the cloud app analytics and policy company, feel free to visit http://www.netskope.com/