4 Lessons Learned From High Profile Credit Card Breaches

October 7, 2014

By Eric Sampson, Manager and QSA Lead, BrightLine

The media has been filled with stories of high profile credit card breaches, including those at Target, Neiman Marcus, P.F. Chang’s and, most recently, Home Depot. Details on the Home Depot breach are still emerging, but the details of the Target and Neiman Marcus breaches are well known and have the public asking whether it will happen again.

However, the real question we should be asking ourselves is when will it happen again?

Experienced Qualified Security Assessors (QSAs) will acknowledge that securing the cardholder data environment by meeting PCI DSS requirements provides a certain baseline level of security; however, it would be naïve to say that this alone will protect an organization from an attack. In several areas a merchant should realize that the PCI DSS is an important start, but only the foundation. One example is event logging.

The detailed requirements for event logging (section 10.6) assume that a merchant or service provider will actually use the logs for investigative purposes. That said, having a process to review audit logs daily does not guarantee that the employees responsible for reviewing logs and alerts will identify important or suspicious events in a timely and accurate manner. Similarly, during a PCI DSS assessment, QSAs are tasked with validating that daily log review processes and/or log harvesting technologies are implemented. However, QSAs will not critique the details of the log review process or evaluate the robustness of log parsing tools.

So, how does this pertain to recent breach events?

It has been reported that many security log events pertinent to the breaches were generated, but were either ignored or not acted upon in a timely manner, perhaps lost in the myriad of audit logs.

To go beyond the baseline standard, we can ask more probing questions such as:

  • How do log events lead to the correct action?
  • How quickly should they be addressed?
  • Does the team responsible for reviewing these events and alerts have sufficient training and tools necessary to identify possible attacks?

Verizon’s 2014 Data Breach Investigations Report found that 1% of data breaches were discovered by a review of audit logs. Surely a much higher number of breaches could have been detected through an effective internal review of audit logs. What does that say about our ability to detect breaches as they occur?

I have four thoughts for consideration:

  1. Devote resources to training. Individuals responsible for reviewing security events and alerts need to develop the skills to identify and act upon suspicious events that may indicate unauthorized activity.
  2. Invest in good tools. Does the organization currently have sufficiently capable log monitoring and file integrity monitoring tools? These tools should allow an organization to scan large amounts of information and still extract the specific events that could impact the organization.
  3. Be proactive. Understanding how alerts are generated, what data an alert contains and who reviews them is paramount. A careful plan avoids discovering during an incident that a critical system is missing logs, which results in an incomplete view of the incident and potentially unnecessary future expenditure.
  4. Prepare drills. In a variety of specialties, including the military, medicine and the airline industry, exercises in handling emergency events have made many lives safer. Although we try to prevent a breach from happening, drills ensure that if one does happen it can be resolved quickly and effectively. Reviewing audit logs and alerts can be a tedious activity at times; make it interesting by staging mock attacks. Consider making this exercise a component of incident response plan tests and penetration tests.

Organizations face an ever-expanding landscape of threats, vulnerabilities and risks, not to mention an ever-rising mountain of logs to review and manage. Bringing thoughtful consideration to security log management will enable an organization to take action where needed, understand important events, and address potential security threats when they are identified.

Was the Cloud ShellShocked?

October 6, 2014

By Pathik Patel, Senior Security Engineer, Skyhigh Networks

Internet security has reached its highest DEFCON level. Another day, another hack: the new bug on the scene, known as “Shellshock”, blew up headlines and Twitter feeds.

Shellshock is a vulnerability in the Bourne Again Shell (Bash), the widely used shell for Unix-based operating systems such as Linux and OS X. The bug allows an attacker to remotely execute commands through vulnerable network-facing services. It is extremely easy to exploit, requiring neither deep application knowledge nor significant computational resources. The power of the bug (arbitrary command execution), combined with the relative ease of launching an attack, led industry analysts to label it more serious than Heartbleed. The National Institute of Standards and Technology assigned the vulnerability its highest risk score of 10.

What are the implications of ShellShock for cloud security? At Skyhigh, we reviewed enterprise use of over 7,000 cloud service providers for vulnerabilities. The results surprised us.

We initially expected to discover rampant vulnerability to Shellshock amongst cloud service providers. The data portrayed a more mixed-bag of cloud application security.

Four percent of end-user devices in the enterprise environment run the vulnerable version of Bash, reflecting the dominance of Windows in enterprise networks. We also found that only three cloud service providers employ the common gateway interface (CGI), the primary vector of attack. While cloud service providers may be vulnerable through other vectors (e.g. SSH ForceCommand), the fact that they avoid the primary attack vector of the bug through design and architectural complexity is an indication of the maturity of today’s cloud applications.

However, when we scanned the top IaaS providers (e.g. AWS, Rackspace) for the Bash vulnerability, 90% of checks reported the vulnerable Bash version on the default images provisioned. Customers should not wait for their IaaS providers to take the initiative. To ensure immunity from Shellshock, all organizations should immediately update their systems with the latest version of Bash.

But remediation measures shouldn’t end there. Given the current rate of breaches, organizations can expect the next event won’t be far off. Our recommendation: a Web Application Firewall (WAF) deployed to protect against pre-defined attack vectors can come in handy at times like this. System administrators can quickly write WAF rules to defend against this and similar bugs. In our case, we quickly updated our WAF rules in addition to updating the vulnerable Bash version.

A sample ruleset for mod_security (WAF) is below. The parentheses in the pattern are regex metacharacters and must be escaped, and the quotes must be plain ASCII quotes for the rules to load:

Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

We recommend evaluating this ruleset based on your own application design. For additional best practices, check out our five keys for protecting data in the cloud.
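To show what the five rules above actually catch, here is an added Python emulation of their patterns and transformation chains run over constructed sample requests; it is not Skyhigh's code and not part of ModSecurity, and the request dictionary layout, the sample requests and the probe string (taken from the public Shellshock self-test) are assumptions made for this example.

```python
"""Emulate the five ModSecurity Shellshock rules over constructed requests.

Added example: not Skyhigh's code and not part of ModSecurity. The request
dictionary layout and the sample requests are assumptions made for this demo.
"""
import re
from urllib.parse import unquote_plus

# Bash only imports a function from an environment variable whose value
# begins with "() {", so four of the five rules anchor the pattern with "^".
# The parentheses are regex metacharacters and must be escaped.
ANCHORED = re.compile(r"^\(\) \{")
ANYWHERE = re.compile(r"\(\) \{")  # the REQUEST_LINE rule has no anchor


def url_decode(value):
    """t:urlDecode: decodes %XX escapes and turns '+' into a space."""
    return unquote_plus(value)


def url_decode_uni(value):
    """t:urlDecodeUni: like urlDecode but also decodes IIS-style %uXXXX."""
    value = re.sub(r"%u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)
    return unquote_plus(value)


# (rule id, variable collection, pattern, transformation chain), in the
# order the rules appear in the post (phase 1 rules first).
RULES = [
    (1000000, "REQUEST_HEADERS", ANCHORED, [url_decode]),
    (1000001, "REQUEST_LINE", ANYWHERE, []),
    (1000002, "ARGS_NAMES", ANCHORED, [url_decode, url_decode_uni]),
    (1000003, "ARGS", ANCHORED, [url_decode, url_decode_uni]),
    (1000004, "FILES_NAMES", ANCHORED, [url_decode, url_decode_uni]),
]


def collections(req):
    """Map a parsed request (assumed dict layout) onto ModSecurity collections."""
    args = req.get("args", [])  # list of (name, value) pairs, still URL-encoded
    return {
        "REQUEST_LINE": [req.get("request_line", "")],
        "REQUEST_HEADERS": list(req.get("headers", {}).values()),
        "ARGS_NAMES": [name for name, _ in args],
        "ARGS": [value for _, value in args],
        "FILES_NAMES": list(req.get("files", [])),
    }


def inspect(req):
    """Return (rule_id, collection, decoded_value) for the first rule that
    fires, or None if the request passes all five rules."""
    cols = collections(req)
    for rule_id, collection, pattern, chain in RULES:
        for raw in cols[collection]:
            value = raw
            for transform in chain:  # apply the t: transformations in order
                value = transform(value)
            if pattern.search(value):
                return rule_id, collection, value
    return None


# Constructed sample requests. The payload is the harmless probe string from
# the public Shellshock self-test, not a working exploit.
PROBE = "() { :;}; echo vulnerable"
SAMPLES = {
    "benign": {
        "request_line": "GET /cgi-bin/status?id=42 HTTP/1.1",
        "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
        "args": [("id", "42")],
    },
    "header": {
        "request_line": "GET /cgi-bin/status HTTP/1.1",
        "headers": {"User-Agent": PROBE},
    },
    "request_line": {
        "request_line": "GET /cgi-bin/status?q=" + PROBE + " HTTP/1.1",
    },
    "encoded_arg_name": {  # %28%29%20%7B... only matches after t:urlDecode
        "request_line": "GET /cgi-bin/status?%28%29%20%7B%20%3A%3B%7D%3B=1 HTTP/1.1",
        "args": [("%28%29%20%7B%20%3A%3B%7D%3B", "1")],
    },
    "unicode_arg": {  # %u0028%u0029 needs t:urlDecodeUni to become "()"
        "request_line": "POST /cgi-bin/status HTTP/1.1",
        "args": [("q", "%u0028%u0029 { :;}; echo vulnerable")],
    },
    "upload": {
        "request_line": "POST /upload HTTP/1.1",
        "files": [PROBE + ".txt"],
    },
    "not_at_start": {  # marker not at the start of the value: no rule fires,
        "request_line": "GET /cgi-bin/status HTTP/1.1",  # matching Bash's import check
        "headers": {"Referer": "http://example.invalid/?x=" + PROBE},
    },
}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:17s} -> {inspect(req)}")
```

The `not_at_start` case is deliberately left unflagged: Bash only parses a function definition from a value that starts with the marker, which is why the header, argument and file-name rules are anchored.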

2015 PCI SIG Presentations—Rallying the Vote for Securing Keys and Certificates

October 3, 2014

By Christine Drake, Senior Product Marketing Manager, Venafi

At the 2014 PCI Community Meetings in Orlando, the 2014 PCI Special Interest Groups (SIGs) provided updates on their progress, and presentations were given on the 2015 PCI SIG proposals in hopes of getting votes to become 2015 PCI SIG projects. As I’ve mentioned in previous blogs, Venafi has co-submitted a 2015 PCI SIG proposal with SecurityMetrics on Cryptographic Keys and Digital Certificates Security Guidelines. In the 2015 SIG proposal presentations, Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, delivered the presentation for this SIG proposal on securing keys and certificates. The sessions at the PCI Community Meetings made clear that now is the right time for this PCI SIG topic.


Bob Arno’s keynote at the 2014 PCI Community Meeting, Adventures of a Thiefhunter, really called into question our trust in other people. He talked about how teams of pickpockets work together to steal from unsuspecting victims and how they use the stolen credit cards. The pickpockets are successful because we generally trust the people around us. Keys and certificates also establish trust, and in both cases criminals are leveraging this trust to avoid detection while committing their crimes.

Merchants, financial institutions, and payment processors rely on thousands of keys and certificates as the foundation of trust in the cardholder data environments (CDE), protecting cardholder data (CHD) across their websites, virtual machines, mobile devices, and cloud servers. Yet it is this very trust that cybercriminals want to use, not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden. If only one of your critical keys or certificates is compromised, the digital trust you have established is eliminated. And this opens organizations up to PCI DSS audit failures and, more importantly, breaches.

The PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines has already rallied support from Global 100 merchants, PCI Qualified Security Assessors (QSAs), and security experts, and we’re looking for more support from the PCI community.

The 2015 PCI SIG proposals will be presented again at the 2014 PCI Community Meetings in Berlin (Oct 7-9). Then PCI Participating Organizations will vote on the 2015 PCI SIG proposals from October 13-23. After the vote, the PCI Security Standards Council (PCI SSC) will select 2-3 presentations to become 2015 PCI SIG projects. In early November, there will be a call for participation for the selected SIGs and the projects will kick off in January 2015.

Want more information? Want to get involved? Visit the website for the PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines at www.protecttrust.org.

CSA Congress Recap Roundup

October 1, 2014

Last week the CSA Congress and IAPP Privacy Academy took place in San Jose, California. It was the Cloud Security Alliance’s first time partnering with IAPP for their respective events, and a successful one, where cloud security and privacy professionals were able to rub elbows and learn best practices that span both fields.

During Congress there was a spectrum of releases, events, awards, speakers and survey results encompassing CSA’s endeavors. Below are some links that aggregate the activity that occurred during CSA Congress 2014.

Ron Knode Award Winners

Each year at Congress, the CSA recognizes a few of our members around the globe for their excellence in volunteerism. The award is named in honor of Ron Knode, a member of the CSA family who passed away in 2012, as a means to recognize members whose contributions have been invaluable. To learn who the winners of the 2014 Ron Knode Service Awards were, please visit https://cloudsecurityalliance.org/media/news/csa-announces-annual-ron-knode-service-award-recipients/.

Big Data Taxonomy Document

The Cloud Security Alliance’s Big Data Working Group released the Big Data Taxonomy Report, a new guidance report that aims to help decision makers understand and navigate the myriad choices within the big data designation, including data domains, compute and storage infrastructures, data analytics, visualization, security and privacy. For more information on the report, please visit – https://cloudsecurityalliance.org/media/news/csa-releases-new-big-data-taxonomy-report/

CSA Survey Finds IT Professionals Underestimating How Many Cloud Apps Exist in the Business Environment

In what could be called a tale of perception versus reality, the CSA released the results of a new survey that found a significant difference between the number of cloud-based applications IT and security professionals believe to be running in their environments, and the number reported by cloud application vendors. The survey titled, Cloud Usage: Risks and Opportunities was released at CSA Congress 2014. For more information, please visit – https://cloudsecurityalliance.org/media/news/csa-survey-professionals-underestimating-cloud-apps-usage/

Hackathon On! Cloud Security Alliance Challenges Hackers to Break its Software Defined Perimeter (SDP) at CSA Congress 2014

The CSA launched its second Hackathon at the CSA Congress, to validate the CSA Software Defined Perimeter (SDP) Specification to protect application resources distributed across multiple public clouds. In a twist from its last event (where no one was able to hack the SDP), the CSA is inviting Congress participants, along with hackers from all over the world to attempt to access a file server in a public cloud, which is protected by the SDP via a different public cloud. The first participant to successfully capture the target information on the protected file server will receive $10,000. Additionally, all participants will be entered into a random drawing to win $500. For more information, please visit – https://blog.cloudsecurityalliance.org/2014/09/18/csa-hackathon-on-launches-today-at-csa-congress-2014/

To participate in Hackathon, visit – https://hacksdp.com/

The Shared Burden of Cloud Data Security & Compliance

October 1, 2014

By Gerry Grealish, Chief Marketing Officer, Perspecsys

Data security remains a top concern for enterprises deploying popular cloud applications. While most will instinctively think of cloud data security and compliance as being handled only by IT departments, many enterprises are realizing that all aspects of security – from selecting a cloud service provider (CSP) to monitoring cloud use over time – require involvement across the organization.

Cloud Data Security & Compliance Begins with Vetting Providers
There are key areas of due diligence for an enterprise depending on its industry, but all share common security requirements when selecting a CSP. Perhaps, as TechTarget recently suggested, FedRAMP standards will come to regulate security outside the government as well, but for now enterprises must have their own standards for evaluating a CSP. An excellent existing resource is the Security, Trust and Assurance Registry (STAR) program supported by the Cloud Security Alliance (CSA). This public registry provides a comprehensive set of offerings for establishing trust in a CSP. The CSA’s Cloud Controls Matrix (CCM) provides a framework of cloud security controls, and its Consensus Assessments Initiative Questionnaire (CAIQ) offers questions an enterprise should ask any CSP under consideration. CSPs should also be able to provide details on any third-party security certifications they have obtained, e.g. ISO/IEC 27001 for information security management systems (ISMS).

Questions for the CSP frequently begin with specifics on the strategies used, such as encryption for data protection and multifactor user authentication for cloud access. It is also important to know who will have access to data, how often audits are conducted, what security incidents, if any, have occurred in the past and, if there has been an incident, how cloud customers were notified and how quickly. Having representation from across the enterprise involved in vetting a CSP is critical: not only IT, but also Security, Data Privacy & Governance and End Users can help ensure all relevant questions are answered and that the necessary security protocols are implemented. The standard language used in the FedRAMP contract example is one place to start for any enterprise signing on with a new CSP.

Internal Security Standards
Security and compliance of sensitive corporate data going to the cloud falls primarily on the enterprise itself. Despite any guarantees in contracts with CSPs, when a security breach occurs it is the enterprise that experiences the consequences and many would say holds the most interest in minimizing damages for the enterprise and/or customers. If there is a security incident, clients and customers will certainly look at the enterprise itself to protect their data.

Internal security standards begin with adherence to well-defined protocols and security strategies established and agreed to by – again – not just IT, but representatives from Legal, Security, Governance and End Users. Questions to be answered include what data will actually be allowed to leave the physical premises of the enterprise and in what form. Industry and regulatory penalties compel most industries to have clear security standards in place. In some cases, security incidents have brought on class-action lawsuits against the enterprise. Strict internal security standards are one way to further protect the enterprise and its customers from having to go that route.

Employee Buy-In is Key
With the proliferation of mobile computing and bring your own device (BYOD), it is essential that employees throughout the organization are brought in to participate in, understand and agree to the security policies established for the enterprise. The time, resources and money it takes to establish this buy-in through training, policy communication and proper monitoring or support are well worth it when compared to the damage organizations experience from careless BYOD policies.

Security Strategies – Encryption and tokenization
Encryption and tokenization are two data security methods that many enterprises are using to strengthen their cloud security strategy while maintaining control of their cloud data. Both methods can be used to safeguard sensitive information on public networks, the Internet and mobile devices. These powerful and interoperable solutions are also being used by leading organizations to ensure compliance with sector-specific requirements such as HIPAA, PCI DSS, GLBA and CJIS.

While hacking and data attacks continue to occur, an enterprise with proven security strategies in place minimizes the impact for itself and its customers. An enterprise with security responsibility held by not just IT, but other departments as well, including end-users, puts itself in the best possible situation to avoid major data breaches and be prepared to deal with one should it occur. See this infographic on how to respond to a cloud security breach, should one occur.

About the Author
Gerry Grealish is the Chief Marketing Officer at Perspecsys and is responsible for defining and executing the marketing and product vision. Previously, Gerry ran Product Marketing for the TNS Payments Division, helping create and execute the marketing and product strategy for its payment gateway and tokenization/encryption security solutions.


Why Dyre Is Different and What It Means for Enterprises

September 30, 2014

By Bob West, Chief Trust Officer, CipherCloud

The Dyre Trojan, which salesforce.com warned its customers about earlier this month, shows that cyber criminals have found a brand new way to target cloud applications.

It is the first known malware tool to deliberately target an enterprise cloud provider and use trusted cloud file sharing services like Dropbox to install itself on client systems. The malware hammers home exactly why companies need to pay close attention to both server-side and client-side security when using cloud services.

Dyre, or Dyreza, was first spotted in the wild in June attempting to steal the banking credentials of customers of major banks such as Citibank, RBS and NatWest. More recently, it appears to have been tweaked to specifically target customers of salesforce.com.

In design and function at least, Dyre is somewhat similar to other Remote Access Trojans (RATs) like Zeus. It typically arrives disguised as a harmless download or attachment that unsuspecting users are tricked into installing on their computers. It then lurks quietly on the system waiting for the user to type in a target URL, like natwest.com or salesforce.com. Dyre then intercepts the user’s browser session and routes it through a server controlled by the attacker.

Dyre employs a tactic called “browser hooking” to strip SSL protections from supposedly secure sessions. So someone entering their login credentials to access a salesforce.com account or their bank account is actually handing over their username, password and other session data in clear text to the attacker without realizing it.

The version of Dyre that targeted customers of salesforce.com appears designed only to harvest user logins, probably so the credentials can later be sold for use by other cyber criminals. An attacker can potentially use the illegally obtained credentials to take over the associated accounts and carry out all the actions of the authorized users of those accounts without anyone realizing anything until it is too late.

Cyber thieves have used this kind of account hijacking to drain hundreds of millions of dollars from the bank accounts of numerous small businesses, municipal governments and school districts over the past several years.

With Dyre, the threat has moved for the first time to cloud applications.

In this particular instance, the attackers used Dyre to go after customers of salesforce.com. But make no mistake – the malware can be used just as easily to harvest data from customers of other cloud applications as well.

Cyber criminals have clearly figured out that there is a lot of potentially profitable data that can be harvested by going after cloud customers. But instead of trying to infiltrate cloud server-side protections they appear to be going after vulnerable client systems belonging to the end users of enterprise cloud applications.

Many of those infected by Dyre were lured by spear-phishing emails containing a link to a malicious document hosted on Dropbox. Those who downloaded the document thinking it was safe because it was on a reliable site like Dropbox, infected their systems with Dyre. Because Dyre uses some sophisticated packaging and obfuscation techniques, it has been able to avoid detection by most AV tools until recently.

Salesforce.com is one of the most successful and most trusted cloud services used by businesses. There’s really not a whole lot that salesforce.com or any other cloud provider can do in a situation like this beyond urging customers to follow security best practices. The vulnerability lies on the client side, not in the cloud.

In an alert, salesforce.com urged customers to ensure that the antivirus tools on their client systems were fully updated and capable of detecting Dyre. The company also asked companies to consider implementing IP range restrictions to ensure that only users from a corporate network or VPN were allowed access to the Salesforce Platform. In addition, salesforce.com recommended that enterprises consider employing two-factor authentication as an additional security measure for users attempting to login from an unfamiliar device or location.

Customers of cloud applications can also mitigate their exposure to Dyre by using cloud encryption gateways for customer-side encryption that protects data. Businesses with particularly sensitive data in the cloud should also consider encrypting the client email addresses and other identifiers, such as Social Security Numbers, that are used for login and authentication to cloud applications.

SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?

September 29, 2014

By Patriz Regalado, Product Marketing Manager, Venafi

Most consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of a check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on the Fandango mobile app. People will automatically assume the company has issued a secure app, especially if it comes from a reputable G2000 company and they downloaded it from the Apple App Store or Google Play, or even directly from their employer. What could possibly go wrong?

Well, evidently there’s a lot that can go wrong. SSL vulnerabilities in the Android and iOS ecosystems, and the man-in-the-middle (MITM) attacks they enable, are exposing consumers’ banking credentials, health information and other personal information. What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps, as university researchers recently uncovered. The study found Android vulnerabilities that enabled the researchers to obtain personal information such as usernames and passwords and social security numbers, and to steal check images, from popular mobile apps with the following success rates:

  • 92% for Gmail
  • 83% for Chase
  • 92% for H&R Block
  • 86% for Newegg
  • 85% for WebMD
  • 83% for Hotels.com
  • 48% for Amazon

FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks. FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates. And of 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing the data they exchange with their servers to potential theft.

It wasn’t too long ago that MITM attacks emerged as a major threat to web-based online transactions, and now we see that MITM attacks are becoming increasingly widespread against mobile apps. Mobile apps, just like websites, use the same method to secure communications: SSL/TLS. However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks. For example, an attacker can replace a legitimate SSL certificate with one under his control and then view data exchanged between the mobile device and the remote server or manipulate private information submitted by the user.

Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities. It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.


Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 2 of 2)

September 25, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

In my previous post, I addressed three major trends that play an immense role in cybersecurity initiatives. These trends include the growth of digital business, information risks, and regulatory requirements. In this post, I’ll focus on issues related to collaboration and compliance. Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems?

First, ensure that your strategy and policies are clear with respect to collaboration and compliance. These statements should address those areas requiring external and internal collaboration and the regulatory environment in which you operate. They should also address those information risks that are most significant for the organization. Since all of these topics evolve rapidly, you should conduct regular executive and Board-level reviews of these plans and policies.

Second, ensure that you have the appropriate staff, organization, and business processes to implement the above plans and policies. Management and staff development for these issues is vital and particularly challenging since the environment is so dynamic. A recent survey by Gartner summarizes these issues well. However, this organizational development will be essential to realize the 80% new business models in the next five years described in the above Accenture survey. Many organizations are developing enterprise-wide governance, risk management, and compliance (GRC) programs. GRC programs include governance (the processes by which executives and boards manage the enterprise), risk management (the processes by which management addresses risks to the enterprise), and compliance (the processes with which the enterprise complies with applicable laws and regulations). As enterprises become increasingly information-intensive, the protection of information assets is becoming more important in all three primary aspects of GRC programs.

Finally, enterprise systems must perform a broad range of business-critical functions, including the implementation of the above policies and business processes necessary to enable digital business agility, to protect sensitive corporate information, and to enable regulatory compliance. The challenge for CIOs is to design and operate these systems balancing requirements for functionality, performance, and costs while providing necessary security and compliance with corporate policies and regulatory requirements. End users will focus on functionality and performance, the CFO will focus on the costs, while the GRC program must ensure proper security and compliance. There is a growing market for systems to implement the policies and procedures of a GRC program, but the definitions of policies and procedures must precede selecting a GRC platform.

It is clear that secure collaboration and regulatory compliance will continue to grow in importance as digital business develops. The ancient curse, “May you live in interesting times”, certainly applies to today’s business environment.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

Worse than Heartbleed?

September 24, 2014

Jim Reavis, Cloud Security Alliance

Today at 10am EST a vulnerability in the command shell Bash was announced (http://seclists.org/oss-sec/2014/q3/649 and http://seclists.org/oss-sec/2014/q3/650). Bash is a local shell and doesn’t handle data supplied by remote users, so no big deal, right? Wrong.

A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples include web servers running CGI scripts, and even email clients and web clients that pass files, such as a video or sound file, to external programs for display.

In short, this vulnerability allows an attacker to execute arbitrary commands remotely, for example by setting headers in a web request or by supplying an unusual MIME type. Any environment variable whose value begins with "() {" is imported by Bash as a function definition, and a vulnerable Bash keeps parsing past the closing brace and executes whatever command follows it as the shell starts.

To test whether your system is vulnerable, run this in Bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you’re vulnerable it’ll print:

vulnerable
this is a test

If you have updated Bash, you will only see:

this is a test
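
The following script is an added example and is not part of the original post. It shows the path described above from an HTTP request header into the environment of a CGI script (following the CGI/1.1 convention of exporting headers as HTTP_ variables, which is an assumption about the server, not something the post states), a signature check that flags the exact "() {" prefix Bash imports as a function definition, and a wrapper around the same one-liner as above to test the local Bash. The sample request is constructed for illustration.

```python
"""Added example: how a request header reaches Bash through CGI, a signature
check for the function-definition prefix, and a runtime check of local Bash.
Assumption: the server maps headers to HTTP_<NAME> as CGI/1.1 servers do."""
import shutil
import subprocess

# Bash only imports a variable as a function when its value starts with exactly
# this four-character prefix, so the literal is the signature to look for.
FUNC_PREFIX = "() {"


def cgi_env_from_request(headers: dict) -> dict:
    """Build the HTTP_* environment a CGI server hands to the script it spawns.
    Header names are upper-cased and '-' becomes '_' (CGI/1.1 convention)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def looks_like_shellshock(value: str) -> bool:
    """True if an untrusted value would be imported by Bash as a function body."""
    return value.startswith(FUNC_PREFIX)


def flag_request(headers: dict) -> list:
    """Names of the CGI variables in this request that carry the prefix."""
    env = cgi_env_from_request(headers)
    return sorted(k for k, v in env.items() if looks_like_shellshock(v))


def bash_is_vulnerable(bash_path: str = None):
    """Run the post's one-liner: place the payload in an environment variable
    and start Bash. Returns True if the trailing command ran, False if not,
    None if no Bash could be executed here."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out


# Constructed sample request: two ordinary headers and one attack header.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; /bin/echo pwned",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print("environment seen by the CGI script:", cgi_env_from_request(SAMPLE_REQUEST))
    print("flagged variables:", flag_request(SAMPLE_REQUEST))
    print("local bash vulnerable:", bash_is_vulnerable())
```

The signature check is deliberately strict: Bash compares the first four characters against "() {" and nothing else, so a looser pattern (tolerating extra whitespace, for instance) would flag probes that could never reach the importer. For log review, apply flag_request to the headers recorded for each request rather than to the environment of a live process.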

There is more information available at the following links:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

Patches for Bash 3.0 through 4.3 (covering most releases of roughly the last ten years) are available. These are the first patches for this issue; Bash has since received follow-up patches for related bugs in the same environment-import code, so install the current patch level for your branch rather than only the files listed here:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 1 of 2)

September 24, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

The growth of digital business, information risks, and regulatory requirements are major global business trends that have an immense impact on cybersecurity. These trends are prevalent throughout a broad range of industries – including the financial, aerospace and defense, and retail sectors, among many others – and present many opportunities and threats.

Realizing the potential benefits from digital business requires significant transformation involving greater collaboration with customers, suppliers, partners, and regulators. Performing this collaboration in a timely, cost-effective, and secure way in compliance with necessary laws and regulations is a necessary competency for many organizations.

Protection of information assets is a dynamic and significant topic for many enterprises. For example, Lloyd’s Risk Index for 2013 lists cyber risk as #3 on its list of 50 corporate risk priorities among business, economic, political, environmental, and natural hazard risks. While cyber threats from external organizations are very serious, many types of information risks also arise from lack of training and awareness of regulations and business practices or from errors in implementation.

Risk and compliance are increasingly important areas for corporate executives and board members in many industries, notably including those discussed here.

The Global Growth of Digital Business and Distributed Collaboration

Five years ago, Forrester and Adobe published a report on the future of business collaboration. In that report they state “Today’s collaboration requirements are only a midpoint on a trend line toward a highly distributed, digitally connected, partner-fueled, and customer-driven future.” In the past five years, the world has accelerated significantly toward that future.

Last year the McKinsey Global Institute published a report in which they predict that within a decade there will be more than 2 billion people with Internet access and that we will see $5T-$7T of economic impact from automation of knowledge work. Another recent McKinsey paper stated, “Digitization is rewriting the rules of competition.” The authors also observe, “For businesses, digitization is transforming even physical flows of people into virtual flows, enabling remote work through tools for global collaboration.”

In January, Accenture published a survey of "500 C-level executives from 10 economies (both developed and emerging) about the key influence on their corporate strategy over the next five years." There are two results to cite here. First, "the ability of technology and innovation to reshape industry norms and boundaries was most commonly cited as the most important structural shift that businesses will face over the next five years." Second, "60 percent plan to pursue growth in, or in collaboration with, other industries," and "80 percent are planning growth via new business models."

Similar analyses and examples like the incredible growth of new technology-driven companies like Google and Facebook all show the accelerating pace of digital business and the importance of connected collaboration in the business environment.

The Global Growth of Information Risks

A recent report by the World Economic Forum contains this conclusion:

“Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks — and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.”

These cyber threats are very diverse. Incidents within the past 12 months arising from diverse external threats include:

  • The Heartbleed incident exploiting vulnerabilities in the Internet infrastructure
  • The Target breach exploiting supply chain vulnerabilities
  • CryptoLocker (and further generations of ransomware) exploiting software defaults and human behavior
  • The JP Morgan breach exploiting web server vulnerabilities

As noted earlier, many other types of information risks arise from lack of training and awareness of regulations and business practices or from errors in system or process implementation. For example, the most recent Verizon Data Breach Investigations Report notes that "miscellaneous errors" (e.g., sending email messages with sensitive information to incorrect recipients) cause more than 25% of data breaches. The report states that collaboration with external partners about sensitive information can often lead to problems without proper management attention: "…business processes involving sensitive info are particularly error prone. It's also noteworthy that this pattern contains more incidents caused by business partners than any other."

By 2020, threats to critical infrastructure will be even more significant than what we face today. With industries accelerating digitization to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.

The Global Growth of Regulatory Compliance Requirements

The US regulatory environment has grown steadily in the past several decades. While measuring its scale and economic benefits is uncertain and controversial, some metrics give insight into this growth. Data from the Mercatus Center at George Mason University shows that the total word count of federal regulations now exceeds 100 million. Moreover, the growth of this total has exceeded the growth of US GDP since this analysis began in 1997. The US Office of Management and Budget produces an annual report on the costs and benefits of regulation but acknowledges the large uncertainties and omissions in its estimates. However, there is no doubt that costs in the US alone run to hundreds of billions of dollars annually. Compliance elsewhere is also significant, notably in the European Union.

There are many types of sensitive personal and corporate information protected by thousands of regulations. These include regulations for personal health and financial information, export control, intellectual property, Board proceedings, public company filings, mergers and acquisition plans, etc.

The growth in the size of corporate compliance staffs and in their compensation illustrates the increasing importance of regulatory compliance. Failures have led to significant fines and imprisonment. As a result, many new Chief Compliance Officers have direct reporting relationships to top executives and their boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of the growth of this area.

Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today's supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the need to protect intellectual property. For example, Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) is a European Union regulation controlling the production and use of chemicals and their potential impacts on health and the environment. Companies involved in registering a chemical are obliged to share data about it with government agencies and other specified organizations. The data in the registration documents is valuable intellectual property, and enterprise policies must ensure its proper protection.

Addressing the Combined Impact of These Trends on Strategic Business Planning and Operations

Together these trends add up to the following conclusions:

  • The growth and trajectory of key areas of information technology – cloud, mobility, social media, big data, etc. – are having inescapable impacts on business plans and operations. These are now C-Level and Board issues with significant operational impact.
  • Information risks have also become C-Level and Board issues. For example, the recent Target breach was a key factor in the resignations of the CEO and other executives and in litigation filed against several Directors for lack of proper oversight.
  • While the global net value of regulatory compliance may be debatable, the requirements for enterprise compliance are not. The growth of digital business with larger information risks will lead to further types of regulation.

Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems? We’ll discuss this and more in the second part of this blog series coming soon.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.
