CSA Invites Hackers to Participate in an Insider Attack of a Software Defined Perimeter (SDP)

February 21, 2014

Bob Flores, Former CTO of the CIA and President & CEO at Applicology Incorporated to Serve as Judge

The Cloud Security Alliance (CSA) today announced additional details on its upcoming virtual hackathon, open to anyone globally, being held in conjunction with the RSA Conference, kicking off Monday, February 24th.

The hackathon will kick off with a workshop on CSA’s Software Defined Perimeter (SDP) on Monday, February 24th, from 2:00 p.m. to 3:00 p.m. at Moscone West, Room 2008. The workshop will provide participants a hands-on overview of the SDP protocol as well as a detailed view of the hackathon. To register for the free workshop, email [email protected]

For the virtual hackathon, participants will be given the IP addresses of the target file server as well as the SDP components protecting it. This in effect will simulate an ‘insider attack’ – modeled after real-world environments and one of the most difficult to prevent – on both private cloud and public cloud infrastructure. Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses-paid trip to DEF CON® 22, held in Las Vegas August 7-10, 2014. Bob Flores, former CTO of the CIA and President & CEO at Applicology Incorporated, will serve as judge of the event, naming the official winner of any successful hack. Contest rules are available at https://cloudsecurityalliance.org/research/sdp/.

The Software Defined Perimeter (SDP) Initiative is a new CSA project aimed at protecting application infrastructure from network-based attacks by using the cloud to create highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.

Members of the media and analyst community interested in attending the event should contact [email protected] for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.


Fake SSL Certificates Uncovered: The Tip of the Iceberg and Weaponized Trust

February 19, 2014


Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping up their attacks on trust because the results are so powerful.


Already over a quarter of Android malware is enabled by compromised certificates, and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity.

By attacking the trust established by digital certificates, cybercriminals aren’t making a quick hit. No, their intent is to own their target. Fake, compromised, stolen, misused, illicitly obtained certificates give cybercriminals the power to impersonate, surveil, and monitor—and to do so undetected.

Careto - The Mask Malware

Just recently The Mask group infiltrated hundreds of organizations. The group’s malware stole encryption keys, digital certificates, and SSH keys. While their collection efforts have just now been identified and stopped after 7 years, the real impact is yet to come.

The attackers now own thousands of keys and certificates and as a result own the networks, servers, and applications of the breached. They can impersonate websites with stolen keys and certificates and have root-level access with SSH keys. Game over for these breached organizations, if they don’t fight back and change all of their keys and certificates immediately.

If businesses and governments don’t get a handle on the ways they are using certificates and can’t respond to these attacks, we all might as well be investing in bulldozers. Our data centers are worthless when the basic, foundational element of trust on the Internet—digital certificates—is compromised.

Gartner Security Quote

We can’t tell the good from the bad and so just need to bulldoze and start new. But, we don’t have a replacement technology for digital certificates so we have to stand and fight. Otherwise, the reality Gartner painted of “living in a world without trust” will come true (Gartner ID: G00238476).

Hack the SDP – win a trip to DEF CON!

February 17, 2014

Following the CSA Summit at RSA on Monday Feb 24th, the CSA will be hosting a Software Defined Perimeter workshop and a ‘virtual hackathon’, open to anyone.

The workshop will provide a detailed demo and explanation of SDP, and will kick off the ‘virtual hackathon’ contest, which will last until 3 p.m. PST on February 27, challenging participants to hack the SDP protocol, modeled after military-grade networks.

The SDP Hackathon gives participants the IP addresses of the target file server as well as the SDP components protecting it. This in effect will simulate an ‘insider attack’ – one of the most difficult to prevent – on both private cloud and public cloud infrastructure. Participants will also have access to a reference SDP system to learn how the system works to plan their attack.

The first participant to successfully capture the target information on the protected server will receive an expenses-paid trip to DEF CON® 22, held in Las Vegas August 7-10, 2014. Contest rules and registration are available at www.HackSDP.com. Space is limited; interested attendees should go to https://cloudsecurityalliance.org/events/csa-summit-2014/#_rsa to reserve a seat at the workshop.

The Launch of the NIST Cybersecurity Framework

February 13, 2014

by John DiMaria, BSI

I was one of those invited to attend the NIST Cybersecurity Framework launch yesterday at the White House. It was a very nice, well-organized and positive event.

“The Framework is a key deliverable from the Executive Order on ‘Improving Critical Infrastructure Cybersecurity’ that President Obama announced in the 2013 State of the Union.” – White House Press Release

Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.

  • The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.

  • The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.

  • The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices. – White House Press Release

First, congratulations to Adam Sedgewick and his team for a great job spearheading this unprecedented collaboration between government and private sector. DHS has also done a good job of launching this program along with the publication of the Framework.

I’d also like to say thank you to all the great professionals that attended all 5 workshops. I had the honor to work with many of them. We forged some great new business relationships and had some laughs along the way. One personal take-away was that no matter how old we get or how experienced we think we are, if you have discussions with the intent of listening and not answering, you can learn something from everyone you meet.

I am sure there will still be the naysayers and “headline grabbers” out there that will formulate and dwell on negatives, but being in the standards business for more than 20 years at all levels (and this is not a standard), I can tell you no initial framework, guidance or standard will ever be 100% right out of the box.

Even President Obama stated after the launch, “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity”.

As it was mentioned at the launch, this is a “living document”. A couple of comments that stood out in my mind from the three CEOs at Pepco, Lockheed and AT&T:

“We are only as good as our weakest link” (working with the supply chain and getting them to adopt the framework is critical) and “National Security and the economy depend on good cybersecurity and globally recognized standards”. Time to pull together.

As Benjamin Franklin said, “If we do not hang together, we shall surely hang separately”.

There will be an industry expert panel discussing the framework on March 6th.


John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own. 

SecureCloud Update: Neelie Kroes, VP of the European Commission to Give Opening Keynote Address

February 11, 2014

SecureCloud 2014 is now just under two months away and we are excited to announce that Neelie Kroes, Vice President of the European Commission, will be giving the opening keynote address on April 1st.

Neelie Kroes, VP of the European Commission

Since 2010, Kroes has held the responsibility over the Digital Agenda for Europe. This portfolio includes the information and communications technology (ICT) and telecommunications sectors. As a strong promoter of the adoption of cloud computing in Europe, Kroes has been actively supporting actions to lower the barriers to the uptake of the cloud in the internal market. Kroes joins an all-star line-up of cloud security experts and visionaries, including Dr. Udo Helmbrecht, Dr. Richard Posch, Alan Boehme, Richard Mogull, as well as CSA CEO, Jim Reavis.

SecureCloud 2014, produced by the CSA, ENISA and Fraunhofer-FOKUS, is an opportunity for government experts, industry experts and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security. It is also a place to learn from cloud computing experts about cloud computing security and privacy, as well as to discuss practical case studies from industry and government.

Early bird discount pricing is being offered through February 14. To register for SecureCloud 2014 visit: https://cloudsecurityalliance.org/events/securecloud2014/#_reg

Cybersecurity absent during the State of the Union Address

February 6, 2014

by John DiMaria, BSI

I was disappointed that there was only a passing mention of cybersecurity at the recent State of the Union Address. As a matter of fact, if you took a bite of your popcorn at the wrong time you missed it.

I realize the president’s address was focused mainly on the economy, but the biggest threat to our economy today is the lack of preparedness to identify, mitigate, detect and ward off a major cybersecurity attack.

The President clearly states in Section 1 of the Executive Order, Improving Critical Infrastructure Cybersecurity, released last February, that “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

The right attack could cripple this nation and its infrastructure. We are reminded daily of the disasters that just affected the retail industry. What if that attack was targeted directly at the banking industry or even the stock exchange? Suppose you woke up one morning and found out that the NYSE or the reporting outlet’s computers had been hacked and false information had been reported over the last week, or even just 24 hours? Not possible? Think again.

Just a couple of days ago (January 28, 2014) a story written by BankInfo Security noted that a hacktivist group known as the European Cyber Army had waged targeted distributed-denial-of-service attacks against Bank of America and JPMorgan Chase. The author Tracy Kitten reported that “The European Cyber Army claims to have targeted the United States’ two leading banking institutions without warning, according to a string of tweets the group posted Jan. 28. But the attackers suggest a target list may soon be released”. (Tracy Kitten, 2014)

In August of 2013 there was an outage of the Nasdaq stock exchange. Investigation showed that the incident had all the earmarks of the three waves of denial-of-service attacks that have bedeviled U.S. financial institutions, including stock brokerages, since September 2012. USA Today reported that an Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — claimed credit for orchestrating sophisticated attacks that have overwhelmed the expensive security systems U.S. banks have put into place to keep their online banking services up and secure. The story noted that Reuters reported the giant brokerage house “reported a system programming error that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase & Co., Johnson & Johnson and Kellogg Co.” Earlier that week there was a computer error that caused Goldman Sachs to sell options for a dollar. (Byron Acohido, 2013)

Just the April prior, Syrian hackers claimed an AP hack that tilted the stock market by $136 billion. According to the Washington Post story, the official Twitter account of the Associated Press sent a tweet to its nearly 2 million followers that warned, “Breaking: Two Explosions in the White House and Barack Obama is injured.” Some of the people who received this tweet were apparently on or near the trading floor of the New York Stock Exchange.

The Dow began to nosedive and dropped about 150 points, from 14697.15 to 14548.58, before stabilizing, when news that the tweet had been erroneous began to spread. During those three minutes, the “fake tweet erased $136 billion in equity market value,” according to Bloomberg News’ Nikolaj Gammeltoft. (Max Fisher, 2013)

Cyberattacks are evolving at an incredible rate. James Lyne, Director of Technology Strategy at Sophos, who focuses on upcoming technology and threat trends, in a recent interview with BankInfoSecurity noted that “cybercriminals are approaching their activities with a business-like mindset, streamlining the process of obtaining the malicious code they need and targeting who they want to hit with their exploits”. He reported that five or six years ago you’d see numbers like 6,000 pieces of malware a day, and today, on average, they see 250,000 individual, new PC malicious codes every day. (Jeffrey Roman, 2013)

I, like hundreds of other professionals, attended all five of the NIST Cybersecurity Workshops. We were there because we cared, because we believed in the message sent by the executive order; we applauded the effort and wanted to get involved to make a difference.

Not even a mention of cybersecurity, reminding everyone that it still stands as one of the biggest threats and that “The national and economic security of the United States still depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats”, was disappointing, and it is concerning that this is just another “flavor of the month” that will die or get lost once the midterm elections are over this November.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.


Jeffrey Roman. (2013, July 3). How Cyber-Attacks Are Evolving. BankInfoSecurity, p. 1.

Max Fisher. (2013, April 23). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? Washington Post, p. 1.

Byron Acohido. (2013, August 22). Nasdaq outage resembles hacker attacks. USA Today, p. 1.

Tracy Kitten. (2014, January 29). DDoS: New Attacks Against Banks. BankInfo Security, p. 1.
Top Security Questions to Ask Your Cloud Provider

February 6, 2014

When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as a top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we’ve compiled a list of questions to help you determine the level of security the provider offers.

1. What is your data encryption viewpoint, and how do you encrypt data? Do you encrypt data at rest or in transit? Is there an encryption offering, and if so, what level of encryption and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What actions do you take to destroy data after it is released by a customer?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided: Admin/MGMT, Billing, System Information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access immediately to my data in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime and SLA option? What if SLA is not met?
23. Do you alert your customers of important changes like security practices and regulations or data center locations?
24. What country (or countries) is my data stored in – both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?

Andy Duewel

What is the Cloud?

February 6, 2014

The cloud, aka cloud computing, has many different colloquial definitions, all of which seem to be somewhat different depending on who you are talking to. A few of the different terms you may hear are Software as a Service (SaaS), virtual enterprise, carrier (or service provider) cloud, and I am sure many others.

Here is a quick list of some of the main types of solutions in the cloud with a couple providers for each:

Software as a Service (SaaS)

  • Office 365
  • Google Apps

Virtual Enterprise

  • Amazon’s AWS
  • Microsoft Azure

Carrier/Service Provider Cloud

  • Alcatel-Lucent’s Cloudband
  • VMware’s vCloud
  • Verizon Terremark’s Enterprise Cloud Services

This is by no means a complete list of cloud providers and really only scratches the surface. There are many providers all with a different portfolio of offerings and their own personal touches.

The term “cloud” varies in meaning and is really up for your own interpretation. How you define it and use it really depends on your imagination and capabilities as a company. It will, in most cases, provide greater flexibility, ease of deployment and a very scalable environment. Some companies have created business models that rely on cloud connectivity. Others use it to save on IT and hardware costs.

The cloud has grown over the last ten years with a couple of different technologies/ideologies playing major roles in getting it to where it is today: Virtualization and Shared Resources. These two technologies provided the springboard that launched the cloud into the “needed by all companies” status it maintains today. We still haven’t talked about how this can help a company grow and save money, so let’s take a look at what each type of cloud solution can do for a business.

Software as a Service (SaaS)

Solutions such as Office 365 and Google Apps provide enterprise software (Microsoft Office and Google Drive, respectively) for companies to use through the cloud. This helps small to medium size companies who may not be able to afford dedicated IT staff to run a full-blown mail, calendar, storage and chat solution in-house. However, large companies may run this same solution to help when it comes time to upgrade these solutions as well as server space. Storage and server hardware would no longer be up to you to maintain.

Virtual Enterprise

Environments like Amazon’s AWS and Microsoft’s Azure provide a much larger scale solution for businesses and even personal use. With Amazon’s EC2, you can set up a virtual instance running nearly any OS out there and can use S3 to scale a storage solution for that machine, or even others to share. Azure also has competing solutions.

The possibilities are truly endless with these types of cloud infrastructure. Many companies run their entire website from this type of cloud infrastructure. Others use it as a Content Delivery Network (CDN) for web and mobile applications. There are many other ways you and your company can benefit from utilizing virtual machines, storage, backup, database and all the other cloud solutions AWS and Azure offer.

Carrier/Service Provider Cloud

Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are a couple of terms that are used when it comes to the carrier or service provider cloud. A great description of this type of cloud solution comes from Wikipedia:

“Carrier Cloud is a class of cloud that integrates wide area networks (WAN) and other attributes of communications service providers’ carrier grade networks to enable the deployment of highly demanding applications in the cloud. In contrast, classical cloud computing solutions focus on the data center and do not address the network connecting data centers and cloud users. This may result in unpredictable response times and security issues when business critical data are transferred over the Internet.”

Per this definition, the cloud has focused on data centers and applications up until just recently. We were still limited by WAN connectivity, performance, availability, security and SLAs. Until the carrier cloud started to make its push over the last few years, some companies would not put critical applications into any cloud environment.

Now with carrier clouds we have a greater ability to load balance across multiple data centers and resources based on WAN connectivity as well as system utilization. We gain a higher level of SLAs, governance and risk compliance (GRC) and security. This part of the cloud is the infant of the group, so it will be fun watching how carrier clouds will grow with the wide adoption of software-defined networking (SDN) and the evolution of networking.

Considering a move to the cloud? Top Security Questions to Ask Your Provider

Bart Stump
Security Consultant

Contextual Activities and Your Cloud Security Service

February 5, 2014

In this best practices video, Jamie Barnett reviews details of the latest Netskope Cloud Report regarding the most commonly used activities in cloud apps. Jamie discusses why understanding activity context is important when considering a cloud security service. For this reason, the movie line for this episode is “I’m not dead yet!” Enjoy!

For more Movie Line Monday videos by Netskope, the leader in cloud app analytics and policy enforcement, feel free to visit http://www.netskope.com/category/movie-line-monday/ or http://www.youtube.com/netskopeinc


Almost 400 Cloud Apps in Every Enterprise

January 28, 2014

By Krishna Narayanaswamy, Chief Scientist at Netskope

On average, there are 397 cloud apps running in enterprises today. This is one of the findings in the second quarterly Netskope Cloud Report, an account of trends on cloud app adoption and usage. What makes this number interesting is that it’s about 10x the number that IT professionals estimate. Adding to the intrigue, 77 percent of those apps aren’t enterprise-ready based on the Netskope Cloud Confidence Index™, an objective measure of cloud apps’ security, auditability, and business continuity adapted from Cloud Security Alliance guidance.


The thing that really strikes us is the average number of cloud apps per category in each enterprise. The largest number is Marketing, with 51. That’s not that surprising, though. Our own startup marketing department uses almost that many apps. The second highest was more concerning, though: HR, with 35. While HR is a broad category, with specific apps for benefits, salary, performance, time-tracking, and more, the number still raises security and compliance questions. With that many apps, IT professionals are concerned about whether they have the appropriate controls in place to protect sensitive data like personally-identifiable information.

Beyond the apps themselves, where the real risks lie is in the usage of cloud apps. The report tracks the most common activities in cloud apps – edit, view, download, post, and share. These activities are especially telling when juxtaposed against policy violations, activities concerning data classified as “sensitive” or “confidential,” and data leakage incidents.

Get the full Netskope cloud report here.
