• All current WAF vendors provide Out-Of-The-Box Policies and Signatures for various known attacks and exploits such as   SQL injection, session hijacking, cross-site scripting (XSS),cross-site request forgeries (CSRF),buffer overflows, cookie tampering, remote code execution,malware,  denial of service, and brute force authentication
• All current WAF vendors provide Out-Of-The-Box Reporting and Alerting templates for Regulatory Compliance (PCI, Sarbanes Oxley,HIPAA, etc...)
• All current WAF vendors provide a Heuristic Learning mode that will create a "traffic baseline" over a short period of time, and then allow you to deny any traffic not following that pattern.

Automatically generated filters from dynamic application security tools (DAST) can improve vulnerability blocking effectiveness by as much as 39% for a WAF and as much as 66% on an IPS.

Okta is an enterprise grade identity management service, built from the ground up in the cloud and delivered with an unwavering focus on customer success.
With Okta IT can manage access across any application, person or device. Whether the people are employees, partners or customers or the applications are in the cloud, on premises or on a mobile device, Okta helps IT become more secure, make people more productive, and maintain compliance.
The Okta service provides directory services, single sign-on, strong authentication, provisioning, workflow, and built in reporting. It runs in the cloud on a secure, reliable, extensively audited platform and integrates deeply with on premises applications, directories, and identity management systems.

Taking a business-driven, rather than an IT-driven approach to identity and access management (IAM) fundamentally changes how organizations approach their IAM challenges, and dramatically improves the value they can obtain.

Specifically, with business-driven identity and access management solutions, companies can empower the business owners to take ownership of identity and access control, provide consistent, full business context across Identity and Access Management systems, connect to the full set of key applications and data resources, and significantly lower the total cost of ownership while scaling to modern enterprise environments.

Symantec O₃ is a unique cloud security platform that provides single sign-on and enforces access control policies across web applications. Symantec O₃ helps enterprises migrate to Software as a Service (SaaS) applications while ensuring that proper risk management and compliance measures are in place to protect enterprise data and follow regulations.

Symantec O₃ improves security without getting in the way of usability. With Symantec O₃, end users only have to login once, across all of their web applications. It works equally well for both cloud-based and internal web application use cases.

In short, O₃ enables enterprise IT to embrace the cloud while retaining visibility and control – simplifying the use of cloud applications for both enterprise IT staff and for users.

Multiservice, Standalone Identity Bridge Accommodating the most diverse and advanced enterprise use cases, PingFederate enables outbound and inbound solutions for single sign-on, federated identity management, mobile identity security, API security and social identity integration. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using only standard identity protocols (SAML, WS-Fed, OpenID).
Extending PingFederate
PingOne Identity as a Service PingFederate can be deployed standalone or in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications. Eliminate passwords in the Cloud by recommending PingOne Application Provider Services for SAML-enabled applications in minutes.
Integrations Easily integrates with over 80 existing enterprise and cloud technologies including portals, web access management systems, strong authentication systems, Web application environments, custom applications, cloud identity providers and SaaS applications, eliminating lengthy integration projects and meeting tight deadlines.

  Symplified is a comprehensive cloud identity solution that enables IT and security organizations to simplify user access to applications, regain visibility and control over usage and meet security and compliance requirements.
Single Sign-OnSymplified’s Single Sign-On seamlessly and securely connects your users to applications, whether the apps are in the cloud or behind the firewall.

Employees, partners, and customers expect easy and secure access to the business applications they use on a daily basis. Symplified significantly enhances security and control for your business while providing a better user experience for your employees, thereby improving productivity and reducing help desk requests associated with multiple user accounts.
And because of Symplified’s unique architecture, you can seamlessly bridge your on premise infrastructure and applications to the cloud without the need to manage multiple systems or risk replicating sensitive user information outside your control.

Centrify's industry-standard solution delivers a single, unified architecture for sign-on.

• For SaaS apps, Centrify addresses these challenges with true single sign-on directly to Active Directory. A cloud service facilitates secure single sign-on and controls access through a security token service, which authenticates users to the portal with Kerberos, SAML, or an Active Directory username/password; then automates logins through a one-click interface when users select from their list of authorized SaaS applications.
• For on-premise apps, native authentication modules plug seamlessly into the underlying Centrify Agent on the managed application host systems, eliminating the need for separate authentication servers, providing single sign-on for SAP NetWeaver, Java and web applications and databases such as DB2.

SailPoint AccessIQ delivers the convenient access to cloud, web and mobile applications that business users want, along with the controls that IT needs to minimize risk. It empowers users with an intuitive App Launchpad for one-click, single sign-on (SSO) to cloud and web applications from any device – at work, home or on the go with mobile devices. And it provides IT with the visibility and controls required to apply security policy, detect violations and ensure regulatory compliance. Application visibility also helps business units control monthly subscription expenses by promptly deprovisioning unused or unauthorized cloud application accounts.

Corporate to Cloud Single Sign-on

EmpowerID SSO Manager is a Cloud Single Sign-On and Identity Federation platform that supports all of the standard identity protocols - SAML, OpenID, WS-Trust, WS-Federation, and OAuth.
SSO Manager enables employees, consumers, customers, and partners to access cloud and corporate applications using a single username and password. Federated SSO allows users who are authenticated against one directory to access additional applications and services without re-authenticating when a trust relationship has been established.

 Intel Cloud SSO is an identity as a service (IDaaS) outsourced solution that removes the complexity and burden of maintaining your own identity infrastructure for user to cloud access.

By leveraging a solution backed by three trusted providers-Intel, McAfee, and Salesforce, you gain assurance that your user's cloud identity is enterprise class secure. Gone are the days of insecure password based log-ins, expense help desk password resets, and IT managed cloud provider integrations for SSO.

Intel Cloud SSO is designed for fast, simple deployment by Salesforce or IT administrators that are not security or identity experts. By partnering with Salesforce to deploy on Force.com, we take advantage of native platform capabilities that make configuration a breeze and deliver ready connectivity to hundreds of popular cloud applications.

Microsoft Active Directory Federation Services 2.0 (AD FS) helps IT professionals efficiently deploy and manage new applications by

• Reducing custom implementation work
• Helping establish a consistent security model
• Facilitating seamless collaboration between organizations with automated federation tools

AD FS 2.0 includes built-in interoperability via open industry standards and claims, and implements the industry Identity Metasystem vision for open and interoperable identity.

 Enterprise Single Sign-on is the industry’s leading enterprise single sign-on (SSO) solution, basing application and system user logins on existing Active Directory identities. It requires no hard-to-manage infrastructure and streamlines both end-user management and enterprise-wide administration of single sign-on.

Set Up Unified Single Sign-On (SSO) for Web, Cloud and VPN Resources with SecureAuth Identity Provider™ (IdP)
Now you can minimize the number of passwords your users have to remember by providing a single logon to all on-premise web and cloud-based applications without APIs or application modifications. SecureAuth IdP abstracts user data from your native directory so multiple applications can be securely accessed simultaneously using the same credentials.
When two-factor authentication is required, you can easily add this feature to the SSO experience and the same credentials will be used to support web, cloud and VPN resources. With SSO from SecureAuth IdP, your users don’t have to juggle multiple credential sets and administrators aren’t flooded with calls to reset forgotten passwords.

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MITKerberos KDC.

Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server.

Security aspects related to access control, delegation of administration tasks and other networkadministrationtasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.

Do we need to place our Security Appliances inline? 

Network Intrusion Detection / Prevention systems look for malicious, malformed or erroneous traffic that could impact the security of the network and ultimately corporate data.  Rules are evaluated against the traffic flowing in and outbound to ensure compliance.  Non-compliant traffic can be actively blocked.

Web URL filtering or Content filtering applies a set of rules to validate whether an individual can gain access to a particular site or service on the Internet.  These are typically used on "Code of Conduct" compliance.
  
Botnet / Malware Control Appliances like Damballa or FireEye  inspect traffic source/destination, comparing against known Command and Control networks  and can download and inspect the content of attachments for malicious payload and remove where appropriate.

Data Loss Prevention Infrastructure may inspect the content of traffic passing in and out of the network, and block or quarantine any messages or attachments that are deemed to contain Corporate Sensitive Data.

• SPAN ports on your Switching Gear,  
• Breakout or Passive TAPS,
• Direct inline Daisy-chained Appliances
• Bypass Switches.  
• Additional Firewall DMZs (Firewall Sandwich) 

• SPAN (Switched Port ANalyzer) ports are a feature of virtually every managed switch on the market, ie: they are free.  Most switches have at least two SPAN ports available.
• A SPAN port is remotely configurable, allowing you to change which physical ports or VLANs on a switch are mirrored to the port being monitored. However, when traffic levels on the network exceed the output capability of the SPAN, because of duplex aggregation, the switch is forced to drop packets. (*see note below)
• Layer 1 and 2 errors are also not mirrored, and therefore never reach the port being monitored.  Bad or malformed packets are dropped, ie: not monitored.  
• If all you are doing is monitoring network traffic for compliance, this may do, but for forensics, legal, data loss, Anti-Malware, or Intrusion Prevention, this is not your solution.

• These are the simplest type of TAP (Test Access Point). Typically these would have have four to eight ports. Two for Ethernet in and out and the remainder as "monitoring ports". The network traffic is sent between the input and output ports unimpeded.  The network segment does not “see” the TAP.  At the same time the TAP sends a copy of all the traffic to monitoring ports of the TAP.
• The problem is that a Breakout TAP does not allow the Security Appliance to directly affect the passing traffic. 
•  For monitoring purposes, it is fantastic, but if you need to actively manage or block traffic.... this is not your solution.

•  An efficient and inexpensive way to allow your security appliances to inspect and make immediate decisions on all traffic.
• However it comes at the great cost of adding several points of failure in your egress zone.  
• If any one appliance fails, or stops passing traffic, the entire segment is down. This is typically unacceptable.

• Otherwise known as a Firewall Sandwich uses other network equipment like firewalls or switches to provide for failover mechanisms between appliances. 
• This is a very costly method of providing redundancy, and actually adds several points of failure to the design.
• The firewalls in this approach will want to manage traffic according to their rules rather than providing ALL passing data to the security appliances. This has the high probability of failing to identify malicious traffic.  It's not like malicious code follows rules....

• A Bypass Tap or Switch will allow you to place Security Appliances into the network while removing the risk of introducing a point of failure. 
• With a bypass TAP, failure of the inline device, reboots, upgrades, or even removal and replacement of the device can be accomplished without taking down the network. 
• In applications requiring inline tools, bypass TAPs save time, money and network downtime.
• In a high availability design, ie: your infrastructure from the switch to the firewall and router, is completely redundant, the bypass unit can be configured to actively manage link states up and downstream to force natural failover and failback upon  appliance failure.
• The bypass unit can also be configured - as it's name states - to pass traffic beyond the failed appliance un-inspected if that is required. 
• Failure modes are decided as part of the architecture, and are automatic. The Bypass Switch sends heartbeat packets through each connected appliance, and upon failure to receive the heartbeat through the appliance can opt to bypass that particular appliance or force a failover to the secondary stream.

• TAPs do not alter the time relationships of frames – spacing and response times are especially important with RTPs like VoIP and Triple Play analysis including FDX analysis.
• TAPs do not introduce any additional jitter or distortion nor do they groom the flow, which is very important in all real-time flows like VoIP/video analysis.
• VLAN tags are not normally passed through the SPAN port so this can lead to false issues detected and difficulty in finding VLAN issues.
• TAPs do not groom data nor filter out physical layer errored packets.
• Short or large frames are not filtered/dropped.
• Bad CRC frames are not filtered.
• TAPs do not drop packets regardless of the bandwidth.
• TAPs are not addressable network devices and therefore cannot be hacked.
• TAPs have no setups or command line issues so getting all the data is assured and saves users time.
• TAPs are completely passive and do not cause any distortion even on FDX and full bandwidth networks.
• TAPs do not care if the traffic is IPv4 or IPv6; it passes all traffic through.

Cisco warns that “the switch treats SPAN data with a lower priority than regular port-to-port data.” In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded. This rule applies to preserving network traffic in any situation. For instance, when transporting remote SPAN (RSPAN) traffic through an Inter Switch Link (ISL), which shares the ISL bandwidth with regular network traffic, the network traffic takes priority. If there is not enough capacity for the remote SPAN traffic, the switch drops it. Knowing that the SPAN port arbitrarily drops traffic under specific load conditions, what strategy should users adopt so as not to miss frames? According to Cisco, “the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations.”

• Duplicate Network Switches with redundancy protocols
• Duplicate routers with redundancy protocols
• Duplicate firewalls with Heartbeat
• Redundant ISP circuits from two different providers
• redundant power supplies in all critical infrastructure, supplied from...
• Redundant street power from two separate grids
• Cluster or HA servers for critical systems such as Corporate Websites 

(from http://ikuna.com)

• HTTP acceleration for downloading of large files and website content
• Automatic and dynamic optimization of web page content
• Intelligent routing and load balancing 
• Protection from distributed denial of service (DDoS) attacks

• Bell Canada: Content Delivery Network
• Telus Canada: Content Delivery Network (via Edgecast)
• Akamai Technologies
• Limelight Networks
• Amazon CloudFront
• AT&T's Digital Media Solutions
• BitTorrent Inc.
• CDNetworks
• Edgecast
• Ikuna
• PEER 1
• PeerCast

• CDNPlanet: Content Delivery Networks
• Content delivery networks: A primer of CDN providers and technology
• Techtarget.com: content delivery network (CDN) 
• How content delivery networks (CDNs) work 
• http://www.quora.com/Content-Delivery-Networks/How-does-Akamai-CDN-work 
• http://www.searchblog.asia/topics/seo/will-using-content-delivery-networks-affect-seo/ 
• http://serverfault.com/questions/46830/how-do-cdn-content-delivery-networks-server-work 
• http://mae.ucdavis.edu/dsouza/Classes/MAE298-S09/sc421.pdf
• Updated List Of Vendors In The Content Delivery and Transparent Caching Markets 
• To Speed Up The Web, EdgeCast Has Added Google PageSpeed Technology To Its CDN 

To allow for near-future work models, where employees can bring their own mobile devices into the workplace,  where “work from home” is standard practice, and where the Data Center is being virtualized and services abstracted to external third party providers,  the Security Industry is rethinking the traditional concepts of  boundaries and perimeters.

What is considered a Host?

• A host can be physical or virtual, and may run any of a dozen operating systems. 
• A host typically will have additional software added to provide it’s specific functionality. This may include various commercial database and/or application server packages from a multitude of vendors.
• A host will generally have a specific purpose or “role” within the data center which would be defined by it’s configuration and/or applications/services running on it. 

• Similar hosts may be “clustered” together to provide a single service for performance or availability reasons.
• Hosts may be grouped together by similar role
• Hosts that work together to provide a specific service may be grouped together
• Hosts that belong to a specific Business Unit may be grouped together

 

Protecting a Heterogeneous Environment

• Any Host protection system deployed must operate and protect the majority of Operating Systems that can be found within the environment. This includes but is not limited to Microsoft Windows Server, IBM AIX , HPUX, Solaris, Linux, VMware, Xen, Microsoft HyperV

• Any Host protection system deployed must operate and protect the majority of Database Systems that can be found within the environment. This includes but is not limited to Microsoft SQL Server, Oracle SQL, Sybase, IBM DB2, Ingres, PosGreSQL, MySQL,

• Any Host protection system deployed must operate and protect the majority of Application Servers and Frameworks that can be found within the environment.  This includes but is not limited to Microsoft Active Directory, Exchange, SharePoint, and ISA, WebLogic, Oracle, WebSphere, Jboss,  IBM Domino,  Java, ASP.Net, PHP

• Any Host protection system deployed must operate and protect the majority of Web Servers that can be found within the environment.  This includes but is not limited to Microsoft IIS, Apache, Tomcat, Weblogic, Oracle

Host Protection - Operating System Layer

• File Integrity Monitoring and Prevention:
• Identify changes to files in real-time, including who made the change and what changed within the file.
• Memory Integrity Monitoring and Prevention: 
• Identify in real-time, any attempt to modify or corrupt memory outside of the boundaries of that owned or managed by a specific application or service.
• Registry Integrity Monitoring and Prevention: 
• Identify changes to Windows Registry settings in real-time, including who made the change and what changed within the registry.
• Device Control: 
• Identify, prevent and alert on attempts to access system devices which are outside of a particular security profile.
• Configuration Monitoring: 
• Identify policy violations, suspicious administrators or intruder activity in real-time.
• Targeted Prevention Policy: 
• Respond to server incursion or compromise immediately with quickly customizable hardening policies.
• Granular Intrusion Prevention Policies: 
• Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
• File, system and admin lock down: 
• Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Host Protection - Network Layer

Host Protection - Application Layer

A Host Protection Service must be able to provide a means to identify and control appropriate access within and  between applications…..

• Files
• Folders
• registry settings
• device drivers
• Libraries
• network connections
• service accounts

Host Protection - Database Layer

• Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers.
• Unauthorized or unintended activity or misuse by or by unauthorized users
• Unauthorized or unintended privilege escalation
• Malware infections causing unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems
• Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities

Host Protection - Web Layer

According to OWASP (http://www.owasp.org) and SANS ( http://www.sans.org) The top Web Server vulnerabilities include:

Host Protection - Managing Profiles

• Nested security profiles, akin to Active Directory’s “Group Policy” management will enable quick access and visibility to host assets by Owner, Role, or Location
• A high level role would be assigned to “Operating System Platform”
• A nested role would be assigned to SPECIFIC Operating Systems (Windows Server 2003, Windows Server 2007, AIX 5.3, AIX 6.0, HPUX 11…) to refine control
• A high level role would be assigned to each Database System Platform
• A nested role would be assigned to SPECIFIC Database Systems to refine control
• A nested role would be assigned to Critical Database Systems to refine control
• A high level role would be assigned to each Application Type
• A nested role would be assigned to SPECIFIC Application Instances to refine control
• A high level role would be assigned to each Web Server Platform
• A nested role would be assigned to SPECIFIC Web Server types to refine control
• A nested role would be assigned to Critical Web Servers to refine control

 

First: Here is the fixed OpenSSL 

• Steal OpenSSL private keys
• Steal OpenSSL secondary keys
• Retrieve up to 64kb of memory from the affected server
• As a result, decrypt all traffic between the server and client(s)

• Windows (all versions): Probably unaffected (uses SChannel/SSPI), but attention should be paid to the TLS implementations in individual applications. For example, Cygwin users should update their OpenSSL packages.
• OSX and iOS (all versions): Probably unaffected. SANS implies it may be vulnerable by saying "OS X Mavericks has NO PATCH available", butothersnote that OSX 10.9 ships with OpenSSL 0.9.8y, which is not affected. Apple says: "OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS"
• Chrome (all platforms except Android): Probably unaffected (uses NSS)
• Chrome on Android: 4.1.1 may be affected (uses OpenSSL). ^Source. 4.1.2 should be unaffected, as it is compiled with heartbeats disabled. ^Source.
• Mozilla products (e.g. Firefox, Thunderbird, SeaMonkey, Fennec): Probably unaffected, all use NSS 
•  Any service that supports STARTLS (imap,smtp,http,pop) may also be affected.

Affected Vendor Information (from CERT)

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley  and Bodo Moeller  for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
04/08/2014 08:46 AM EDT

Original release date: April 08, 2014

Systems Affected

• OpenSSL 1.0.1 through 1.0.1f
• OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional details may be found in CERT/CC Vulnerability Note VU#720951.

Impact
This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution
OpenSSL 1.0.1g has been released to address this vulnerability.  Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

From the Dell SecureWorks documentation:

1. How did they compromise a public facing application to get "inside" the Corporate Network?
2. Why were 3rd party credentials on an external facing application associated within an Internal Directory?
3. Where was Intrusion Prevention between their DMZ and the Corporate Network?  
4. How did an Admin Account on a single server get privilege escalated to the Active Directory? 
5. Once in the Production Environment, how did they get to the POS network?  I mean they are PCI compliant, aren't they?  There should be no direct path between the two...
6. Where was Intrusion Prevention between the corporate network and the POS network? 
7. How was an FTP service allowed to communicate from the Data Center out to the Internet?
8. Where was Intrusion Prevention between the Corporate Network and the Internet?  
9. If IPS was in fact in place (I have to believe it was...)  was it detuned or ignored?

From my previous article:

A Host Protection Service must:

•Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware

•Protect against Zero-Day malware and malicious actor attacks.

•Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.

•Enable demonstrable change control on mission-critical systems.

•Centralize configuration protection across the enterprise, reducing administrative burden.

•Support a library of pre-defined rules that recognize common security events.

•Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.

•Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.

•Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.

•Record the event in a centralized corporate SEIM.

How could Host Based Protection have helped Target?

With Host Protection installed on the Point of Sale Embedded Windows OS terminals, a policy would restrict the system from accepting patches/updates, or installing software/executables from anywhere other than the official SECURED software distribution infrastructure.  This would have eliminated the potential of an attacker installing anything, unless they had already compromised your software distribution infrastructure.  The POS application would run in a "sandbox", basically a separate secured process that does not expose it's memory or connectivity to other processes on the host. This would have eliminated the potential for memory scrapers.  Essentially, phase1 of the attack would not have been achieved.

With Host protection running in the core data center servers (both physical and virtual), there would be no way to install the data transfer software... even if you had the credentials to an administrative service account on the server. The Host Protection would only allow software updates, patches, or executables to be pushed from 
the official SECURED software distribution infrastructure.  If the data transfer software were already installed, then any change to the configuration of this software, even with a compromised administrative service account, would raise an alert, and log all activity to the console.   If the alert was not responded to within a period of time, the configuration could be rolled back automatically. Essentially, phase2 of the attack would not have been achieved.

With no Phase1, and no Phase2... Exfiltration of the customer data through this methodology would not have happened, and CEO Gregg Steinhafel and CIO Beth Jacob would still have their jobs...

Additional controls to consider, beyond those provided by Host Based Server Protection:

• Segment POS network from the corporately accessed network
• Segment Database network from the corporately accessed network 
• Encrypt all transactions between POS network and servers outside POS network
• Employ a Privilege Access Management Strategy
• Enforce scheduled maintenance windows for software updates/installations
• Enforce specific hosts/accounts allowed to deploy software updates/installations
• Patch Applications as well as Operating System as patches become available
• Use Heuristic Analysis as well as Signature based AntiMalware. 
• Subscribe to and USE live Threat Analysis Feeds
• Do not log locally, but rather stream log events to a SIEM 
• Remove - not just disable - all not pertinent applications/executables
• Run AntiMalware at your Internet Egress point, as well as on your hosts
• Run Data Loss Protection on your hosts as well as at ALL egress points

According to a report by analyst firm Gartner, adding more layers of defense will not necessarily improve protection from targeted threats. What is needed, the analysts say, is the evolution of better security controls.

RSA: The Malware Factory and Massive Morphing Malware

“Advanced threats against enterprises today thrive on exploiting the unknown and evading blocking techniques thanks to a growing, global marketplace for selling software vulnerabilities,” said Zheng Bu, vice president of security research, FireEye. “The old security model of tracking known threats and relying on signature-based solutions are simply powerless to stop zero-day threats. The number of zero-day attacks profiled in the paper highlight why organizations need to take a new approach to security by combining next-generation technology with human expertise.”

 

(I added the Red Text to show the result of implementing FireEye)

1. Reconnaissance- Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies. 

• If the reconnaissance is done as a form of phishing exercise, there will likely be links in the email back to a C&C server on the Internet.  Any attempt to connect to that network (ie: clicking the link) would be blocked by FireEye and generate an alert to the SIEM.

1. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable. 

• Email attachments as well as files downloaded from the Internet will be assessed by FireEye (Executed in several virtual sandboxes), and if deemed malicious, will alert the SIEM, block callbacks, and prevent further downloads.

1. Delivery- Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media. 

•  As in Weaponization, Email attachments as well as files downloaded from the Internet will be assessed by FireEye (Executed in several virtual sandboxes), and if deemed malicious, will alert the SIEM, block callbacks, and prevent further downloads.

1. Exploitation- After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. 

• *IF* a malicious application DOES get installed out of band, ie: from CD or USB drive, any callbacks would be blocked by FireEye, raising an alert in SIEM, and preventing subsequent communication with the C&C and subsequent downloads.

• Host Protection tools on your servers are HIGHLY recommended to prevent installation and  execution of any such malicious applications in the first place.

1. Installation- Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

• Host Protection tools on your servers are HIGHLY recommended to prevent installation and execution of any such malicious applications in the first place.

1. Command and Control (C2)- Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have “hands on the keyboard” access inside the target environment.

• FireEye will block callbacks to the Command and Control, and prevent further downloads. 

1. Actions on Objectives- Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

•  Malicious code will not be able to exfiltrate data, if callbacks are blocked, and the Command and Control IP addresses are blocked.  Again, any attempt to do so, would send alerts to the SIEM while still being blocked.

There is little excuse for a company to be running vanilla FTP either inside their data center or especially over the Internet.  Secure file transfer protocols and standards have been around and fully supported SINCE THE TURN OF THE CENTURY!!!

"...what about the threat information contained on an unsecured

FTP server could pose to a business like yours? Consider a few other recent FTP

exposures:

• CardSystems, who processed credit card transactions for nearly 120,000 merchants totaling more than $18 billion annually, were essentially forced out of business after 40 million identities were exposed. Amex and Visa told CardSystems that they would no longer do business with the company.
• 54,000 records were stolen from Newcastle City Council
• An unsecured document was exposed on the New Mexico Administrative Office of the Courts FTP server; it contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees.
• The Hacker Webzine reports that Fox News had an exposed FTP connection linking out to Ziff Davis.
• The personal information of uniformed service members and their family members were exposed on an FTP server while being processed by major Department of Defense (DoD) contractor SAIC. As many as 867,000 individuals may have been affected."

The FTP (File Transfer Protocol) protocol was documented in 1971 as  RFC 114 and eventually evolved into RFC 959 , the FTP standard that all systems use today. It has been the workhorse of most corporate file transfer systems in production.

All current Server Operating Systems, whether Windows, Unix, Linux, MAC, or Mainframe come with a variant of an FTP service following RFC 959.
There are VERY many FTP client applications available for each and every Desktop, Laptop, Tablet and smartphone in existence, also complaint with RFC 959.   

Once companies and security consultants  realized the great risk that FTP exhibits by sending corporate data "in the clear" over the network, they proposed RFC 2228 (in 1997) to protect FTP data in transit using SSL encryption.  Aside from transport encryption the service is identical to FTP.  

FTPS transport encryption comes in two flavors Implicit, and Explicit.  Implicit FTPS (Now pretty much obsolete) establishes an SSL or TLS session prior to exchanging data, over TCP ports 989(data)/990(control).  Explicit FTPS, the more common of the two, can use a single port for both encrypted and unencrypted data transfer.  The client initially establishes an unencrypted session, and if SSL/TLS is required, an AUTH TLS or AUTH SSL command is issued by the client to secure the control channel before sending credentials.

Although regularly  confused with FTPS, SFTP is actually an application in the  SSH  protocol suite.  RFC4253"The Secure Shell (SSH) Transport Layer Protocol"  defines the security model of this Secure File Transfer Protocol.   Whereas FTPS relies on SSL (X.509) Certificates with their associated PKI requirements to secure the session, SFTP uses Diffie-Hellman Key Exchange to manage an asymmetric pair of keys to secure the session. All UNIX based systems (Including MAC, Linux, and Mainframe) come with SSH preinstalled.   There are many variants available for Windows as well.

• Microsoft: How to create a security-enhanced FTP directory that uses Password Authentication
• WSFTP: Admin guide 
• Installing & Configuring VSFTPD FTP Server for Redhat Enterprise Linux, CentOS & Fedora 
• How to Make Your Mac an SFTP Server

"In a physical environment, every application depends on its OS for a range of services, including memory allocation, device drivers, and much more. Incompatibilities between an application and its operating system can be addressed by either server virtualization or presentation virtualization; but for incompatibilities between two applications installed on the same instance of an OS, you need Application Virtualization.  "

Emergency DDoS Protection Service to Stop a Cyber Attack

• http://www.prolexic.com/knowledge-center-dos-and-ddos-attack-reports.html
• Content delivery networks: A primer of CDN providers and technology
• Techtarget.com: content delivery network (CDN) 
• How content delivery networks (CDNs) work 
• http://www.quora.com/Content-Delivery-Networks/How-does-Akamai-CDN-work 
• http://www.searchblog.asia/topics/seo/will-using-content-delivery-networks-affect-seo/ 
• http://serverfault.com/questions/46830/how-do-cdn-content-delivery-networks-server-work 
• http://mae.ucdavis.edu/dsouza/Classes/MAE298-S09/sc421.pdf
• Updated List Of Vendors In The Content Delivery and Transparent Caching Markets 
• To Speed Up The Web, EdgeCast Has Added Google PageSpeed Technology To Its CDN 

Blueline Data Products and Services

• Strategic Assessment – a review with your team to determine what Blueline Solutions would be most impactful with your business requirements and technology investments
• Solution Services– compliance delivery guidance and market insight (call center, financial services, healthcare, retail, etc.) 
• Voice Gateway - encompasses security encryption around voice channels that send and receive sensitive data, to eliminate fraud by capturing, masking and encrypting confidential signaling information on the  path. The encrypted sensitive datagrams are securely rendered to allow fully protected  processing, eliminating the possibility of a call to get compromised.
• Retail Gateway - offers integration with any point-of-sale (POS) device in a secure and compliant manner, and allows point-to-point encryption of client's personal information from any payment media. This applies to any transaction or function where a client is required to use a payment terminal for credit or debit card processing expected to integrate with the backend data repository. There is no need for manual card data entry for proof of identity, payment guarantee or other purposes.
• Data Gateway - provides organizations with a single access point-of-presence to transaction services, such as secure banking and financial networks, mobile application payment delivery, or secure web bill presentment. It allows you centrally and uniformly govern all traffic of financial interest, whether it is exchanged between your partner organizations or with your clientele involved in the transaction flow.  Sensitive data transfer is fully protected to meet the highest security and privacy standards.
• Data Vault - presents a conversion engine that takes any sensitive data element – whether it is SSN or SIN number, driver's license, credit or debit card, or patient record – and encrypts such information in a format-preserving manner.  The data is tokenized and optionally stored in a secure "digital vault" that you can access as you need, provided that sufficient privileges are presented.  It fully removes sensitive payment and personal information from your computing systems and digital media.

• IBM X-Force security professionals monitor and analyze security issues from a variety of sources, including its database of more than 76,000 computer security vulnerabilities, its global web crawler and its international spam collectors.

• Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of approximately 69 million attack sensors which record thousands of events per second.

• ThreatCloud, the first collaborative security infrastructure to fight cybercrime. ThreatCloud dynamically reinforces Check Point Threat Prevention Software Blades with real-time threat intelligence derived from Check Point research, global sensors data, industry feeds and specialized intelligence feeds from the ThreatCloud IntelliStore.

• WildFire offers a completely new approach to Cybersecurity, through native integration with Palo Alto Networks Enterprise Security Platform, the service brings advanced threat detection and prevention to every security platform deployed throughout the network, automatically sharing protections with all WildFire subscribers in about 15 minutes.

• McAfee Global Threat Intelligence (GTI) notices the anomalous behavior and predictively adjusts the website’s reputation so McAfee web security products can block access and protect customers. Then McAfee GTI looks out across its broad network of sensors and connects the dots between the website and associated malware, email messages, IP addresses, and other associations, adjusting the reputation of each related entity

• Lancope Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. 

• F5® IP Intelligence incorporates external, intelligent services to enhance automated
  application delivery with better IP intelligence and stronger, context-based security. By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into the F5 BIG-IP® platform, adding context to policy decisions. IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic.

• The Cisco Talos Security Intelligence and Research Group (Talos) is a group of elite cyber security experts whose threat intelligence detects, analyzes and protects against both known and emerging threats by aggregating and analyzing Cisco’s unrivaled telemetry data of billions of web requests and emails, millions of malware samples, open source data sets and millions of network intrusions. More than just a traditional response organization, Talos is a proactive member of your security ecosystem, working around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities with new rules, signatures, file analysis and security tools to better protect your organization.

• With Trend Micro at your side, you can safely navigate the changing cyber security landscape. We defend tens of millions of customers around the clock through a worldwide network of 1000+ threat researchers and support engineers committed to 24x7 threat surveillance and analysis, attack prevention and remediation, and educational tools to help you secure your data against cyber crime in this ever-changing digital world.

• Kaspersky Lab’s Security Intelligence Services constantly monitor the threat landscape, identifying emerging dangers and taking steps to defend and eradicate. Combining our world-leading knowledge of malware and cybercrime with a detailed understanding of our clients’ operations, we create bespoke reports that provide actionable intelligence for an enterprise’s specific needs.  Our intelligence services range from subscriptions to our global network insights, monthly threat analysis specific to your organisation, through to bespoke training and education programmes.

• Actively enforce and manage reputation-based security policies to help focus on those threats with most risk. By using frequently scheduled updates of reputation data, vetted by a global cadre of experts, HP RepSM detects communication with sites known to have bad reputations-preventing exfiltration of intellectual property and reducing business risk. In addition, you can proactively monitor and protect the reputation of your own enterprise by making sure company and partner web sites and assets are not found on the bad reputation list.

•  The new Interflow platform, based on Microsoft's Azure cloud service, is geared for incident responders and security researchers. "We needed a better and more automated way to exchange information with incident responders. That's how we started on a path developing this platform," says Jerry Bryant, lead senior security strategist with Microsoft Trustworthy Computing. "This allows for automated knowledge exchange."

"The CyberArk SSH Key Manager is designed to securely store, rotate and control access to SSH keys to prevent unauthorized access to privileged accounts."

The concept of a "jump" server has been around for decades, but is rarely in use or enforced.  One popular use of jump servers is to restrict access into a DMZ. This allows administrative control of servers in the DMZ to be regulated and audited as per compliance rules.

Secure administrative hosts are workstations or servers that have been configured specifically for the purposes of creating secure platforms from which privileged accounts can perform administrative tasks in Active Directory or on domain controllers, domain-joined systems, and applications running on domain-joined systems. In this case, “privileged accounts” refers not only to accounts that are members of the most privileged groups in Active Directory, but to any accounts that have been delegated rights and permissions that allow administrative tasks to be performed.
.......

Although the “most privileged” accounts and groups should accordingly be the most stringently protected, this does not eliminate the need to protect any accounts and groups to which privileges above those of standard user accounts have been granted.

A secure administrative host can be a dedicated workstation that is used only for administrative tasks, a member server that runs the Remote Desktop Gateway server role and to which IT users connect to perform administration of destination hosts, or a server that runs the Hyper-V® role and provides a unique virtual machine for each IT user to use for their administrative tasks. In many environments, combinations of all three approaches may be implemented.

Cyber-Ark Enterprise Password Vault (EPV) 

 
Cyber-Ark EPV is a suite of applications to securely manage passwords and other related sensitive objects.  While it typically is used to store and manage privileged account passwords, it has the capability to manage any type of sensitive information including such as database connection strings.

Features include:

• Granular password object access controls
• Ability to manage passwords automatically as per a predefined policy (i.e. change password every 90 days, verify password every 30 days, etc.) for many platforms
• One-time passwords possible
• Dual control authentication possible
• API spanning all common languages/development environments to integrate with custom applications facilitating secure storage and retrieval of sensitive application specific credentials and other information (i.e. private keys, database connection strings, etc.)
• Seven layers of security/access control for vault objects

Privileged accounts are a required part of any software whether it is an operating system, database or application. Most hardware appliances also require privileged accounts for administration.

Similar to the UNIX's root and Windows' administrator accounts, privileged system accounts are required for systems to function and are frequently used by system administrators to do their jobs, granting special system privileges that average users don't need, and that even administrators need only from time to time when making major changes.

However, these privileged accounts have no accountability, as they typically do not belong to any individual user and are commonly shared by many administrative staff.Alternatively, many organizations bestow excessive privileges onto the accounts of those conducting administrative tasks. 

These accounts have elevated access rights, meaning that those with access can circumvent the internal controls of the target system.

Once these controls are bypassed, users can breach confidential information, change transactions and delete or alter audit data.

• The most common type of hacker breaks into target systems using default lists of Privileged User accounts and can easily crack weak passwords.

• Compliance audit regulations (such as Sarbanes Oxley and PCI ) require organizations to periodically monitor and prove who has accessed shared accounts, what was done, and whether passwords are managed according to policy

• With hundreds or more servers and network devices, manually updating and reporting on Privileged Passwords can be extremely time-consuming, in particular, defining individual user access to a shared account, and when the access occurred

• Most enterprises consist of a multitude of disparate IS platforms (Windows, UNIX, Mainframe, AS/400, Databases, etc…). Each of these platforms pose unique challenges in managing privileged access

• Too many people have access to passwords for “generic” privileged access accounts (Administrator, DBA, ROOT).

• Too many people have more access to privileged resources on their own account than is required by their role.  Access tends to accumulate over the course of a user's employment.

• Most companies have not done a great job in the past in cleaning up user accounts that had privileged access.

• System or service accounts have been created with significant privileged access, but for technical reasons have not followed password compliance standards.

In this case study, an organization has implemented Cyber-Ark Enterprise Password Vault redundantly between two data centers.

This implementation will allow the various Business Units to Securely control access to their Privileged System Accounts.  This would include "infrastructure service accounts" like ROOT, Administrator, SYS, and DBA, as well as Business Unit and Application specific account that required privilege for the purposes of administration.

 

"Security Policies and Implementation Issues" By Robert Johnson

For the past decade and a half, Citrix and then VMWare have promised to deliver Virtual Desktop

Today, there is little delta in cost between a Smart Terminal and a low end Intel/AMD based PC.  Without the cost incentive, adoption has slowed. 

Network's have become exponentially faster.  Today's network environment has removed most of the latency issues chronically plaguing legacy applications.

Another entire tier of infrastructure is required to satisfy a typical VDI solution. High end multi-core server clusters with hundreds of Gigabytes of memory are required to host these remote sessions. 

Offline is not an option.  In a typical VDI infrastructure, when your network saturates or becomes disconnected... your entire farm is unavailable.  All workstations cease to work.

And most importantly, today's applications are Media Rich.  High end graphics and audio processors are the norm on the average desktop purchased, but the Server Based Computing model still fails to deliver on the performance requirements in this area. 

So? What's this Upside Down VDI thing you started with?

 In 2006, Citrix acquired a company/technology calledArdence.  Ardence basically stood up generic workstation boot images and user profile drives, and provisioned them through PXE boot to your workstations. You got the benefits of secure patching and antivirus every time you booted, and if there were hiccups in the network, you were still operational. AND!!!  The image ran locally on your Desktop hardware.  No huge backend server infrastructure other than the provisioning box, and all the media performance you could manage locally!  

Citrix has since rebranded this as Citrix Provisioning Services and focused it more on provision virtual images for its core line of business, the XenApp services as opposed to physical workstations. 

Now, if you follow VDI or Citrix in general, the name Brian Maddenis etched into your very optic nerves. He is the defacto guru of anything resembling Virtualized Desktop.

In early October, he issued the following article:  Brian Madden: Remember how Ardence was awesome before Citrix screwed it up? You need to know about Jentu: Disk streaming to physical desktops 

Jentu is a Canadian Company, out of Toronto Ontario. 

Even though the company name is relatively new, Jentu has been around in one form or another for over a decade.  Jentu introduced their Diskless Workstation provisioning architecture several years ago as a means to support multiple workstations at their remote customer sites.  Rather than remotely accessing and managing individual workstations on a remote network, they came up with a scheme that would manage Virtual Disk images on a file server.  These images would be maintained for patching and antimalware.  Typical office applications would be applied  to the image and maintained as well.  User profiles and data, as well as host hardware profiles would be stored on a separate volume on the network. 

When a user rebooted their physical workstation, a PXE boot (network boot) would connect the workstation (based on MAC address) to the correct boot image, and stream that image via secured iSCSI to the workstation.  User logon would then pull down their personal profile for desktop, etc via group policy in Active Directory.

From that point on, the user is running live on their own physical workstation with all the benefits of the hardware on their desk.  

---

  Remember that MAPS acronym from Citrix?   

 Management, Access, Performance, and Security.

If you haven't heard of Jentu, I suggest you go check them out now.  You'll definitely be hearing more of them in the future.

From the Jentu site: 

• Brianmadden.com
  
• The VDI Delusion: Why Desktop Virtualization Failed to Live Up to the Hype, and What the Future Enterprise Desktop will Really Look Like
• Why it is always, and never, the year of VDI, but network virtualization is here to stay
• VMware folds View into Horizon Suite, eliminates low-end VDI pricing 
• VMware's Wanova acquisition extends VDI to physical desktops 
• VMware Welcomes Wanova to the EUC Family 
• What is Persistent Desktop? 
• Dell: Who says thin client failed? 
• Brian Madden: A decade of server-based computing: how we got from WinFrame to the virtual, streamed, VDI, XenApp world of today 
• Fujitsu: Desktop Virtualization with Citrix 
• Wikipedia: Desktop Virtualization 
• Brian Madden: When to use local VDI vs. offline VDI  
• Ardence: IntervalZero Acquires Ardence Embedded Software Business From Citrix  
• Brian Madden: Using Ardence Disk Streaming with Citrix Servers  
• Brian Madden: Double-Take’s Flex product is like Citrix Provisioning Server without Citrix  
•  Brian Madden: Remember how Ardence was awesome before Citrix screwed it up? You need to know about Jentu: Disk streaming to physical desktops