
Giving your network a shot in the arm! Darktrace: The Enterprise Immune System.

I understand that most of you reading this have never worked in a Security Operations Center (SOC for short), but you've all seen them in movies.

Sterile, brightly lit rooms of computer screens, all showing spreadsheets or charts or static maps of the world. I yawn even thinking of it.

And yet the men and women working in this environment 24/7 are responsible for detecting that one little anomaly, or sorting out the REAL bad traffic patterns from among the thousands of false-positive bad traffic patterns that show up on their screens hourly.

Little wonder the poor security analysts over at Target missed the evidence in front of them. The sheer enormity and chaos of data that assaults them in the course of their workday is stressful and overwhelming. All the screens look the same: tables and columns and rows of information about network and security events collected and forwarded by every device on the network. Then hundreds or thousands of rules process them to try to find deviations from "normal traffic". Like any network has "normal traffic". Right...

I know. I've worked in or around these systems for the past two decades. I've seen the tools appear, mature, merge, morph, and become "fairly" usable. But the false positives are still rampant, and low-and-slow "Advanced Persistent Threats" stay under the radar and typically don't show up here.

So when an upstart security analytics company called me late in 2013 to show me what they'd been working on, well... I couldn't care less. Really... They tried hard to influence me with their pedigree: hailing from the minds of ex-MI5 security intelligence employees, and funded by Autonomy founder Mike Lynch. But all big software stands on the shoulders of giants, right?

Then a few months ago, a friend of mine convinced me to come out to a public demo of their system. 


Five minutes in, I was awestruck. 

So let me take a second to say that the basis of their tools revolves around some very propeller-head complex math that us mere mortals could never comprehend. They do not rely on rules or signatures or event feeds from your network devices. Yes... they DO require a network SPAN or TAP at critical aggregation points, but from that raw traffic they are able to watch, analyze, identify, and correlate your flows over a period of time and, through machine learning techniques, develop an understanding of "normal traffic" within several contexts.

Darktrace touts itself as your "Enterprise Immune System": like the human body's immune system, it has an understanding of "self", what belongs or is normal, versus contaminants like bacteria or viruses. After a period of mapping your environment's traffic patterns (source, destination, port, protocol, time of day, day of year, etc.), Darktrace uses its learning algorithms to alert on traffic patterns that are NOT normal, and therefore should be looked at. It learns what "normal" or "self" is for each device on your network. The difference here is the heuristic learning: not rules made by people who think they know the system. The caveat that applies to any baseline approach applies here too: the learning period has to be clean, because whatever is already talking on the network when learning starts, an attacker's beachhead included, gets folded into "self".
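To make the "learn self per device, then alert on deviation" idea concrete, here is an added example in Python. It is not Darktrace's code or algorithm (the vendor describes theirs as recursive Bayesian estimation over far richer context); it is a deliberately simple frequency baseline over constructed flow records: learn, per source device, which peer/port/time-of-day combinations were seen, then score new flows by how far they sit from that baseline. The IP addresses, flows and thresholds are all made up for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample flows from a "learning period": (timestamp, src_ip, dst_ip, dst_port).
# 10.1.1.20 is a desktop, 10.1.2.10 a web server, 10.1.3.5 its database, 10.1.4.8 storage.
BASELINE_FLOWS = [
    ("2015-03-02T09:00:00", "10.1.1.20", "10.1.0.2", 53),
    ("2015-03-02T09:05:00", "10.1.1.20", "10.1.2.10", 443),
    ("2015-03-02T10:15:00", "10.1.1.20", "10.1.2.10", 443),
    ("2015-03-03T14:30:00", "10.1.1.20", "10.1.2.10", 443),
    ("2015-03-02T09:05:01", "10.1.2.10", "10.1.3.5", 3306),
    ("2015-03-02T10:15:01", "10.1.2.10", "10.1.3.5", 3306),
    ("2015-03-03T14:30:01", "10.1.2.10", "10.1.3.5", 3306),
    ("2015-03-02T09:05:02", "10.1.2.10", "10.1.4.8", 2049),
]

# Constructed flows observed after learning, to be scored against the baseline.
CANDIDATE_FLOWS = [
    ("2015-03-09T10:00:00", "10.1.1.20", "10.1.2.10", 443),   # desktop -> web, business hours: normal
    ("2015-03-09T03:12:00", "10.1.1.20", "10.1.3.5", 3306),   # desktop straight to the database at 03:12
    ("2015-03-09T02:30:00", "10.1.2.10", "10.1.3.5", 3306),   # web -> db, but in the middle of the night
    ("2015-03-09T11:00:00", "10.1.1.20", "10.1.2.10", 22),    # desktop -> web over SSH instead of HTTPS
    ("2015-03-09T11:00:00", "10.1.1.99", "10.1.2.10", 443),   # a device never seen during learning
]

def hour_bucket(ts: str) -> str:
    """Coarse time-of-day context; a real system keeps finer buckets plus weekday/weekend."""
    hour = datetime.fromisoformat(ts).hour
    return "business" if 8 <= hour < 18 else "offhours"

def learn_baseline(flows):
    """Per source device, count each (peer, port, time bucket) combination seen."""
    baseline = defaultdict(Counter)
    for ts, src, dst, dport in flows:
        baseline[src][(dst, dport, hour_bucket(ts))] += 1
    return baseline

def score_flow(baseline, flow):
    """0.0 = fits the device's own 'self'; 1.0 = nothing like it was ever seen."""
    ts, src, dst, dport = flow
    seen = baseline.get(src)
    if not seen:
        return 1.0, "device has no baseline"
    if seen[(dst, dport, hour_bucket(ts))] > 0:
        return 0.0, "within baseline"
    if any(d == dst and p == dport for d, p, _ in seen):
        return 0.6, "known peer and port, unusual time of day"
    if any(d == dst for d, _, _ in seen):
        return 0.8, "known peer, new port"
    return 1.0, "never-seen peer"

def detect(baseline, flows, threshold=0.5):
    """Return the flows whose score crosses the alert threshold, with the reason."""
    alerts = []
    for flow in flows:
        score, reason = score_flow(baseline, flow)
        if score >= threshold:
            alerts.append((flow, score, reason))
    return alerts

if __name__ == "__main__":
    for flow, score, reason in detect(learn_baseline(BASELINE_FLOWS), CANDIDATE_FLOWS):
        print(f"{score:.1f}  {flow}  {reason}")
```

Run as-is it prints the four candidate flows that deviate and leaves the desktop-to-web request alone. Note what the baseline never had to know: no rule says "desktops must not talk to databases at 3 a.m."; the desktop simply never did, so the flow has no place in its "self".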

All very impressive... BUT... that's not really what caught my eye. Sorry Darktrace guys, but the person or people you can never let leave your company are the ones who wrote that AWESOMELY FUTURISTIC HUMAN INTERFACE!!! Oh My God!
 (pause here to collect my breath)




Remember up top where I said how sterile and drab and monotonous staring at a gazillion screens full of spreadsheets was?   Well... now picture having the tools from Minority Report!  Yeah, you know the ones!   





The screen in front of me started off with a wireframe globe. Little pins of light would show up, intensify, dim... whatever... I've seen this before. But... our presenter took the mouse, spun the globe a few degrees, and zoomed in, "just like in the movies".

I got the feeling at first that this was canned video footage. But then the presenter selected one of those intensifying lights and zoomed in, and as he zoomed, images of network devices started showing up, with the lines between them glowing as well, in various intensities and colors. They then portrayed a communication session initiated from a desktop to a web server: a faint white line... Then immediately more light from that web server back to another device that turned out to be an associated database server... AND more illuminated lines back to the network storage array... That one transaction, a web page request I would imagine, allowed me to visualize *VISUALIZE* connectivity to the various sub-components of the web application's infrastructure.

Before anyone had a chance to ask about those red glowing devices and lines, the presenter clicked one and detailed how THIS was not typical traffic from that particular device at this time of day, nor from the area of the network being connected. Anomalous behavior VISIBLE in real time.

On a 3D rotatable glowing thingamabobber of an awesome graphical user interface.

If you want your Security Operations Center personnel to be engaged, alert, and noticing the anomalies... let them play with Darktrace for just a few days. I guarantee you'll leave it in.







References:
www.darktrace.com
Darktrace: Enterprise Immune System
Darktrace: Recursive Bayesian Estimation
Darktrace CEO Joins Prime Minister David Cameron on Official Cyber Security Visit to Washington D.C.
Former MI5 chief advises Darktrace
GCHQ Defence chief to head cyber security start-up Darktrace
ZDNet: Darktrace: What happens when Bayesian analysis is turned on intruders
Deloitte: The 'Immune System' of Enterprise IT?
How Threats Disguise Their Network Traffic
TrendMicro: Network Detection Evasion Methods
What is "Normal Traffic" Anyway? (by Chris Greer)
MI5: UK Security Intelligence
Cyber Security Exchange Conference with Darktrace

Tokenization as a companion to Encryption

For the protection of sensitive data, tokenization is every bit as important as data encryption.

(This article first ran in ITworld Canada in October 2014) 

We are all very familiar with the requirement to encrypt sensitive data at rest as well as in transit, and we have many tools that perform these functions for us. Our database systems allow for encryption as granular as a field, or as coarse as a table or an entire database. Network file systems likewise allow for various degrees of encryption. All of our tools for moving, viewing and editing data can carry it encrypted in transit via SSL/TLS or SSH (SCP/SFTP).

Encryption, however, is intended to be reversed. The sensitive data is still resident in the filestore or database, in obfuscated form, meant to be decrypted for later use. Backups of your data still contain a version of the original data. Transaction servers working on this data hold plaintext copies in memory while processing. We saw recently in the Target breach that memory-resident data is not secure if the host is compromised: memory-scraping tools are among the payloads commonly delivered in a malware incursion.

As long as valuable sensitive data such as Personally Identifiable Information (PII) or payment card data (PCI data) resides in your facility, or is transmitted across your network, there is reason for a malicious threat agent to want to breach your network and obtain that information.


Additionally, the cost and time involved in regulatory compliance, ensuring and attesting to the security of that sensitive data, can be daunting. For PCI data, there are 12 rigorous Payment Card Industry Data Security Standard (PCI DSS) requirements that have to be signed off on annually.
For the rest of this discussion, I'm going to focus on credit card (PCI) data, as it is nearest and dearest to my field of experience, but the process is similar regardless of the type of sensitive data.

Tokenization is not encryption

Tokenization removes sensitive data from your network and replaces it with a format-preserving, unique placeholder, or "token". You no longer store an encrypted copy of the original data. You no longer transmit an encrypted copy of the original data. Transaction servers no longer keep a copy of the sensitive data in their memory.

With no data to steal, a breach of the tokenized systems yields nothing but tokens. (The one place the real value must still exist is the point of capture, be it a PIN pad, a payment web form or an agent's screen, before it is handed to the tokenizer; keep that path as short and as well protected as you can.)

The token value is randomly generated, but typically designed to retain the original format: credit card tokens retain the same length as a valid card number and pass the same checksum (the Luhn algorithm) as an actual card number, but cannot be reverse-engineered to recover the original card number, because a random token has no mathematical relationship to it.

Don't get me wrong, the actual data does get stored somewhere, but typically in an offsite, purpose-built, highly secure, managed and monitored vault.

In the case of PCI compliance, this vault and its associated security mechanisms are the infrastructure that requires review/attestation. The rest of your network, including the transaction servers, can be taken outside the scope of review, provided those systems never see the original card number and have no ability to ask the vault to detokenize; anything that can detokenize is, for assessment purposes, part of the vault.
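As an added worked example (not from the original article, and not any vendor's product code), here is a minimal tokenization vault in Python that issues random, format-preserving, Luhn-valid tokens for card numbers and is the only component able to map a token back. Two assumptions are baked in for the illustration: the last four digits of the card are preserved in the token (so receipts and support screens keep working), and detokenization is gated on a caller-role string standing in for real client authentication. The test card numbers are the standard constructed ones, not real cards.

```python
import secrets

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for the digits that precede it (the PAN minus its last digit)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True when the string is all digits, card-length, and its last digit is the Luhn check digit."""
    return number.isdigit() and len(number) >= 13 and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Minimal token vault: issues random format-preserving tokens and is the only
    component that can map them back. Illustration assumptions: last four digits
    preserved, everything else random; detokenization gated on a caller role string."""

    DETOKENIZE_ROLES = {"payment-processor"}   # constructed: the only role allowed to reverse a token

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a structurally valid PAN")
        if pan in self._pan_to_token:            # same card -> same token, so repeat customers still correlate
            return self._pan_to_token[pan]
        head_len = len(pan) - 4
        while True:
            candidate = "".join(secrets.choice("0123456789") for _ in range(head_len)) + pan[-4:]
            # Keep only candidates that look like a card (Luhn-valid), are not the real
            # PAN, and are not already issued; about one in ten random draws passes Luhn.
            if luhn_valid(candidate) and candidate != pan and candidate not in self._token_to_pan:
                break
        self._pan_to_token[pan] = candidate
        self._token_to_pan[candidate] = pan
        return candidate

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the vault's authorised clients may reverse a token; everything else is refused."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")        # constructed test PAN
    print("token:", token, "passes Luhn:", luhn_valid(token))
    print("processor sees:", vault.detokenize(token, "payment-processor"))
```

The design choice worth noticing is in `tokenize`: the mapping is kept deterministic per card so the merchant can still recognise a returning customer, while the token body is drawn from a CSPRNG rather than derived from the PAN, which is exactly why a stolen token table without the vault is worthless. Preserving more than the last four (the BIN as well, say) leaves too few random digits to be safe, so resist the temptation.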

Neither Tokenization nor Encryption is a silver bullet in and of itself, but the appropriate mix of each will greatly reduce your overall risk exposure, and potentially keep your name off the next Breach Report.

Also Read: PCI DSS Cloud Computing Guidelines - Overview

References:
PCI Security Standards Council: https://www.pcisecuritystandards.org/security_standards/index.php
Securosis: Tokenization Guidance: How to reduce PCI compliance costs
PCI Security Standards Council: PCI Data Security Standard (PCI DSS)
Securosis: Tokenization vs. Encryption: Options for Compliance, version 2
Cardvault: Credit Card Tokenization 101 – And Why it's Better than Encryption
3 Core PCI-DSS Tokenization Models - Choosing the right PCI-DSS Strategy
Encryption and Tokenization
Data Encryption and Tokenization: An Innovative One-Two Punch to Increase Data Security and Reduce the Challenges of PCI DSS Compliance
Paymetric: Tokenization Amplified
Tokenization is About More Than PCI Compliance
Tokenization: The PCI Guidance
Blueline Tokenization Infrastructure and Tokenization as a Service

What's the difference between a Virtual Machine and a Container?

With the current trend towards "Containers" as opposed to "Virtual Machines", I've had a few people asking what the difference was, and where you might use one over the other.

I hope to keep this brief, but... 

Both containers and virtual machines have been around for quite some time. Mainframe and commercial UNIX have had terms like LPAR (Logical Partition, representing a VM) and WPAR (Workload Partition, representing a container) for over a decade, and mainframe virtualization goes back to VM/370 in 1972.

UNIX/Linux have used "chroot" filesystems (otherwise known as "chroot jails") for years to confine running processes such as a web server or database server. The earliest ancestor of "containers" was the 1979 introduction of chroot in UNIX Version 7. Note that chroot only changes a process's view of the root directory; it isolates neither processes, network nor privileges, and a root process can break out of it, so it is a tidiness measure rather than a security boundary.

Currently chroot is a part of just about every major distribution of Linux.

In very high-level terms, a virtual machine, run by a hypervisor (such as VMware, Hyper-V, KVM, VirtualBox or Xen), emulates an entire physical computer, including the various hardware abstractions required for networking, video, audio, etc...

In a word, VMs are FAT! 


A container, on the other hand (Docker, Parallels Virtuozzo, CoreOS rkt, LXC, chroot, ...), runs on top of an existing kernel, leveraging resources from that kernel, and merely presents a virtual userspace: its own filesystem view, its own share of CPU and memory, and its own protected set of processes (on Linux this is built from kernel namespaces and cgroups).

Without having to emulate the underlying hardware, you can pack several times as many containers (three to four is the figure usually quoted) into the same resource pool as virtual machines.


So why would I use virtual machines, if containers are just as good?

Well, because a virtual machine abstracts the ENTIRE hardware platform, it is the stronger isolation boundary and is better suited to defined network segregation. Every container shares the host's kernel, so a single kernel vulnerability or a misconfigured namespace exposes every container on that host; escaping a VM means breaking the hypervisor itself.

You could, for instance, define a virtual machine to represent your web application in its entirety, then within that VM create containers for the web, app, and database tiers. The containers would provide logical segregation between the tiers, and the VM would isolate the entire application from other apps in the DMZ.

Virtual machines also allow you to run completely different operating systems simultaneously on the same hardware. For instance, on your Ubuntu laptop you could use VirtualBox to simultaneously run Windows 8.1 and OS X (licence permitting).

Or, on your server, you could simultaneously run Red Hat Linux, Windows Server 2008, and Windows Server 2012.

A containerized system, as mentioned above, runs all containers off the same operating system kernel: a Linux container needs a Linux kernel underneath it, full stop.

And by far the biggest benefit of containers over virtual machines is speed of launch. A virtual machine is, for all intents and purposes, a complete computer. On boot, it has to run through all of the legacy boot processes: firmware, bootloader, kernel, init...

A container launches on an already running kernel. A full containerized application can launch in a fraction of a second (restricted only by I/O), whereas that same app launched within a hypervisor context could take from tens of seconds to potentially a minute or more depending on boot requirements.
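Because the two technologies leave different fingerprints, a practitioner often needs to answer "which boundary am I actually behind?" from inside a workload, whether during an incident or a penetration test. Here is an added example in Python (not from the original post) that collects the common evidence and classifies it; the marker lists and the sample `/proc` and DMI strings in the test are constructed from what Docker, LXC, QEMU/KVM and VMware typically expose, and every one of them can be hidden or faked by whoever controls the host.

```python
import os

CONTAINER_CGROUP_MARKERS = ("docker", "lxc", "kubepods", "containerd", "libpod")
VM_DMI_MARKERS = ("kvm", "qemu", "vmware", "virtualbox", "xen", "virtual machine", "bochs")

def classify(cgroup_text: str, mountinfo_text: str, dockerenv_present: bool, dmi_text: str) -> dict:
    """Return {'container': bool, 'vm': bool} from the evidence handed in.

    cgroup_text        contents of /proc/1/cgroup. On cgroup v1 hosts the runtime's path
                       (docker/..., lxc/..., kubepods/...) is visible; on cgroup v2 it is
                       usually just '0::/', so this source alone is not enough.
    mountinfo_text     contents of /proc/self/mountinfo. Container runtimes bind-mount
                       /etc/hostname (and hosts, resolv.conf) into the container, which
                       a normal host does not do.
    dockerenv_present  whether /.dockerenv exists (Docker creates it).
    dmi_text           /sys/class/dmi/id/product_name plus sys_vendor. A hypervisor writes
                       its own name there; a container inherits the host's values, so a
                       container running inside a VM shows both kinds of evidence.
    """
    cg, mi, dmi = cgroup_text.lower(), mountinfo_text.lower(), dmi_text.lower()
    container = (dockerenv_present
                 or any(m in cg for m in CONTAINER_CGROUP_MARKERS)
                 or " /etc/hostname " in mi)
    vm = any(m in dmi for m in VM_DMI_MARKERS)
    return {"container": container, "vm": vm}

def describe(evidence: dict) -> str:
    """Spell out which boundary actually separates this workload from its neighbours."""
    if evidence["container"] and evidence["vm"]:
        return "container inside a VM: host kernel shared with sibling containers, hypervisor below that"
    if evidence["container"]:
        return "container on bare metal: the shared host kernel is the only boundary"
    if evidence["vm"]:
        return "virtual machine: own kernel, hypervisor is the boundary"
    return "no virtualization evidence (bare metal, or deliberately hidden)"

def classify_local() -> dict:
    """Collect the evidence from the running system and classify it."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    dmi = read("/sys/class/dmi/id/product_name") + " " + read("/sys/class/dmi/id/sys_vendor")
    return classify(read("/proc/1/cgroup"), read("/proc/self/mountinfo"),
                    os.path.exists("/.dockerenv"), dmi)

if __name__ == "__main__":
    print(describe(classify_local()))
```

The security point the output makes explicit: "container" means the kernel you are running on is also your neighbours' kernel, and the only thing between you and them is namespace and cgroup configuration; "vm" means there is a hypervisor boundary, and only a hypervisor bug crosses it.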



Edit: (04/28/2015)

Bromium is a newcomer to the virtualization space, and one to watch carefully. Based on a fork of the Xen hypervisor, Bromium relies heavily on Intel's hardware virtualization (VT-x) for isolation.

Unlike either of the above hypervisor or container approaches, Bromium isolates specific tasks in Windows, such as launching an application, opening an email attachment, or clicking a hyperlink in a browser. When one of these activities is identified, Bromium's "Microvisor" creates a small, task-specific micro-VM to encapsulate and segregate only the resources required for that task. Mandatory access control policies protect the underlying operating system, as well as any other apps running on the host.

When NSS Labs tested the Bromium architecture, it achieved a perfect score in that test, defeating every malware sample as well as the manual and scripted penetration attempts.



References:

VMware just created its first Linux OS, and it’s container-friendly
Why Containers Instead of Hypervisors? 
WPARs Vs LPARs 
IBM Systems Magazine: An LPAR Review 
Wikipedia: Workload Partitions
Wikipedia: Virtual machine 
Wikipedia: Operating-system-level virtualization 
Wikipedia: Chroot 
Best Practices for UNIX chroot() Operations 
Ubuntu: Basic chroot  
BELL LABS: UNIX (TM) TIME-SHARING SYSTEM: UNIX PROGRAMMER’S MANUAL Version 7 
LinuxContainers.org (LXC)
Containers—Not Virtual Machines—Are the Future Cloud 
Contain your enthusiasm - Part One: a history of operating system containers 
Docker 
Accenture: Inspiration through Elevation: Simplified Configuration Management with Docker  
Gartner: Virtualization, Containers and Other Sandboxing Techniques Should be on Your Radar Screen 
Bromium vSentry Sets New Standard for Security Effectiveness 
NSSLABS: Threat Isolation Technology Test Report: Bromium vSentry
Bromium: Micro-virtualization for the Security Architect 

Understanding Cloud Access Security Broker Services

Over the past 30 years, we in the IT security team have been promoting and building a "Defence in Depth" strategy to protect our corporate assets.

This methodology was predicated on the fact that we need to assure our employees, customers, and shareholders that we are able to provide adequate Confidentiality, Integrity, and Availability (the CIA triad) for the sensitive data and intellectual property residing in physical data centers.

We have installed firewalls, intrusion prevention, anti-malware, data loss prevention, secure email, VPN, etc... all with the intent of providing a stack of security capabilities to protect data within our corporate network. Within our corporate data centers.

Simultaneously, our lines of business are becoming more agile, more complex, and more attuned to services available "in the cloud". Shadow IT is the new trend. Lines of business can and are spinning up new services at an aggressive rate to keep up with their online competition. Our ability to manage them technically, as opposed to by policy, has been almost non-existent.

We as security experts are scrambling to augment our "bricks and mortar" based Defence in Depth strategy to cover cloud services, but the path is not presently clear.

Very recently, a niche market has developed to fill this void. Several vendors identifying themselves as Cloud Access Security Brokers (CASBs) have defined a strategy to mitigate this problem. CASBs are on-premise or cloud-based (or both) security policy enforcement points. Placed between your end users and the various cloud service providers, they can inspect traffic, manage and enforce policy, alert on anomalous behavior, and in most cases provide some level of DLP enforcement.


Either by leveraging existing Single Sign-On providers or corporate Active Directory services, these Cloud Access Security Brokers can identify individuals' access into cloud service providers that are affiliated with the broker; currently these number in the hundreds if not thousands. For "sanctioned" cloud applications (those services which your enterprise has procured directly) end-user access can be strictly enforced by context:
  • Who you are (role-based access)
  • Where you are coming from (corporate network, public Internet, wifi, geographic region)
  • What device you are using (corporate laptop, home PC, tablet or phone)
  • What time of day you're working (are you authorised to work during this time?)


This context awareness also allows the CASB providers to apply heuristic analysis to cloud-bound traffic, to do some form of anomaly detection that identifies malicious or erroneous traffic. This is an area in which they are all investing heavily today.

Most of the Cloud Access Security Brokers provide granular encryption, but only three provide tokenization of your corporate data in the cloud. This can be as coarse as entire records or documents, or as fine-grained as a single field in a form. Adallom has also leveraged the rights-management functionality of Check Point's Capsule to secure data in the cloud while allowing trusted collaboration.

For more on Tokenization vs encryption, please see my articles: Tokenization as a companion to Encryption and Toronto based PCI Compliance upstart Blueline brings holistic solution to Voice-Web-POS

One of the strengths of some of the Cloud Access Security Brokers is the ability to identify and report on employee access to "Shadow IT" cloud services. "Shadow IT" describes services that the corporation has not subscribed to as a whole, or has not specifically provisioned for the user in question. These typically include cloud storage services like Box or Dropbox. Again, if the CASB has an affiliation with the cloud service provider, these can be managed by policy; otherwise they can be flagged and alerted on to your security operations team for manual remediation.
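The two things a broker does here, contextual enforcement for sanctioned apps (the who/where/device/time list above) and shadow-IT discovery for everything else, are both straightforward to sketch. The following is an added example in Python, not any CASB vendor's code: a tiny policy engine that walks the four contexts in order and returns allow / step-up / restrict / block, plus a report that reads constructed proxy log lines and lists which users touched unsanctioned cloud apps. The corporate address ranges, working hours, app catalogue, roles and log lines are all invented for the illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed corporate address space and working hours.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORK_HOURS = (time(7, 0), time(20, 0))

# Constructed policy for sanctioned apps; anything not listed here is shadow IT.
SANCTIONED = {
    "salesforce": {"roles": {"sales", "finance"}, "managed_device_required": False, "allow_offnet": True},
    "payroll":    {"roles": {"finance", "hr"},    "managed_device_required": True,  "allow_offnet": False},
}

# Constructed catalogue mapping observed domains to cloud app names (a real CASB ships thousands).
APP_CATALOGUE = {
    "salesforce.com": "salesforce", "payroll.example": "payroll",
    "dropbox.com": "dropbox", "box.com": "box", "evernote.com": "evernote",
}

def evaluate(app: str, role: str, src_ip: str, device_managed: bool, when_iso: str):
    """Apply the contexts in order: which app, who, what device, where from, when."""
    rule = SANCTIONED.get(app)
    if rule is None:
        return "block", "unsanctioned app (shadow IT): alert the SOC"
    if role not in rule["roles"]:
        return "block", "role not entitled to this app"
    if rule["managed_device_required"] and not device_managed:
        return "block", "managed device required"
    on_net = any(ip_address(src_ip) in net for net in CORPORATE_NETS)
    if not on_net and not rule["allow_offnet"]:
        return "block", "app may only be reached from the corporate network"
    when = datetime.fromisoformat(when_iso)
    if not (WORK_HOURS[0] <= when.time() <= WORK_HOURS[1]):
        return "step-up", "outside working hours: require MFA before proceeding"
    if not on_net and not device_managed:
        return "restrict", "unmanaged device off-network: browser-only, downloads blocked"
    return "allow", "all context checks passed"

def shadow_it_report(proxy_log_lines):
    """From lines '<ts> <user> <src_ip> <url> <bytes>', map each unsanctioned cloud app to the users seen on it."""
    report = {}
    for line in proxy_log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines rather than abort the report
        _, user, _, url, _ = parts
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        app = next((name for dom, name in APP_CATALOGUE.items()
                    if host == dom or host.endswith("." + dom)), None)
        if app is not None and app not in SANCTIONED:
            report.setdefault(app, set()).add(user)
    return report

# Constructed proxy log sample.
PROXY_LOG = [
    "2015-05-05T10:02:11 jdoe 10.2.3.4 https://www.dropbox.com/upload 204800",
    "2015-05-05T10:03:40 jdoe 10.2.3.4 https://na1.salesforce.com/home 5120",
    "2015-05-05T11:15:02 asmith 10.2.9.7 https://app.box.com/files 99000",
    "2015-05-05T11:20:55 asmith 10.2.9.7 https://www.dropbox.com/home 1200",
    "2015-05-05T11:21:00 garbage line",
]

if __name__ == "__main__":
    print(evaluate("salesforce", "sales", "203.0.113.5", False, "2015-05-05T10:00:00"))
    print(shadow_it_report(PROXY_LOG))
```

The ordering in `evaluate` is deliberate: entitlement and device posture are hard failures, while the weaker signals (time of day, an unmanaged device off-net) degrade the session to step-up authentication or read-only access rather than refusing outright, which is what keeps users from routing around the broker.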

Several of these CASBs provide on-premise inspection and policy gateways to augment your corporate network controls and provide definitive logical access control to the cloud services from within the corporate network.  These on-premise gateways complement the cloud based CASB services and provide for a hybrid view of data movement.


"Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017. By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%."

- Gartner, The Growing Importance of Cloud Access Security Brokers

Gartner has defined the four pillars of CASB as:
 Visibility, Data Security, Compliance and Threat Prevention.

 As of this time, there are about twelve companies playing in this space. I would like to highlight the leaders at the moment. 

(In alphabetical order, and in their own words. ie: pilfered from their websites.)

Adallom delivers an extensible platform to secure and govern cloud applications. In addition to discovering almost 13,000 cloud services in use, Adallom offers comprehensive controls for data sharing, data security, DLP, eDiscovery and access control. The Adallom platform also integrates with existing on-premises solutions such as SIEMs, MDMs, NACs and DLPs. Adallom has identified new malware attacks in the wild, including a Zeus variant attacking Salesforce, and an identity token hijacking vulnerability affecting Office 365. On April 21st, Adallom announced an HP partnership where its platform will be resold on the HP price list, and offered with the HP Enterprise Security Products and Enterprise Security Services portfolio. https://www.adallom.com


Bitglass, the Total Data Protection company, is a Cloud Access Security Broker, founded in 2013, that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise - in the cloud, on mobile devices and anywhere on the internet. Bitglass delivers the security, visibility, and control that IT needs to enable mobile and cloud in the workplace, while respecting user privacy.

CipherCloud is a cloud security software suite that encrypts data during the upload process, and decrypts during download. The encryption keys used for this process remain within your business network; thus, unauthorized users accessing data in the cloud will only see indecipherable text.
CipherCloud also comes with built-in malware detection and data loss prevention. There are specific builds for commonly used cloud applications such as Salesforce, Office 365, Gmail and Box, as well as a variant that can be configured to work with any cloud-based applications your business uses.


Netskope is a leader in cloud app analytics and policy enforcement. Netskope aims to eliminate the catch-22 between being agile and being secure and compliant by providing visibility, enforcing sophisticated policies, and protecting data in cloud apps.  
Netskope is a service that discovers and monitors cloud apps and shadow IT used on your network. Netskope monitors users, sessions, shared and downloaded content as well as the shared content details, and provides detailed analytics based on this information.


Perspecsys' AppProtex Cloud Data Protection Platform provides a flexible cloud data control platform that enables organizations to identify and monitor cloud usage and then encrypt or tokenize data that it does not want to put in the cloud "in the clear". The Platform intercepts sensitive data while it is still on-premise and replaces it with a random tokenized or encrypted value, rendering it meaningless should anyone outside of the company access the data while it is being processed or stored in the cloud.

Skyhigh Networks enables organizations to adopt cloud services with appropriate security, compliance, and governance. Skyhigh supports the entire cloud adoption lifecycle, providing unparalleled visibility, analytics, and policy-based control. Specifically, Skyhigh shines a light on Shadow IT by giving a comprehensive view into an organization's use and risk of all cloud services. Skyhigh analyzes the use of all cloud services to identify anomalous behavior indicative of security breaches, compromised accounts or insider threats. Finally, Skyhigh enforces the organization's policies on the use of over 12,000 cloud services by providing contextual access control, structured and unstructured data encryption and tokenization, data loss prevention, and detailed cloud activity monitoring for forensic and compliance purposes.

Zscaler is leading two fundamental transformations in the world of IT security. First—the shift from on-premise hardware appliances and software to Security as a Service. Second—the transition from point security solutions to broad unified security and compliance platforms. Both transformations exactly parallel what has happened in every other sector of information technology—CRM, ERP, HR, eCommerce, and personal productivity—all have evolved from on-premises point applications to comprehensive cloud—based platforms. 





While conducting this review of the CASB market, I looked at a number of security controls that I would expect a mature access broker to provide. I've laid this out in accordance with Gartner's four pillars: Visibility, Data Security, Compliance and Threat Prevention.
 
If you think I have omitted your favorite Cloud Access Security Broker, or have mis-represented a control above, please have them forward details to me including their position on each of the items in the above controls list.  After validating each, I will gladly amend the list.

Although the CASB market space is still in its infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service.
I'm interested to see what happens to this space over the next three years.   My money is on convergence of CASB, SSO, and Mobile Security providers.



Also Read: 

Standing at the Crossroads: Employee Use of Cloud Storage.




References:

Gartner: The Growing Importance of Cloud Access Security Brokers
http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/
https://www.netskope.com
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class 
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends

NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration 
HP - Adallom: Proven Cloud Access Security Protection Platform 
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP 
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage. 
Cloud Computing: Security Threats and Tools 
SC Magazine: Most cloud applications in use are not sanctioned  

Test Driving The Aegis Secure Key 3.0

I just received a new item across my desk, and was so excited I had to share!

The Apricorn Aegis Secure Key 3.0 is a high-capacity, hardware-encrypted USB 3.0 flash drive with up to 240GB of storage.

The one I received, an ASK-30GB, is, well, 30GB capacity.
The first thing I noticed about this impressive device is the crush-resistant extruded black aluminum case. Rubber seals provide dust and water resistance. The buttons on the front have a very good, high-quality tactile feel. A comfortable aluminum cap closes over the keypad with the aforementioned rubber seals. There is also a nice comfortable weight to it. Not too heavy... more like "this feels like a tool, not a toy" heavy.

Now, there *is* a very slight learning curve to getting it up and running, as you have to set two separate 7-16 digit PINs: one Administrator and one User PIN. As a corporate tool, this is very much a requirement: if the user loses/forgets their PIN, we can still retrieve the secured contents with the Administrator PIN. Once completed, daily use just requires your User PIN.

This is a true hardware-encryption (256-bit AES-XTS) USB media key. What this means is that no specific drivers are required on your operating system to read or write the encrypted files, and, because the PIN is entered on the device and never shared with the host, a keylogger on the PC gets nothing. Apricorn is currently awaiting FIPS 140-2 Level 3 certification for it, expected Q2 this year; until that lands, the cryptographic claims above are the vendor's own.

Once unlocked via the keypad, the device shows up as a standard USB mass-storage drive. I was able to read/write files easily between Windows 7, my Ubuntu laptop, my OS X machine, a Raspberry Pi, and an embedded microcontroller board I'm working on. Serious compatibility across the board.

Data transfer was fast. I did not measure it, but it was quicker than many of the "normal" USB 3.0 flash drives I have on hand. The documentation puts it at up to 195MB/s.


 
Specifications according to Apricorn:

• 256-Bit AES XTS Hardware Encryption
• Software-Free Design
• Cross-Platform Compatible
• Embedded Authentication
• No Authentication Info Shared with Host
• Two Read-Only Modes
• Programmable Brute Force Protection
• Separate Admin and User Modes
• Lock-Override Option
• Forced Enrollment
• 3-Year Limited Warranty
• FIPS 140-2 Level 3 (Pending Q2)
• IP-58 Certified: Dust and Water Resistant


Having come from using a few other software-based "secure flash" keys, this device is a godsend. The software keys typically have to store multiple binaries on an application partition in support of the popular operating systems (Windows and OS X are usually included, and, more frequently now, Linux binaries are available). Running the appropriate binary unlocks the remainder of the drive once authenticated, which also means the unlock software, and your passphrase, run on a host you may not trust.

I highly recommend this Aegis Secure Key 3.0 anywhere you require sensitive data to be securely stored and transferred between machines.
  



From Blueline to BlueZone - PCI Tokenization Matures

Last year, I wrote about a new Canadian company that had entered the compliance appliance market space. Blueline Data had developed a tokenization gateway that would help you define and isolate your PCI compliance scope boundary. This isolation was not only for Point of Sale and web merchant portals (shopping portals), but for telephony and unified communications traffic as well! This was a revolutionary step in this industry. Several other companies had tokenization systems available for structured and/or unstructured data, however no one had a viable solution that would also cover voice and unified communications.




A lot has gone on in the past year, and I decided to revisit them, to see where their technology has progressed...



 

Last year, Forrester issued a paper defining the requirements necessary to secure data into the future, and discussing the technologies that will get us there. The document, titled "TechRadar™: Data Security, Q2 2014", states clearly that you need to:

  • Restrict and strictly enforce access control to data. This includes denying access to unauthorized persons or blocking their attempts to gain access.
  • Monitor and identify abnormal patterns of network or user behavior. This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (e.g., improper or excessive use of entitlements such as bulk downloads of sensitive customer information).
  • Block exfiltration of sensitive data. These are tools or features of tools that detect, and optionally prevent, violations to policies regarding the use, storage, and transmission of sensitive data.
  • Render successful theft of data harmless. Once you've identified your most sensitive data, the best way to protect it is to "kill" it. "Killing" data through encryption, tokenization, and other means renders the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market.


The first three have been the bread and butter of the Information Security industry for the past 20 years or so.  From firewalls and both signature and heuristics based Intrusion Detection/Prevention, to Data Loss Prevention systems, the industry has been diligently protecting our perimeters.


It's that fourth one that I'm interested in here.  "Render successful theft of data harmless."  In other words, replace any valuable data such as Payment Card Info, Personal Health Info, Social Insurance Numbers, etc... with a "token" that has no value to would-be thieves. These tokens can be made to preserve the format requirements of the original data, so as not to break backend processing, and can also carry search/index criteria. 


To properly provide security through tokenization, one must be able to implement it not only on the server side for data at rest, but also for data in transit, as well as at the client side, such that the relevant sensitive data never even leaves the client's network.


What if there were a service... APIs that could provide tokenization either at the client browser, or as data is passed to cloud apps?



I know that I'm not new to this train-of-thought, but the cost of non-compliance is growing exponentially. 
Financial Damage can be insured against... Reputational damage cannot.



As I said... a lot has gone on in the past year.  Blueline has matured from just providing on-premise gateway appliances, to hosting Compliance Services in the cloud.  

Through a partnership with Centurylink, Blueline is about to introduce several hosting options.  You can still get on-premise control if that is what you desire, but that has been augmented with  co-located gateway services as well as true Cloud based "Compliance as a Service"  Tokenization/Encryption through APIs. 

Another move that Blueline has made is to provide "Diskless Tokenization".  Typically, tokenization services keep a very secure database in a cryptographic vault.  This database holds a table of sensitive-data-to-token pairs that is used to index and manage the tokens.  Across the industry, customers have expressed concern over having this database at all, even though it is protected in a vault.  Concerns ranging from too much residual risk to database latency in very large token-pair tables (tens or hundreds of millions of pairs) have driven the search for an alternative.

Blueline has introduced a diskless solution that creates a "derived" token using a one-time pad, without the need for the data/token pairs to be stored. These derived tokens can be recalculated from a secret value that does not need to be stored in a database.
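To make the contrast between a stored token vault and a derived ("diskless") token concrete, here is an added Python sketch; it is example code for this post, not Blueline's implementation, and it says nothing about how their product derives tokens. The derived tokenizer uses a keyed HMAC as an assumed construction, which makes it one-way (fine for indexing, matching and de-duplication), whereas a reversible diskless scheme would need format-preserving encryption; the sample card number and key are constructed.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample value: a well-known test card number, not real cardholder data.
SAMPLE_PAN = "4111111111111111"
# Constructed secret for the derived tokenizer; in production it lives in an HSM/key vault.
SAMPLE_KEY = b"example-key-do-not-use"


def _looks_like_pan(value: str) -> bool:
    """Input check shared by both tokenizers: digits only, 13 to 19 long."""
    return value.isdigit() and 13 <= len(value) <= 19


class VaultTokenizer:
    """Vault-based tokenization: issue a random token and store the
    PAN<->token pair so that authorised callers can detokenize later."""

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not _looks_like_pan(pan):
            raise ValueError("input does not look like a PAN")
        if pan in self._pan_to_token:           # one token per PAN keeps the table indexable
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # format preserved: length, digits, last four
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]        # KeyError for an unknown token; caller decides

    def vault_size(self) -> int:
        return len(self._token_to_pan)          # the table that grows with every new PAN


class DerivedTokenizer:
    """Diskless ("vaultless") tokenization: the token is recomputed from the
    PAN and a secret key, so there is no pair table to protect or to grow.
    This variant is one-way: suited to matching and indexing, not recovery."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def tokenize(self, pan: str) -> str:
        if not _looks_like_pan(pan):
            raise ValueError("input does not look like a PAN")
        digest = hmac.new(self._key, pan.encode("ascii"), hashlib.sha256).digest()
        width = len(pan) - 4
        # Reduce the 256-bit MAC to `width` decimal digits (the modulo bias is
        # negligible at this width) and keep the last four digits visible.
        body = str(int.from_bytes(digest, "big") % 10**width).zfill(width)
        return body + pan[-4:]


def format_preserved(pan: str, token: str) -> bool:
    """True when a token keeps the properties downstream systems rely on."""
    return (len(token) == len(pan) and token.isdigit()
            and token[-4:] == pan[-4:] and token != pan)


if __name__ == "__main__":
    vault = VaultTokenizer()
    t = vault.tokenize(SAMPLE_PAN)
    print("vault token:", t, "-> detokenized:", vault.detokenize(t))
    derived = DerivedTokenizer(SAMPLE_KEY)
    print("derived token:", derived.tokenize(SAMPLE_PAN), "(nothing stored)")
```

Because a card number carries far less entropy than the key, a deterministic derived token is only as safe as that key: keep it in an HSM or key vault, never beside the data it protects.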


Blueline has created two new offerings:

bluegrid™ is a turnkey solution for "Compliance in a Box".  It is a standard 19" cabinet, consisting of a series of redundant "bluenodes™" that provide the various security and compliance services required for a self-contained Compliance DMZ. It can be installed in your own data center, or hosted externally for you.  Applying the "Zero Trust" model, bluegrid™ encapsulates your sensitive application environment and provides a full security stack to protect that environment: firewall, IPS, authentication store, tokenization, encryption, logging and storage.


A standard bluegrid™ rack would consist of a mix of the following bluenode™ appliances:

bluenode tx - Traffic Manager (zero-impact deployment)
bluenode dx - Data Gateway (financial network integration)
bluenode cx - Cyber Vault (diskless tokenization, encryption)
bluenode ix - Identity Manager (device and service access)
bluenode ex - Event Manager (logging and event analytics)
bluenode sx - Storage Block (low-latency shared storage)


bluegrid™ can centralize and limit most of your PCI compliance scope to a single rack in the data center. (Point-of-Sale systems excluded)


bluezone™ takes this one step further, providing a Cloud based Security Infrastructure - leveraging APIs to isolate the sensitive data outside of your IT environment and enabling secure financial or other confidential data processing and exposing the following security services: 
  • Tokenization – replacement of the original sensitive data with a risk-free replica for secure transmission, processing or storage
  • Encryption – military-grade cryptographic protection of digital content
  • Key Management – cryptographic key storage and lifecycle control
  • Payment Gateway – secure real-time and offline merchant acquirer processing of tokenized e-commerce and m-commerce transactions
  • Credit Scoring – secure personal or commercial credit check against a credit bureau, reference agency or central bank
  • Address Verification – secure cardholder address validation
  • Issuer Reconciliation – transaction batch transfer to issuer bank
  • Digital Wallet – secure checkout for merchant commerce sites and mobile applications with the e-wallet payment method
bluezone™ can effectively remove most of your PCI compliance scope from your environment altogether. (Point-of-Sale systems excluded)




Forrester TechRadar report on Data Security Q2 2014 clearly shows Tokenization having "Significant Success" in securing sensitive data.






Resources:

http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html
http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109
https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547
http://www.mashery.com/blog/tokenization-and-api-gateways-future-mobile-commerce
http://www.mastercard.com/gateway/payment-processing/tokenization.html
https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/
http://www.protegrity.com/2012/02/differences-between-vault-based-tokenization-and-vaultless-tokenization/
http://www.protegrity.com/wp-content/uploads/2013/04/Protegrity-Vaultless-Tokenization-Fact-Sheet.pdf
https://securosis.com/blog/token-vaults-and-token-storage-tradeoffs
https://en.wikipedia.org/wiki/One-time_pad
https://en.wikipedia.org/wiki/Tokenization_(data_security)
https://www.voltage.com/technology/tokenization-and-key-management/hp-secure-stateless-tokenization/
http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf
http://www.bluelinex.com/trends.html
http://www.bluelinex.com/resources/blp204_osfi_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_pci_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_hipaa_compliance_sheet.pdf
http://searchcloudsecurity.techtarget.com/tutorial/PCI-and-cloud-computing-Cloud-computing-compliance-guide
http://www.crn.com/news/managed-services/300075263/2015s-big-opportunity-for-msps-compliance-as-a-service.htm
http://www.infoworld.com/article/2622986/risk-management/the-case-for-compliance-as-a-cloud-service.html




What is a Security Governance Review, and why do I need one?

Regardless of what service or product your company produces, Information is your most critical asset. The organization, management, and protection of that data could make or break your ability to stay operational in today's corporate environment.

Many high-profile organizational failures over the past several years have driven home the requirement to adopt appropriate Information Systems policies, processes, and standards.

Privacy requirements, regulatory compliance, shareholder and customer transparency are all mandating a more mature approach to Information Security.

Your corporate reputation and well being depend on your ability to manage, organize, and protect your Information Assets.







This article, and the next few, will try at a high level to explain the various tools we can use to assess and document your roadmap to Information Security Maturity.





Let's start with the definition of an Information Security Governance Maturity Model:
An Information Security Governance Maturity Model is a representation of how well your company understands, organizes, manages, and maintains security controls and processes specific to your Corporate Information assets.

There are a few models to choose from, but the industry-accepted standard is the 6-level COBIT maturity model, which is based on work pioneered at the Software Engineering Institute at Carnegie Mellon, used to evaluate each of the ISO 27002:2013 security control groups.   

That said, the ISO 27002:2013 security control groups are, in and of themselves, the industry-standard set of controls - based on 18 specific sections - that provide guidance in protecting your corporate assets.

The COBIT definitions for the 6 levels of maturity are:

0 – Non-existent – Management processes are nonexistent or not applied

  • Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.

1 – Initial – Processes are ad hoc and disorganized

  • There is evidence that the organization has recognized that the issues exist and need to be addressed. There are, however, no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.

2 – Repeatable – Processes follow a regular pattern

  • Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 – Defined – Processes are documented and communicated

  • Procedures have been standardized and documented, and communicated through training. However, it is left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 – Managed – Processes are monitored and measured

  • It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 – Optimized – Best practices are followed and automated

  • Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. Information technology is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

To understand where your company sits with respect to each of the ISO 27002:2013 security control groups, you would engage a non-biased 3rd party to conduct a Security Governance Review. This review would be an immersive engagement between the Security Assessors and various members of your organization: everyone from Human Resources, Privacy, IT administrators, Network Administrators, Database Administrators, Software Developers, Project and Change Managers and Internal Auditors, to the Corporate Executive.

A Security Governance Review  (SGR) provides guidance for Corporate Executives and Board of Directors in establishing and maintaining an appropriate Information Security programme within your company.

A Security Governance Review provides critical feedback regarding the adequacy of existing controls and safeguards in maintaining your security posture.  This feedback can provide guidance in the reduction and/or mitigation of Information Security risks within the company.

Typically, this report would consist of a high level executive summary of your organization's maturity levels across the ISO security domains, compared to peers in your particular industry.  Remediation recommendations and a roadmap to completion would usually be included.  Most Security assessors would also deliver the detailed ISO 27002:2013 working sheets with which the domains have been assessed.

The Radar Map to the right represents a sample posture map compared to a baseline of your industry.



This chart illustrates, by ISO 27002:2013 control area, the areas in which Acme Widgets Inc. is evaluated to be performing at the level of its industry peers (yellow within the red boundary), the areas in which Acme Widgets Inc. is evaluated to be performing below its industry peers (yellow outside the red boundary), and the relative degree of effort required to accomplish improvements (more yellow exposed = more effort).


You will want to periodically (annually?) review this maturity model to ensure that you are on track as things change both outside and within your organization. This periodic review will allow you to show metrics regarding your security governance programme growth.
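As an added illustration of the gap analysis the radar map conveys (example code written for this post, not an ISACA or ISO tool), here is a Python sketch that scores the fourteen ISO 27002:2013 control groups listed below on the COBIT 0 to 5 scale against a peer baseline and orders the groups that fall below it by the effort needed; Acme Widgets Inc.'s scores and the baseline are constructed.

```python
from typing import Dict, List, Tuple

# The ISO 27002:2013 control groups (sections 5 to 18) as named on this page.
ISO_27002_GROUPS: Tuple[str, ...] = (
    "Security Policy Management",
    "Corporate Security Management",
    "Personnel Security Management",
    "Organizational Asset Management",
    "Information Access Management",
    "Cryptography Policy Management",
    "Physical Security Management",
    "Operational Security Management",
    "Network Security Management",
    "System Security Management",
    "Supplier Relationship Management",
    "Security Incident Management",
    "Security Continuity Management",
    "Security Compliance Management",
)

# COBIT maturity scale used to rate each control group.
COBIT_LEVELS: Dict[int, str] = {
    0: "Non-existent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimized",
}


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject a score sheet that misses a group or uses an off-scale level."""
    missing = [g for g in ISO_27002_GROUPS if g not in scores]
    if missing:
        raise ValueError(f"no score for: {missing}")
    off_scale = {g: v for g, v in scores.items() if v not in COBIT_LEVELS}
    if off_scale:
        raise ValueError(f"levels must be 0-5: {off_scale}")


def gap_analysis(assessed: Dict[str, int], baseline: Dict[str, int]) -> Dict[str, int]:
    """Per-group gap = peer baseline minus assessed level.
    Positive: below peers (yellow outside the red boundary on the radar map);
    zero or negative: at or above peers."""
    validate_scores(assessed)
    validate_scores(baseline)
    return {g: baseline[g] - assessed[g] for g in ISO_27002_GROUPS}


def remediation_roadmap(assessed: Dict[str, int],
                        baseline: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Groups below the peer baseline, largest gap (most effort) first.
    Each entry: (group, levels to climb, name of the COBIT level to reach)."""
    gaps = gap_analysis(assessed, baseline)
    below = [(g, gap, COBIT_LEVELS[baseline[g]]) for g, gap in gaps.items() if gap > 0]
    # Ties keep ISO section order so the roadmap is stable between reviews.
    return sorted(below, key=lambda item: (-item[1], ISO_27002_GROUPS.index(item[0])))


def overall_maturity(assessed: Dict[str, int]) -> float:
    """Single headline number for the executive summary (mean level)."""
    validate_scores(assessed)
    return round(sum(assessed[g] for g in ISO_27002_GROUPS) / len(ISO_27002_GROUPS), 2)


# Constructed sample data: Acme Widgets Inc.'s assessed levels and a flat
# "Defined" (3) peer baseline, in ISO section order.
ACME_ASSESSED = dict(zip(ISO_27002_GROUPS, (3, 2, 3, 1, 2, 1, 4, 3, 3, 2, 1, 2, 2, 3)))
PEER_BASELINE = dict(zip(ISO_27002_GROUPS, (3,) * len(ISO_27002_GROUPS)))

if __name__ == "__main__":
    print("overall maturity:", overall_maturity(ACME_ASSESSED))
    for group, gap, target in remediation_roadmap(ACME_ASSESSED, PEER_BASELINE):
        print(f"{group}: {gap} level(s) below peers, target '{target}'")
```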






In future posts, we will be discussing the following:
  • What is a Threat Risk Assessment?

  • What is a Privacy Impact Assessment?

  • What is a Vulnerability Assessment?

  • What is a Penetration Test?






Sections of the ISO27002:2013 
 5. Security Policy Management
 6. Corporate Security Management
 7. Personnel Security Management
 8. Organizational Asset Management
 9. Information Access Management
10. Cryptography Policy Management
11. Physical Security Management
12. Operational Security Management
13. Network Security Management
14. System Security Management
15. Supplier Relationship Management
16. Security Incident Management
17. Security Continuity Management
18. Security Compliance Management


References:


ISACA: Information Security Governance Guidance for Boards of Directors and Executive Management
Comparing different information security standards: COBIT vs. ISO 27001  
ISACA: Assessing IT Security Governance Through a Maturity Model and the Definition of a Governance Profile 
ISO 27002:2013 in plain English.
ISO/IEC 27002:2013 Information technology — Security techniques -Code of practice for information security controls 
Wikipedia: ISO27002 
http://www.securityprocedure.com/control-objectives-information-and-related-technology-cobit 



Toronto's 2015 SecTor Conference.

I feel utterly privileged to have attended this year's SecTor Conference at the Metro Toronto Convention Center a few weeks ago now.

For those of you unaware of what SecTor is, it is Toronto's pre-eminent Information Security Conference.  Anybody and everybody associated with IT Security is here. SecTor is not only an educational event, but a social one as well.  It is one of the annual events where Security Professionals congregate from around the province and indeed across the country. 


The schedule is hectic, with multiple tracks of discussion panels suited to a variety of current topics. 
Although the main conference is two days in length, there is a third day just before the conference for those who wish to participate in various Infosec educational courses. 


This year's daily Infosec sessions can be found here: http://www.sector.ca/Program/Sessions

Over the two days, there were four Keynotes:
All four of these speakers bring with them a wealth of experience and skill.  I was riveted to my seat the entire time.  

As for the actual Infosec discussions themselves, they were very wisely organized into a Technology track, a Management track, a Security Fundamentals track, and a Sponsor track.  Again, see http://www.sector.ca/Program/Sessions  for a drill down on the actual discussion topics for each. 

I wish I could tell you I saw them all. I *had* planned on jumping between several presentations, but each one I attended had me fully engaged. I can honestly say that SecTor went out of its way to select exceptional topics and speakers for this event.
Part of the problem with committing to a track as an attendee is that the CSO Summit is co-hosted alongside SecTor!  The CSO Summit is co-sponsored by KPMG, and this year featured discussions by Kris Lovejoy, the former Global CISO of IBM, and Tim Rains, Chief Security Advisor, Microsoft.


The Expo Hall itself was huge, with a broad cross section of Infosec vendors, from Educational Institutions and Compliance and Governance bodies to Appliance and Software Vendors.  Securesense and Fortinet showed off their "Forti-Express", a state-of-the-art rolling Briefing and Demo center. 

Two things that grabbed my attention among all of the commotion in the Expo Hall were the "Lockpick Village" and the "Internet of Things Hack Lab".


The Lockpick Village has been a mainstay of SecTor for the past several years now. It's a free, full-participation workshop in using the standard tools of the trade to learn how to pick physical locks! Attendee times are recorded, with a prize at the end for the quickest time. The people sitting at these seats are among the happiest at the entire event. 

 

This year Tripwire introduced the Internet of Things Hack Lab. Employees from Tripwire, as well as one of their previous hackathon winners, were onsite to guide attendees into the world of IoT hacking. They brought samples of common IoT devices with them, and were willing to educate anyone who wanted to sit for a while and get an understanding of the security (or specifically the lack thereof) of the Internet of Things.

SecTor was an overall success in my books.  They brought the right people to discuss relevant topics, the vendor space was very well represented, and the social quality was outstanding.  Thank you SecTor for once again putting on a remarkable event.

 

 





Selling Myself - Michael Ball Consulting Inc.


As of July 2015, I have been providing Information Security Consulting Services on a contract basis. 
If interested in hiring me for consulting or a speaking engagement, please contact me at the following:
Michael Ball Consulting Inc. 
61 Baxter St. Bowmanville Ontario, L1C 5P8 Cell: (647) 458-5064
Email: unix_guru at Hotmail dot com or @unix_guru on Twitter


Information Security Consulting and Architecture

Over 25 years of Information Security Operations and Governance in the Finance and Insurance Sectors.

 

Finance Sector:

  • AGF Mutual Funds, Toronto (Jan 2016 – Present), Acting CISO
  • CIBC, Toronto (Feb 2016), Application Threat/Risk Analysis –Mobile Money Manager App.
  • Dundee Capital Markets, Toronto (Oct  2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Dundee Capital Markets, Toronto (Nov  2015), Information Security Architectural gap analysis and Roadmap

 

Health Sector:

  • William Osler Health Institute, Brampton (Aug 2015), Privacy Impact Assessment for Patient Record Viewing Application.
  • William Osler Health Institute, Brampton (Sept 2015), Information Security Threat/Risk Analysis for Patient Record Viewing Application.
  • Trillium Health, Toronto (Mar 2016), SIEM Infrastructure Migration and Governance Review

 

Transportation Sector:

  • Air Canada, Montreal (Nov 2015), Privileged Password Management Architectural Review (CyberArk).
  • Metrolinx, Toronto (Feb 2016), Privileged Password Management Architectural Design (CyberArk).  

 

Industrial Supply:

  • Wajax, Mississauga (Sept 2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Wajax, Mississauga (Oct 2015), Information Security Threat/Risk Assessment (ISO 27002 based)

 

 Speaking Engagements:

  • SecTor 2015 – Cloud Security Access Brokers
  • DCD Converged Canada (Nov 2015) – Cloud Security
  • SC Congress 2015 – Cloud Access Security Brokers
  • SC Congress 2015 – The Role of the CISO
  • CIO Innovation Summit 2015 – Identifying Corporate IS Risk
  • SC Congress 2014 – Privileged Identity Access
  • CyberArk Customer Event 2014 – Corporate Use Cases
  • CIO Innovation Summit 2014 – Cloud Security
  • Symantec Vision 2014 – Enterprise Single Sign-On
  • Symantec Vision 2014 – Enterprise Host Based Security

 

 Services:

  • Privacy Impact Assessment.
  • Information Security Program Threat/Risk Assessment.
  • Information Security Governance Maturity Model Assessment.
  • Application Threat/Risk Assessment.
  • Network Vulnerability Assessment.
  • Cloud Security Consultation and Architecture.
  • Cloud Provider Access Review.
  • SIEM Governance Review.
  • Perimeter Security Review and Architecture.
  • Network Security Zoning Review and Architecture.

 

 

 

CSIRT: Classifying the Severity of a Breach


We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data.  (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").


One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.  

I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.

I was told to constrain my scope to a High, Medium, Low classification model.

Using their own Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.


Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.




Information Security Breach Impact Classification

ABSTRACT: 
This document, based upon  's Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in Communicating your Breach, as well as in determining requirements and constraints for acquiring CyberSecurity Insurance. 

Significance of Breach:
  • High Level Breaches
  • Medium Level Breaches
  • Low Level Breaches

A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or its Partners/Clients/Vendors
RESTRICTED  

The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .
Example:
‘RESTRICTED’ information includes but is not limited to personal identifiable information (PII), employees’ medical history, Credit Card information, Bank account information, and encryption keys and passwords.

A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either   or its Partners/Clients/Vendors
Confidential  

The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to  .
Example:
‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.

A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either  or its Partners/Clients/Vendors. 
Internal 

The ‘INTERNAL’ classification is used to denote information that may be shared within   but is restricted from general release to the public.
Example:
Examples include training manuals, procedures and communications to all employees.

Definitions:
Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.



References:

SANS: Information Classification - Who, Why and How
CSO Online: What security leaders need to know about breach communication
iso27001security.com: Information Classification Policy template
Carnegie Mellon: Guidelines for Data Classification
FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)
Carnegie Mellon: Handbook for CSIRTs.
http://www.databreachtoday.com/blogs/importance-data-classification-p-1153
GIAC: An Introduction to the Computer Security Incident Response Team
CERT: CSIRT Frequently Asked Questions (FAQ)
IAPP: Communicating a Breach: Best Practices and Examples
Your Guide for Data Breach Crisis Communication
Computer Weekly: Lack of data classification very costly to firms, says survey
DHS: Cyber Risk Management and Cybersecurity Insurance

Securing the Internet of Things - Developer's Guidance

The "Internet of Things" or "IoT" as it's affectionately known, has become one of the most prevalent buzzwords of 2016.  Almost everything you touch today is somehow associated with it. Everything from smart thermostats, security systems, refrigerators and baby monitors in your home, to fitness bracelets and watches on your wrist, is connected to the Internet now.  From clothing that uses coloured LEDs to reflect your mood, to children's educational toys, all have connectivity to "enhance your life experiences".


With the race to bring new products to this evolving market, issues of both Security and Privacy are raised for consumers. At the low end of the spectrum, an attached IoT device could expose your WiFi configuration.  On the high end of the spectrum, your personal banking, and health information could be exposed. 


Depending on who you listen to, the analysts are saying that there will be between 25-30 BILLION Internet connected devices by the year 2020... just a short 4 years from now. (Cisco says 50 Billion!)


http://hpe-enterpriseforward.com/eiu-securing-iot/


Each one of these devices is a potential Security or Privacy liability.


  • only 33% of organizations believe their IoT products are “highly resilient” against any future cyber security threats,
  • 48% of companies focus on securing their IoT products from the beginning of the product development phase.


http://hpe-enterpriseforward.com/eiu-securing-iot/



In the past year, we have seen:


Cisco: IoT Security Timeline

Who are these "Malicious People" and why do they want to wreak havoc with our Inventions?


IoT devices and systems are typically remote sensors or controls involved in managing a process of some sort. Whether it be collecting weather information for crop management, sensor data for proper maintenance of an automobile, temperature and humidity information for building climate control, or bio sensors for monitoring a patient's health, IoT devices manage a large amount of critical information.  Critical information that could potentially be considered Private and/or Confidential in nature. 

By the remote nature of these devices, they are also typically designed to be "low cost" and "low energy" battery operated systems.  Function and performance are the critical design success factors, while Security has not played a significant development role to date.  MOST current IoT devices are readily exploitable through several means. 

Oh, and did I mention that most IoT devices are connected (and trusted) in some way to logging, monitoring, and analysis tools deep within the corporate infrastructure?  Find a kink in this light armour, and you can sail right past the corporate security systems in place.

What type of attacker is interested in exploiting IoT devices?  We are finding that the IoT Threat Landscape is quite varied.  Everyone from cybercriminals to government entities, hacktivists, and even insiders have shown up to the game. It's apparently hard to resist the low hanging fruit of an easily exploitable system, that could lead directly into the corporate infrastructure.  

From stealing sensitive data by hacking IoT devices, to facilitating denial of service against a third-party entity, there are plenty of reasons and opportunities to exploit a connected Internet of Things device.


 

So, as developers, what are we to do? 

How can we ensure that our products are secure from the beginning?  What aids do we have to guide us in creating a more secure, more private consumer product?


I'm glad you asked!  There are currently many initiatives to define the obstacles and opportunities in creating a secure Internet of Things ecosystem, but there ARE some guidelines that you can follow.


First, from Cyber Security company I am the Cavalry, here is a snippet of sage advice:

Security:

  1. Secure by Default
    1. No default passwords shared between devices, or weak out of the box passwords.
    2. All passwords should be randomly created using a high quality random password generator.
    3. Advanced features used by a small percentage of users should be turned off by default (VPN, Remote Administration, etc...)
  2. Secure by Design
    1. Firmware should be locked down so serial access is not available.
    2. Secure Ethernet (SE) or Trusted Protection Modules (TPM) devices should be used to protect access to the firmware and hardware.
    3. All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
    4. NAND or other memory/storage mediums should be protected with epoxy, ball sockets (so the memory cannot be removed and dumped), or other methods to prevent physical attack. 
  3. Self Contained Security
    1. The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised, and still maintain protection methods. This can be done with prompts to the user to accept handshakes between devices trying to access other devices on their networks.
    2. Communication between devices should be encrypted to prevent MiTM attacks and sniffing/snooping.
Privacy:
  1. Consumer PII not shared with manufacturers or partners.
  2. Usage data on individual consumer is never shared with partners or advertisers.
  3. Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven to not be traceable back to an individual consumer.
  4. Data collection policy, type of data collected and usage of data is clearly documented on site.
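The "Secure by Default" items above translate directly into factory provisioning logic. The following Python is an added example written for this post, not I am the Cavalry's or any vendor's code; its serial numbers, feature names, forbidden-default list and PBKDF2 parameters are constructed choices for illustration.

```python
import hashlib
import secrets
import string
from typing import Dict, List

# Secure by Default, as applied on the production line: every device gets its
# own random credential, weak or shared defaults are rejected before shipping,
# and rarely used features leave the factory disabled.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
MIN_PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 200_000                       # constructed work factor
FORBIDDEN_DEFAULTS = {"", "admin", "password", "1234", "12345678"}   # constructed list
DEFAULT_FEATURES: Dict[str, bool] = {        # item 1.3: off unless the owner turns them on
    "vpn": False, "remote_administration": False, "upnp": False, "telnet": False,
}


def password_policy_violations(password: str) -> List[str]:
    """Reasons a candidate credential may not ship (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if password.lower() in FORBIDDEN_DEFAULTS:
        problems.append("well-known default")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs letters and digits")
    return problems


def generate_device_password(length: int = MIN_PASSWORD_LENGTH) -> str:
    """Item 1.2: CSPRNG-based per-device password, regenerated until it passes policy."""
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if not password_policy_violations(candidate):
            return candidate


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def provision_device(serial: str) -> dict:
    """Build the record burned into one device. The cleartext password is
    returned only so it can be printed on the device label; it is never stored."""
    password = generate_device_password()
    salt = secrets.token_bytes(16)              # per-device salt, so equal passwords never share a hash
    record = {
        "serial": serial,
        "salt": salt.hex(),
        "password_hash": hash_password(password, salt),
        "features": dict(DEFAULT_FEATURES),
    }
    return {"record": record, "label_password": password}


def verify_device_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    actual = hash_password(candidate, bytes.fromhex(record["salt"]))
    return secrets.compare_digest(record["password_hash"], actual)


def audit_fleet(records: List[dict]) -> List[str]:
    """Pre-shipment check across a batch: duplicated credentials (item 1.1)
    and advanced features left enabled (item 1.3) are findings."""
    findings = []
    seen: Dict[tuple, str] = {}
    for rec in records:
        cred = (rec["salt"], rec["password_hash"])
        if cred in seen:
            findings.append(f"{rec['serial']}: credential shared with {seen[cred]}")
        seen.setdefault(cred, rec["serial"])
        enabled = sorted(name for name, on in rec["features"].items() if on)
        if enabled:
            findings.append(f"{rec['serial']}: enabled by default: {', '.join(enabled)}")
    return findings


if __name__ == "__main__":
    batch = [provision_device(f"SN-{i:04d}") for i in range(1, 4)]   # constructed serials
    for item in batch:
        print(item["record"]["serial"], "label password:", item["label_password"])
    print("audit findings:", audit_fleet([item["record"] for item in batch]))
```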



As well, I am the Cavalry has published the Five Star Automotive Cyber Safety Program, with the purpose of bringing the industry together to standardize on a security framework for connected devices.



According to their website:  
The OWASP Internet of Things Project provides information on:

Of interest in this discussion is the topic of "IoT Attack Surface Areas". Each one of these boxes identifies specific threat vectors to IoT product development, as well as guidance and recommendations on remediating these concerns early in the development cycle.


OWASP IoT Attack Surface Areas (from the project's diagram):
  • Ecosystem Access Control
  • Device Memory
  • Device Physical Interfaces
  • Device Web Interface
  • Device Firmware
  • Device Network Services
  • Administrative Interface
  • Local Data Store
  • Cloud Web Interface
  • Ecosystem Communications
  • Vendor Backend APIs
  • Third Party Backend APIs
  • Update Mechanism
  • Mobile Application
  • Network Traffic


 IoT Security != Device Security


Attack Surface – Vulnerabilities
Ecosystem Access Control
  • Implicit trust between components
  • Enrollment security
  • Decommissioning system
  • Lost access procedures
Device Memory
  • Cleartext usernames
  • Cleartext passwords
  • Third-party credentials
  • Encryption keys
Device Physical Interfaces
  • Firmware extraction
  • User CLI
  • Admin CLI
  • Privilege escalation
  • Reset to insecure state
  • Removal of storage media
Device Web Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
Device Firmware
  • Hardcoded credentials
  • Sensitive information disclosure
  • Sensitive URL disclosure
  • Encryption keys
  • Firmware version display and/or last update date
Device Network Services
  • Information disclosure
  • User CLI
  • Administrative CLI
  • Injection
  • Denial of Service
  • Unencrypted Services
  • Poorly implemented encryption
  • Test/Development Services
  • Buffer Overflow
  • UPnP
  • Vulnerable UDP Services
  • DoS
Administrative Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
  • Security/encryption options
  • Logging options
  • Two-factor authentication
  • Inability to wipe device
Local Data Storage
  • Unencrypted data
  • Data encrypted with discovered keys
  • Lack of data integrity checks
Cloud Web Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
  • Transport encryption
  • Insecure password recovery mechanism
  • Two-factor authentication
Third-party Backend APIs
  • Unencrypted PII sent
  • Encrypted PII sent
  • Device information leaked
  • Location leaked
Update Mechanism
  • Update sent without encryption
  • Updates not signed
  • Update location writable
  • Update verification
  • Malicious update
  • Missing update mechanism
  • No manual update mechanism
Mobile Application
  • Implicitly trusted by device or cloud
  • Username enumeration
  • Account lockout
  • Known default credentials
  • Weak passwords
  • Insecure data storage
  • Transport encryption
  • Insecure password recovery mechanism
  • Two-factor authentication
Vendor Backend APIs
  • Inherent trust of cloud or mobile application
  • Weak authentication
  • Weak access controls
  • Injection attacks
Ecosystem Communication
  • Health checks
  • Heartbeats
  • Ecosystem commands
  • Deprovisioning
  • Pushing updates
Network Traffic
  • LAN
  • LAN to Internet
  • Short range
  • Non-standard



As stated earlier, this is starting guidance on what to look for when building out your Internet of Things Security Framework.  For further ideas and guidance, please read the references below. 

Good luck, and happy coding.




Resources:

OWASP: Top 10 IoT Security Issues
OWASP Top Ten IoT Security - Infographic
OWASP: IoT Security Guidance
RSA Conf: Mapping the IoT Attack Surface Areas
ARSTechnica: “Internet of Things” security is hilariously broken and getting worse
ARSTechnica: Police body cams found pre-installed with notorious Conficker worm
ARM.COM: From Sensor to Server, ARM drives the Internet of Things 
Texas Instruments: Internet of Things - Opportunities and Challenges 
DEFCON 23: IoT Attack Surface Mapping
HPE: Securing the IoT
Capgemini: Securing the Internet of Things
Globe and Mail: Internet of Things a playground for hackers
Globe and Mail: The Future is Smart - Why privacy must be baked into the Internet of Things
https://www.iamthecavalry.org/
IamtheCavalry: Five Star Automotive Cyber Safety Program
https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html
https://www.exploitee.rs/index.php/Exploiting_Nest_Thermostats
http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/
Embedded: Security framework for IoT devices
NIST Releases Draft Framework on the Internet of Things
Online Trust Alliance: IoT Trust Framework
WolfSSL: Embedded SSL Library for Applications, Devices, IoT, and the Cloud
http://www.bankingexchange.com/news-feed/item/5770-5-hacks-into-your-internet-of-things-devices
https://www.helpnetsecurity.com/2016/05/09/internet-of-fail/
Cisco: IoT Threat Environment
https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/





Threat Modeling a Mobile Application

The purpose of this article is to provide security guidance in the development of mobile applications.  The following application threat-model (ATM) is an example, created to help developers identify potential threats that a malicious attacker could use to exploit a custom developed Mobile Application.

This threat model example is based on industry best practices and observations across the Mobile Application Development space, and is not based upon any one particular mobile application.  The scenario presented here assumes an application in the Banking and Finance space, but could be any industry.


From a Security and Privacy perspective, a mobile application must:

  • Prevent the un-authorized use of web service API associated to the related application
  • Prevent the accessibility of information or operational control of a user’s account
  • Prevent the ability for a third party to gain identification and authentication details
  • Reduce the opportunity or intention of a malicious user from accessing confidential information

Threat Profile:

A "Threat Profile" is the concept of identifying the complete set of security threats that could be used to compromise a given application or system.

The following Business Criteria and assumptions were used when assessing the threat profile for this example Mobile Application:
  • Industry Categorization: Financial Institution
  • Organizational Audience: Business Users
  • Level of Potential Threat to Audience: Moderate-threat Audience
  • Degree of Confidential Data: Moderate
  • Likelihood of Exploitation: Low to Moderate
  • Delivery Platform: Mobile devices with Secured Sandboxes
  • Level of User Interaction: Minimal
SANS: Threat Profiling


Threat Agents:

A threat agent categorizes the types of intentional and unintentional users associated to the system. This can include, but does not require, the intended roles of the application.




Stolen Device User: A user who has obtained unauthorized access to the device, aiming to get hold of the sensitive information held in memory that belongs to the owner of the device.
  • Access to account information to perform unauthorized transactions 
  • Access to account information to perform transactions from a different account 
  • Attempt to garner information about the bank's overall security structure 
  • Denial of service attack against back-end systems based on gathered information

Owner of the Device: A user who has unwittingly installed a malicious application on their phone which gains access to the device application memory.

  • Capturing of credentials associated to the account for use by third party

Common WiFi Network User: This agent is aimed at any adversary intentionally or unintentionally sniffing the WiFi network used by a victim. This agent stumbles upon all the data transmitted by the victim device and may re-use it to launch further attacks.

  • Capturing of credentials associated to the account for use by third party 
  • Ability to perform unauthorized transactions

Key Scenarios:


The following scenarios or activities have been identified as key to the success of the application's security profile:

User Authentication - to gain access to post-sign-on functionality and content on the Mobile application.

Get Portfolio and Rates, and Execute Trades - User being presented with the list of transactions associated with specific Rates (Wire Payments, Cross-currency Account Transfers). The User could retrieve, view and accept the rate presented for selected payment. The User could view Beneficiary Details and the Audit History Page of the selected payments. The User could manage Contacts and make phone calls using the Audit History information.


Payment Approvals - User being presented with the list of payments (Wires, Account Transfers, EFT, Bill Payments) that qualify to be approved/released by the user. The User could view payment details and approve/reject selected payment. The User must be re-authenticated as a part of each payment approval operation. The User could view Audit History Page of the selected payments. The User could manage Contacts and make phone calls using the Audit History information.


Accounts Module - User being presented with the list of accounts he is entitled to. The User could add/delete/change the order of Favourite Accounts in the list. The User could query and view account balances and transaction history information.


Mobile Application Architectural Elements:

The following items are associated to the application architecture specific to mobile devices. This listing mechanism is intended to provide additional input and consideration into the overall threat model.



1. Carrier Elements
  1. Data
  2. SMS
2. Web Services using RESTful agents over SOAP
3. App Store
  1. Apple App Store
  2. Android Play Store
  3. Blackberry World
4. Wireless Interfaces
  1. 802.11
  2. Bluetooth
  3. NFC
5. Device
  1. iOS
  2. Android
  3. Blackberry
6. Common applicable hardware components
  1. Wireless Interfaces
  2. USB Ports
7. Authentication
  1. Token Based
  2. Certificate Based
  3. Keyboard Based
  4. Touchscreen Based
  5. Biometric Based

Planned Application Security Mechanisms:

Planned application security mechanisms are technologies and threat-management measures that are included as part of the application architecture and design. The model ignores these when defining the potential threats associated to the system but references them as solutions to identified problems.


The following application security mechanisms have been identified as part of application security design:
  • HTTPS secure transportation protocol using TLS 1.2 or above 
  • Two-phase authentication 
  • Input and data validation 
  • Exception handling 
  • Auditing and logging 
  • Minimization of operations

Trust Boundaries:




An organization and its application define a series of perimeters that establish different levels of security-oriented trust. The following information defines the trust boundaries associated with systems, sub-systems, and identities.



  • App Container Boundary: within secure devices including iPhone and BlackBerry
  • Internet Trust Boundary: the connector between the device and internal banking systems
  • DMZ Trust Boundary: including the perimeter firewall, where core services are located
  • Data Center Trust Boundary: in which directly hosted systems and services are located

Data Flows:

Data flow diagrams help document the flow of information across trust boundaries.

Understanding how data is communicated across boundaries helps identify potential issues within communication protocols and mechanisms.

The following diagram represents the data flow of the application under investigation.



Entry and Exit Points:

Entry Points

Entry points define the positions in your application where a user, cross-component communication or external application supply data and call operations associated to the back-end systems.
  • Mobile Application access to back-end API through JSON services.
  • Unintentional direct access to back-end API through JSON services. 

Exit Points

Exit points are relationships to entry points and define the positions in which data is sent to the client. Exit points are prioritized to identify where information is transmitted in a trusted manner but the source is untrusted.

Potential Attack Tree:

An attack tree is a hierarchical diagram (or outline) that represents the attacks a malicious individual might perform against the application. This information is based on the development of an attack profile organized around the industry and the type of threats associated to your application and end users.


Gain authentication information to be used in other applications, systems or services 
  • Authentication and access control attacks to determine applied security measure 
  • Determine the depth of breach and fraud preventive controls 
  • Access account to be used on other systems

Monitoring of transactions to record communication patterns

  • Obtain confidential information about the system 
  • Gain details on how transactions are processed in the system 
  • Discovery of weaknesses associated to the back-end system

General financial fraud

  • Perform unauthorized financial transactions to correct associated bank accounts 
  • Determine clients and size of transactions for social engineering attempts

Data Collection by running application in a non-trusted environment (jail-broken)

  • Ability to access the application in a jail-broken device or development platform 
  • Ability to apply memory forensics on the application at runtime to gain confidential information 
  • Ability to apply memory forensics on the application to determine run-time details

Unmanaged JSON attacks over encrypted or unencrypted channels

  • Ability to perform data theft through cross-site references 
  • Ability to perform a denial of service attack using cross-site references

Threat Tree:

A Threat Tree describes specific threats that can be applied to the application. Information in this section is laid out as a threat-based tree for reference, with specific descriptions afterwards. Please note that a single threat can be related to one or more common or uncommon vulnerabilities.  
  • Authentication / Authorization 
  • Input and Data Validation 
      • Relying exclusively on client-side validation 
      • Writing data you did not validate out to trusted source 
      • Using input you did not validate to generate SQL queries 
  • Configuration Management 
  • Sensitive Data 
      • Basic Man-in-the-Middle Attack 
      • Request Forgery 
  • Session Management / Cryptography 
  • Parameter Manipulation 
      • Failing to validate all input parameters 
  • Exception Management 
      • Failing to validate all input parameters 
  • Audit and Logging 
      • Missing Security Auditing Features 
      • Unsecured Audit Logs 
  • Mobile Specific Threats 
      • Method aimed to read the local application memory 
      • Malware on the device 
      • Transactions performed from non-localized location


Rating Potential Threats:

Relying Exclusively on Client Side Validation:

Threat Description: By relying on client-side validation, the system exposes the back-end services through compromised client systems as well as the communication protocols. This issue includes the common attack outcomes “Writing data you did not validate out to trusted source” and “Using input you did not validate to generate SQL queries”.
Category: Input and Data Validation
Threat Target
  1. Capturing of credentials associated to the account for use by third party.
  2. Ability to perform unauthorized transactions.
  3. Denial of service attack against back-end systems
  4. Attempt to garner information about the bank's overall security structure
  5. Access to account information to perform unauthorized transactions
Risk: High
Attack Techniques: A malicious attacker compromises the mobile application by installing it on a jail-broken device, or reviews the data communication through a proxy service. Unintended information (pre- or post-authentication) is sent through the communication protocol to the back-end server, containing injection data or unintentional information.
Countermeasures
  1. Use of SSL with trusted certificates to encrypt communication.
  2. Validation of data at all trust boundaries to manage tampered data.



Basic Man-In-The-Middle Attack:

Threat Description: A user is able to monitor the data being communicated from the mobile application to the associated server in order to determine the URL, formats and identity of back-end services for direct access to the service.
Category: Sensitive Data
Threat Target
  1. Capturing of credentials associated to the account for use by third party.
  2. Attempt to garner information about the bank's overall security structure
  3. Access to account information to perform unauthorized transactions
Risk: Medium
Attack Techniques: Use of data monitoring tools, including Burp Scanner or Wireshark, as proxies to view data being transmitted from the mobile application to the server.
Countermeasures
  1. Use of SSL with trusted certificates to encrypt communication.
  2. Validation of data at all trust boundaries to manage tampered data.
  3. Source checking of communication using CSRF-token based concepts



Request Forgery:

Threat Description: An unauthenticated user sends requests over HTTP in an attempt to (1) subvert authentication mechanisms, (2) perform destructive activities against a system, (3) gain information about exception handling mechanisms, or (4) garner information about the system and its transactions.
Category: Sensitive Data
Threat Target
  1. Capturing of credentials associated to the account for use by third party.
  2. Ability to perform unauthorized transactions.
Risk: Medium
Attack Techniques: Use of data monitoring tools, including Burp Scanner or Wireshark, as proxies to view data being transmitted from the mobile application to the server.
Countermeasures
Use of a secure token (similar to a CSRF token) to acknowledge authorized transactions to the system and to take appropriate measures including alerts and logging when un-authorized transactions are performed. The same mechanism used in a CSRF token can be used in this circumstance.

Missing Security Audit Features:

Threat Description: Attacks by an unauthorized user are not properly documented by the system, reducing the opportunity for breach attempts to be discovered, hindered or prevented. As a security practice, audits and logs should be applied across application layers and servers.
Category: Auditing and Logging
Threat Target
  1. Denial of service attack against back-end systems
  2. Ability to perform unauthorized transactions
  3. Anti-forensic measures
Risk: Low
Attack Techniques: This threat does not have a direct attack; it represents an inability to detect and manage the assault in the case of a breach.
Countermeasures
  1. Log all security oriented transactions to a “security log file”
  2. Recognize unusual number of requests to any series of accounts
  3. Critical transaction attempts are logged for fraud controls
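As an added example (not code from the original post) of countermeasures 1 to 3 above, the following Python parses a constructed security log, flags a source that sweeps an unusual number of distinct accounts within a short window, and pulls critical transaction attempts out for fraud review. The log line format, field names and thresholds are assumptions chosen for illustration.

```python
"""Detect an unusual number of requests against a series of accounts in a
security log.  Added example, not code from the original post; the log
format and the thresholds are assumptions chosen for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a "security log file" (one line per security-relevant
# transaction).  Format is an assumption: ISO timestamp, event, account, source.
SAMPLE_LOG = """\
2016-09-22T10:00:01Z LOGIN_FAIL account=1001 src=203.0.113.5
2016-09-22T10:00:03Z LOGIN_FAIL account=1002 src=203.0.113.5
2016-09-22T10:00:04Z LOGIN_FAIL account=1003 src=203.0.113.5
2016-09-22T10:00:06Z LOGIN_FAIL account=1004 src=203.0.113.5
2016-09-22T10:00:07Z LOGIN_FAIL account=1005 src=203.0.113.5
2016-09-22T10:00:08Z LOGIN_FAIL account=1006 src=203.0.113.5
2016-09-22T10:05:00Z LOGIN_OK account=1001 src=198.51.100.7
2016-09-22T10:06:30Z PAYMENT_APPROVE account=1001 src=198.51.100.7
2016-09-22T11:00:00Z LOGIN_FAIL account=1001 src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+account=(?P<account>\d+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts.  Malformed lines are skipped rather than
    trusted, so a tampered or truncated line cannot derail the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_account_sweeps(events, window=timedelta(minutes=1), min_accounts=5):
    """Countermeasure 2: recognise a source touching an unusual number of
    distinct accounts inside `window`.  Returns {src: accounts} for offenders."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):           # sliding time window over events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = accounts
    return alerts


def critical_transactions(events, critical=("PAYMENT_APPROVE",)):
    """Countermeasure 3: pull critical transaction attempts out for fraud review."""
    return [e for e in events if e["event"] in critical]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, accounts in find_account_sweeps(evs).items():
        print(f"ALERT {src} touched {len(accounts)} accounts: {sorted(accounts)}")
    for e in critical_transactions(evs):
        print(f"REVIEW {e['ts']} {e['event']} account={e['account']}")
```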

Unsecured Audit Logs:

Threat Description: Once a breach has occurred, a malicious attacker will attempt to alter or remove the log files that record their activity. This is a common step for an attacker in a breach, taken to reduce the chance of success of a forensic investigation.
Category: Auditing and Logging
Threat Target
  1. Denial of service attack against back-end systems
  2. Ability to perform unauthorized transactions
  3. Anti-forensic measures
Risk: Low
Attack Techniques: Upon a system breach, the attacker will modify or delete the associated log files so that evidence of their activities is removed.
Countermeasures
  1. Audit files are located in a protected directory with access controls
  2. Modification, viewing and back-up of log files have specific user controls
  3. Use of frequent back-ups for security files to single-direction systems

Method to Read Local Application Memory:

Threat Description: In this attack methodology, the data targeted is application-specific memory and the method used is memory-based analysis. The attacker steals sensitive data such as passwords, user IDs and user account information that is stored in the application memory by reading the device memory.
Category: Mobile Specific Threats
Threat Target
  1. Access to account information to perform unauthorized transactions 
  2. Attempt to garner information about the bank's overall security structure 
  3. Capturing of credentials associated to the account for use by third party
Risk: Medium
Attack Techniques: Through development or forensic tools on the device, or using a developer workstation, the system and application memory is reviewed while the application is running to determine how information is stored and communicated, and how long it remains resident.
Countermeasures
  1. General memory management techniques for the individual platform 
  2. Nullifying variables with confidential data as soon as they are used 
  3. Minimal storage of confidential data while in memory 
  4. The storage of confidential data in memory in an encrypted format

Malware on the Device:

Threat Description: Any program or mobile application which performs suspicious or unauthorized activity. It can be an application which is copying real-time data from the user’s device and transmitting it to a server. This type of program executes in parallel to all the processes running in the background and stays alive, performing malicious activity all the time, e.g. the Olympics app which stole text messages and browsing history. On a jail-broken phone this can include access to the application's memory and buffer overflow threats.
Category: Mobile Specific Threats
Threat Target
  1. Access to account information to perform unauthorized transactions 
  2. Attempt to garner information about the bank's overall security structure 
  3. Capturing of credentials associated to the account for use by third party
Risk: Low
Attack Techniques: Often malware is installed on a device through unintentional means, where the malware itself is a Trojan or worm embedded in a useful application. Once installed, the application slowly consumes and analyzes other applications on the device. Malware is most often found on jail-broken phones on which non-App Store applications have been installed. Malware is often not a targeted attack but an opportunistic one.
Countermeasures
  1. The use of managed devices with white-listed applications
  2. Encrypt Data at Rest on the device
  3. Encrypt Data in Transit 

Transaction Performed from Non-Localized Location:

Threat Description: An unauthorized user attempts to perform a transaction from a distributed location with the goal of applying a fraudulent action. This may include a single or multiple financial transactions.
Category: Mobile Specific Threats
Threat Target
  1. Access to account information to perform unauthorized transactions 
  2. Attempt to garner information about the bank's overall security structure 
  3. Denial of service attack against back-end systems
Risk: High
Attack Techniques: An individual using a stolen device, or performing a transaction from a distributed location (uncharacteristic of the user), is able to perform multiple transactions.
Countermeasures
  1. Use of geo-location to monitor the location of transactions for a user 
  2. The mapping of geo-location to potential fraudulent locations 
  3. The validation of transactions when listed geo-locations are not used
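An added example, not from the original post, of the three geo-location countermeasures above: it checks a new transaction against the user's usual locations, maps it against a constructed list of flagged regions, and tests for impossible travel since the previous transaction, returning the reasons a transaction should be re-validated. Coordinates, radii, the speed threshold and the sample history are assumptions.

```python
"""Geo-location validation of a mobile banking transaction.  Added example for
the "Transaction Performed from Non-Localized Location" countermeasures; not
part of the original post.  Thresholds, flagged regions and sample data are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
USUAL_RADIUS_KM = 100.0   # within this distance of past activity counts as "usual"
MAX_SPEED_KMH = 900.0     # faster than an airliner between two transactions is implausible

# Constructed list of high-risk regions the fraud team maps transactions
# against (countermeasure 2): (latitude, longitude, radius km).  Placeholder values.
FLAGGED_REGIONS = [(0.0, 0.0, 50.0)]


@dataclass(frozen=True)
class Transaction:
    user: str
    ts: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2.0 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(history, new):
    """Return the reasons `new` should be re-validated (empty list = clean).
    `history` holds the user's earlier transactions, oldest first."""
    reasons = []
    # Countermeasure 1: monitor where the user normally transacts.
    if history and all(
        haversine_km(t.lat, t.lon, new.lat, new.lon) > USUAL_RADIUS_KM for t in history
    ):
        reasons.append("location is not among the user's usual locations")
    # Countermeasure 2: map the location against known fraudulent regions.
    if any(haversine_km(la, lo, new.lat, new.lon) <= r for la, lo, r in FLAGGED_REGIONS):
        reasons.append("location falls inside a flagged region")
    # Countermeasure 3: impossible travel since the most recent transaction.
    if history:
        last = history[-1]
        hours = max((new.ts - last.ts).total_seconds() / 3600.0, 0.0)
        dist = haversine_km(last.lat, last.lon, new.lat, new.lon)
        if dist > MAX_SPEED_KMH * hours:
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
    return reasons


# Constructed sample data: a user who normally transacts around Toronto.
SAMPLE_HISTORY = [
    Transaction("user-1", datetime(2016, 9, 22, 9, 0), 43.65, -79.38, 120.0),
    Transaction("user-1", datetime(2016, 9, 22, 9, 30), 43.66, -79.40, 35.0),
]
# Same city an hour later: expected clean.
SAMPLE_LOCAL_TX = Transaction("user-1", datetime(2016, 9, 22, 10, 30), 43.64, -79.39, 60.0)
# Hong Kong an hour later: unusual location and impossible travel.
SAMPLE_REMOTE_TX = Transaction("user-1", datetime(2016, 9, 22, 10, 30), 22.30, 114.20, 4000.0)

if __name__ == "__main__":
    for tx in (SAMPLE_LOCAL_TX, SAMPLE_REMOTE_TX):
        print(tx.lat, tx.lon, assess(SAMPLE_HISTORY, tx) or "clean")
```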

Threat Risk Rating:

Threats are rated into three categories (Low, Medium and High) based on their DREAD rating. The individual elements associated to this rating are as follows:
  • Damage potential: How great is the damage if the vulnerability is exploited?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch an attack?
  • Affected users: As a rough percentage, how many users are affected?
  • Discoverability: How easy is it to find the vulnerability?

Threat                                           D  R  E  A  D  Total  Rating
Basic Man-in-the-Middle Attack                   2  3  3  1  2  11     Medium
Request Forgery                                  2  3  3  1  2  11     Medium
Relying exclusively on client-side validation    3  3  3  1  3  13     High
Missing Security Audit Function                  1  1  1  1  1  5      Low
Unsecured Audit Log                              1  1  1  1  1  5      Low
Method aimed to read the local memory            2  1  2  1  2  8      Medium
Malware on the Device                            1  1  1  1  1  5      Low
Malicious App                                    1  1  1  1  1  5      Low
Transactions from non-localized location         3  3  3  1  2  12     High

References:

Turmoil in the CASB market - 2016 the year of Big Business Acceptance

In April of last year, I wrote a technical comparison of the various players in the CASB (Cloud Access Security Broker) space, and had such incredible response and discussion that I felt I had to provide an update this year. Should be easy, right?  WRONG!

(Read the above article if you are new to CASB and want an understanding of the space)


The CASB market has seen a lot of turmoil over the past year, in the form of mergers and acquisitions.  Early on we all thought Cisco was going to acquire Elastica as they had become quite cozy, but in a screeching left turn, BlueCoat came from the sidelines, and snapped Elastica up. The surprise here is that earlier in June of 2015, BlueCoat had just acquired CASB player Perspecsys.  Fast forward to June of this year, when BlueCoat announced their intent to IPO, then only days later agrees to be acquired by Symantec for $4.65B.  Whew...

In a similar roller coaster,  Adallom cozies up with HP in April 2015, only to get bought by Microsoft in September.  Then just last week, Cisco, not to be left out of the CASB market announced their intent to acquire Cloudlock.

Also in recent news, Skyhigh Networks obtained a patent to use reverse proxies for cloud access security broker services, and Netskope obtained a patent for routing client traffic securely to Cloud Services. I'm not sure how this is going to change how the others model their business.


So to recap...

Last year, in the CASB space, we had: 
Adallom, BitGlass, Ciphercloud, Cloudlock, Elastica, Imperva, Netskope, Perspecsys, and SkyHigh

This year, the landscape looks to be:
Bitglass, BlueCoat, Ciphercloud, Imperva, Microsoft, Netskope, and SkyHigh.






I closed last year's report with the statement:
"Although the CASB market space is still in its infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service. I'm interested to see what happens to this space over the next three years.   My money is on convergence of CASB, SSO, and Mobile Security providers."
I still hold to this: Cloud SSO is what gives CASB the ability to understand context, and Mobile Security (Device Security, Application Security, Data Security)  is required to manage endpoints outside of the corporate perimeter.  Yet I'm not seeing those acquisitions as yet.


I think it's going to be an interesting challenge to update last year's report. Stay tuned. 


If you are a current CASB provider that I have missed here, and want to be included in the upcoming report, please comment below, and I will contact you for validation.



CASB References:

Gartner: The Growing Importance of Cloud Access Security Brokers
http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/
https://www.netskope.com
https://www.elastica.net/
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class 
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends

NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration 
HP - Adallom: Proven Cloud Access Security Protection Platform 
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP 
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage. 
Cloud Computing: Security Threats and Tools 
SC Magazine: Most cloud applications in use are not sanctioned  

http://www.businesscloudnews.com/2015/04/22/cisco-elastica-join-forces-on-cloud-security-monitoring/
https://www.elastica.net/2015/04/cisco-to-offer-elastica-shadow-it-and-casb-solution-to-enterprises/
Elastica And Cisco Move To Product Integration Of Cloud Web Security And Elastica CloudSOC
Blue Coat Acquires Perspecsys to Effectively Make Public Cloud Applications Private
Blue Coat acquires Elastica in $280 million CASB deal
Fortune: Bain Wants To Take Cybersecurity Firm Public Despite Weak IPO Market
Fortune: Blue Coat Abandons IPO Plans, Sells To Symantec for $4.65 Billion

Cloud security vendor Adallom secures $30m from HP, Rembrandt Venture Partners
Hewlett Packard Ventures and Adallom: Partnering to Protect the Enterprise Cloud
Microsoft acquires Adallom to advance identity and security in the cloud

Cisco Announces Intent to Acquire CloudLock for $293M

Stratokey: Cloud Access Security Broker (CASB)

Netskope awarded patent for cloud visibility, governance

Big Tech’s Entry into the CASB Market Is Evolutionary
Microsoft acquires Adallom to advance identity and security in the cloud

http://searchcloudsecurity.techtarget.com/news/4500253289/CASB-roundup-Microsoft-confirms-Adallom-buy-Netskope-raises-75M
https://www.skyhighnetworks.com/cloud-security-blog/what-the-adallom-acquisition-means-for-the-casb-market/

http://searchcloudsecurity.techtarget.com/answer/How-can-a-reverse-proxy-mode-improve-cloud-security

Gartner: Market Guide for Cloud Access Security Brokers
Gartner: How to Evaluate and Operate a Cloud Access Security Broker


6 steps to protect yourself from the Yahoo email breach!




Last Thursday (09/22/16), Yahoo admitted to the largest email provider breach in history. The breach, which happened in 2014, consisted of the account information of at least 500 million users and included names, email addresses, encrypted passwords and even security questions.   


 According to reports, as many as 2.1 million Rogers Communications customers could be affected, as Rogers uses Yahoo as their underlying email provider.


 
Even though the breach itself happened in 2014, we urge you to take the time to protect yourself from this event.  Since 2013, 360 million MySpace accounts, 167 million LinkedIn accounts, and 145 million eBay accounts have also been compromised.  




Human nature has us using the same or similar passwords across all of our various online sites, whether they be social media, retail, email, or banking.  Much as this is convenient, it opens us up to fraud and theft by these hackers. 


 


Take these six simple steps to protect yourself now:


1. Change your online passwords now!
  • Remember that length and complexity are the easiest protection.  Use at least 8 characters, and mix numbers and letters.
2. Use different passwords for your banking, email, and social media sites.
  • Hackers use automated tools to see if your stolen credentials work in thousands of other sites.
3. Enable 2-step verification.
  • Most online email, banking, and social media sites provide 2-step verification, i.e., when you log on from a new device or from a new location, they will send you an SMS text message with a validation code before you can enter.  This protects you from having others log in pretending to be you.
4. Enable transaction notification on your banking!
  • Online Banking sites have the option of sending you a text or email every time a transaction passes through your account. Turn this on!
5. Beware phishing attacks related to this breach.
  • Do not respond to, click on, or open emails and attachments that say they are going to help you with this breach.  A number of malicious attacks have already begun to lure innocent people into providing credentials based on the fear and uncertainty around this breach.   Your banks and email providers will NOT be sending messages related to this.
6. Finally, use a password management app to protect your online credentials.
  • Whether your preferred device is Windows, Mac, Linux, iOS, or Android, there are free apps out there that can help you organize and protect your online passwords.
  • LastPass, 1Password, and KeePass are the most popular and cover a range of devices. 


 


References:


http://www.pcmag.com/article2/0,2817,2475964,00.asp
http://www.cnbc.com/2016/09/22/yahoo-data-breach-is-among-the-biggest-in-history.html
https://www.thestar.com/business/2016/09/23/rogers-email-users-warned-in-massive-yahoo-data-hack.html
http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html
https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/
http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/#5d0270b13c15





Canada 150, and Canadian Innovation.

Canada has a long legacy of innovation and prosperity. We have blazed technology trails in every aspect of life, from agriculture to medicine and health care, communications to manufacturing, transportation to space travel, finance to renewable energy.

I started my career as an electronics technician under the Industrial Research Assistance Program at the Canadian National Research Council.   My role was to go into young startup companies and provide technical assistance getting their technology dreams built, tested, and ready for market.
Today, this program actively helps Canadian entrepreneurs innovate through grants, advisory services, networking, youth employment, and staff augmentation, while providing technical assistance in various fields.

Looking backwards to see forward, Canada has a great opportunity to remain a global leader in innovation and technology. There is a wealth of diverse companies, both entrenched and new, taking on the challenge of automating, managing, and accommodating all aspects of our lives.  I’ll outline just a few of those technologies here.

Healthcare:
The Canadian Healthcare System is respected worldwide, both for its ability to efficiently and effectively care for individuals and for its history of innovations.  Leveraging the rapid advances in “Internet of Things (IoT)” technology and infrastructure, Canadian health research facilities have become world leaders in the innovation of wearable devices to help track and monitor patient outcomes.  With these devices monitoring vital aspects of a patient’s health and recovery, a physician can be better informed upon the patient’s arrival, reducing wait and visitation times, and can analyze appropriate remediation strategies.  Canadian-made wearable devices will become a normal part of our standard healthcare regime.

As well as the wearable monitoring devices, IoT technology has spurred a number of Canadian Innovators to launch “assistive device” products.  These range from smart technology for wheelchairs, to adaptive prosthetics, to GPS tracking and guidance for the blind.  The Canadian imagination is boundless, and as our population ages, these devices will become more prevalent.

Finance:
Blockchain technology may be new to most of us, but it is revolutionizing the way the banking industry works.  In fact, ANY industry that relies on transactional integrity could benefit from Blockchain’s ledger-based technology.  Many of us are familiar with, or at least have heard of, “bitcoin”, which is the grandfather of blockchain currencies. Ethereum is another up-and-coming blockchain currency attracting international interest.  Recently, the Enterprise Ethereum Alliance included the National Bank of Canada as one of 86 new members that will work together to develop business applications on the Ethereum blockchain.


Renewable Energy:
There are more than a thousand Canadian companies currently innovating in the Clean or Renewable Energy Market, employing more than 50,000 people across the country.  From the staples of Solar and Wind, to deep water stores of compressed air, geothermal heating and electricity, and the manufacture of lithium-ion batteries, we are making our mark on the global stage.  Much of this is thanks to “Sustainable Technology Development Canada”, which is the largest single clean-tech fund in the world. It has seeded more than 200 clean-tech projects through grant funding of more than $600-million. Renewable Energy is a cultural shift that is well under way within Canadian homes and businesses, and we are going to continue to be at the forefront for decades to come.

Agriculture:
Over the past two decades, Canada has taken a strong lead in Modernizing and Automating Agriculture. With the prevalence and low cost of Industrial sensors for things like moisture level, sunlight, pH level, soil nutrients, etc., Canadian researchers have been able to greatly increase crop yields across the industry. This technology has been transferred down to the hands of local farmers, who are able to automate aspects of their farm such that they not only increase yield, but can direct and reduce water consumption and cost.  Crops are able to be grown in areas previously unmanageable through monitoring and automation.  Canada is also setting examples of how to use industrial sensors to monitor and manage Livestock health and food consumption. This is an area in which we will continue to be world leaders.

Smart Cities:
Continuing on the Industrial Internet of Things theme, Canada is also a leader in Innovation in monitoring and managing all aspects of transportation and buildings in today’s Smart Cities. Cities across Canada are collaborating on means to provide cleaner more efficient home and work spaces for their inhabitants.  We are researching ways to use Industrial sensors to monitor and more efficiently manage heating and cooling within residential and commercial buildings.  We are also developing ways to monitor and reduce emissions from these buildings.

Through the use of sensors under the pavement, on lamp posts, and cameras at intersections, we are researching ways to better identify traffic patterns across the city, and adjust intersection lights for more efficient travel times and greater safety for both vehicles and pedestrians. 
There are also Canadian innovations being developed in street lighting to greatly reduce power consumption, and reduce environmental impact on wildlife.

Space Exploration:
We are all too familiar with the Canadarm, which assisted the NASA space shuttle program for two decades and now works diligently on the International Space Station. Did you know that Canada has a burgeoning Space program too?  In 2016, the Canadian Government committed to extend Canada’s participation in the ISS program, and provide opportunities to develop leading-edge space technologies. Up to $379 million will be earmarked for this program over the next eight years.
Six Canadian Astronauts have served eight missions aboard the International Space Station, and in 2018, David Saint-Jacques will become the next Canadian astronaut to take part in a long-duration mission aboard the ISS.

The University of Guelph’s Mike Dixon and his team are working on “biological life support” systems: research that will help sustain long-term human exploration of distant planets by finding ways to grow plants inside greenhouses, with techniques that could one day allow us to grow crops on the moon or Mars.

Canada has long partnered with the US on the development of satellite communications technology.  Our first Canadian satellite, Alouette 1, was launched by NASA on September 29, 1962. Companies such as DeHavilland, Spar Aerospace, and Telesat Canada spurred on the innovation across the past several decades. Now, the torch has been picked up by several Canadian startups that are developing very small format satellites for such purposes as monitoring forestation and environmental changes, or providing imaging services for commercial planning.


We Canadians are a country of dreamers, and we dream big. The future of Canadian Innovation will not dull.





Can our Managed SIEM providers please get their heads out of the 90's?



rant mode on   

(I had tried standard <> tags, and the CMS tried to process them!  LOL)
 
I've been a customer of SIEM (Security Incident and Event Monitoring) for about 30 years (cough), and have never had a "good" customer experience.  

SIEMs are complex (and expensive) systems that closely integrate with every server/appliance/network device on the floor, and try to make sense of the data flowing through to identify security concerns.   The data is typically in a format proprietary to the vendor of the source product.

When a vendor wants to implement SIEM in your infrastructure, for each server they enroll the vendor asks about "use cases", i.e. the set of rules that define what types of security events you should care about.
"Mr Customer, how many failed login attempts do you want to capture before we alert you?"

As a customer, how the hell should I know?  What's the industry norm?  You're the SIEM expert, tell me what your other customers are doing!  This approach has stifled progress/uptake in the industry.  SIEM is typically implemented grudgingly as an audit checkbox.
"Ok, yes, we have SIEM, and things are reporting to it... CHECK... Next..."
This is a very expensive and time consuming effort to acquire a check box, but this is also how the vendors are selling it.  Compliance sells products.

There is so much more that SIEM can and should do, like correlating firewall sessions with Endpoint Protection alerts, identifying patterns (anomalies) in VPN users' activities, or alerting on movement of data between rogue cloud applications (shadow IT)...  but those tasks take planning and scripting skills, time and budget that an average Information Security team does not have.  So the tools get put in to fill the checkbox, and all of the capabilities they have sit idle.   (I hear you out there... prove me wrong, tell me YOUR good news story!)
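To make the "use case" conversation concrete, here is an added example (not from the article, and not any vendor's code) that runs two of the use cases just mentioned over constructed log lines: the failed-login threshold the vendor asks about, and correlating firewall sessions with endpoint-protection alerts on the same host. The log layout, hosts, user names and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the article), normalised to "ts source type key=value..."
SAMPLE_LOGS = """\
2017-03-01T09:00:01 fw  session src=10.1.5.20 dst=203.0.113.9 dport=443 action=allow
2017-03-01T09:00:04 epp alert host=10.1.5.20 signature=Trojan.Generic action=quarantined
2017-03-01T09:05:00 vpn login user=jdoe result=fail
2017-03-01T09:05:10 vpn login user=jdoe result=fail
2017-03-01T09:05:20 vpn login user=jdoe result=fail
2017-03-01T09:30:00 vpn login user=asmith result=fail
2017-03-01T09:31:00 vpn login user=asmith result=success
2017-03-01T10:00:00 fw  session src=10.1.7.44 dst=198.51.100.7 dport=80 action=allow
"""

LINE_RE = re.compile(r"^(\S+) (\w+)\s+(\w+) (.*)$")

def parse(text):
    """Turn raw lines into (timestamp, source, event_type, fields) records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM counts unparsed lines; here we just skip them
        ts, source, etype, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), source, etype, fields))
    return events

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Use case 1: N failed logins by one user inside a sliding window -> one alert."""
    alerts, recent = [], defaultdict(deque)
    for ts, _, etype, f in events:
        if etype != "login" or f.get("result") != "fail":
            continue
        q = recent[f["user"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((f["user"], ts))
            q.clear()                      # one alert per burst, not one per attempt
    return alerts

def fw_sessions_near_epp_alerts(events, window=timedelta(minutes=2)):
    """Use case 2: firewall session from a host that raised an EPP alert within the window."""
    epp = [(ts, f["host"], f["signature"]) for ts, s, e, f in events if s == "epp" and e == "alert"]
    hits = []
    for ts, s, e, f in events:
        if s == "fw" and e == "session":
            for ats, host, sig in epp:
                if host == f["src"] and abs(ats - ts) <= window:
                    hits.append((f["src"], f["dst"], sig))
    return hits
```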

Another typical issue with implementing SIEM is scaling/sizing of the SIEM infrastructure itself.  The vendors usually define the size of your SIEM based on incoming "events per second".  There are many calculators out there to help you determine size, but they don't tell you that a) this is a best case scenario, or b) EPS depends entirely on what you CHOOSE TO LOG!

It's a rare event that you buy too much SIEM for your requirements.  SIEM is expensive, and most of us will err on the side of budget.... and then find out we spec'ed 3-4 times smaller than required.

rant mode off




So let me tell you a little story now of my most recent experience that turned all this on its head:

There's a little "Managed Detection and Response" company, eSentire out of Cambridge, Ontario, that I had seen at several trade shows. Fatigued by vendors proclaiming that their product/service was better than the next coming of Christ, I had watched them warily.  But I heard good news from all sources.

I had an opportunity at one of my clients to replace a very non-functional implementation of Arcsight that one of Toronto's finest managed security providers had failed to deliver appropriately. (I'll just leave that there)

We looked at possible opportunities for bringing SIEM back in-house, as well as talked to about a dozen Managed Security Service Providers, and the daunting conversation of use cases kept coming up time after time.  Vendor would ask us what we wanted to monitor, how many, how long, what's the alerting criteria, blah blah blah...  (insert Charlie Brown adults talking here)

In the mix, we had eSentire come in and present.  I had prepared my VP of IT and director of Security Operations as to the types of questions we would encounter, and typical responses regarding EPS per logging device, and use cases based upon product.

eSentire took the conversation in a completely new direction:

Us: "Ok, tell us what we need to provide for use cases, and possibly some guidance on what makes sense...."

eSentire:   "We looked at your company, it's size, and market space.  We have dozens of similar customers as you.  Do you think your use cases might differ much from theirs?"

Us:"Ummm... no... probably not."

eSentire:  "Good, we can start there as a baseline, and monitor,  next?"

Us:  "Ok, what about Events Per Second, and storage?" 

eSentire:  "Based on existing customers, and the list of systems you want to integrate, we'll put a log collector in your infrastructure and monitor and manage its capacity."

 
That was nine months ago.  We signed up almost immediately, and the full implementation was a few weeks (not the typical 12-18 months I'm used to with those other systems).  We were getting reports daily, weekly, monthly, that made sense, and had executive presentations that I could actually take to my management.

We've also signed up for and are very happy with their Network Interceptor (Managed Intrusion Prevention) and Continuous Vulnerability Assessment services.




Resources:

Gartner: SIEM Use Cases

http://www.esecurityplanet.com/products/top-siem-products.html

Alienvault: What kind of logs do you need for an effective SIEM?

Gartner: Managed Detection and Response Companies
eSentire: Managed Detection and Response

SANS: Benchmarking SIEM
Why and How to calculate Events per Second
Solarwinds: Estimating Log Generation
Qradar: Sizing, Determining Events Per Second
A good EPS sizing chart and writeup from Buzzcircuit
https://www.emc.com/collateral/guide/11020-rsa-siem.pdf

Arcsight: Enterprise Security Manager


Cloud Access Security Broker (CASB) - The purpose of a forward proxy

First of several short articles on the feature sets of a typical Cloud Access Security Broker (CASB)

The Forward Proxy:

In a Cloud Access Security Broker (CASB), the forward proxy is an in-line, real-time protection gateway service configured to handle network requests from a group of known clients (users and devices) to any external website and/or cloud service.  These users and devices can be connecting from anywhere, either on the corporate network or across the Internet.  The destination services are typically cloud based.

The CASB forward proxy is primarily a policy control, and in its most basic, unauthenticated form it would simply apply policy enforcement to allow or deny access to specific sites and services on the Internet.  This form of the service could be used to police the corporate "Code of Conduct", i.e.  "No corporate device is allowed to browse Pornography, Violence/Hate, Drugs, Gambling, etc... ", or to block access to cloud storage sites to reduce the risk of data loss.

This, however, is a very limited use case, and easily subverted.

Typically, you would configure the forward proxy to authenticate the endpoint (either user, or device, or both) against your corporate directory.  This can be done through Microsoft's ADFS (Active Directory Federation Services) or, better, through a Cloud Identity Provider such as Okta, Ping, OneLogin, or Centrify.







For sites that are corporately sanctioned, you can manage/report/alert on the context of who visited the website or service, from where, on what device, and at what time.  Any or all of these attributes can be used to modify access, e.g. if going to a specific service from an unknown device over public Wi-Fi, you may want to enforce two-factor authentication and restrict file transfer.

For sites and services that are unknown or not Corporately Sanctioned (Shadow IT), you may want to validate the type of service through URL/Content filtering, and then allow access, while logging verbosely.  


Scenario:   With an authenticated forward proxy, you can say:

  • This user is from accounting - these are the apps they should potentially be able to access.
  • This user is on a corporate laptop from within the corporate network: allow full access.
  • This user is on a corporate laptop on a public network (Starbucks or a hotel).
    • Enforce two-factor auth to these apps, and deny access to these apps.
  • This user is on a personal device on a public network.
    • Enforce two-factor auth to these apps, and deny access to these apps.
    • Deny file transfer.
  • etc...


And of course the Cloud Identity Provider would manage credentials on the end service, therefore direct connection would be prohibited. 
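As an added illustration (not from the article, and not any CASB product's code), the scenario above written as an ordered policy table evaluated against the authenticated context; the group catalogue, the `.example` hostnames and the category lookup are invented placeholders for what the identity provider and the URL/content filter would actually supply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ctx:
    """What the proxy knows after authenticating the endpoint (constructed fields)."""
    user: str
    group: str     # directory group from the identity provider
    device: str    # "corporate" (managed) or "personal"
    network: str   # "corporate" or "public"
    app: str       # destination site or cloud service
    action: str    # "browse" or "file_transfer"

# Illustrative catalogue of sanctioned apps per group (hypothetical hostnames).
SANCTIONED = {
    "accounting": {"erp.example", "expenses.example"},
    "engineering": {"git.example", "ci.example"},
}
BLOCKED_CATEGORIES = {"gambling", "adult"}  # the "code of conduct" categories

def categorize(app):
    """Stand-in for the URL/content-filter lookup; a real CASB uses a vendor feed."""
    return {"bets.example": "gambling", "share-files.example": "cloud-storage"}.get(app, "unknown")

def sanctioned_for_group(c):
    return c.app in SANCTIONED.get(c.group, ())

def sanctioned_for_anyone(c):
    return any(c.app in apps for apps in SANCTIONED.values())

# Ordered policy: (predicate, decision, log level). First matching rule wins,
# so the most specific conditions must come before the general ones.
RULES = [
    (lambda c: categorize(c.app) in BLOCKED_CATEGORIES,            "DENY",  "normal"),
    (lambda c: sanctioned_for_group(c) and c.device == "corporate"
                                       and c.network == "corporate", "ALLOW", "normal"),
    (lambda c: sanctioned_for_group(c) and c.device == "personal"
                                       and c.action == "file_transfer", "DENY", "normal"),
    (lambda c: sanctioned_for_group(c),   "MFA",   "normal"),   # off-network or personal device
    (lambda c: sanctioned_for_anyone(c),  "DENY",  "normal"),   # sanctioned, but not for this group
    (lambda c: True,                      "ALLOW", "verbose"),  # shadow IT: allow, log verbosely
]

def decide(c):
    """Return (decision, log_level) for one authenticated request."""
    for predicate, decision, log_level in RULES:
        if predicate(c):
            return decision, log_level
```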


Next up: Cloud Access Security Broker (CASB)  -  The purpose of a reverse proxy 
