<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://in.sys-con.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Security</title>
 <link>http://in.sys-con.com/</link>
 <description>Latest articles from Security</description>
 <language>en</language>
 <copyright>Copyright 2012 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Sat, 18 Feb 2012 05:23:25 EST</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>10</ttl>
<item>
 <title>The Scary New Hacking Trend</title>
 <link>http://in.sys-con.com/node/2171755</link>
 <description>Starting with Operation Aurora – the brazen 2009 cyber attacks on Google and other large enterprises – through to the recent high-profile data breach that shut down certificate authority (CA) DigiNotar and the recent breach of VeriSign, hackers have learned to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks. In this article I explain what you can do to mitigate the risks of falling prey to this scary new hacking trend.
It’s always easy with hindsight, but today it seems clear that the criminals behind recent, high-profile cyber attacks weren&#039;t necessarily computer geniuses – just good opportunists. They were able to exploit human nature and then abuse an open door they knew they’d find. Let me explain.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2171755&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 17 Feb 2012 14:26:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2171755</guid>
</item>
<item>
 <title>Quick Response, Quick Risk?</title>
 <link>http://in.sys-con.com/node/2168422</link>
 <description>Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.
You don’t have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.
QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code – making them a marketer’s dream because they make it easy to direct users toward information and services. What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.
However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads’ is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2168422&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 16 Feb 2012 09:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2168422</guid>
</item>
<item>
 <title>Network Security 101: Automating for Continuous Compliance</title>
 <link>http://in.sys-con.com/node/2144714</link>
 <description>Managing access to confidential information and application resources via firewalls is the foundation of network security, and firewall audits are central to any mature network security process. However, relying on security and network experts to review rules across multiple firewall zones and different firewall products is proving to be costly and ineffective. Few will dispute that when it comes to network security, automating best practices to reduce operating costs, complexity, human error, and streamline processes is a good thing. However, in what we call the age of Continuous Compliance – brought on by the reality that point-in-time audits done hastily to meet reporting deadlines rarely – if ever – deliver any security or compliance benefits once that point in time has passed, automation becomes more than just good.  It becomes essential.
Case in point: a November 2011 survey from Tufin Technologies of 100 firewall managers revealed that only 1.3% of configuration changes that cause network downtime or pose a security breach are identified during the quarterly audit, yet almost a third of the respondents spent 3 to 7 days per quarter of valuable network security team time on firewall audits (Disclosure: I work for Tufin). Organizations receive precious few benefits for the level of resource spent on manual firewall audits – it is proving to be an inefficient approach to maintaining a secure network and if you do the math, an extremely inefficient use of skilled security personnel.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2144714&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 30 Jan 2012 07:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2144714</guid>
</item>
<item>
 <title>Consumerization of Corporate IT and Data Loss</title>
 <link>http://in.sys-con.com/node/2128592</link>
 <description>Companies across all industries are fighting to secure their proprietary and confidential data behind firewalls and complex passwords; unfortunately, the reality is that this data is most likely still slipping through the cracks. The introduction of employee-owned devices and the consumerization of the modern workplace present a new data loss threat that organizations must now address and combat. 
The consumerization of corporate IT and the advent of powerful mobile devices has forced many organizations to adopt the “bring your own (mobile) device” (BYOD) approach as an alternative IT-provisioning option instead of corporate-issued computers. Consequently, the organization’s IT security department has much less operational control over the BYOD mobile devices used by their employees.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2128592&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 14 Jan 2012 14:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2128592</guid>
</item>
<item>
 <title>Planning, Scoping and Recon Techniques</title>
 <link>http://in.sys-con.com/node/1938073</link>
 <description>The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are: OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1938073&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 09 Jan 2012 04:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1938073</guid>
</item>
<item>
 <title>The Cyber-Crime Landscape</title>
 <link>http://in.sys-con.com/node/2116303</link>
 <description>Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space.
Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&amp;D.
On our end, on the good guys’ side, it&#039;s hard if you&#039;re a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don’t really know what&#039;s working and what isn&#039;t. You don’t know if you&#039;ve really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can&#039;t be sure whether they’ve been had or not. So it&#039;s hard to know what to spend on.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2116303&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 06 Jan 2012 08:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2116303</guid>
</item>
<item>
 <title>BYOD, Meet Two-Factor Authentication</title>
 <link>http://in.sys-con.com/node/2106006</link>
 <description>There are some technological concepts that simply go better together. Consider the cloud and information explosion; the cloud offers the potential for unlimited storage for a torrent of ever-increasing data. Another example is virtualization and IT agility; strategic virtualization implementations can create flexible, responsive resources that enable IT organizations to better align with ever-changing business needs.
However, one combination that might not seem so obvious is the bring your own device (BYOD) movement and security. In fact, when many CIOs and CISOs think of BYOD their focus is often on the various security and management challenges associated with this rapidly spreading trend, not how BYOD and security have a symbiotic relationship.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2106006&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 04 Jan 2012 05:15:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2106006</guid>
</item>
<item>
 <title>Why Rule-Based Log Correlation Is Almost a Good Idea... Part 4</title>
 <link>http://in.sys-con.com/node/2104073</link>
 <description>We saw what typically happens when trying to use static rule-based log correlation to perform real-time incident management... combinatory explosion and lack of scalability. How do you automate non-deterministic attacks in a few discrete steps???
Today, we&#039;ll look at more scenarios for which static rule-based log correlation doesn&#039;t make sense.
Attack Scenario Example 2: Brute Force Attack
Let&#039;s look at another example scenario. Brute Force Attack.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2104073&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 20 Dec 2011 09:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2104073</guid>
</item>
<item>
 <title>Complex IT Security Risks Can Only Be Treated with Comprehensive Response</title>
 <link>http://in.sys-con.com/node/2016425</link>
 <description>In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.
The path to reducing these risks, even as the threats escalate, is to confront security at the framework and strategic level, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.
As part of the series of recent news announcements from HP, this discussion examines how such a framework process can unfold, from workshops that allow a frank assessment of an organization’s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2016425&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 02 Dec 2011 06:45:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2016425</guid>
</item>
<item>
 <title>Compliance vs. Security: The Multiple Dimensions of Corporate Espionage</title>
 <link>http://in.sys-con.com/node/2075095</link>
 <description>You’ve spent months fixing the red items on an internal audit report and just passed a regulatory exam. You’ve performed a network vulnerability assessment and network pen test within the last year and have fixes in place. You’ve tightened up your information security policy and recently invested in a security information and event management (SIEM) solution. You’re secure, right?
Put yourself in the shoes of a criminal. He knows that most security programs focus on regulatory compliance. He knows that IT departments have limited budgets. He also knows that you must defend against an almost unlimited number of attack vectors, while he just has to find one way in.  
How do you protect against a sophisticated, motivated criminal? A professional spy who has targeted your company’s trade secrets? A skilled insider with a specific purpose in mind? These types of people know that information comes in many forms, not just electronic, and they are trained to exploit any vulnerability. An effective information security program must incorporate more than just traditional pen tests and vulnerability assessments. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2075095&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 24 Nov 2011 15:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2075095</guid>
</item>
<item>
 <title>Four Popular Offsite Data Backup Approaches</title>
 <link>http://in.sys-con.com/node/2040050</link>
 <description>In a recent blog post, Gary Sevounts, VP of marketing at Zetta, looks at the most popular offsite backup solutions for organizations with smaller budgets that can&#039;t afford a data center, but need their mission-critical data to be protected. Sevounts lists four options: tape, USB, mirroring to a DR site, colocation and online data backups. 
Tape backups have been around for decades. Many companies already have the equipment, software and procedures in place for tape archiving. In those organizations where tape is working well, it is probably best to continue its usage.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/2040050&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 28 Oct 2011 11:51:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/2040050</guid>
</item>
<item>
 <title>Scanning Tools: The Target Environment</title>
 <link>http://in.sys-con.com/node/1938050</link>
 <description>The goal of the scanning phase is to learn more information about the target environment and discover openings by interacting with that target environment. This article will look at some of the most useful scanning tools freely available today and how to best use them. During this process we&#039;ll perform a number of scans.  
This article appears in the September 2011 EXTRA issue of PenTest magazine.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1938050&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 12 Oct 2011 13:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1938050</guid>
</item>
<item>
 <title>Most Powerful Voices in Security</title>
 <link>http://in.sys-con.com/node/1974029</link>
 <description>The security community has a growing number of influential and important people, especially as the industry rises to meet the need to address more advanced security threats, such as targeted attacks. But how does a company in the security industry truly identify the influential people? And then once identified, how does one use influential voices to help promote their brand? In this study, we answer the first question – how to identify the most powerful voices in your industry (in this case focusing on the security space), and as part of this we provide you a list of people to follow for the best, most up to date information, and who have the loudest voices to help carry some of your key messages. In a future study, we will discuss how to further exploit that knowledge to market your brand. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1974029&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 08 Sep 2011 14:50:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1974029</guid>
</item>
<item>
 <title>Externalizing Fine-Grained Authorization from Applications</title>
 <link>http://in.sys-con.com/node/1923919</link>
 <description>The recent spike in insider threats, coupled with a rise in compliance considerations, has forced organizations to ensure only authorized users access sensitive application functionality and data. Historically, user entitlements or authorization logic has been embedded inside an application. For example, if the user of an application meets specific conditions, such as a specific role, access to that application function will be granted at runtime. But if the definition of specific authorization conditions changes over time, then the application developer needs to modify the application’s source code, test, and re-deploy the application.
Suppose a homegrown portal application must present a sensitive piece of customer information such as a Social Security Number (SSN) when a service representative views a customer’s profile. It is determined that in order to ensure compliance with various privacy regulations, only directors and senior managers may be able to view a customer’s SSN. A decision has to be dynamically made whenever the application must show an SSN as to whether the current user may view the actual data or some default value (e.g., “XXX-XX-XXXX”). The decision must take into account the user’s job title. A dozen parts of the application that can display a customer’s SSN mean a dozen places for this business logic to be applied.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1923919&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 25 Aug 2011 10:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1923919</guid>
</item>
<item>
 <title>IT Looks to Open Trusted Technology Forum to Help Secure Supply Chains </title>
 <link>http://in.sys-con.com/node/1924402</link>
 <description>How can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1924402&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 29 Jul 2011 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1924402</guid>
</item>
<item>
 <title>Post Exploitation Using Metasploit pivot and port forward</title>
 <link>http://in.sys-con.com/node/1888935</link>
 <description>We are using the local port forwarding bound on a victim host so when we execute the route command and exploit internal hosts we can map them back to our initial victim, through the meterpreter connection and back to us.
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task. You can download metasploit from here.
A very nice feature in metasploit is the ability to pivot through a meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a meterpreter session on a foreign box.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1888935&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 29 Jun 2011 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1888935</guid>
</item>
<item>
 <title>Preventive Security Through Behavior Modification - Part 4</title>
 <link>http://in.sys-con.com/node/1868649</link>
 <description>Last week we saw that a proper Log Management tool is a powerful tool to catch the bad guys.
Advertise your use of such a tool and you will send a clear signal to would-be attackers that they will be caught, which will act as a powerful deterrent, and curb bad behaviors.
A 2004 study from Ibas, a computer forensics firm, conducted on 400 UK businesses showed that &quot;69.6% of business professionals have stolen some form of corporate IP from their employer when leaving a job.&quot;
I simply cannot believe that 69.6% of the people are &quot;bad guys,&quot; responsible for a trillion dollar worldwide problem. I believe that these 69.6% of people saw a window of opportunity, somehow persuaded themselves that it was OK to steal that corporate IP, and assumed that they were going to get away with it.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1868649&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 16 Jun 2011 14:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1868649</guid>
</item>
<item>
 <title>Open Trusted Technology Provider Aims to Secure Global IT Supply Chain</title>
 <link>http://in.sys-con.com/node/1726662</link>
 <description>The OTTF’s purpose is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain. 

The framework outlines industry best practices that contribute to the secure and trusted development, manufacture, delivery and ongoing operation of commercial software and hardware products. Even though the OTTF has only recently been announced to the public, the framework and the work that led to this whitepaper have been in development for more than a year: first as a project of the Acquisition Cybersecurity Initiative, a collaborative effort facilitated by The Open Group between government and industry verticals under the sponsorship of the U.S. Department of Defense (OUSD (AT&amp;L)/DDR&amp;E).&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1726662&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 23 Feb 2011 11:20:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1726662</guid>
</item>
<item>
 <title>Forum: Ensuring Secure IT Products in Global Supply Chains</title>
 <link>http://in.sys-con.com/node/1724250</link>
 <description>This is really not about adding some security band-aid onto a technology or a product. It&#039;s really about the fundamental attributes or assurance of the product or technology that’s being produced.
The OTTF is a group that came together under the umbrella of The Open Group to identify and develop standards and best practices for trusting supply chains. It&#039;s about how one consumer in a supply chain could trust their partners and how they will be able to indicate their use of best practices in the market, so that people who are buying from the supply chain or buying from a specific vendor will be able to know that they can procure this with a high level of confidence.
&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1724250&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 22 Feb 2011 14:54:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1724250</guid>
</item>
<item>
 <title>Security, Rumors of Security, and Bill Clinton</title>
 <link>http://in.sys-con.com/node/1715538</link>
 <description>The major theme of this year’s RSA Conference is, guess what, security. This is the largest security show of the year, and it’s clearly a big deal, since it covers both sides of the Moscone Center in San Francisco. As of 10 a.m. on Monday, preparations are still being made. The show officially opens at 6 p.m., when the doors are thrown open to the Exhibit Hall. And yes, as was noted on various social media outlets, only a security geek show would be scheduled on Valentine’s day.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1715538&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 14 Feb 2011 15:24:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1715538</guid>
</item>
<item>
 <title>Information Security from a Business Perspective</title>
 <link>http://in.sys-con.com/node/1705790</link>
 <description>As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the “preservation of confidentiality, integrity and availability of information.”[1] Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed. &lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1705790&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 09 Feb 2011 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1705790</guid>
</item>
<item>
 <title>After WikiLeaks, What&#039;s Next for Document Compliance Management?</title>
 <link>http://in.sys-con.com/node/1703614</link>
 <description>The WikiLeaks security fiasco has shed a lot of light on document security and its inherent irony: namely that the more confidential a document is, the more it’s likely to be shared. 

Web Security Journal reached out to the CEO of Brainloop, Peter Weger, to discuss the notion of so-called document compliance management.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1703614&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 05 Feb 2011 05:15:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1703614</guid>
</item>
<item>
 <title>Preventive Security Through Behavior Modification</title>
 <link>http://in.sys-con.com/node/1698272</link>
 <description>Over the next few weeks, we&#039;ll investigate how the expression &quot;An ounce of prevention is worth a pound of cure&quot; could also be applied to the IT world, and what are the tools to foster preventive security through behavior modification.
When looking at IT security, it seems that most of the security solutions today are based on Defensive Security. Technologies such as AntiVirus, Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems, Anti-Trojan, Anti-Worms, and Anti-Spyware belong in this category. The primary focus of these technologies is defending against security attacks in progress. Other categories of security exist of course, such as Proactive Security (including Vulnerability Management) and Remediation Security (e.g. Patch Management), but the industry focus these past few years has been on Defensive Security.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1698272&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 01 Feb 2011 19:00:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1698272</guid>
</item>
<item>
 <title>When Compliance Is at Odds with Security</title>
 <link>http://in.sys-con.com/node/1673483</link>
 <description>Users are the weakest link when it comes to information security. Without intending to, they cost more money in security breaches than outside hackers. This is why all regulations require the demonstration of strong access security. But focusing purely on regulatory compliance proofs as a standard of security can cause one to lose sight of the intended goal.
In a typical organization, IT administrators face an alphabet soup of regulatory requirements that have been put in place in an effort to protect sensitive information. And even in businesses that are not externally regulated, there are often compliance initiatives underway that require meeting some type of standard. There is a real temptation to define success as getting a passing mark on a list of criteria against which the security of the organization is going to be measured. However, in trying to pass an ever-growing and evolving list of tests, IT personnel may find themselves getting away from their real jobs - security. This is particularly true when the organization attempts to handle each standard on an individual basis and winds up getting preoccupied with creating or applying specific controls for each one. As individual standards change or requirement specifications are released, this approach of wearing two hats may quickly challenge security professionals’ sanity.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1673483&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 12 Jan 2011 12:15:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1673483</guid>
</item>
<item>
 <title>Bulletproofing the WebSocket Wire Protocol</title>
 <link>http://in.sys-con.com/node/1642956</link>
 <description>There&#039;s been a flurry of discussion this week among Internet and Web standards heavy-hitters around WebSocket, the new communications protocol supported in Chrome 4 and Safari 5. What was the main issue? Is there some kind of fundamental security vulnerability with the WS protocol? Web Security Journal turned to a domain expert in such issues, namely the CTO of Kaazing Corporation, John R. Fallows.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1642956&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 12 Dec 2010 02:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1642956</guid>
</item>
<item>
 <title>White House Taps Cyber Security Czar</title>
 <link>http://in.sys-con.com/node/1231382</link>
 <description>Right before Christmas, the White House tapped Microsoft’s long-ago chief security officer and CEO of the non-profit Information Security Forum, Howard Schmidt, as head of US cyber security. 

Despite the national priority, between pressure from US companies and reported infighting among bureaucrats, it took 10 months for the Obama administration to find someone who would take the job of dealing with millions of attacks a day on government and military systems – including hacks by Russia, China and terrorist interceptions of drone video feeds – as well as increasing financial losses to phishing schemes and Internet thefts like the reported multimillion-dollar one pulled off by the Russian mafia at Citigroup. 

How Schmidt interprets the job will be watched. There are doubts about his authority and the adequacy 
&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1231382&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 28 Dec 2009 11:30:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1231382</guid>
</item>
<item>
 <title>The Threat Behind the Firewall</title>
 <link>http://in.sys-con.com/node/1100649</link>
 <description>I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title.  They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations.  Graduating from floppy disks, as early as 2003 articles were warning against the possible threats introduced with these devices – 256Mb for $160 back then – and yet we still see some sort of incident reported almost once a week!  From consultants, to government employees, to mortgage lenders, to the International Space Station, what used to be a giveaway staple at trade shows, these tiny less-than-two-inch drives can hit and hurt you in a multitude of ways.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1100649&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 12 Sep 2009 18:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1100649</guid>
</item>
<item>
 <title>The Neglected Flipside of SOA Security</title>
 <link>http://in.sys-con.com/node/1092386</link>
 <description>Joe McKendrick kicks off a thread on the current state of SOA Security. As usual, most discussion of SOA Security applies to &quot;how SOA can be made secure&quot;. This is understandable. And, as some commentators have pointed out, there is a body of Best Practice out there on how to secure services in an SOA. For example, Randy Heffner provides lots of good advice on how to secure the services in an SOA.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/1092386&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 08 Sep 2009 13:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/1092386</guid>
</item>
<item>
 <title>Navigating the SOA Security Waters</title>
 <link>http://in.sys-con.com/node/654986</link>
 <description>You don&#039;t have to be a chief information officer to realize that security is becoming a corporate concern as more business is transacted on the Web. The mounting fears are well founded. Web attacks are growing in sophistication. Data is flowing faster and to more applications and more users. New Web development models, such as Web 2.0 and AJAX, are appearing.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/654986&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 09 Mar 2009 10:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/654986</guid>
</item>
<item>
 <title>Four Reasons Why Data Security Strategies Fail</title>
 <link>http://in.sys-con.com/node/742229</link>
 <description>There are many reasons why a data security strategy could self-destruct, not the least of which is a new breed of highly motivated data thieves who stand to make a considerable profit on customer and other sensitive information in data centers. We&#039;re often so mired with putting out data security and compliance fires that we don&#039;t have time to step back and look at the high-level issues that could have prevented many of those fires from igniting in the first place.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/742229&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 10 Nov 2008 13:08:00 EST</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/742229</guid>
</item>
<item>
 <title>Layer 7 Technologies Expands SOA Into Belgian Market</title>
 <link>http://in.sys-con.com/node/576281</link>
 <description>Layer 7 Technologies announced its go-to-market partnership with Steria Benelux. Steria will act as a channel partner for Layer 7&#039;s SOA gateway products in Belgium to offer leading SOA security, governance solutions and support to its current and prospective customers.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/576281&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 28 May 2008 15:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/576281</guid>
</item>
<item>
 <title>SOA World - SOA SDLC: On-Demand</title>
 <link>http://in.sys-con.com/node/573470</link>
 <description>Spending time with my parents over the holidays got me thinking about the differences between this generation and the previous one. My parents expect to spend a certain amount of time and effort managing certain aspects of their lives. For example, when they drive to an unfamiliar vacation spot, they inquire about directions and even write or plot the route before they head out. Whereas for me, it is a matter of popping out an iPhone or a GPS device, saving time, improving accuracy, and avoiding the mistakes of manually drafting the directions.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/573470&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 22 May 2008 08:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/573470</guid>
</item>
<item>
 <title>Testing Process Orchestrations Based on the BPEL Standard</title>
 <link>http://in.sys-con.com/node/558772</link>
 <description>Composite applications are made up of discrete services that have been tried and proven reliable, but building an orchestration that incorporates services that come from several sources, some of them outside of the company, could introduce testing hazards beyond just bad output. For example, let&#039;s say that your business has a process that includes activities to run a credit check with an external credit agency or to schedule a package delivery with an external shipping service.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/558772&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 05 May 2008 18:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/558772</guid>
</item>
<item>
 <title>Is SOA Ready to Move from the Whiteboards and into Production IT?</title>
 <link>http://in.sys-con.com/node/413773</link>
 <description>Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/413773&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 20 Aug 2007 08:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/413773</guid>
</item>
<item>
 <title>Security in a SOA</title>
 <link>http://in.sys-con.com/node/355645</link>
 <description>As the name suggests, a Service Oriented Architecture is one where application functionality is packaged as autonomous services that adhere to industry standard interfaces (WSDL, SOAP), and the services are then deployed in an IT architecture that makes for their most effective use.  The component services can be rapidly reused and composited, plugged and played as it were, to create new business offerings and they can be individually upgraded for increased business agility. However, to achieve the promise of a SOA it&#039;s imperative that critical non-business logic-related functionality, the foremost of which is security, should also be provided and used as a service. And for this to occur it has to be externalized, accessed, and managed independently from the business logic-related services.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/355645&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 14 Apr 2007 16:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/355645</guid>
</item>
<item>
 <title>SOA Access Control Policy Management</title>
 <link>http://in.sys-con.com/node/284576</link>
 <description>When SOAP-based Web Services solutions began appearing five years ago, one of the major challenges was securely propagating end-user identity in Web Service chaining scenarios. Certainly a user could authenticate to a portal, and that portal could talk to a Web Service that talks to another Web Service that talks to another Web Service (and so on), but the big question was - how could each point in the Web Service chain be assured who the requesting end user really was?&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/284576&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 19 Oct 2006 13:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/284576</guid>
</item>
<item>
 <title>Build Management Is Critical to Developing an SOA Enterprise</title>
 <link>http://in.sys-con.com/node/284562</link>
 <description>Developing under a Service Oriented Architecture (SOA) is different from traditional development. A large set of business changes will now be funneled through a relatively small number of enterprise services. An inefficient or bad build system can impact a greater number of business changes. As services are exposed to more consumers, and so to more potential threats, having a robust and secure development environment is more important than ever. Centralized role-based control of builds and reporting of build activities is critical for incorporating a greater number of changes and managing the security and auditability of Web Services.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/284562&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 16 Oct 2006 12:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/284562</guid>
</item>
<item>
 <title>Creating Secure Web Service Sessions</title>
 <link>http://in.sys-con.com/node/250516</link>
 <description>Over the past five years, the promise of enterprise information sharing has made great strides with the evolution of Web Services and the promise of Service Oriented Architectures (SOA), an architectural shift that moves us away from point-to-point client/server systems.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/250516&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 10 Aug 2006 12:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/250516</guid>
</item>
<item>
 <title>McAfee&#039;s Foundstone Professional Services to Launch Free Web Service Tools</title>
 <link>http://in.sys-con.com/node/236490</link>
 <description>McAfee, the leading dedicated security company, announced that Foundstone Professional Services will launch a series of free tools that teach developers, programmers, architects and security professionals how to create more secure software. The tools will also review the root causes of increasingly prolific crimes such as e-shoplifting, session hijacking and identity theft.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/236490&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 15 Jun 2006 11:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/236490</guid>
</item>
<item>
 <title>WS Security Performance</title>
 <link>http://in.sys-con.com/node/204424</link>
 <description>The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation&#039;s messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.&lt;p&gt;&lt;a href=&quot;http://in.sys-con.com/node/204424&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 17 Apr 2006 11:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://in.sys-con.com/node/204424</guid>
</item>
</channel>
</rss>