RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event.  I think the write-ups ended up around 12000 words in total across the three days!  I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this some of the presentations had slight vendor bias, with a prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer term advanced threats (Advanced Persistent Threats – APT) at the expense of older, more stable technologies such as AV.  EMC is currently selling and promoting products in this area.  This was followed by Symantec who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two in that I completely agree AV is still important, but due to the maturity of the market and quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality.  By managing costs in established areas and looking for end point solutions that cover multiple vectors such as AV, firewalling, DLP etc., you should hopefully be able to free up budget to invest in some of the newer, more advanced tools or improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content.  Highlights for me included;

– Wireless hacking demos
– Man in the browser demos
– Discussion around the state of the industry
– Presentations on building a cyber-security capability and improving the way we in security can interact with the business
– Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary of the conference, I’ll finish with a few of what were, for me, the key take away points;

– Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation.  If you don’t know this how can you know what to protect and how?
– Following on from that, make sure you are protecting the right things and to the correct level.
– Read useful reports such as the Verizon Breach report – the data is frankly eye opening if you are not yet aware of the time most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise..)
– Become better at interfacing with the business – it is our job to make sure the decision makers at the highest level are aware of the risks and what they mean to our business / organisation.  Board level executives may choose to accept or ignore risks, but they should do so with a full awareness of the threat landscape and our risks.  If the business / the board are unaware of the risks to the environment this is 100% our failing.  If they accept a risk and we are breached it is on them, as they accepted the risk(s) with awareness they may be exploited.  If your organisation is exploited and the board / business were unaware then it is on us.
– Finally it reminded me how much I love IT security and creating secure solutions and environments!  Take pride in what you do and do it well; jobs, money and people’s identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!

K

Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K

An Awarding Week!

I had planned a wrap up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week..  A combination of some University coursework due Monday and some great news has meant little time for writing (well, non university writing anyway).  There will still be a wrap up for the RSA, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself I thought I would include the emails I was sent confirming the award as they probably cover it better than I could;

The first was from Luciano (J.R.) Santos, the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was an information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.   Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.  

We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

Best Regards,

Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director –

Thank you all for your efforts.  To narrow this list down to 6 globally
was a major chore and you should be proud. Volunteerism for the common
good is among the highest callings in our industry, and the CSA family
appreciates your outstanding contributions.  Please let us know if there
is anything that CSA can do for you.  As we continue to grow, we look
forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award, it really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

For those of you going to the CSA congress I look forward to seeing / meeting you in a couple of weeks; for everyone else, watch this space for the RSA conference wrap up and further writings on security and architecture.

K

RSA Conference Europe 2012 – Hacking Senior Management..

Hacking Senior Management – Selling Security to the Board

Brian Honan – CEO, BH Consulting

Security events are now very much mainstream news, consider stories about Anonymous, Sony (PlayStation network), Citibank, IMF, RSA etc..

Hacking / cracking has evolved from the early days of wanting to understand and make things better, through wanting personal fame / recognition, to wanting personal / organisational gain (criminals), national interests (spies) and ‘hacktivism’.  The threats have evolved to become a lot more serious.

Along with malicious threats, we also have to be aware of careless users: losing laptops and other devices, sending sensitive emails to the wrong recipient etc.

In addition to threats and users, organisations also have to comply with ever increasing levels of regulation both from industry (PCI-DSS) and governments (SOX etc.).

Topping this off is the fact that IT is ever more critical to all areas of business / organisation functioning.

This threat is well recognised right up to the US presidential level with President Obama quoted as saying;

“the cyber threat to our nation is one of the most serious economic and national security challenges we face.”

MI6 also addresses the UK parliament on these issues.

So given the level of the threats, and the fact that IT is a regular agenda item in the boardroom you would think that the reaction from management / the board would be –

‘Get this done! Here is the budget to fix things..’

However the response is more often than not apathy or the head in the sand.

Why is this?

Are we doing something wrong as a security industry?

Hacking systems == Easy

Hacking applications == Easy

Hacking management != Easy

We often think management isn’t clever if they don’t understand the issues.  This is not true; senior leadership is usually intelligent and educated, and also very busy.

How do we solve this?

We must get inside their heads and understand their drivers.  These are things like profit and loss, audits, reports to shareholders etc.

We like to talk about 0-days, attacks, hackers, exploits, worms etc.

When we talk like this management hear BLAH BLAH BLAH…

They think money; we are very bad at this.  Do we consider on-going maintenance costs as well as the initial cost?

In order to hack a system you need to understand it!

Thoughts on how;

– We (IT / IT security) must get better at understanding the business.  Make sure you understand your business strategy and plans.
– We must reduce the FUD (Fear, Uncertainty and Doubt); the sky is not always falling – be realistic and talk in business terms.
– Focus on the benefits, e.g. if we do this and implement that we’ll reduce security incidents by XX and save £XX.
– Understand and explain the security trade-offs; you’ll never be 100% secure, so understand and explain what different choices mean.
– Act professionally – talk about improving assurance rather than penetration testing – use professional language and actions.
– Speak plainly and translate terminology.  Instead of “there is a 0-day vulnerability on the server that could give root privileges to the attacker”, try: “There is a vulnerability on the database server that manages our key financial data which could allow someone to view all of that data.”
– Engage with the business, don’t hide in the basement!  Present metrics and information back to the business about the benefits of our AV, DLP, proxy servers etc. – make the benefits we already provide and plan to provide much more visible.


To have secure systems and more importantly a secure organisation we all have to work together!

Thoughts about next steps from the talk;

Within 3 Months:
– Review How You Present Security Issues to Senior Management
– Focus on Cost and Benefits

Within 6 Months:
– Become More Visible With Management
– Align Information Security With Business

Within 12 Months:
– Get Approval for New Infosec Initiatives
– Have the Business Come to You !!

For security to become more successful, and indeed a key part of business process we need to become more professional and business minded.  We must engage better with the business and speak in the language and terms that they understand and care about.  These are great points and ones we as an industry really need to bear in mind if we want to become a more central part of our organisations.

K

RSA Conference Europe 2012 – How to Build a Cyber Intelligence Capability

Stewart Bertram – Cyber Intelligence Team Manager, VeriSign

Talk will cover;

The socio-technical approach to cyber intelligence team design / capability.

The growth of the influence of the intelligence team within the wider business context

Legal and reporting points

So just what is a Socio-technical system?

“an approach to complex organizational work design that recognizes the interaction between people, information and technology in workplaces”

So how should the new hypothetical cyber intelligence team be made up?

The talk proposes a combination of

– Computer Science folk
– Former military / intelligence
– Social science background / experience

While computer science people are the obvious choice that no one would argue with, what do the other two facets bring?

Military intelligence – Counter-insurgency experience, the battle for hearts and minds, human terrain analysis; this experience helps them to better know what to look for..

Social science – An understanding of social interactions and ‘networks’ – how groups of people interact and work together.  This is useful for both understanding the behaviour of your adversary groups, and also understanding how to get buy in from your organisation.

Your team should work to best leverage technology to do the heavy lifting and initial filtering so that they can look at detailed aggregated / fused information.  This allows them to use their skills and experience to make the best decisions and risk assessments.  If your team is spending their time looking at the base information, they will only be able to view a tiny amount of the data and thus you will frequently be surprised.

So, why are we even discussing a cyber-intelligence capability in the first place?  Is Cyber threat posing a greater risk than 10 years ago?

Yes.  Driven by the contextual change to the importance of cyber space to Western Society – we are hugely reliant on IT and the Web for almost all aspects of our lives now and this is only increasing.

Cyber intelligence teams used to exist on the periphery of the business or as a sub set of the IT security team.  Increasingly they are, or should be, core to the business and driving change across departments including IT, IT security, HR, Finance etc.

For further reading, the paper #intelligence by Sir David Omand et al is strongly recommended.

We need to ensure a balance is struck between online security and privacy.  Consider also where social media intelligence (SOCMINT) fits into your model;

“SOCMINT is not yet capable of making a decisive contribution to public security and safety.”

“SOCMINT does not fit easily into the existing systems we have developed to ensure intelligence collected can be confidently acted on.”

Consider also Open Source evaluation.

As with any intelligence, you need to consider the quality of the intelligence and the quality of the source.

If you are going to perform any of this directed or semi directed monitoring of social media you need to understand the legal issues surrounding it, and have a legal framework in place within your organisation.

As a closing comment the talk stated;

“If today is the information age then tomorrow will be the intelligence age”

Overall this talk was a little light and glossed over quite a bit, but then it was a huge topic to cover in 50 minutes, and I realised the speaker wrapped up within 30 minutes..  This would definitely have benefited from taking the full allotted time.  However there were several good points raised and definitely things to think about – how would this fit into your organisation?

K

RSA Conference Europe 2012 – Adversary ROI

Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Joshua Corman – Director, Security Intelligence, Akamai Technologies
David Etue – VP, Corporate Development Strategy, SafeNet

The premise of this talk is that adversaries have developed better ROI models than we have relating to our security spend..

As an organisation we cannot protect everything.  We have scarce security resources.  Are we protecting our most critical assets?  Think like our adversaries – what is important to them, not just what we think is important to us.  It is not just about what you have done, but WHO is after you..

Why does security ROI fail?  Security provides protection; it is not a profit centre..

Does ROSI (Return on Security Investment) improve things?

ROSI = ((Risk Exposure * % Risk Mitigated) – Solution cost) / Solution cost.

However in the real world, much of the risk exposure and risk mitigation have to be educated guesses at best.  So how accurate can we ever be?

The adversary does not care about your ROI / ROSI; they are results orientated, and all they care about is whether they can get the assets of yours that they want and achieve an ROI that is acceptable to them.

Thinking about adversary ROI came about from looking at risk – A risk requires a threat and a vulnerability that results in a negative consequence.  As we have finite resources we must optimise the risk equation for our success.

Consider what a “threat” is.  It was proposed that a threat is an Actor with a Capability and a Motive.  Stuxnet, ‘0-days’ etc. are the ‘bullets’; without the actor they would do nothing..

While adversaries have limited resources, consider the adage, ‘why spend $40M on it if you can steal it for $1M?’.  There are many criminal organisations willing to spend $1M+ on a single exploit if the return makes this worthwhile.

Adversary ROI = ((Attack Value – Cost of attack) / Cost of attack) * Probability of Success – Deterrence Measures

where Attack Value = Value of assets compromised + adversary value of operational impact, and Deterrence Measures = % chance of getting caught * Cost of getting caught.
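To show the two formulas from this talk side by side (the defender’s ROSI above and the adversary ROI here), this is an added worked example, not code from the talk or the speakers: it applies both to a small constructed asset inventory and two constructed actor profiles, so the ranking the business would produce from its own valuations can be compared with the ranking each actor class would produce.  All figures are made up, and the cost of getting caught is expressed as a multiple of the attack cost (an assumption, so that the deterrence term is a ratio like the rest of the formula).

```python
"""Added example: defender ROSI vs adversary ROI on a constructed inventory."""
from dataclasses import dataclass, field


def rosi(risk_exposure: float, pct_mitigated: float, solution_cost: float) -> float:
    """ROSI = ((Risk Exposure * % Risk Mitigated) - Solution cost) / Solution cost.
    pct_mitigated is a fraction (0.0 - 1.0); money values share one currency."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    return ((risk_exposure * pct_mitigated) - solution_cost) / solution_cost


def adversary_roi(asset_value: float, operational_impact_value: float,
                  attack_cost: float, p_success: float,
                  p_caught: float, cost_caught: float) -> float:
    """Adversary ROI as stated on the slide:
        ((Attack Value - Cost of attack) / Cost of attack) * P(success)
          - (P(caught) * Cost of getting caught)
    Attack Value = value of assets compromised + adversary value of the
    operational impact.  ASSUMPTION (not from the talk): cost_caught is a
    multiple of attack_cost, so the deterrence term is a ratio too."""
    if attack_cost <= 0:
        raise ValueError("attack cost must be positive")
    attack_value = asset_value + operational_impact_value
    gain_ratio = (attack_value - attack_cost) / attack_cost
    deterrence = p_caught * cost_caught
    return gain_ratio * p_success - deterrence


@dataclass
class Asset:
    name: str
    defender_value: float            # what the business thinks it is worth


@dataclass
class ActorProfile:
    """One actor class (States, Crime, Hacktivists...) and how it values things."""
    name: str
    p_caught: float
    cost_caught: float               # multiple of attack cost (see assumption)
    asset_value: dict = field(default_factory=dict)   # asset -> value to the actor
    impact_value: dict = field(default_factory=dict)  # asset -> value of disruption
    attack_cost: dict = field(default_factory=dict)   # asset -> cost to attack it
    p_success: dict = field(default_factory=dict)     # asset -> chance of success


# Constructed inventory and actor profiles: illustrative numbers only.
ASSETS = [
    Asset("card data", 2_000_000),
    Asset("product designs", 5_000_000),
    Asset("public website", 200_000),
]

CRIME = ActorProfile(
    name="organised crime", p_caught=0.05, cost_caught=10,
    asset_value={"card data": 1_500_000, "product designs": 100_000, "public website": 0},
    impact_value={"card data": 0, "product designs": 0, "public website": 20_000},
    attack_cost={"card data": 100_000, "product designs": 250_000, "public website": 5_000},
    p_success={"card data": 0.5, "product designs": 0.3, "public website": 0.9},
)

STATE = ActorProfile(
    name="state sponsored", p_caught=0.02, cost_caught=2,
    asset_value={"card data": 50_000, "product designs": 8_000_000, "public website": 0},
    impact_value={"card data": 0, "product designs": 0, "public website": 10_000},
    attack_cost={"card data": 100_000, "product designs": 400_000, "public website": 5_000},
    p_success={"card data": 0.5, "product designs": 0.6, "public website": 0.9},
)


def rank_by_defender_value(assets):
    """Priority order if the business only looks at its own valuation."""
    return [a.name for a in sorted(assets, key=lambda a: a.defender_value, reverse=True)]


def rank_by_adversary_roi(assets, actor):
    """Priority order the given actor class would derive for the same assets."""
    scored = {}
    for a in assets:
        scored[a.name] = adversary_roi(
            actor.asset_value[a.name], actor.impact_value[a.name],
            actor.attack_cost[a.name], actor.p_success[a.name],
            actor.p_caught, actor.cost_caught)
    return sorted(scored, key=scored.get, reverse=True)


if __name__ == "__main__":
    print("defender view    :", rank_by_defender_value(ASSETS))
    for actor in (CRIME, STATE):
        print(f"{actor.name:17}:", rank_by_adversary_roi(ASSETS, actor))
    # A control mitigating 40% of a 1,000,000 exposure at a cost of 250,000.
    print("ROSI of that control:", rosi(1_000_000, 0.4, 250_000))
```

With these constructed figures the business ranks product designs first, organised crime ranks card data first and the state actor ranks product designs first, which is the talk’s point that the right focus depends on who is after you.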

Discussion around profiling a particular Actor or class of actors; the chain runs as follows:

Actor Classes (States, Crime, Hacktivists…) have Motivations (Financial, Industrial, Ideological…), which define their Targets (Credit card #s, Intellectual property, Cyber Infrastructure…), with various Impacts (Reputational, Personal, Availability…), via many Methods (Tools “Metasploit”, Phishing, Malware, Physical…).

Using methods like this to understand who is likely to be attacking you, and why, can be a great aid to your risk assessment activities.

Consider the already discussed ‘HD Moore’s Law’, suggesting that attacker power increases exponentially, doubling every 18 months (as with Moore’s law for CPU power).  The ability or strength of the casual attacker grows at the rate of software and tools such as Metasploit, Cain, Pineapple etc.

Does it matter who is attacking?  Yes; as an example, in the survey of top threats, abuse of system access / privileges was number 18 in the overall list, so if you choose to try and mitigate the top 10 you may miss this one.  However for those wishing to steal intellectual property and classified information this was the number one attack.  Knowing who is trying to attack you, and why, will help ensure you have the correct focus for your very finite security budget and resources.

While patching is important, once we have patching in order do we need to keep looking at this as one of our key security metrics?  For example 25% of current breaches are via SQL injection, how much effort is spent on application and code security?  What metrics do you have for ensuring the security of your applications?

I’d recommend reviewing the Verizon Business Data Breach Investigations Report for more information on breaches and breach types etc.  This contains a lot of very useful information to aid your understanding of the current landscape.

Have a look at some of these interesting free tools that can help with your security defences;

WebLabyrinth – http://code.google.com/p/weblabyrinth/

FOG Computing – http://sneakers.cs.columbia.edu:8080/fog/

SCIT: Self Cleansing Intrusion Tolerance – http://cs.gmu.edu/~asood/scit/

Honeyports – http://honeyports.sourceforge.net/

I don’t have time to cover all of these here, but have a look for yourselves if you want some more tools to make attackers lives considerably more difficult should they get onto your networks.

So, how do we best get non security executives involved?  Some questions you can put to them to get the conversation started;

– What protected or sensitive information do we have?
– What adversaries desire the information and why?
– What is the value of the information to the organization?
– How would the adversary value it?
– What are the adversary’s capabilities?
– What controls protect the information?

Summary and next steps;

Remember these are ways to enrich and complement your existing security, not instead of it!

– Start with a blank slate
– Engage non security people – you must have executive buy in, and should aim to gradually make security front and centre as part of the corporate culture
– Identify your most likely adversaries and thus their likely motivations – work with other businesses in your industry – information and knowledge sharing!
– Obtain and share adversary centric intelligence;
  • Threat intelligence
  • Brand chatter monitoring
  • Information sharing
– Simulate adversary-driven scenarios – improve on your penetration testing.

K

RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability, while still important has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – Javascript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.

Demo against VMware 4.1 update 1.  Using a simple scan, you can find multiple VMware servers and consoles exposed directly to the internet; remember though that these attacks can easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks.  Do you have separate management, server, and database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.

To make things even easier tools like metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

– Stealth Access Point for Man-in-the-Middle attacks
– Mobile Broadband (3G USB) and Android Tethering
– Manage from afar with persistent SSH tunnels
– Relay or Deauth attack with auxiliary WiFi adapter
– Web-based management simplifies MITM attacks
– Expandable with community modules
– And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / VLAN.  I have personally used this to record (with approval of course!) VOIP calls in order to demonstrate the need to encrypt VOIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VOIP is not encrypted, why not?  Does your board know it is trivially easy to record their calls, or those of finance and HR etc., on your network?

Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc.  An example was finding Cisco passwords in Google docs files.  This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called the ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K