Cloud Security Alliance Congress Orlando 2012 pt4

Keynote day 2 – panel discussion around ‘Critical Infrastructure, National Security and the Cloud’.

Discussions around the role of ISPs in protecting the US from attacks, e.g. by dropping / blocking IP addresses or whole blocks of IP addresses from which attacks such as DDoS are originating.

Should they be looking more deeply into packets in order to prevent attacks?  What does this mean for net neutrality and freedom?

How does this apply to cloud service providers (CSPs)?  What happens when the CSP is subpoenaed by the courts / government to hand over data?  This is another reason why you should encrypt your data in the cloud and keep control of the keys yourself.  If the CSP only ever holds ciphertext, the court / government has to subpoena you directly as the data owner, which gives you the opportunity to argue your case before anyone gets access to your data.  Provider-managed encryption, where the CSP holds the keys, gives you none of this protection, as the provider can simply be compelled to decrypt.
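As an added illustration of the key-ownership point (example code written for this post, not something presented at the panel), here is envelope encryption in Go: each object gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that stays with the data owner, and only the ciphertext plus the wrapped DEK go to the provider.  The object names, the 256-bit key sizes and the in-memory "upload" are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the CSP gets to keep: the ciphertext and the data
// encryption key (DEK) wrapped under the owner's key encryption key (KEK).
// Without the KEK, which never leaves the data owner, neither part is useful.
type StoredObject struct {
	Name       string // object identifier, also bound into both AEAD tags
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// seal encrypts with AES-GCM under key, binding aad into the authentication tag
// and prepending the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob, the key or the aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// NewKey returns a fresh 256-bit key; used for both the KEK and each DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptForCloud runs on the owner's side: a per-object DEK encrypts the data,
// the KEK wraps the DEK, and only the StoredObject is uploaded.
func EncryptForCloud(kek, plaintext []byte, name string) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud also runs on the owner's side: unwrap the DEK with the KEK,
// then decrypt. The CSP, or anyone who compels the CSP, cannot perform this step.
func DecryptFromCloud(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", obj.Name, err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	kek, _ := NewKey() // in practice: an HSM or on-premises key manager
	obj, err := EncryptForCloud(kek, []byte("Q3 customer ledger"), "ledger-2012q3.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSP holds %d ciphertext bytes and a %d byte wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := DecryptFromCloud(kek, obj)
	fmt.Printf("owner decrypts: %q err=%v\n", pt, err)
	other, _ := NewKey()
	_, err = DecryptFromCloud(other, obj)
	fmt.Println("someone else's KEK:", err)
}
```

Because the object name is bound into both GCM tags as associated data, a provider (or a court order served on it) cannot even swap a wrapped key between objects or present one object's data under another's name without decryption failing.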

Should the cloud be defined as critical infrastructure?  If so, which parts, which providers etc.?  We will need to clearly define what critical infrastructure means when discussing the cloud.

Next discussion point was China.  Continuous economic growth means we are more and more involved in trade with China; however the panel's view was that Chinese actors are also stealing huge amounts of proprietary data across multiple industries, including manufacturing data that lets them copy what is made and how.  According to some vendor reports, 95% of all internet-based theft of intellectual property originates from China, from both Chinese governmental bodies and Chinese corporations.

Look up the Internet Security Alliance documentation around securing, monitoring and understanding your global manufacturing supply chain.  This document has been strongly resisted by both the Chinese Government and Chinese companies.  There is a clear need to protect sensitive information and work to reduce global supply chain risk.  The US Government is working on constant monitoring capabilities to help corporations monitor their global supply chains.

It was proposed that IP theft should be on the agenda for the G20 next year.  It was also proposed that the US and other countries should have an industrial policy, if they don’t already, that allows the military and intelligence communities to defend corporations and systems that are deemed part of the critical infrastructure.

Counterfeiting is also moving into cyberspace, what do we do with counterfeit infrastructure or counterfeit clouds?

————

A practical, step by step approach to implementing a private cloud

Preliminary points – have you ever decommissioned a security product?  How many components / agents does the “AV” software on your laptop now have?

Why is security not the default?

Why would you not just put everything in the public cloud? – Risk and compliance – you can outsource operations, but you cannot outsource responsibility!

This is where ‘private cloud’ options come into play.  You could also consider a ‘virtual private cloud’, where VPN technology and network isolation are used to create what is effectively a private cloud on public cloud infrastructure.

Many organisations have huge spare server capacity – typical findings are that 80% of servers are only used at 20% capacity.  You can create internal elasticity by making this spare capacity part of an internal, private cloud.

5 steps to a private cloud;

1. Identify a business need – what is your cloud driver?  What will benefit from:

–          Greater agility

–          Increased speed to develop and release

–          Elastic processes that vary greatly over time, such as peak shopping days or month-end processing

–          DevOps

–          Testing

–          Rapid prototyping

2. Assess your current infrastructure – is there excess capacity?  Is the hardware virtualisation ready?  Can your existing infrastructure scale?  (Note that a cloud can be physical rather than virtual if this is required.)  Is new cloud infrastructure needed?  What are your storage requirements?  What are your data recovery and portability requirements?  How will you support a private cloud with your existing security tools and processes (e.g. where do you plug in your IPS)?  Are your processes robust and scalable?  Can you monitor at scale?  Can you manage change at scale?

3. Define your delivery strategy – who are your consumers?  Developers, administrators, general employees, others?  The competency level of the consumers defines the delivery means (e.g. developers and admins may get a CLI, general employees may get a ‘one click’ web portal).  The delivery mechanism matters!  Create a service catalogue and ensure the back-end services are in place.

4. Transformation – you cannot forklift into the cloud: legacy applications that do not scale horizontally will not work, and more resources != greater performance.  Design in scale and security, modernise code and frameworks, re-test by simulating cloud scale and failures, and re-think automation and scale.

5. Operationalize – think about the complete service life-cycle, from deployment to destruction, and about resilience.  Where does security fit into this?  Everywhere, whether applications or services.  Secure design from the ground up, embedded into the architecture and design, means security is no longer on the critical path to deployment!

Overall this was an entertainingly presented talk that was a little light on detail / content, but I think the 5 points are worth bearing in mind if you are thinking of or implementing a private cloud in your organisation.

—————

Cloud security standards;

A talk giving an overview of some of the current standards relating to cloud security.  Below is a list of some of the cloud security standards / controls / architectures / guidance that you should be aware of if you are working with, or planning to work with, any sort of public cloud solution.

ITU – 

–          Cloud Security Reference Architecture

–          Cloud security framework

–          Guidelines for operational security

–          Identity management in cloud computing

ISO  –

–          27017 – guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002

–          27036-4 – Supply chain security: Cloud

–          27040 – Storage security

–          27018 – Code of practice for data protection controls for public cloud computing services

–          SC7 – Cloud governance

–          SC38 – the JTC 1 subcommittee for cloud computing

–          Controls for cloud computing security

–          Additional controls for 27001 compliance in the cloud

–          Implementation guidance for controls

–          Data protection implementation guidance

–          Supply chain guidance

NIST – 

–          800-125 – Guide to security for full virtualisation technologies

–          800-144 – Guidelines on security and privacy in public cloud computing

–          NIST cloud computing reference architecture (SP 500-292)

OASIS – 

–          Identity in the Cloud

ODCA (Open Data Center Alliance) – 

–          Provider assurance usage model

–          Security monitoring usage model

–          RFP requirements

CSA – 

–          Cloud Controls Matrix

–          Trusted cloud infrastructure

–          Security as a Service

–          Cloud trust protocol

–          Guidance document

The CSA Cloud Controls Matrix cross-references many of these standards: each cloud control area is listed with its control specification and the standards / regulations (e.g. ISO 27001, PCI DSS, NIST SP 800-53) that the specification maps to.

While a pretty dry topic, this is a useful reference list if you are looking for more information on cloud / cloud security related standards and guidance.

K

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

Some statistics and facts to set the scene;

–          Approximately 93.6% of currency in the global market is digital!

–          Only 6.4% of banking and commerce funds are available as cash and gold.

–          45% of US adults own a smartphone – 21% of phone users did mobile banking last year.

–          62% of all adults globally use social media.

–          Cloud ranks #1 in Gartner’s top strategic technologies – 60% of the public cloud will be serving software by 2018.

–          2015 predicted as the year when online banking will become the norm.

–          Nielsen Global Trust in Advertising report for 2012 – 28,800 respondents across 56 countries: online recommendations from known people and review sites are used and trusted by 80-90%+, while traditional media falls below 50% used and trusted.

–          The NSA were working on their own secure smartphone.  Those plans were scrapped and they are now working on how to effectively secure consumer smartphones.  Consumer mobile devices are everywhere!

Emerging innovations – cloud computing;

–          IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

–          By 2016 SaaS will account for 60% of the public cloud.

Cost savings are often cited as the reason for moving to the cloud; however other benefits like agility and access to more flexible compute power often mean cloud migrations enable better IT for the business, so you can do more.  Increased quality and profit result, but costs are likely to remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect; usually low tech, relying on legitimate access privileges.

Hacktivists – responsible for 58% of all data theft in 2011.

Organised crime – becoming frighteningly organised and business-like.

Nation states – since 2010 known nation-state-created malware has grown from 1 sample to 8, with 5 of those in 2012.  Nation states are now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

Organised Crime – Malware as a Service

Raw material (stolen data) → Distribution (botnet) → Manufacturer (R&D, code, product launch) → Sales and support (delivery, support such as MSI package installation and a helpdesk, marketing) → Customer (affiliates, auctions / forums, botnet rental / sales)

Crime meets mobile – Android: patchy updates as they are vendor dependent, and many pieces of malware, but Play Store security is getting better.

Nation states are becoming increasingly active in the world of malware creation.

So, Next generation Information Security;

–          Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

–          Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

–          Must have excellent human capabilities

–          Must be understandable – we need to explain this and ensure the board understands the risks and issues.  PwC survey: 42% of leadership think their organisation is a security front runner; 8% actually are.  70% of leadership think info sec is working well, while 88% of infosec think leadership is their largest barrier to success.

–          We cannot do this alone: Strong intelligence partnership management

Pending cybercrime legislation;

–          White house has stressed importance of new cyber security legislation.

–          Complex laws take time to review and pass; technology environments change fast.

–          Various Federal laws currently cover cybercrime – the Computer Fraud and Abuse Act, the Economic Espionage Act etc.

–          Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US-centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

Intelligence driven: the next phase in information security;

–          Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

–          Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

–          Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

–          Establish automated analytics and baseline the normal patterns of data movement in your organisation, so that deviations stand out

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

K

Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  It encompasses security, privacy, reliability and business practices.

Managing risk at all layers..

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that the provider has obtained third party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tom Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats;

–          52% of companies failed to report or remediate a cyber-breach in 2011 (this retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance
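To make “offence informs defence” concrete, the following is an added example (mine, written for this post; not Trend Micro’s code and not shown in the talk) of a two-level, rule-based correlator in Go: level-1 rules tag single log records with a kill chain stage, and a level-2 rule raises an alert only when one host shows several distinct stages within a time window.  The record format, the sensor names (mailgw, edr, proxy, netflow), the field names and the sample log lines are all constructed for the example and do not correspond to any real product.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Level-1 rules: one log record in, at most one kill chain stage out. The
// sensor names (mailgw, edr, proxy, netflow), field names and record format
// are assumptions made for this example, not any real product's schema.
var stageRules = []struct {
	re    *regexp.Regexp
	stage string
}{
	{regexp.MustCompile(`src=mailgw action=attachment name=\S+\.(exe|scr|jar)(\s|$)`), "Delivery"},
	{regexp.MustCompile(`src=edr action=child-process parent=(winword|excel|acrord32)\.exe`), "Exploitation"},
	{regexp.MustCompile(`src=proxy action=beacon`), "Command and Control"},
	{regexp.MustCompile(`src=netflow action=outbound-bytes .*bytes=\d{9,}`), "Exfiltration"}, // >= 100 MB out
}

type event struct {
	at    time.Time
	host  string
	stage string // empty when no level-1 rule fired
}

// parseLine expects "<RFC3339 time> host=<name> key=value ..." (assumed format).
func parseLine(line string) (event, error) {
	parts := strings.Fields(line)
	if len(parts) < 3 || !strings.HasPrefix(parts[1], "host=") {
		return event{}, fmt.Errorf("malformed record: %q", line)
	}
	at, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return event{}, err
	}
	ev := event{at: at, host: strings.TrimPrefix(parts[1], "host=")}
	rest := strings.Join(parts[1:], " ")
	for _, r := range stageRules {
		if r.re.MatchString(rest) {
			ev.stage = r.stage
			break
		}
	}
	return ev, nil
}

// Correlate is the level-2 rule: a host is reported, with its distinct stages in
// order of first appearance, only when at least minStages different stages occur
// inside one sliding window. A lone beacon never crosses the threshold; a chain does.
func Correlate(lines []string, minStages int, window time.Duration) (map[string][]string, error) {
	byHost := map[string][]event{}
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if ev.stage != "" {
			byHost[ev.host] = append(byHost[ev.host], ev)
		}
	}
	alerts := map[string][]string{}
	for host, evs := range byHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		for i := 0; i < len(evs) && alerts[host] == nil; i++ {
			seen, order := map[string]bool{}, []string{}
			for j := i; j < len(evs) && evs[j].at.Sub(evs[i].at) <= window; j++ {
				if !seen[evs[j].stage] {
					seen[evs[j].stage] = true
					order = append(order, evs[j].stage)
				}
			}
			if len(order) >= minStages {
				alerts[host] = order
			}
		}
	}
	return alerts, nil
}

// Constructed sample records: ws17 walks the chain, ws22 only beacons once.
var sampleLog = []string{
	"2012-11-06T08:12:41Z host=ws17 src=mailgw action=attachment name=invoice.pdf.exe",
	"2012-11-06T08:15:03Z host=ws17 src=edr action=child-process parent=winword.exe child=cmd.exe",
	"2012-11-06T08:16:10Z host=ws17 src=proxy action=beacon dst=198.51.100.7 interval=60s",
	"2012-11-06T13:40:55Z host=ws17 src=netflow action=outbound-bytes dst=198.51.100.7 bytes=734003200",
	"2012-11-06T09:00:00Z host=ws22 src=proxy action=beacon dst=203.0.113.9 interval=300s",
	"2012-11-06T09:30:00Z host=ws22 src=proxy action=allow dst=www.example.com",
}

func main() {
	alerts, err := Correlate(sampleLog, 3, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for host, stages := range alerts {
		fmt.Printf("ALERT host=%s stages=%s\n", host, strings.Join(stages, " -> "))
	}
}
```

The point of the two levels is that each individual record here (a dodgy attachment, an Office child process, one beacon) is noise on its own and would be tuned out in a flat rule set, whereas the sequence on a single host is exactly the campaign the kill chain describes.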

Advanced Malware examples include;

– IXESHE – the attackers behind this campaign use compromised hosts inside the target organisation’s network as relays to control other systems.

– Jacksbot – Java-based bot malware that is multi-platform across multiple O/Ss, possibly including mobile (to check).

We need to conduct more tests and assessments of our own environments using the same tooling the attackers use – Zeus, the Blackhole exploit kit, Metasploit, SpyEye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android framework for exploitation (BYOD = BYOM, Bring Your Own Malware)

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, inter-VM attacks, ‘instant-on’ gaps where a dormant VM is powered back on having missed patches)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          Is MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?
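Two of the questions above, log inspection and file integrity monitoring, are easy to answer ‘yes’ to on paper and harder to actually run.  As an added example (written for this post, not part of the Trend Micro talk), here is the core of a file integrity monitor in Go: hash a tree into a baseline, hash it again later, and report what was added, removed or modified.  The directory layout, the file contents and the simulated tampering are constructed for the example and live in a temporary directory, so nothing on the real system is touched.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Snapshot walks root and returns relative path -> SHA-256 of content for every
// regular file. WalkDir does not follow symlinks, so a link dropped into the
// tree shows up as a change rather than silently hashing its target. Files are
// read whole for brevity; stream them through sha256.New() for large trees.
func Snapshot(root string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sums[filepath.ToSlash(rel)] = fmt.Sprintf("%x", sha256.Sum256(data))
		return nil
	})
	return sums, err
}

// Diff compares a stored baseline against a fresh snapshot and returns
// path -> "added" | "removed" | "modified" for every difference.
func Diff(baseline, current map[string]string) map[string]string {
	changes := map[string]string{}
	for p, sum := range baseline {
		switch cur, ok := current[p]; {
		case !ok:
			changes[p] = "removed"
		case cur != sum:
			changes[p] = "modified"
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			changes[p] = "added"
		}
	}
	return changes
}

// Demo builds a throwaway tree in a temp dir, baselines it, simulates what an
// intruder typically does afterwards (weaken a config, drop a persistence
// file, remove audit rules) and returns what Diff detects. Real system files
// are never touched; the paths are only named to look familiar.
func Demo() (map[string]string, error) {
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	write := func(rel, body string) error {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(body), 0o644)
	}
	var baseline map[string]string
	steps := []func() error{
		func() error { return write("etc/ssh/sshd_config", "PermitRootLogin no\n") },
		func() error { return write("etc/audit/audit.rules", "-w /etc/passwd -p wa\n") },
		func() error { return write("bin/httpd", "pretend this is a binary\n") },
		func() (err error) { baseline, err = Snapshot(root); return err }, // baseline taken here
		func() error { return write("etc/ssh/sshd_config", "PermitRootLogin yes\n") },
		func() error { return write("etc/cron.d/persist", "* * * * * root /tmp/.x\n") },
		func() error { return os.Remove(filepath.Join(root, "etc/audit/audit.rules")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return nil, err
		}
	}
	current, err := Snapshot(root)
	if err != nil {
		return nil, err
	}
	return Diff(baseline, current), nil
}

func main() {
	changes, err := Demo()
	if err != nil {
		panic(err)
	}
	for path, kind := range changes {
		fmt.Printf("%-9s %s\n", kind, path)
	}
}
```

In production the baseline would be stored and signed somewhere the monitored host cannot write to, the snapshot would run from a scheduled job or on inotify events, and the comparison would also cover ownership and mode bits; the hashing and diff logic stays the same, and unchanged files (bin/httpd above) produce no noise.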

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly sophisticated and we need to work hard to not just keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered, as the points around creating business cases and defining value in business rather than IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe;

  1. Define the business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – this must be business driven, not IT driven
  3. Inventory data – technical and consultative.  DLP was mentioned as one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (other dimensions such as geography can be used as well)
  6. Associate data access with business processes, users and roles
  7. Determine the standard control requirements for each data set
  8. Determine the feasible controls for each cloud environment, e.g. you can implement far fewer of your own controls in a SaaS environment than in IaaS
  9. For each data set, identify an acceptable platform based on the required controls and the security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

K

Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months..  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

In terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content was also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts, in order to get these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

–          What do you do if you have a security incident in a faraway country?  Your law enforcement / government has no jurisdiction there.  eBay’s security / incident response and investigation teams have contributed to the indictment of over 3000 people globally.

–          Have to create capabilities to share vital information globally

–          Computation is changing

  • Exponential data growth and big data

–          Adversary is professional, Global and Collaborative

  • We are all fighting alone

–          Threat continues to increase

–          Business environment is changing

–          Change the way you think!

  • Can we make attack data anonymous enough that it can be shared in a meaningful way to help others and improve overall understanding and security?

–          Look at things like CloudCERT

Computing is changing;

–          Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc..

–          Driven by cost savings and need to be competitive in a global marketplace

–          Virtualisation – Mobile – BYOD (explosion of devices)

–          Increasing reliance on Browser

  • Secure browser ‘app’ vs. URL (apps vs. things like HTML5)
  • Do we start building apps / browsers dedicated to specific critical / risky tasks such as banking, or online shopping with card details?  The claim was that this would stop XSS, though a dedicated client only narrows the attack surface; an XSS flaw in the bank’s own web application still has to be fixed server side.

Exponential data growth – Big data

–          In 2010 humanity’s data passed 1 zettabyte (1 with 21 zeros after it).

–          Estimated volume in 2015 – 7.9ZB

–          Number of servers expected to grow by 10x over the next 10 years.

Threat escalation;

  • Malware 26M in 2011 – 2.166M/mo. – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legacy apps you use be around?

–          Mobile

  • First attacks on O/S
  • First mobile drive by downloads
  • Malicious programs in App stores
  • First mass Android worm

–          Attacks built in the Cloud are invisible, and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this?  To prevent attacks being built on their platforms, CSPs would need some visibility into what you are doing.  Would you want this?

Business Environment Changes

–          Drive to innovate

  • Scrums, agile computing initiatives change the way we work
  • Security needs to work in a more agile way

–          Rapid delivery of features and functions

  • Build securely – not build and test

–          Impact of Intense, Global competition

–          SMBs are the foundation of US recovery but need help

–          Blurring of home/personal and work

Six Irrefutable Laws of Information Security;

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get.  Again this highlights the point that you will be hacked.

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

–          Global perspective

  • Not National
  • Not Government

–          Global Information Sharing

  • Sources
  • Solutions

–          Intelligence based security

  • Strategy and Budget

–          We MUST eliminate the obstacles!

Global Information Sharing

–          We have been trying for decades

–          How do we establish trust

  • Methods to make data anonymous
  • Attack data sharing

–          Who shares?

  • Needs of SMBs

–          Role of Governments (pass treaties around data sharing and cross boundary working)

–          Benefits go far beyond incident response

Incident response in the Cloud;

–          Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

–          Consider model you use – IaaS / PaaS / SaaS and what this means

–          Network control

–          Log correlation and analysis – where are these, who owns them, who can access them..

–          Roles and responsibilities

–          Access to event data, images etc.  When will you find out about issues and breaches?

–          Application functioning in the cloud – consider the impacts of applications running in shared and / or very horizontally scalable environments.

–          Virtualisation benefits and issues

–          Capabilities and limitations of your provider

Get Involved!

–          CSA and Cloud CERT

  • Role critical
  • Participation
  • Partnerships

–          Government initiatives

  • US
  • EU

–          Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm Harkins) around security, covering areas including understanding the world and providing a reasonable level of protection (inc. BYOD, the need to be agile etc.)

Summary;

–          Remove Obstacles

–          Build subject matter expertise

–          Global sharing is critical to success

  • Who will attack you, using what methods in 2013?
  • Where should you spend your time / money?
  • Intelligence based security

–          Security sophistication must keep pace with attack sophistication!

K

RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event.  I think the write ups ended up around 12000 words in total across the three days!  I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this some of the presentations had slight vendor bias, with a prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer term advanced threats (Advanced Persistent Threats – APT) at the expense of older more stable technologies such as AV.  EMC is currently selling and promoting products in this area.  This was followed by Symantec who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two in that I completely agree AV is still important, but due to the maturity of the market and quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality.  By managing costs in established areas and looking for end point solutions that cover multiple vectors such as AV, firewalling, DLP etc.  you should hopefully be able to free up budget to invest in some of the newer more advanced tools or improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content.  Highlights for me included;

–          Wireless hacking demos

–          Man in the browser demos

–          Discussion around the state of the industry

–          Presentations on building a cyber-security capability and improving the way we in security can interact with the business

–          Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary of the conference, I’ll finish with a few of what were, for me, the key take away points;

–          Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation.  If you don’t know this how can you know what to protect and how?

–          Following on from that, make sure you are protecting the right things and to correct level.

–          Read useful reports such as the Verizon Breach report – the data is frankly eye opening if you are not yet aware of the time most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise..)

–          Become better at interfacing with the business – it is our job to make sure the decision makers at the highest level are aware of the risks and what they mean to our business / organisation.  Board level executives may choose to accept or ignore risks, but they should do so with a full awareness of the threat landscape and our risks.  If the business / the board are unaware of the risks to the environment this is 100% our failing.  If they accept a risk and we are breached it is on them, as they accepted the risk(s) with awareness they may be exploited.  If your organisation is exploited and the board / business were unaware then it is on us.

–          Finally it reminded me how much I love IT security and creating secure solutions and environments!  Take pride in what you do and do it well; jobs, money and peoples identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!

K

Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K

An Awarding Week!

I had planned a wrap up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week.  A combination of some University coursework due Monday and some great news have meant little time for writing (well, non university writing anyway).  There will still be a wrap up for the RSA, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself I thought I would include the emails I was sent confirming the award, as they probably cover it better than I could;

The first was from Luciano (J.R.) Santos, the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was an information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.   Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.  

 We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

 Best Regards,

 Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director

Thank you all for your efforts.  To narrow this list down to 6 globally
was a major chore and you should be proud. Volunteerism for the common
good is among the highest callings in our industry, and the CSA family
appreciates your outstanding contributions.  Please let us know if there
is anything that CSA can do for you.  As we continue to grow, we look
forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award.  It really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

For those of you going to the CSA congress I look forward to seeing / meeting you in a couple of weeks; for everyone else, watch this space for the RSA conference wrap up and further writings on security and architecture.

K

RSA Conference Europe 2012 – Hacking Senior Management..

Hacking Senior Management – Selling Security to the Board

Brian Honan – CEO, BH Consulting

Security events are now very much mainstream news, consider stories about Anonymous, Sony (PlayStation network), Citibank, IMF, RSA etc..

Hacking / cracking has evolved from the early days of wanting to understand and make things better, through wanting personal fame / recognition, to wanting personal / organisational gain (criminals), national interests (spies) and ‘hacktivism’.  The threats have evolved to become a lot more serious.

Along with malicious threats, we also have to be aware of careless users: losing laptops and other devices, sending sensitive emails to the wrong recipient etc.

In addition to threats and users, organisations also have to comply with ever increasing levels of regulation, both from industry (PCI-DSS) and governments (SOX etc.).

Topping this off is the fact that IT is ever more critical to all areas of business / organisation functioning.

This threat is well recognised right up to the US presidential level with President Obama quoted as saying;

“the cyber threat to our nation is one of the most serious economic and national security challenges we face.”

MI6 has also addressed UK Parliament on these issues.

So given the level of the threats, and the fact that IT is a regular agenda item in the boardroom you would think that the reaction from management / the board would be –

‘Get this done! Here is the budget to fix things..’

However the response is more often than not apathy or the head in the sand.

Why is this?

Are we doing something wrong as a security industry?

Hacking systems == Easy

Hacking applications == Easy

Hacking management != Easy

We often think management isn’t clever if they don’t understand the issues.  This is not true; senior leadership are usually intelligent and educated, and also very busy.

How do we solve this?

We must get inside their heads and understand their drivers.  These are things like profit and loss, audits, reports to shareholders etc.

We like to talk about 0-days, attacks, hackers, exploits, worms etc.

When we talk like this management hear BLAH BLAH BLAH…

They think in terms of money, and we are very bad at this.  Do we consider on-going maintenance costs as well as the initial cost?

In order to hack a system you need to understand it!

Thought on how;

–          We (IT / IT security) must get better at understanding the business.  Make sure you understand your business strategy and plans.

–          We must reduce the FUD (Fear Uncertainty and Doubt), the sky is not always falling – be realistic and talk in business terms.

–          Focus on the benefits, e.g. if we do this and implement that we’ll reduce security incidents by XX and save £XX.

–          Understand and explain the security trade-offs, you’ll never be 100% secure so understand and explain what different choices mean.

–          Act professionally – talk about improving assurance rather than penetration testing – use professional language and actions.

–          Speak plainly and translate terminology.  Instead of “there is a 0-day vulnerability on the server that could give root privileges to the attacker”, try: “there is a vulnerability on the database server that manages our key financial data which could allow someone to view all of that data”.

–          Engage with the business, don’t hide in the basement!  Present metrics and information back to the business about the benefits of our AV, DLP, proxy servers etc. – make the benefits we already provide and plan to provide much more visible.


To have secure systems and more importantly a secure organisation we all have to work together!

Thoughts about next steps from the talk;

Within 3 Months:

–          Review How You Present Security Issues to Senior Management

–          Focus on Cost and Benefits

Within 6 Months

–          Become More Visible With Management

–          Align Information Security With Business

Within 12 Months

–          Get Approval for New Infosec Initiatives

–          Have the Business Come to You !!

For security to become more successful, and indeed a key part of business process we need to become more professional and business minded.  We must engage better with the business and speak in the language and terms that they understand and care about.  These are great points and ones we as an industry really need to bear in mind if we want to become a more central part of our organisations.

K

RSA Conference Europe 2012 – How to Build a Cyber Intelligence Capability

Stewart Bertram – Cyber Intelligence Team Manager, VeriSign

Talk will cover;

The socio-technical approach to cyber intelligence team design / capability.

The growth of the influence of the intelligence team within the wider business context

Legal and reporting points

So just what is a Socio-technical system?

“an approach to complex organizational work design that recognizes the interaction between people, information and  technology in workplaces”

So how should the new hypothetical cyber intelligence team be made up?

The talk proposes a combination of

–          Computer Science folk

–          Former military / intelligence

–          Social science background / experience

While computer science people are the obvious choice that no one would argue with, what do the other two facets bring?

Military intelligence – Counter-insurgency experience, the battle for hearts and minds, human terrain analysis; this experience helps them to better know what to look for.

Social science – An understanding of social interactions and ‘networks’ – how groups of people interact and work together.  This is useful for both understanding the behaviour of your adversary groups, and also understanding how to get buy in from your organisation.

Your team should work to best leverage technology to do the heavy lifting and initial filtering so that they can look at detailed aggregated / fused information.  This allows them to use their skills and experience to make the best decisions and risk assessments.  If your team is spending their time looking at the base information, they will only be able to view a tiny amount of the data and thus you will frequently be surprised.

So, why are we even discussing a cyber-intelligence capability in the first place?  Is Cyber threat posing a greater risk than 10 years ago?

Yes.  Driven by the contextual change to the importance of cyber space to Western Society – we are hugely reliant on IT and the Web for almost all aspects of our lives now and this is only increasing.

Cyber intelligence teams used to exist on the periphery of the business or as a subset of the IT security team.  Increasingly they are, or should be, core to the business and driving change across departments including IT, IT security, HR, Finance etc.

For further reading, the paper #intelligence by Sir David Omand et al is strongly recommended.

We need to ensure a balance is struck between online security and privacy.  Consider also where social media intelligence (SOCMINT) fits into your model;

“SOCMINT is not yet capable of making a decisive contribution to public security and safety.”

“SOCMINT does not fit easily into the existing systems we have developed to ensure intelligence collected can be confidently acted on.”

Consider also Open Source evaluation.

As with any intelligence, you need to consider the quality of the intelligence and the quality of the source.

If you are going to perform any of this directed or semi directed monitoring of social media you need to understand the legal issues surrounding it, and have a legal framework in place within your organisation.

As a closing comment the talk stated;

“If today is the information age then tomorrow will be the intelligence age”

Overall this talk was a little light and glossed over quite a bit, but then it was a huge topic to cover in 50 minutes, and I realised the speaker wrapped up within 30 minutes..  This would definitely have benefited from taking the full allotted time.  However there were several good points raised and definitely things to think about – how would this fit into your organisation?

K

RSA Conference Europe 2012 – Adversary ROI

Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Joshua Corman – Director, Security Intelligence, Akamai Technologies
David Etue – VP, Corporate Development Strategy, SafeNet

The premise of this talk is that adversaries have developed better ROI models than we have relating to our security spend..

As an organisation we cannot protect everything.  We have scarce security resources.  Are we protecting our most critical assets?  Think like our adversaries – what is important to them, not just what we think is important to us.  It is not just about what you have done, but WHO is after you.

Why does security ROI fail?  Security provides protection; it is not a profit centre.

Does ROSI (Return on Security Investment) improve things?

ROSI = ((Risk Exposure * % Risk Mitigated) – Solution cost) / Solution cost.

However in the real world, much of the risk exposure and risk mitigation figures have to be educated guesses at best.  So how accurate can we ever be?

The adversary does not care about your ROI / ROSI.  They are results orientated; all they care about is whether they can get the assets of yours that they want and achieve an ROI that is acceptable to them.

Thinking about adversary ROI came about from looking at risk – A risk requires a threat and a vulnerability that results in a negative consequence.  As we have finite resources we must optimise the risk equation for our success.

Consider what a “threat” is.  Proposed that it is an Actor with a Capability and a Motive.  Stuxnet, ‘0-days’ etc. are the ‘bullets’; without the actor they would do nothing.

While adversaries have limited resources, consider the adage ‘why spend $40M on it if you can steal it for $1M?’.  There are many criminal organisations willing to spend $1M+ on a single exploit if the return makes this worthwhile.

Adversary ROI = (((Attack Value – Cost of Attack) / Cost of Attack) × Probability of Success) – Deterrence Measures

where Attack Value = Value of assets compromised + adversary value of operational impact, and Deterrence Measures = % chance of getting caught × Cost of getting caught.
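To make the two formulas above concrete, here is an added worked example (not from the talk or the speakers; all figures, control names and the 1:1 “acceptable ROI” bar are constructed assumptions) that evaluates candidate controls by what they do to the adversary’s ROI as well as to our ROSI.  One caveat the talk’s formula leaves open: as quoted it subtracts a money amount (chance of getting caught × cost of getting caught) from a ratio, so the example expresses the cost of getting caught as a multiple of the attack cost to keep the terms commensurable.

```python
"""Added worked example (constructed figures, not from the talk): put the
defender's ROSI and the adversary's ROI side by side so a candidate control is
judged by what it does to the attacker's numbers, not only to ours."""
from dataclasses import dataclass, replace


def rosi(risk_exposure: float, pct_mitigated: float, solution_cost: float) -> float:
    """ROSI = ((Risk Exposure * % Risk Mitigated) - Solution cost) / Solution cost."""
    return ((risk_exposure * pct_mitigated) - solution_cost) / solution_cost


@dataclass(frozen=True)
class Attack:
    asset_value: float         # adversary's valuation of the assets compromised
    operational_impact: float  # adversary's valuation of the disruption they cause
    attack_cost: float         # exploit purchase, infrastructure, people
    p_success: float           # probability the campaign works
    p_caught: float            # probability of attribution with consequences
    cost_caught: float         # cost of getting caught, as a multiple of attack_cost (assumption)

    @property
    def attack_value(self) -> float:
        return self.asset_value + self.operational_impact


def adversary_roi(a: Attack) -> float:
    """The talk's formula:
        ((Attack Value - Cost of attack) / Cost of attack) * P(success)
            - (P(caught) * Cost of getting caught)
    As quoted it subtracts a money amount from a ratio, so cost_caught is
    expressed here as a multiple of attack_cost to keep the terms commensurable.
    """
    gain = ((a.attack_value - a.attack_cost) / a.attack_cost) * a.p_success
    deterrence = a.p_caught * a.cost_caught
    return gain - deterrence


@dataclass(frozen=True)
class Control:
    name: str
    solution_cost: float
    pct_mitigated: float  # our estimate of the risk exposure it removes (drives ROSI)
    effect: dict          # Attack fields it changes from the adversary's point of view


def evaluate(baseline: Attack, risk_exposure: float, controls, acceptable_roi: float):
    """Return (name, our ROSI, adversary ROI after the control, below their bar?)."""
    rows = []
    for c in controls:
        after = replace(baseline, **c.effect)
        adv = adversary_roi(after)
        rows.append((c.name,
                     round(rosi(risk_exposure, c.pct_mitigated, c.solution_cost), 2),
                     round(adv, 2),
                     adv < acceptable_roi))
    return rows


# Constructed scenario: an IP-motivated actor targeting a database of design data.
BASELINE = Attack(asset_value=2_000_000, operational_impact=0, attack_cost=250_000,
                  p_success=0.6, p_caught=0.02, cost_caught=10)
RISK_EXPOSURE = 1_000_000     # our annualised loss estimate for this scenario (assumed)
ACCEPTABLE_ROI = 1.0          # assumed: the adversary needs at least 1:1 to bother

CONTROLS = [
    # Best ROSI on paper, but this adversary comes in via a server exploit, so
    # it changes nothing in their calculation.
    Control("Extend endpoint AV", 40_000, 0.2, {}),
    # Patching/hardening lowers their odds and forces a dearer exploit.
    Control("Patch and harden the DB tier", 80_000, 0.3,
            {"p_success": 0.25, "attack_cost": 400_000}),
    # Ciphertext without the keys is worth little to them.
    Control("Encrypt data, keys held by us", 150_000, 0.5, {"asset_value": 200_000}),
    # Raises the odds of attribution only; nothing else changes.
    Control("Log, attribute and prosecute", 120_000, 0.1, {"p_caught": 0.15}),
]


def run_example():
    return evaluate(BASELINE, RISK_EXPOSURE, CONTROLS, ACCEPTABLE_ROI)


if __name__ == "__main__":
    print(f"baseline adversary ROI: {adversary_roi(BASELINE):.2f}")
    for name, our_rosi, adv, below in run_example():
        print(f"{name:32} ROSI {our_rosi:6.2f}  adversary ROI {adv:6.2f}  below bar: {below}")
```

Running it shows the talk’s point: the endpoint AV control has the highest ROSI of the four on our side of the ledger yet leaves this adversary’s ROI exactly where it was, while encrypting the data with keys we hold pushes their return negative even though its ROSI is lower.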

Discussion around profiling a particular Actor or class of actors;

Actor Classes (States, Crime, Hactivists…)

Have

Motivations (Financial, Industrial, Ideological…)

Which define their

Targets (Credit card #s, Intellectual property, Cyber Infrastructure…)

With various

Impacts (Reputational, Personal, Availability…)

Via many

Methods (Tools “Metasploit”, Phishing, Malware, Physical…)

Using methods like this to understand the who and why of who is likely to be attacking you can be a great aid to your risk assessment activities.

Consider the already discussed ‘HD Moore’s Law’, suggesting that attacker power increases exponentially, doubling every 18 months (as with Moore’s law for CPU power).  The ability or strength of the casual attacker grows at the rate of software and tools such as Metasploit, Cain, and Pineapple etc.

Does it matter who is attacking?  Yes, as an example in the survey of top threats, Abuse of System access / privileges was number 18 in the overall list, so if you chose to try and mitigate the top 10 you may miss this one.  However for those wishing to steal intellectual property and classified information this was the number one attack.  Knowing who is trying to attack you, and why will help ensure you have the correct focus for your very finite security budget and resources.

While patching is important, once we have patching in order do we need to keep looking at this as one of our key security metrics?  For example 25% of current breaches are via SQL injection, how much effort is spent on application and code security?  What metrics do you have for ensuring the security of your applications?

I’d recommend reviewing the Verizon Business Data Breach Investigations Report for more information on breaches and breach types etc.  This contains a lot of very useful information to aid your understanding of the current landscape.

Have a look at some of these interesting free tools that can help with your security defences;

WebLabyrinth – http://code.google.com/p/weblabyrinth/

FOG Computing – http://sneakers.cs.columbia.edu:8080/fog/

SCIT: Self Cleansing Intrusion Tolerance – http://cs.gmu.edu/~asood/scit/

Honeyports – http://honeyports.sourceforge.net/

I don’t have time to cover all of these here, but have a look for yourselves if you want some more tools to make attackers lives considerably more difficult should they get onto your networks.

So, how do we best get non security executives involved?  Some questions you can put to them to get the conversation started;

–          What protected or sensitive information do we have?

–          What adversaries desire the information and why?

–          What is the value of the information to the organization?

–          How would the adversary value it?

–          What are the adversary’s capabilities?

–          What controls protect the information?

Summary and next steps;

Remember these are ways to enrich and complement your existing security, not instead of it!

–          Start with a blank slate

–          Engage non security people – you must have executive buy in, and should aim to gradually make security front and centre as part of the corporate culture

–          Identify your most likely adversaries and thus their likely motivations – work with other businesses in your industry – information and knowledge sharing!

  • Obtain and share adversary centric intelligence;
  • Threat intelligence
  • Brand chatter monitoring
  • Information sharing

–          Simulate adversary-driven scenarios – improve on your penetration testing.

K