Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that provider has obtained their party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats;

–          52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance

2.Weaponization

3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware)

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          In MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe;

  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative.  Mentioned that DLP one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

K

 

 

RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos current see >200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional with easy to access tools;

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendor or shared in any way so you can be assured that your malware will not be added to existing malware databases.

Another example is Gwapo that has youTube videos advertising their DDoS service.

Ransomware is also becoming common with malware that encrypts your drive(s) and requires payment to unencrypt it.  Some ransomware become a lot more scary and malicious with threats that illegal content such as child pornography is encrypted on your computer and if you don’t pay within xx hours or days the police will be sent details of how to unencrypt it.  Ransomware can be particularly harmful and effective as it does not require administrative access, for example if you have access to company files etc. they can be encrypted with your limited access.

You can get easily access ‘crime-packs’ containing various tools for exploiting and attacking tool kits.  Examples include; Firepack, ice-pack, crimepack, blackhole etc.  Some of these even come with CR tools built in!  Additionally in keeping with the times some are available as cloud based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple gui based interfaces for creating your own malware based on existing payloads etc.  They are also very regularly updated with new code and make use of polymorphism to try and evade detection.

As an example blockhole has features such as;

–          Blacklisting / blocking to try and prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. fro cloud services)

–          Auto updating / patching

–          Can target multiple client vulnerabilities simultaneously

–          Java 0-days almost as soon as they were available

–          AV scanning add ins to check if the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance, this is a grey area and may be legally questionable in some jurisdictions so you should be careful when looking at these options.  Some options in escalation of scale order;

–          Bit of poking – DNS, name servers and ‘affiliations’

–          Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly basic information

–          Javascript. Web Shell. Querying more information

  • Borderline, depending on your jurisdiction

–          Full hog – exploitage

  • Oh, you didn’t patch Java in your system either? – use the attackers exploit, in this case java against their own jave based site / application
  • Where they are, what they are doing.

Two steps forward.. Using IPv6 as an example, many machines now have IPv6 on as a default, simple router flood attack available on current Backtrack etc. can max out CPU and even crash the machine.  You may not care about IPv6 yet, but if you are not disabling it or securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.

Key take away points from this talk are;

–          Consider upcoming technologies even if you are not using them yet

–          Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities, gather solid, admissible evidence to hand to legal investigators

–          Watch the basics

  • Assumptions kill us
  • Yes people can be that silly

–          Everything in moderation – Hype hurts

On a closing not, the tools and sites mentioned in this post are real and currently accessible.  Search for and use with care and at your own peril!

K