Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that provider has obtained their party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible e.g. through STAR ( – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.


Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?


–          52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance


3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware)

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          In MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.


Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance


  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative.  Mentioned that DLP one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!




RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

–          Evolving compliance

–          Evolving Threats

–          Evolving Technology

–          Evolving Business

–          Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape.  Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are rapidly increasing our dependence on technology and software systems much more quickly than our ability to secure them e.g  Insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges are not technical but cultural?  For example the OWASP top 10 issues has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

–          We have faith based security

–          We need evidence based security

–          However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not importance.

–          Drunks and Lampposts! – we (and vendors) use data to prop up their views and desired message, not to show the true picture in the same way a drunk uses a lamppost for cupport, not illumination.


Collection of thoughts presented;


–          Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!

–          We have and accept buggy software

–          There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith

–          We had the chance to do cloud computing better, but are already having the same types of conversation as before..

–          The security industry scores very high on the Maslow stress index..

–          Most companies and CISOs cannot stop standard Metasploit attacks, if we cant stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..

What can we do about it? (in order of importance);

–          Pick one;

  • Make excuses
  • Make progress

–          Build defensible infrastructures including rugged software

–          Operational excellence – run IT well, understand what you have

–          Situational awareness

–          Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

To summarise, Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! J

Overall a great although sprawling and fast paced talk.


Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting, just having breakfast you effectively trust 1000s of people to have safely grown, prepared and server your food.  Society wouldn’t function without trust.  This is why we do security, security enables trust, and trust enables society.

There are two forms of trust –

–          Personal when you know someone, and understand some of their likely motivations and expected actions.

–          Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoners dilemma.  People can be ‘defectors’.  However defecting only works if the defectors are not too successful, if defecting becomes too successful things, in this case society can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

–          Morals – mostly comes from within our own head

–          Reputation – mostly comes from other people’s opinions of us

–          Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.

–          Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between these pressures and defectors.  Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..

Technology makes society more complex and is leading us through a tie of great societal change.

To summarise;

–          No matter how much societal pressure there is there will always be some defectors

–          Increasing societal pressure is not always worth it

–          We all defect at some times. No one is perfect.

–          There are good and bad defectors and it can be hard to differentiate.

–          Society needs defectors – we all benefit because some people don’t follow the norms..


Exploit vulnerabilities rather than just report on ‘hypothetical’ issues

While doing some general reading recently I came across an article entitled “Why aren’t you using Metasploit to expose Windows vulnerabilities?”.  This reminded me of something I have discussed with people a few times, the benefits of actually proving and demonstrating how vulnerabilities can be exploited rather than just relying on metrics from scanners..

Don’t get me wrong, the use of vulnerability / patch scanners are incredibly useful for providing an overall view of the status of an environment;

– Are patches being deployed consistently across the environment in a timely manner?

– Are rules around password complexity, who is in the administrators group, machines and users are located in the correct places in the LDAP database etc. being obeyed?

– Are software and O/S versions and types in line with the requirements / tech stack?

– etc..

The output from these scanners is also useful and extensively used in providing compliance / regulatory type report data confirming that an environment is ‘correctly’ maintained.

What these scans fall short in two main areas;

1. They do not provide a real picture of the actual risk any of the identified vulnerabilities pose to your organisation in your configuration with your polices and rules applied.

2. Due to point 1 they may either not create enough realisation of the risks for senior management to put enough priority / emphasis on remediating them, or they may cause far too much fear due to the many vulnerabilities identified that may or may not be exploitable.

In order to provide a quantitate demonstration of how easy (or difficult) it is to exploit identified vulnerabilities, and also demonstrate to management how these reported vulnerabilities actually be exploited, using tools such as Core Impact, Canvas or Metasploit in addition to just scanning for vulnerabilities is key.

Tools like Canvas and Core Impact are commercial offerings with relatively high price tags, Metasploit is however open source and free to use in both Windows and *nix environments. It even has a gui!  So there is no excuse for not actually testing some key vulnerabilities identified by your scans, then demonstrating the results to senior management and even other IT staff to increase awareness.

Metasploit can be found here;

Where it can be downloaded for free.  Should you wish to contribute to it’s success there are also paid for versions.

The key message here is don’t stop using the standard patch / vulnerability scans as these are key to providing a picture of the entire environment and providing assurance of compliance to policies.  However these should be supplemented with actually exploiting some key vulnerabilities to provide evidence of the actual risk in you environment rather than just the usual ‘arbitrary code execution’ or similar statement related to the potential vulnerability.  This will put much more weight behind the your arguments for improving security.