Cyber Security Part III - Enterprise Protection

This is the third part of the cyber security series (Part I, Part II), with this week focusing on enterprise protection.  Any device connected to the internet is open to attack, from highly complex botnets right through to an individual port scanning for online FTP or database servers.  Corporate networks are no stranger to being specifically targeted, or to being infected with malware delivered via the public network.

Attack Vectors and Entry Points


Firewall & Network Perimeter - Historically, enterprise security was often viewed with an 'us and them' mentality.  Everything on the internal LAN was safe; anything past the DMZ and on the internet was potentially bad.  The main attack vector in was through the corporate firewall and any other perimeter network entry points.  The firewall was seen as the ultimate protection mechanism, and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

Infosec Product Release Review - 26th Oct

Tech Centre - the weekly review of newly released information security products, services, frameworks and policies.

Software


LANDesk Raises the Bar with Release of Integrated Systems

24 Oct 2012
"Management Suite and Security Suite 9.5 were created in order to help solve the ... "With these products, our current and prospective customers now have the tools they ... This information includes power consumption per device, the health of ...

Objective releases Govt-standard DropBox

24 Oct 2012
While DropBox is a very popular information sharing service among consumers and ... According to product marketing manager Michael Warrilow, the service will be ... Government Information Security Manual up to and including “Protected”...

The Problem With Passwords (again, still)

Passw0rds!  The bane of most users' and sys-admins' lives.  I started talking about passwords earlier in the year, with the theme of 'the password's dead...long live the password'.  Obviously, the password isn't dead and is very much alive.  The story generally unfolds something like this:

  1. The infosec team creates a corporate password policy that requires a password to have something like the following: a minimum length, a number, an upper case character and a special character, perhaps also a minimum age, and to be historically unique
  2. A sys-admin or developer creates a function within an app/system/website to check newly created passwords for complexity, in line with the corporate password policy
  3. A user is created within a system / registers on a site
  4. The user is prompted to enter a new password, which must match the above policy
  5. If the policy is too complex, the user's initial password selection will generally be bounced for being too insecure
  6. The user iterates their password, adding numbers or additional characters until the password is accepted
  7. User convenience and satisfaction is probably reduced due to having to remember a long password
  8. The sys-admin believes the system is now relatively secure from hackers guessing passwords, as everyone has a complex password
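As an added example (not code from the post), here is a Python version of the checker from steps 1, 2 and 6, with constructed policy values: it enforces length, digit, upper case, special character, minimum age and history uniqueness, and the iteration helper shows that the predictable 'Passw0rd!' a user lands on is exactly what such a checker accepts.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions, not values from the post).
MIN_LENGTH = 8
MIN_AGE = timedelta(days=1)            # how long a password must be kept before changing it
HISTORY_SIZE = 5                       # how many previous hashes count as "historically unique"
LAST_CHANGED = datetime(2012, 10, 1)   # constructed: when this user last set a password
NOW = datetime(2012, 10, 29)           # constructed: time of the change attempt

def hash_password(password, salt=None):
    """Salted PBKDF2 so the history list never holds plaintext; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_failures(password):
    """Step 2 of the post: return the policy rules a candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper case")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures

def check_new_password(password, history, last_changed=LAST_CHANGED, now=NOW):
    """Full policy: complexity, minimum age and uniqueness against the stored hash history."""
    failures = complexity_failures(password)
    if now - last_changed < MIN_AGE:
        failures.append("minimum age not reached")
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            failures.append("reused")
            break
    return failures

def iterate_until_accepted(candidates, history=()):
    """Step 6 of the post: the user tweaks the password until the checker accepts it."""
    for candidate in candidates:
        if not check_new_password(candidate, list(history)):
            return candidate
    return None

if __name__ == "__main__":
    # The predictable sequence a user typically walks through (constructed).
    print(iterate_until_accepted(["password", "Password", "Password1", "Passw0rd!"]))
```

The checker is satisfied by the very substitution pattern the post's title mocks, which is the point: complexity rules shape how users mutate a weak base word rather than stopping them using it.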

Cyber Security Part II - Botnets, APTs & AETs

This is the second of a five part series focusing on Cyber Security.  This article will examine some of the key terms and components that comprise a cyber attack in 2012.  I'll take a look at individual 'lone wolf' style attacks, right through to the complex networks of robots capable of distributing malware on a vast scale.  I'll also quickly examine the components of an Advanced Persistent Attack and the increasing rise of Advanced Evasion Techniques being used by malware to avoid detection.

From Lone Wolf to Botnets

The Lone Wolf

In any walk of life the lone wolf is seen to be independent, agile and potentially unpredictable.  Whilst these characteristics are often seen to be difficult to defend against in a cyber security landscape, being an individual can have its limitations.  In the new dawn of the internet era (yes I know, what was that like?) in the early 90s, the appearance of individual hackers was often portrayed as glamorous and cool.  The script-kiddie style attacker was generally male, 18-23 years old and a self-badged nerd/geek/social outsider.  Their main motive for attacking online systems was simply prestige and credibility, driving for acceptance of their technical aptitude.

6 Steps to Selling Security to the Business

I spent a little time this week on two Twitter virtual discussions (#secchat, #hpprotect) covering security innovation and the like, where invariably the topic ended up focussing on how to basically promote or sell security into a business.  This could be either from a vendor perspective, trying to promote new products or features, ultimately to make licence revenue, or from the likes of internal security staff, attempting to justify business cases or budget for infosec related projects.

Kaspersky to Build Secure OS

Kaspersky recently confirmed the rumours that they are creating a new, built from scratch, secure operating system for the Industrial Control Systems (ICS) market.  Kaspersky argue that the well known issues with ICS, such as the Stuxnet, Duqu and Flame infections, have prompted them to re-evaluate the security of critical infrastructure type environments.  The conclusion was that a new, independently developed operating system, built using secure principles is the way forward.

The main issue with ICS environments is the fact that they nearly always require 24x7x365 uptime, not the usual 5-nines availability expected of critical data storage or web apps.  These environments cannot be stopped.  Think oil pumps, water extraction systems, electricity production plants, gas transportation systems and so on.  It's not really a case of finishing at 6pm, doing a few hours of patching, updating and testing, and being ready for the 8am login rush.  Those sorts of outage windows simply don't exist.  This makes management of such environments difficult and has often led in the past to legacy systems, often un-patched, performing critical services, simply because the downtime to replace or improve them is too great.  Introduce the likes of Stuxnet into the equation and you can see the opportunity for malware is too great to ignore.


Cyber Security Part I - (Cyber) War on Terror

This is the first in a five part series covering cyber security.  Each Monday, Infosec Professional will focus on many of the key aspects of cyber security, from government-led strategic defences, right through to individual consumer level protection.  Any device that connects to the internet is now a potential target, with the motives now becoming political, as control of the information highway becomes paramount.

US government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption".  This initial sentence is paraphrased straight from Wikipedia, but could just as well have come from a sci-fi movie of the mid-1980s.  Cyber war is no longer an imaginary concept, cocooned in the realms of laser gun protection and x-ray vision.  It's an everyday occurrence, impacting governments, corporate enterprise and individuals.

Security as a Service - Infosec the Cloud Way?

Last month Google acquired VirusTotal, an online virus and malware scanning tool.  VirusTotal has been around for about 8 years, and provides a simple and focused virus and URL scanning service.  They basically act as a service wrapper and aggregator for some 60 anti-virus engines and tools.  They then provide the ability for a file or URL to be scanned by the underlying engines, before returning a scan result from the various different partners.  This is a simple, yet powerful concept for several reasons.

I'd imagine Google's main interest would be in the ability to scan a particular URL that is returned from a user's Google search, before they go ahead and click through it.  This would help Google to identify any malicious links, trojan destinations and so on, increasing their credibility and the safety of its users.  VirusTotal also provides various internet browser plugins, which would likely become an integral default part of the Chrome browser too.

Security Intelligence - Reactive -v- Proactive

The RSA Conference bandwagon rolled into London this week, which promises to bring some interesting sound bites from the big players in the security sector.  Yesterday's opening keynote speech from RSA's own Arthur Coviello focused on some of the key challenges organisations face from an information security perspective.  The lack of skilled personnel, shrinking security budgets and the difficulties of ever more complex risk management make attacks more difficult to identify and overcome.

Coviello called for more of an 'intelligence-driven' security model to help evolve the traditional security operations centre into something more analytical and proactive.  Whilst it is able to carefully understand and dissect an attack's source, flow and impact, security intelligence could also be seen as just another level of reaction, albeit a more detailed one.

The Future of Cloud Based Identity?

This week I was fortunate to spend some time with Mike Schwartz, CEO and founder of Gluu, the leading open source and on-demand cloud identity management provider.  Gluu is an Austin based start-up, that leverages open standards such as OpenID Connect, SAML 2.0, Shibboleth, and SCIM to make achieving single sign-on (SSO) secure and easy.

How has the concept of online identity management and federation services changed in the last few years?

Mike: Several fundamental changes are converging to create the perfect storm of online identity: (1) Facebook Connect is bubbling up from the consumer space into the enterprise market, creating demand for instant connectivity based on user controlled decisions; (2) OpenID Connect is positioned to replace a plethora of other standards - SAML, OpenID versions 1 and 2, OAuth versions 1.0 and 1.1, WS-Fed and Information Cards; (3) there has been a proliferation of authentication technologies - username / password is not the only option any more, and in fact we are being presented with many more easy to use, and more secure alternatives; (4) Email address has emerged as the definitive identifier for a person, and domain name the definitive identifier for an organization; (5) Due to the proliferation of mobile and cloud apps, the use cases for online identity need to address not only the attributes or claims of a person, but of the device or client to which the person is connected.

IPv6 Security

IPv6 is the natural progression for internet addressing.  With IPv4 addresses limited to just over 4 billion, estimates have predicted a public address space shortage in months rather than years.  With over 7 billion people on the planet, it's easy to see why, especially as many in the western world use smart phones and tablets as well as standard laptops, resulting in an individual using more than one address simultaneously.

What is IPv6

Internet Protocol version 6 is seen as a direct replacement for Internet Protocol version 4, operating at the internet layer of the OSI model.  There are a few main differences between the two approaches, mainly the fact that IPv6 has a considerably larger pool of available addresses - around 340 undecillion (lots of zeros..).  An IPv6 address is longer too, at 128 bits compared to the shorter 4 byte, 32 bit IPv4 address.  IPv6 also contains a fixed host identifier based on the device's MAC (Media Access Control) address.
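The MAC-based host identifier mentioned above is the modified EUI-64 scheme that stateless address autoconfiguration uses.  The following Python is an added example, not code from the post: it derives the identifier for a constructed MAC, shows that the same identifier appears under every /64 prefix, and recovers the MAC from the address, which is the tracking concern that RFC 4941 privacy addresses were introduced to address.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC, insert ff:fe in
    the middle, and invert the universal/local bit of the first octet. Returns 8 bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, as stateless autoconfiguration does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_address(address):
    """Defender's view: recover the hardware MAC from an EUI-64 based address, or
    return None when the ff:fe marker is absent (privacy, static or DHCPv6 addresses)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed example MAC, not a real device
    for prefix in ("fe80::/64", "2001:db8:1:2::/64"):
        addr = slaac_address(prefix, mac)
        print(addr, "->", mac_from_address(addr))
```

Because the lower 64 bits stay constant as the device moves between networks, a log correlator can link its addresses across sites; checking for the ff:fe marker is a quick way to see whether hosts on a segment are still using hardware-derived identifiers.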

Ransomware - Pay Up or Lose Your Files?

Ransomware has been around for years, but has seen a rapid rise to the popular mainstream in the last couple of months.  Ransomware is generally seen as a type of malware that restricts access to the computer or device it infects, not releasing control until some sort of monetary payment has been extracted.

The malware can generally operate at the boot or pre-OS level, encrypting the underlying files, photos and music that the user deems so important.  This encryption process is managed by the malware, with the contents not being decrypted until either a bank transfer, SMS or premium rate phone call is made to the malware operator.  Other basic ransomware payloads simply restrict access to the main interfaces of the operating system.  So instead of encrypting the contents, access to things like explorer.exe in Windows or the command line shell is prevented, making the machine practically useless.