<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Megamind</title>
	<atom:link href="http://megamindtraining.com/feed" rel="self" type="application/rss+xml" />
	<link>http://megamindtraining.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Sat, 11 Feb 2012 22:15:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Cloud Security</title>
		<link>http://megamindtraining.com/701/cloud-security</link>
		<comments>http://megamindtraining.com/701/cloud-security#comments</comments>
		<pubDate>Wed, 09 Nov 2011 05:58:15 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=701</guid>
		<description><![CDATA[Cloud Security Well, it&#8217;s been a while since I&#8217;ve posted&#8230; Security work is always in demand! I will cover Android and PCI Assessments in future blogs, but I would like to start a short series on a hot [and hyped] topic: Cloud Computing Security&#8230; First, let&#8217;s define the terms: Cloud Computing is a SERVICE provided [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Cloud Security</strong></p>
<p>Well, it&#8217;s been a while since I&#8217;ve posted&#8230; Security work is always in demand! I will cover Android and PCI Assessments in future blogs, but I would like to start a short series on a hot [and hyped] topic: Cloud Computing Security&#8230;</p>
<p>First, let&#8217;s define the terms: Cloud Computing is a SERVICE provided by an internal IT shop [private cloud] or outsourced to a provider [public cloud]. Occasionally organizations, like non-government organizations (NGOs) or universities, work together to create a cloud they can share among themselves, and that is called a &#8220;community cloud.&#8221; If you mix any of the three types of clouds, you get a hybrid cloud! So far so good?</p>
<p>Alright, let&#8217;s go a little deeper&#8230; remember, all we are trying to do is connect our client computer to a remote server to perform some work&#8230; As I mentioned earlier, cloud computing is a service, and it comes in 3 flavors:</p>
<p><strong>Infrastructure</strong> &#8211; just like you have been able to rent rack space or gigabytes galore in the past, Infrastructure as a Service (IaaS) is the service of providing infrastructure on demand. You provide the OS and the things you need&#8230; as close to bare metal as you can get. You also retain good control over the security of the remote infrastructure.</p>
<p><strong>Platform</strong> &#8211; sometimes you just don&#8217;t have the IT resources and you just need another database or application server for testing, or for when you know demand will be high. You may need debugging or programming tools as well, whether it is Java, .NET or PHP. Many software vendors are a pain to deal with when it comes to software licenses. Well, that&#8217;s where Platform as a Service (PaaS) comes in. You rely on the vendor to maintain and secure the platform; you provide the data and the applications.</p>
<p><strong>Software as a Service</strong> or SaaS is a perfect fit for a small company [but not limited by size] that does not even have an IT department and needs an email service, a content management system (CMS) or a customer relationship management (CRM) system; basically: on-demand software.</p>
<p>So the companies get to save money&#8230; and the former hosting companies sell more &#8220;space and bandwidth.&#8221; Wait! What about security? I&#8217;m glad you asked! We&#8217;ll cover that exact topic tomorrow!</p>
<p>=====</p>
<p><strong>What about Cloud Security?</strong></p>
<p>Let’s think of the process for a second: you used to have servers in house (if you had an IT department), then you moved them to a hosting environment under tight control, and now you have finally moved your main servers to another layer on the internet where your trusted employees and partners can get access… any security issues here?</p>
<p>When an organization goes to the cloud, it gains a number of advantages (especially cost savings) at the cost of losing at least some degree of control over its computing and networking environment. If an organization contracts for Software-as-a-Service (SaaS), its users will obtain access to a variety of applications and the databases that support those applications. The cloud applications will run somewhere outside of the organization’s network, so the hop count for traffic from users’ workstations to the servers on which the applications run will grow, causing increased latency in interactions with the applications.</p>
<p>Another important integration consideration is authentication and authorization. In some ways, the worst possible cloud integration scenario is when an organization that has designed and implemented an identity management solution based on certain services and protocols migrates to cloud services that perform authentication and authorization in a different way. Suppose, for example, that an organization uses an identity management system with LDAP-based authentication and authorization. Suppose, too, that a large proportion of internal applications interface with the identity management system through LDAP. If this organization signs on for SaaS with a cloud provider that does not use LDAP-based authentication and authorization, the organization’s transition is likely to be very difficult.</p>
<p>Still another integration issue is auditability. When an organization’s IT functions are entirely in-house, it is easy to obtain log output from servers, workstations and devices to build a thorough picture of what kinds of events and conditions are occurring. Additionally, IT staff can launch vulnerability scans at will. When the organization moves its IT functions to the cloud, however, it is generally more difficult to obtain the same amount of information. Some cloud service providers (CSPs) allow customers to query at will for information such as the patch status of critical hosts, but many do not. Organizations that are making the transition between in-house and cloud services need to determine how to keep getting the log and status output they need in the interim, while at the same time exploring long-term solutions.</p>
<p>Next we&#8217;ll get really technical: Encryption!</p>
<p>=============================</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/701/cloud-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security is not funny</title>
		<link>http://megamindtraining.com/659/security-is-not-funny</link>
		<comments>http://megamindtraining.com/659/security-is-not-funny#comments</comments>
		<pubDate>Mon, 18 Apr 2011 03:16:47 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Fun Funny Frank Hayes ComputerWorld]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=659</guid>
		<description><![CDATA[I was reading Frank Hayes&#8217; opinion column in ComputerWorld this week about some of the recent cyber security incidents, some of them affecting security companies. His theme was that security occasionally becomes the joke. Yes, TSA gets on our nerves, the Antivirus 2011 malware causes confusion among our user community and last week alone [...]]]></description>
			<content:encoded><![CDATA[<p>I was reading Frank Hayes&#8217; opinion column in ComputerWorld this week about some of the recent cyber security incidents, some of them affecting security companies. His theme was that security occasionally becomes the joke. Yes, TSA gets on our nerves, the Antivirus 2011 malware causes confusion among our user community and last week alone Microsoft released a record number of security patches. Are you feeling safer already? Not really; that was a funny line, yet no one is laughing.</p>
<p>Security has become mainstream in moderate to mature corporations. They start with a policy, they provide the tools to the techies and then they ENFORCE the policy! Younger organizations, or the ones not realizing the risk they are in, endanger themselves and their connected partners, and they think the joke is on them&#8230;</p>
<p>The PCI DSS (Payment Card Industry Data Security Standard) has proven to have more teeth than government regulations. Compare these statements: a big credit card company tells a retailer: &#8220;If you are not PCI certified, you have to pay us $50,000 a month or stop processing our credit cards&#8221; versus GSA telling a government agency: &#8220;so you have an F in security this year, so we are cutting the budget a little this year&#8221;. One of the consequences of a government incident: the U.S. Department of Veterans Affairs breach resulted in fines of $1,000 per violation and amounted to $26.5 billion. Who paid for that? US taxpayers. T.J. Maxx was hacked and 94 million credit card numbers were stolen. Who paid? T.J. Maxx shareholders and consumers.</p>
<p>So where is the joke in all this? It&#8217;s not funny. But why does it take an incident to raise management&#8217;s concern and get them to start doling out money for security and compliance? Because they feel the pain and shame of being the butt of the joke! And as Frank wrote: &#8220;maybe your users will realize that what they do matters.&#8221;</p>
<p>Until next time, stay secure!</p>
<p>Sources:</p>
<p>US Veteran Affairs http://datalossdb.org/incidents/289-names-social-security-numbers-and-dates-of-birth-of-26-5-million-u-s-military-veterans-stolen</p>
<p>T.J. Maxx http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/659/security-is-not-funny/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber Security and Identity Theft</title>
		<link>http://megamindtraining.com/661/identity-thef</link>
		<comments>http://megamindtraining.com/661/identity-thef#comments</comments>
		<pubDate>Wed, 17 Nov 2010 22:57:26 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=661</guid>
		<description><![CDATA[Cyber Security and Identity Theft]]></description>
			<content:encoded><![CDATA[<p>Today’s biggest cyber security concern is <strong>Identity Theft</strong>. It&#8217;s the fastest growing crime in the world!</p>
<p>Organized crime and creative malicious people will have their share of stolen goods before the end of the year&#8230; don&#8217;t make it easy for them by becoming a cyber victim!</p>
<p>Cyber-thieves use all kinds of methods (<strong>hacking</strong>, tempting targeted <strong>spam</strong>, <strong>spyware</strong> for intercepting information, etc.) to steal personal or financial information from their victims, mostly from their computers.</p>
<p>The latest of these nefarious activities even sports a name: <strong>phishing</strong> (pronounced like &#8220;fishing&#8221;). The thief sends a simple e-mail that looks like it came from a genuine site (mostly from financial institutions such as Citibank, eBay, PayPal, Best Buy and others), telling you there is a problem with your account. Basically, it&#8217;s like &#8220;hacking for dummies&#8221;, except they are doing the hacking and you are the dummy if you click on the link! The hacker would like you to click on a certain link in the e-mail, and you are taken to a site that looks exactly like that of your bank. Here, they will ask you to fill in again your password, Social Security or credit card numbers, and/or other confidential numbers.</p>
<p>The following are some ways to minimize the risk of your identity being stolen:</p>
<ul>
<li>Don’t reach a site by following third-party links. Open a new browser window and type the address yourself if you want to visit a site.</li>
<li>Do business with reputable companies.</li>
<li>Some attackers may try to trick you by creating web sites that appear to be legitimate.</li>
<li>Update your web browser! Newer versions of Internet Explorer, Firefox or Google Chrome have anti-spoofing alerts or warn you about invalid certificates&#8230;</li>
</ul>
<p>You can also check privacy policies to see how the company in question uses and distributes information. Many companies allow customers to request that their information not be shared with other companies.</p>
<p>Maintain a security mindset – always be skeptical of unfamiliar sites and links, suspicious e-mails and IM messages.</p>
<p>Anti-virus software and firewall<br />
As standard practice, using and maintaining anti-virus software and a firewall will protect your computer from attacks that may steal or modify data on your computer.<br />
Make sure to keep your anti-virus program and firewall up to date.</p>
<p>Fighting identity robbery<br />
As precautionary steps, regularly check your credit reports for strange transactions or transactions you don’t recall, unusual charges on your bills, bills for products and services you don’t have, or worse, unexpected denial of your credit card.</p>
<p>Once the identity robbery has been confirmed, call the appropriate companies and agencies immediately. Have your credit card accounts closed right away so future charges will be denied.</p>
<p>Contact the Social Security Administration if your Social Security number has been accessed, or the DMV if your driver’s license or car registration papers were stolen. This is to warn these agencies of possible unauthorized use of your personal ID information. Of course, you need to file a criminal report with the local police.</p>
<p>For U.S. citizens, you need to contact the main credit reporting companies (Equifax, Experian, TransUnion) to see if there has been any unexpected or unauthorized activity. Have fraud alerts placed on your credit reports to prevent new accounts from being opened without verification. File a complaint with the FTC and IFCC.</p>
<p>A website, <a href="http://www.identitytheftactionplan.com">www.identitytheftactionplan.com</a>, has been created to help citizens prevent, detect, and respond to identity theft and fraud. Within the site is information on how identity theft occurs, the latest prevention tips, what to do in case you are victimized and pertinent information on the law enforcement agencies that investigate these crimes. Two other sites to learn more about phishing and ID theft are the following: <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/">consumer.gov/idtheft</a> and <a href="http://idtheftcenter.org/">idtheftcenter.org</a></p>
<p>If you want to watch an interesting movie about the dangers of Identity Theft, check out the classic movie &#8220;The Net&#8221; about a person&#8217;s ordeal when her identity is stolen: http://www.imdb.com/title/tt0113957/</p>
<p><strong>Vigilance, information and action.</strong> Cyber security dictates that every cyber citizen (those using computers and the Internet in most of their activities) needs to be vigilant at all times!!!</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/661/identity-thef/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Know the Truth, Exposing Myths in Cyber Security</title>
		<link>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security</link>
		<comments>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security#comments</comments>
		<pubDate>Sat, 28 Aug 2010 03:49:16 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Myths]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[Truth]]></category>
		<category><![CDATA[worms]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=560</guid>
		<description><![CDATA[We all know that cyber security is important. There are many myths creating a false sense of security. Your mind is your first line of defense. So train it well so you’ll be better protected…]]></description>
			<content:encoded><![CDATA[<p>We all know that cyber security is important. Having a good password is important to keep confidential information protected. We know that having anti-virus, anti-malware and anti-spyware applications does wonders, especially when you’re connected to a network or the web. Having all those applications is a good thing, but we also know that having correct firewall settings is quite important as well.</p>
<p>However, what most of us don’t know, and what we are led to believe, is that having these precautionary measures is enough. Well, the truth is, they are not! It is time that you know the truth and expose some of the cyber security myths, or cyber-rumors, that we have believed for years. It&#8217;s been almost 22 years since the first famous piece of malware, the Morris worm, spread via the internet. About 20 years ago, we only had to be concerned with viruses. Later there were also worms, Trojan horses, spam, spyware, phishing, rootkits, code injection and internet bots. To simplify, we group them all as malware. While the malware family has grown considerably, the defenses have been few and hardly effective…</p>
<p>Let’s start off with anti-virus software and your system firewall. Despite what manufacturers say, despite what the advertisements say, despite what some of your friends might tell you, no anti-virus software or firewall, for that matter, is 100% effective. You need to understand that virus creators make malicious code so advanced that an anti-virus application is not yet capable of handling an attack coming from it.</p>
<p>Despite the regular updates released by anti-virus software companies, they cannot foresee what kinds of viruses will come out next month or the month after that. They can only provide their customers with protection based on the viruses that they know of and the potential viruses that could come out. As mentioned or implied earlier, the best way to have a degree of protection is to combine these technologies. Have separate anti-virus software installed and keep a strong firewall active.</p>
<p>There might be problems with some applications not working well together, so conduct your own research and see which software works well together. Newer anti-virus versions also look at software behavior to detect malicious activity, but since this consumes more CPU cycles, most people turn it off! I’m always surprised when visiting friends and family, or even clients, that they show me their systems running “a bit strange lately” and the first thing I notice is that the 30-day demo anti-virus subscription has expired or they are running an obsolete version, which is useless since it offers very little protection, if any!</p>
<p>It is also important to know that successfully installing a software application is not the end of it. Unfortunately, you will also need to get the patches or updates that manufacturers release. These patches or updates are fixes for some little, or sometimes big, inconsistencies or bugs in the application. How to do it? This can take some planning and work. Microsoft releases all of their patches on the second Tuesday of every month. Unfortunately, in the Microsoft world they don&#8217;t see the computer as a collection of applications on top of an integrated, user-friendly operating system (OS), just the OS and &#8220;other stuff&#8221;. So they don&#8217;t track the categories of software installed or even care to update them. In order to update those programs, you will need third-party tools or the software packages themselves, which now opens more security issues!</p>
<p>Examples: Java and Adobe Acrobat Reader check every time you boot your computer to see if there are any updates [and they will update themselves unless you postpone the download.]</p>
<p>In the world of operating systems which are more user friendly and security intelligent, Linux and Apple OS X alert you when there are new software versions of the applications you have installed and can even install them for you&#8230; and if there is a critical patch required for the OS, it can be downloaded and installed now, not some time in the future when it&#8217;s more convenient for the software manufacturer. All digitally signed and from a central repository! That’s better overall protection, so it’s no wonder there is very little malware for these operating systems!</p>
<p>Look into your installed applications and see if there is an automatic updating option, which there usually is, that allows you to automatically receive updates whenever manufacturers release a new version or an upgrade of the system.</p>
<p>Also, don’t believe that just because you have mainly personal and insignificant information on your computer that it’s not worth protecting at all. Please bear in mind that what you think is not important can turn out to be quite useful for hackers. Every bit of information you have in your computer, email or any other system can be manipulated and used by hackers to access more of your confidential information or to gain some profit. Even if you keep your files on a computer not connected to any network, the one that a hacker gains access to can be used to attack other computers or cause problems with other systems. In the worst case, a hacker can steal your internet bandwidth or computer storage by converting your computer into an illegal file server so he or she can share it with their accomplices!</p>
<p>Not being rich is no guarantee that you won’t be attacked, either. Hackers and identity thieves will grab any opportunity that they come across. If they can get your personal information easily, they will do so and think about how they can use it for their personal gain, and believe me, they will think of a way.</p>
<p>Now that we have exposed some of these myths and you know a bit more about the truth on cyber security, I hope you get a renewed conviction regarding cyber security. Your mind is your first line of defense. So train it well so you’ll be better protected… We will cover cyber security awareness and training in a future post!</p>
<p>Read<br />
<a href="http://en.wikipedia.org/wiki/Malware">http://en.wikipedia.org/wiki/Malware</a><br />
<a href="http://en.wikipedia.org/wiki/Patch_Tuesday">http://en.wikipedia.org/wiki/Patch_Tuesday</a><br />
<a href="http://en.wikipedia.org/wiki/Mac_OS_X">http://en.wikipedia.org/wiki/Mac_OS_X</a><br />
<a href="http://en.wikipedia.org/wiki/Linux">http://en.wikipedia.org/wiki/Linux</a><br />
<a href="http://en.wikipedia.org/wiki/Package_manager">http://en.wikipedia.org/wiki/Package_manager</a></p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Security from the Top!</title>
		<link>http://megamindtraining.com/516/security-from-the-top</link>
		<comments>http://megamindtraining.com/516/security-from-the-top#comments</comments>
		<pubDate>Tue, 20 Jul 2010 21:36:04 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=516</guid>
		<description><![CDATA[Megamind Security Blog, by Adrian Mikeliunas, CISSP, CISA, PCI-QSA This is an interactive “discussion board” where we can share our thoughts, rants, pet peeves or frustrations… in a fun and informal manner. Let’s discuss security, from the top! Unless your organization (whether you work for a non-profit, multi-national corporation or government agency) is “obligated” by [...]]]></description>
			<content:encoded><![CDATA[<p>Megamind Security Blog, by Adrian Mikeliunas, CISSP, CISA, PCI-QSA</p>
<p>This is an interactive “discussion board” where we can share our thoughts, rants, pet peeves or frustrations… in a fun and informal manner.</p>
<p>Let’s discuss security, from the top! Unless your organization (whether you work for a non-profit, multi-national corporation or government agency) is “obligated” by some government regulation or business supplier or partner to shape up and come up with some “security” money, most organizations invest the bare minimum until they get hacked, and then they start rethinking. And I’m not alone in venting this issue… the latest Insecure Magazine (June 2010) points out the fact that many managers at Heartland Payment Systems (one of the largest security breaches in history) knew that PCI security compliance wasn’t enough to secure Heartland against a sophisticated cyber attack, but failed to take extra precautions… “Of the breaches in 2009, 81% of vendors were not PCI compliant…” Sometimes, some executives will get top management to understand the security priorities and prepare to spend the money now, or prepare to deal with the mess later and spend even more money [British Petroleum execs: are you listening?]</p>
<p>In many industries, after unfortunate events like Enron or the T.J. Maxx wireless cyber theft, a drastic change has to occur because someone was hurt. Law is reactionary: it changes to address recent painful events and enforce new rules. So for the last few years, public companies have had to deal with Sarbanes-Oxley (SOX), health providers have to deal with HIPAA, merchants that process credit cards have to deal with the PCI Council, and the US Government has had to deal with FISMA. The question is still valid: are we more secure? There are many people working in security positions that have no clue about security! Yes, you know them: the politically appointed, or those related to someone at the top of the totem pole… So what about the bottom of the totem pole? Many software engineers know their software needs more testing, but they are pressed by management to release it or else [again, it costs time and money].</p>
<p>So what’s my point, you may ask? Well, security is not just about firewalls, antivirus and a building badge. Those are just some expressions of security technology. Security is the result of a process. A process requires people to follow procedures. These procedures are designed to mitigate or reduce risk. Just like an insurance company will give you a discount if you have an alarm system in your house or your car, a company feels that having a security card and a badge reader, or a firewall, reduces the risk of physical or cyber attack. Unfortunately, in the real world, according to FBI statistics, more than half of security incidents are inside jobs. That number does not count those “oops” moments when some system administrator rebooted the incorrect server, since no data was leaked… only a few transactions were lost forever.</p>
<p>This was an intro to the many topics we will cover in future sessions in this blog, from people, processes and procedures, in order to make our systems more secure… [hopefully!]</p>
<p>Securely,<br />
Adrian Mikeliunas, CISSP, CISA, PCI-QSA</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/516/security-from-the-top/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
