CISO

Enterprise Information Security

CSA releases SecaaS Implementation Guidance for Identity and Access Management

by Leave a Comment

In the recent past CSA has defined the categories of security services that can be offered as Security as a Service. The functionalities listed in each category as part of the category definition is looked into in detail. The implementation guidance series tries to define the best practices in the design, development, assessment and implementation of these service categories.

The implementation guidance on the Identity and Access Management provides direction for the enterprise security stakeholders responsible for ensuring the security of IAM solutions in a corporate IT environment

In this guidance, detailed discussions on the following areas are included:

  • Centralized Directory Services
  • Access Management Services
  • Identity Management Services
  • Identity Federation Services
  • Role-Based Access Control Services
  • User Access Certification Services
  • Privileged User and Access Management
  • Separation of Duties Services
  • Identity and Access Reporting Services

The full IAM implementation guidance is available here.

Image Source: CSA Guidance

Cloud Security Alliance Guidance on Security as a Service (SecaaS)

by Leave a Comment

The CSA (Cloud Security Alliance) has issued a new guideance with a focus on how security can be provided as a service (SecaaS). This document covers 10 categories of services that can be provided as a service over the cloud.

An interesting quite from the executive summary on the adoption of SecaaS "the future looks bright for SecaaS, with Gartner predicting that cloud-based security service us will more than triple in many segments by 2013"

The 10 domains covered by the guidance are the following:

  1. Identity and Access Management
  2. Data Loss Prevention
  3. Web Security
  4. Email Security
  5. Security Assessments
  6. Intrusion Management
  7. Security Information and Event Management (SIEM)
  8. Encryption
  9. Business Continuity and Disaster Recovery
  10. Network Security

The full guidance can be downloaded from here. Cloud Security Alliance Guidance on Security as a Service (SecaaaS)

I have been using some of the above services through some cloud services providers such as CloudFlare. Do you use any? What are your thoughts on the Security services over the cloud?

2012 Data Breach Investigations Report

by Leave a Comment

Verizon has published its 2012 data breach investigations report. This years report is a result of analysing 855 incidents, 174 million compromised records and it represents a broader and more diverse geographical scope.

Some key points from the executive summary of the report

Who is behind data breaches?

  • 98% stemmed from external agents (+6%)
  • 4% implicated internal employees (-13%)
  • <1% committed by business partners (<>)
  • 58% of all data theft tied to activist groups

How do breaches occur?

  • 81% utilized some form of hacking (+31%)
  • 69% incorporated malware (+20%)
  • 10% involved physical attacks (-19%)
  • 7% employed social tactics (-4%)
  • 5% resulted from privilege misuse (-12%)

What commonalities exist?

  • 79% of victims were targets of opportunity (-4%)
  • 96% of attacks were not highly difficult (+4%)
  • 94% of all data compromised involved servers (+18%)
  • 85% of breaches took weeks or more to discover (+6%)
  • 92% of incidents were discovered by a third party (+6%)
  • 97% of breaches were avoidable through simple or intermediate controls (+1%)
  • 96% of victims subject to PCI DSS had not achieved compliance (+7%)

Where should mitigation efforts be focused?

Smaller organizations

  • Implement a firewall or ACL on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • If a third party vendor is handling the two items above, make sure they.ve actually done them

Larger organizations

  • Eliminate unnecessary data; keep tabs on what.s left
  • Ensure essential controls are met; regularly check that they remain so
  • Monitor and mine event logs
  • Evaluate your threat landscape to prioritize your treatment strategy
  • Refer to the conclusion of this report for indicators and mitigators for the most common threats

You can read the full report here

nCircle Announces Patch Priority Index.

by Leave a Comment

Last week lots of security patches were released by various vendors, especially Microsoft. It is always challenging for organizations to prioritize the patches for testing and implementation. nCircle, a provider of information risk and security performance management solutions, today announced a .Patch Priority Index. which is designed to help organizations prioritize the most critical vulnerabilities that should receive immediate remediation.

About the Patch Priority Index

nCircle’s Patch Priority Index (PPI) draws from a number of unique sources to create a thoroughly researched list of the most critical vulnerabilities affecting your network. Every month, nCircle VERT, a team of highly skilled security research engineers, considers a number of criteria to determine the most severe issues that can be patched in a given month to be a candidate for the list. For a vulnerability to be included on the PPI list it MUST have a patch available. VERT researches each vulnerability and ranks them using the following criteria:

  • Attack Vector
  • CVSS Score
  • Availability of Exploit Code
  • Popularity of the Service or Software
  • Customer Feedback
  • Worst Case Attack Scenarios
  • Attack Outcome

These attributes are assigned to the vulnerabilities and then peppered with extensive VERT experience to create the ideal list of ‘Patch Now!’ vulnerabilities.

The Anatomy of an Anonymous Attack

by Leave a Comment

iMPERVA has recently released a report on the attack patters followed by the Anonymous group. The report gives following insights on the Anonymous campaign

  • The process used by Anonymous to pick victims as well as recruit and use needed hacking talent.
  • How Anonymous leverages social networks to recruit members and promotes hack campaigns.
  • The specific cyber reconnaissance and attack methods used by Anonymous. hackers. We detail and sequence the steps Anonymous hackers deploy that cause data breaches and bring down websites.

The report also provides some risk mitigation steps that organizations can follow to protect against attacks

The full report is available for download here

Network Information Security in Education.ENISA report

by Leave a Comment

ENISA has published a report on Network Information Security in Education. The report provides young digital citizens and stakeholders with an overview and highlights of good practices on how to become educated to feel and behave safer online.

Long life learning, formal, non-formal and informal education are on the agenda of policymakers. Children, youth and their peers, parents and educators are all part of the discussion and the recommendation is that they should cooperate and get involved as much as possible. The material available here is to enable easy transfer of knowledge between stakeholders.

The information in this consolidated report helps all stakeholders to be better informed, better educated and better involved in the area of Network and Information Security [NIS].

Protecting Industrial Control Systems

by Leave a Comment

ENISA, the EU’s ‘cyber security agency, has recently issued the results of a study on Industrial Control Systems (ICS) security. The report describes the current situation on ICS security and proposes seven recommendations for improving it.

Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes. These systems are used for monitoring and controlling a variety of processes and operation, such as gas and electricity distribution, water, oil refining and railway transportation.

In the last decade, these systems have faced a notable number of incidents. These include the "Stuxnet" attack, which is believed to have used bespoke malware to target nuclear control systems in Iran, and the recent DuQu-‘upgraded variant’ of this malware. These incidents caused great security concerns among ICS users.

In 2011, ENISA has worked on the main concerns regarding ICS security, and national, pan European and international initiatives on ICS security. The stakeholders involved include ICS security tools and services providers, ICS software/hardware manufacturers, infrastructure operators, public bodies, standardisation bodies, academia and R&D.

This final report proposes seven practical, useful recommendations to public and private sector ICS-actors, as to improve current initiatives and enhance co-operation. The recommendations call for the creation of national and pan-European ICS security strategies, a Good Practice Guide on ICS security, research activities, the establishment of a common test bed and ICS-computer emergency response capabilities.

"Real security for Industrial Control Systems can be only achieved with a common effort, characterised by cooperation, knowledge exchange and mutual understanding of all  involved stakeholders," says Rafal Leszczyna, editor of the report.

Professor Udo Helmbrecht, Executive Director of ENISA added;

"Stuxnet brought the problem of security of industrial control systems to prominence. Our study clearly shows that there is still a lot to be done in this area by all relevant stakeholders. We hope that our seven recommendations will lead to significant improvement."

Read the full report here

First EU-report on Maritime Cyber Security

by Leave a Comment

ENISA has published the first EU report ever on cyber security challenges in the Maritime Sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. Finally, high-level recommendations are given for addressing these risks.

Cyber threats are a growing menace, spreading to all industry sectors that are relying on ICT systems. Recent deliberate disruptions of critical automation systems, such as Stuxnet, prove that cyber-attacks have a significant impact on critical infrastructures. Disruption of these ICT capabilities may have disastrous consequences for the EU Member States. governments and social wellbeing. The need to ensure ICT robustness against cyber-attacks is thus a key challenge at national and pan-European level.

Some key findings of the report;

  • Maritime cyber security awareness is currently low, to non-existent. Member States are thus highly recommended to undertake targeted maritime sector awareness raising campaigns and cyber security training of shipping companies, port authorities, national cyber security offices, etc.
  • Due to the high ICT complexity, it is major challenge to ensure adequate maritime cyber security. A common strategy and development of good practices for the technology development and implementation of ICT systems would therefore ensure .security by design. for all critical maritime ICT components.
  • As current maritime regulations and policies consider only physical aspects of security and safety, policy makers should add cyber security aspects to them.
  • We strongly recommend a holistic, risk-based approach; assessment of maritime specific cyber risks, as well as identification of all critical assets within this sector.
  • As maritime governance is fragmented between different levels (i.e. international, European, national), the International Maritime Organisation together with the EU Commission and the Member States should align international and EU policies in this sector.
  • Better information exchange and statistics on cyber security can help insurers to improve their actuarial models, reduce own risks, and thus offering better contractual insurance conditions for the maritime sector. Information exchange platforms, such as CPNI.NL, should be also considered and by Member States to better communications.

A study about the SQL injection attacks

by Leave a Comment

Imperva has released a report on the anatomy of the SQL injection attacks. Well, its not much about the anatomy, but more about how, from where and  when are the thing covered in this report.  The report is prepared after monitoring a set of 30 web applications over the last nine months. Key excerpt from the report is below.

    • SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
    • Attackers increasingly bypass simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.
    • Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
    • Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These .zombies. are used in an interchangeable manner in order to defeat black-listing defence mechanisms.
    • About 41% of all SQLi attacks originated from just 10 hosts. Again, we see a pattern where a small number of sources are responsible for a majority of attacks.

To better deal with the problem, enterprises should:

    • Detect SQL injection attack. Using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. Detecting SQLi must normalize the inspected input to avoid evasion attempts.
    • Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools.  Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.
    • Create and deploy a blacklist of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of host initiating SQLi is short, it is important to constantly update the list from various sources.

In this report, we discuss some of the most popular tools as we outline the challenge of . and solutions to . SQLi attacks targeting Web applications. The full report is available here for download.

Data Protection and the Cloud

by Leave a Comment

CA Technologies commissioned independent research in May 2011 to investigate the data protection and disaster recovery
(DR) policies of organisations in Europe and Asia Paci?c. This report highlights the key ?ndings across Europe and provides
insights into how these policies can be improved.

KEY FINDINGS

  • Organisations throughout Europe are starting to use cloud computing as a key component of their data protection plans.
    34% of organisations expect their use of cloud to increase as part of these plans over the next year.
  • Investment in data protection and DR continues to rise. 94% of organisations have at least sustained their investment
    budgets throughout the period 2010 to 2011 whilst 27% have increased investment.
  • Currently 31% of organisations in Europe have data residing in a private cloud, and 17% in a public cloud. 75% of those
    that use private cloud and 81% that use public cloud are con?dent that their data would be safe in the event of a disaster.
  • 94% of organisations surveyed have experienced application and data loss incidents over the last year. 70% of data loss is a
    result of IT systems failure e.g. hardware or network failure.
  • Just 26% of organisations in Europe have a comprehensive DR plan. 
  • Inadequate buy-in from senior management (48%) and lack of budget (39%) were cited as the main barriers to
    improvement of data protection and DR operations.

The full report can be downloaded from here