CISO

Enterprise Information Security

Cloud Computing = Low cost? Check again.

by Leave a Comment

It is been considered that the cloud computing solutions reduces the cost of computing resources as far as organization is concerned. However, a recent white paper from ISACA indicates that the true cost of cloud computing may be higher than earlier thought values. In the white paper titled .Calculating Cloud ROI : From the Customer Perspective. ISACA provides a detailed framework on how the cost of cloud computing operations shall be assessed for a better understanding towards calculating the ROI of cloud computing

It explains .The acceptance at lightning speed may be attributed to its appeal as a low cost-of-entry and rapid return on investment (ROI) solution. This view, however, may only consider the immediate costs of contracting and migrating to the cloud and fails to consider the long-term costs of operating in the cloud and, worse, the hidden costs that could minimize the expected return. To add to the complexity, cloud computing encompasses a variety of service delivery and deployment models, ranging from public and community to hybrid and private clouds. These services are offered by a variety of providers, each with different solutions and pricing models.

The estimated costs section of the white paper gives some interesting insights of the hidden costs, which should be considered for calculating the ROI.

  • Cost of rebuilding the infrastructure back in your data centre for business / regulatory reasons.
  • Flexibility of the systems
  • Lock-in requirements of the contract and possible unsatisfactory service
  • Loss of internal IT Skills 
  • Risk management costs

It is an interesting white paper, if you are considering cloud based solutions for your business. You can download the article from here

Malware attack at Saudi Aramco

by Leave a Comment

In the recent past, Middle Eastern companies are becoming a frequent target of attackers. Malware attack at the Saudi Aramco oil company is the latest in these series. News sources confirms that a malware infection at Saudi Aramco user workstations; however, the core production network is said to be not affected with this attack.

.The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.. as per company statement

As an immediate incident response, the networks are isolated. .On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network,. the company wrote in its statement.

.Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company.s production operations,. the statement said.

.The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems."

The attack vector is yet to be disclosed by the authorities as well as the malware details.

It is high time for the countries in GCC to form a protection and information sharing network to have better coordination and response.

Critical Infrastructure system security in India

by Leave a Comment

The recent power outage in the northern parts of India was part of a grid failure. However, it could have been a result of security failure as well. The security of these installations is considerably weak and such an attack would be hitting a much larger number of people across the country.

It is high time for India to build the cyber security framework for the protection of its critical systems. it is understood that such a move is happening under the leadership of the National Security Advisor, Mr. Shivshankar Menon.

It is an important responsibility of the Indian government to provide adequate funding, resources and training for these resources on priority. The focus of the cyber security strategy should be on detecting and preventing the attacks as well as building up the capability to retaliate if needed.

Assessing the impact of the recent malware infections such as stuxnet, it is said to have infected at least 50000 computers in India, our government shall speed up the implementation of cyber defence strategies for the protection of critical systems.

In your views what are the weakest points of cyber security framework in India?

Cloud Computing and Enterprise risk management

by Leave a Comment

The number of organizations adopting clouding computing increases day by day. The COSO has published a thought paper on Enterprise Risk Management for Cloud Computing. In this paper, it provide guidelines on using the COSO Enterprise Risk Management . Integrated Framework for performing the assessment of risks from the cloud computing solutions.

Over 8 chapters, it details the opportunities and risks of cloud computing, how it changes the business environment, approaching the enterprise risk management (ERM) in cloud computing environment, recommendations on risk responses and what are the considerations for board oversight, management decisions etc..

The intent of this publication is to leverage the principles of COSO.s Enterprise Risk Management . Integrated Framework in order to provide guidelines that will identify succinctly the risks and impact cloud computing will have on an organization. The more educated executives become about the risks and benefits of cloud computing, the more effectively they will be able to prepare their organizations for the future. The guidance presented here will enable executives to identify, monitor, and mitigate or accept the risks that come with using cloud computing.

Download the COSO paper from here

Backtrack 5 R3 is available for download

by Leave a Comment

Backtrack developers had released a new version of the backtrack penetration testing live CD / VMware version yesterday.

This version adds a number of tools in addition to the bugfixes, several of which were released in BlackHat and Defcon 2012.

A whole new tool category was populated . .Physical Exploitation., which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection. Backtrack shall be used for penetration testing and ethical hacking only.

NIST Computer Security Incident Handling Guide

by Leave a Comment

NIST has published the final version of their guide on Computer Security Incident Handling. This guide is built based on the best practices adopted by governments, other non-commercial organizations and business organizations. This version emphasise the importance of coordination and information sharing between interested parties.

This guide provides a step by step instruction for incident response teams, whether it is new or well-established, to create a proper policy and plan as well as a incident response team.

The Computer Security Incident Handling Guide (NIST Special Publication 800-61, Rev. 2) is available at www.nist.gov/customcf/get_pdf.cfm?pub_id=911736

Flame. the 3rd known cyber weapon grade malware

by Leave a Comment

Kaspersky Labs announced its new finding on the cyber warfare space, FLAME, indicating that the cyberwar landscape is taking new dimensions. The new malware named Flame is located in the Middle Eastern region primarily Iran. The below image from Kaspersky blog indicates the detected Flame malware infections.

From the above, it may give a wrong impression that the infection rate is minimal. The above map indicates the detection only by Kaspersky, the infection rate would be 10 times higher than what we are seeing above. Still, considering a malware infection rate, it is minimal. So why we should worry about it? .

The key reason to worry about this malware includes:

  • Capability of information gathering using various mechanisms such as audio recording using the microphone, screen captures of interesting applications such as IM.s etc.
  • It has a command and control center thru which master-slave communication happens. Using this C&C center, a massive strike can be organized without much efforts.
  • The full impact of this malware is yet to be identified

The Flame Questions and Answers is a good post to give detailed information about the malware

Free Firewall from Checkpoint

by 1 Comment

Checkpoint is getting into the Free Antivirus game by offering its ZoneAlarm antivirus software as a free consumer product for the first time, adding the company’s no-cost firewall to the bundle to offer all-in-one PC protection. The following features are built into the Free Antivirus. Checkout here to see more details

Antivirus/Anti-Spyware Engine

Detects and blocks viruses, spyware, Trojan horses, worms, bots, and rootkits.

Two-Way Firewall

Makes your PC invisible to hackers and stops spyware from sending your data out to the Internet.

Advanced Firewall

Monitors programs for suspicious behaviour spotting and stopping new attacks that bypass traditional anti-virus protection.

Anti-Phishing/Site Status Toolbar

Blocks phishers and authenticates websites, and warns you if a Web site is dangerous.

Advanced Download Protection

Warns you if you try to download a dangerous program.

Identity Protection

Monitors your credit and alerts you of changes in your credit files.

Parental Controls . Not available in free version

Filters and blocks inappropriate websites and limits time spent online.

Support . Not available in free version

Customer service and technical support available 24/7 via live chat.

Virtual Browsing . Not available in free version

Frees you to surf the web protected from drive-by downloads and browser exploits.

PC Tune-up . Not available in free version

Optimizes your PC for faster speed and higher performance.

Automatic Antivirus signature updates . Every 24 hours

Based on hourly frequency. Plus unlimited real-time manual updates.

Dual Control or Segregation of Duties?

by 1 Comment

Many information security professionals, event at the senior level roles, are still getting the internal control mechanisms such as Dual Control and Segregation of duties wrong. I often see that they are confused between the concepts of Dual Control and Segregation of Duties. Both these controls are applied to prevent or reduce fraud but are slightly different in its objectives

FFIEC guidance on application access: Effective application access control can enforce both segregation of duties and dual control. (pg. 48)

ISO 27002   10.1.3  Segregation of Duties:  Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from it authorization. The possibility of collusion should be considered in designing the controls.

Segregation of Duties

Segregation of Duties address the splitting of various functions with in a process to different users so that it will not create an opportunity for a single user to perform conflicting tasks. The participation of two or more persons in a transaction creates a system of checks and balances and reduces the possibility of fraud considerably. So it is important for an organization to ensure that all tasks within a process has adequate separation.

Let us look at some use cases of segregation of duties

  • A person handling cash should not post to the accounting records
  • A loan officer should not disburse loan proceeds for loans they approved
  • Those who have authority to sign cheques should not reconcile the bank accounts
  • The credit card printing personal should not print the credit card PINs
  • Customer address changes must be verified by a second employee before the change
    can be activated.

In situations where the separation of duties are not possible, because of lack of staff, the senior management should set up additional measure to offset the lack of adequate controls.

To summarise, Segregation of Duties is about Separating the conflicting duties to reduce fraud in an end to end function.

Dual Control or Split Knowledge

Dual control enforces the concept of keeping a duo responsible for an activity. It requires more than one employee available to perform a task. It utilizes two or more separate entities (usually persons),
operating together, to protect sensitive functions or information. Whenever the dual control feature is limited to .something you know., it is often called split knowledge (such as part of the password, cryptographic keys etc.) This is typically used in high value transactions / activities (as per the organizations risk appetite) such as:

  • Approving a high value transaction using a special user account, where the password of this user account is split into two and managed by two different staff. Both staff should be present to enter the password for a high value transaction. This is often combined with the separation of duties principle. In this case, the posting of the transaction would have been performed by another staff. This leads to a situation where collusion of at least 3 people are required to make a fraud transaction which is of high value
  • Payment Card and PIN printing is separated by SOD principles. Now the organization can even enhance the control mechanism by implementing dual control / split knowledge. The card printing activity can be modified to require two staff to key in the passwords for initiating the printing process. Similarly, PIN printing authentication can also be made to be implemented with dual control. Many Host Security modules (HSM) comes with built in controls for dual controls where physical keys are required to initiate the PIN printing process.
  • Managing encryption keys is another key area where dual control / split knowledge to be implemented.

PCI DSS defines Dual Control as below. This is more from a cryptographic perspective, still useful

Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge).

Split knowledge: Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.

It is key for information security professionals to understand the differences between Dual Control and Separation of Duties. Both complement each other, but are not the same.

Why we need Web application Security

by Leave a Comment

In the initial days, attacks were focused on the network and operating system vulnerabilities. We have seen many such attacks resulting in network unavailability, information disclosure, denial of service etc… However, such attacks were not providing much direct financial advantage for the attackers.

Now, the trend has changed and most of the attacks are focused on the web applications. Here are my thoughts on why there is an increase in the web application attacks and why we need to improve the web application security posture.

Challenges

  1. “Network or operating system” software attacks are becoming difficult. The number of exploitable vulnerabilities at this layer are getting reduced to a great extent. Most of these software vendors deploy rigorous testing process to identify most of the vulnerabilities even before the release of the software. Once the software is released, these vendors release security fixes for any vulnerabilities detected or reported within an acceptable timeframe. This reduces the possibility of vulnerabilities kept unaddressed from the operating system vendors. Additionally, implementation of security controls such as segmentation using Firewalls, better patch management, controlled network access etc are making it difficult for an attacker to perform effective penetration.
  2. Less organized web application developments: While the operating system software are developed by well known software vendors; the applications, specifically web applications are developed by not so well known vendors. Considering the uniqueness of the web applications, less focus, in terms of security, is given to the web applications. Not every web application development company has a solid security testing team and thus may not undergo proper security reviews of the application, also not to forget the freelance web developers sourced over the web. Additionally, the budgetary constrains of a web application development project also makes it difficult to ensure the security aspects of the web application.
  3. Bug reporting issues: In case of widely used software’s, such as operating systems and some application frameworks, security researchers and end users have mechanisms and interest to report vulnerabilities. However; when it comes to web applications since most of them are custom built, not many security researchers take interest in finding vulnerabilities and/or reporting them to the companies. Most of the time, these vulnerabilities on the web applications are detected and exploited by the hackers. Often the businesses come to know about these vulnerabilities only after a compromise
  4. Financial benefits for the hackers: Compromising a web application gives better financial benefit for an attacker. Compromising a card database or e-commerce application gives a financial opportunity and is a major incentive.
  5. Less effort to exploit web applications: Hackers consider exploiting a web application is easier than exploiting an underlying operating system. In addition, exploiting a web application gives higher incentives for an attacker.

“A vulnerability in a network will allow a malicious user to exploit a host or an application. A vulnerability in a host will allow a malicious user to exploit a network or an application. A vulnerability in an application will allow a malicious user to exploit a network or a host.” Carlos Lyons, Corporate Security, Microsoft

Some controls

So, now it is evident that the need for web application security is increasing and requires high attention in the changing world. Some of the key controls to be looked into includes the following:

  • Secure application development: Application development should undergo secure development process. OWASP top 10 is a very good resource on top web application vulnerabilities and on how to mitigate those vulnerabilities. SDL from Microsoft is a popular security development lifecycle process which can be employed for this purpose.
  • Application security assessments: Periodic application security assessments of various types (Whitehat, Greyhat, Blackhat etc…) should be employed to assess the vulnerabilities. Penetration testing is another way of performing security assessments.
  • Deploying Web application firewall: Like network firewalls, organizations should consider the deployment of web application firewalls, which are primarily focused on protecting the web application attacks.
  • Monitoring: Monitoring the logs of web servers, related database servers are key for detecting any potential web attacks. In many cases, such as the ones at Sony, the attacks are detected after several months and thus effective defence could not be established to protect the information. Having an effective monitoring and incident response function is a key for any organization
  • Patch management agreements with vendors: Have contractual agreements with your vendors covering an SLA for security patches.

To build secure Web applications, a holistic approach to application security is required and security must be applied at all three layers.

Image from Microsoft

Summary

To summarize, number of application layer attacks are increasing, they bypass the network firewalls and get into your network or databases through the web front door using HTTP or HTTPS (HTTPS makes it more difficult to detect). Conventional security controls such as firewalls and access controls are not sufficient for preventing these attacks. Securing your application involves applying security at three layers: the network layer, host layer, and the application layer. Additionally, your applications must be designed and built using secure design and development guidelines following timeworn security principles