Micheal Berman, the CTO of Catbird, summarizes his cloud provider requirements. For security, he is looking for:
Auditing: network and management
Control: policy and assurance
Metrics: continuous and interoperable
Are these capabilities to be provided by the cloud provider or should the enterprise adopt a solution it can use across multiple cloud providers? What about compatibility with private cloud deployments?
Insightful post by Lenny Zeltser regarding teenagers and adults sharing sharing accounts. i.e. sharing passwords.
Of course, those of us in security find this horrifying. Teenagers see this as a way of expressing affection. Adults in business do this to expedite accomplishing goals.
Can Security Awareness Training effectively communicate the risks of this behavior?
Insightful article on PCI DSS requirement 3.6 – encryption key management, which is very complex when done manually. If you doubt it, read this article.
The PCIGuru also points out that “… for users of PGP or hardware security module (HSM), you will have no problem complying with the sub-requirements of 3.6.”
Insightful post highlighting the difference between threat and risk.
Let us now turn that around and consider *threat modelling*. By its nature, threat modelling only deals with threats and not risks and it cannot therefore reach out to its users on a direct, harmful level. Threat modelling is by definition limited to theoretical, abstract concerns. It stops before it gets practical, real, personal.
Risks are where harm is done to users. Risk modelling therefore is the only standard of interest to users.
The subject of Information Security and its risks to the enterprise is becoming more mainstream. Last week, the World Economic Forum called out Cyber Attacks as a top risk. Today both the Wall St. Journal and the New York Times have significant information security articles:
18. January 2012 · Comments Off on CloudFlare vs Incapsula vs ModSecurity · Categories: Slides
How much protection can a Web Application Firewall provide? Are all WAFs pretty much the same? Zero Science Lab performed a detailed comparative penetration testing analysis to answer these questions. They focused on the two leading cloud-based WAFs, CloudFlare and Incapsula, and ModSecurity, the open-source, software based WAF that is an Apache add-on. The results may surprise you because of the huge disparity in effectiveness between the two cloud-based services.
If you would like a copy of this white paper, please fill out the form on the right side of this page.
John Kindervag, a principal analyst at Forrester, has developed an interesting approach to securing the extended enterprise. He calls it the Zero Trust Model which he describes in this article: Adopt Zero Trust to help secure the extended enterprise.
First, let me say I am not connected to Forrester in any way. I am connected to John Kindervag on LinkedIn based on a relationship from a prior company.
Second, the Zero Trust Model rings true for me in that the incident data available for review shows that we must assume that prevention controls can never be perfect. We must assume that (1) devices will be compromised including user authentication credentials and (2) some users interacting with systems will behave badly either accidentally or on purpose.
John uses the term Extended Enterprise to refer to an organization’s functional network which extends to (1) remote and mobile employees and contractors connecting via smartphones and tablets as well as laptops, and (2) business partners.
The Zero Trust Model of information security simplifies how information security is conceptualized by assuming there are no longer “trusted” interfaces, applications, traffic, networks or users. It takes the old model — “trust but verify” — and inverts it, since recent breaches have proven when an organization trusts, it doesn’t verify.
Here are the three basic ideas behind the Zero Trust Model:
Ensure all resources are accessed securely – regardless of location
Adopt the principle of least privilege, and strictly enforce access control
Inspect and log all traffic
Here are Kindervag’s (Forrester) top recommendations:
Conduct a data discovery and classification project
Embrace encryption
Deploy NAV (Network Analysis & Visibility) tools to watch dataflows and user behavior
Begin designing a zero-trust network
The article provides some detail on each of these key ideas and recommendations.
The report divides risks into five categories – Economic, Environmental, Geopolitical, Societal, and Technological. What I also found interesting is that within the Technological category, Cyber attacks scores highest as a function of likelihood and impact. See the chart below:
The report further defines “connectivity” as one of the “Three distinct constellations of risks that present a very serious threat to our future prosperity and security…” The report then goes on to identify the three types of objectives of cyber attacks using physical world “military strategy” and “intelligence analysis” analogies: sabotage, espionage, and subversion. Here are the examples they provide:
Sabotage
Users may not realize when data has been maliciously, surreptitiously modified and make decisions based on the altered data. In the case of advanced military control systems, effects could be catastrophic.
National critical infrastructures are increasingly connected to the Internet, often using bandwidth leased from private companies, outside of government protection and oversight.
Espionage
Sufficiently skilled hackers can steal vast quantities of information remotely, including highly sensitive corporate, political and military communications.
Subversion
The Internet can spread false information as easily as true. This can be achieved by hacking websites or by simply designing misinformation that spreads virally.
Denial-of-service attacks can prevent people from accessing data, most commonly by using “botnets” to drown the target in requests for data, which leaves no spare capacity to respond to legitimate users.
These do not map easily into our traditional method of categorizing threats as risks to confidentiality, integrity, and availability of information but may be useful because what’s really important is the focus on adversaries and the actions they take to threaten the confidentiality, integrity, and availability of our cyber assets.
Of course we need to focus on assets in the sense that we have to “harden” them to reduce the likelihood of a successful attack. But we cannot stop there due to the following.
The Connectivity case provides two axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.
If these axioms are true, then we must go beyond hardening assets. We must also invest in technical controls that can detect obviously negative and anomalous behavior of assets.