E2EE (End-To-End Encryption) is not a bad thing, but it does have its own set of risks. And it is those risks that do not get discussed that concern me. The reason for my concern is that if you discuss E2EE with any merchant, most see it as this panacea, something that will get them out of the PCI compliance game altogether. However, nothing could be further from the truth. If anything, E2EE may make PCI compliance even more daunting than it is today.
However, the end-point device that accepts the credit card is in scope! And it’s difficult to prove that the end point has not been tampered with.
Lightweight Portable Security (LPS), created by the USA’s Department of Defense, is a small Linux live CD focused on privacy and security. For that reason it boots from a CD and runs entirely from RAM, providing a web browser, a file manager and some interesting tools. LPS-Public turns an untrusted system into a trusted network client.
The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.
If you’ve been doing online banking on the same computer which you use for general browsing and social networking, you need to switch your banking activities to this.
During the last several years we have observed dramatic changes in the identity of attackers, their goals, and methods. Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.
The new dominant attack vector is at the application level. It starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s personal device, steals the person’s credentials, establishes a back-channel out to a controlling server, and, using the person’s credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the “Inside-Out” attack vector.
Here are my recommendations for mitigating these modern malware risks:
Reduce the enterprise’s attack surface by limiting the web-based applications to only those that are necessary to the enterprise and controlling who has access to those applications. This requires an application-based Positive Control Model at the firewall.
Deploy heuristic analysis coupled with sandbox technology to block the user from downloading malware.
Leverage web site reputation services and blacklists.
Deploy effective Intrusion Prevention functionality which is rapidly updated with new signatures.
Segment the enterprise’s internal network to:
Control users’ access to internal applications and data
Deny unknown applications
Limit the damage when a user or system is compromised
Provide remote and mobile users with the same control and protection as itemized above
Monitor the network security devices’ logs in real-time on a 24x7x365 basis
Full disclosure: For the last four years my company Cymbel has partnered with Palo Alto Networks to provide much of this functionality. For the real-time 24x7x365 log monitoring, we partner with Solutionary.
22 April 2011 · Extended Validation SSL Certificates still have a tiny market share · Tags: SSL Certificates
First, let me amend a comment I made in my last post, How is SSL hopelessly broken. I said that browsers need to alert users to which type of SSL certificate a web site is using. Actually, browsers do alert you when an Extended Validation (EV) certificate is being used by turning all or a portion of the displayed URL green. Here are PayPal examples using Firefox and Internet Explorer (via Netcraft):
However, the rest of my recommendation stands because the browsers do not provide any positive indicator for Organization Validated or Domain Validated certificates. I recommend yellow for DV and OV certs, indicating caution.
Second, Netcraft just published a survey showing that EV Certs represent only 2.3% of all sites tested. Of the 1,000 highest traffic sites, 81 accepted HTTPS and “nearly a third of these certificates used Extended Validation.”
The good news is that the use of EV certs is growing:
Excellent article discussing the flaws in SSL – mostly problems with Certificate Authorities. The comments are also worth reading.
However, the deeper problem is that most end users don’t understand the three types of certificates: Domain Validated, Organization Validated, and Extended Validation.
Browsers need to alert consumers to the three types and indicate the low level of trustworthiness of DV certs. Consumers would then begin to shy away from sites using DV certs, which would push web sites to use OV and EV certs. Without this, web sites are going to continue to use DV certs.
While this won’t solve all of the SSL problems Dan Goodin identified, I think it would be a big improvement.
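Browsers decide whether a certificate is DV, OV or EV from the policy OIDs in its certificatePolicies extension, which is the same signal the two posts above are asking them to surface for all three types. The following is an added example, not code from the original posts or from Cymbel: a standard-library-only DER walker that extracts those OIDs and maps them to a validation level. The CA/Browser Forum OIDs are real; the sample extension bytes and the 1.3.6.1.4.1.99999.1 policy OID are constructed for the example.

```python
# Added example (not from the original posts): classify an X.509 certificate as
# DV / OV / EV from the policy OIDs in its certificatePolicies extension.
# Uses only the standard library: a minimal DER walker over the extension value.

# CA/Browser Forum reserved policy OIDs (real values). Older EV certificates carry a
# CA-specific EV OID that browsers know from a built-in list; that case is not handled.
CABF_EV = "2.23.140.1.1"
CABF_OV = "2.23.140.1.2.2"
CABF_DV = "2.23.140.1.2.1"

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID content bytes into dotted notation (X.690 base-128 arcs)."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a DER certificatePolicies value."""
    _, seq, _ = _tlv(ext_value, 0)         # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _tlv(seq, pos)      # PolicyInformation SEQUENCE
        tag, oid, _ = _tlv(info, 0)        # policyIdentifier comes first;
        if tag == 0x06:                    # any policyQualifiers after it are skipped
            oids.append(decode_oid(oid))
    return oids

def validation_level(oids):
    """Map policy OIDs to the certificate type discussed in the post."""
    for level, oid in (("EV", CABF_EV), ("OV", CABF_OV), ("DV", CABF_DV)):
        if oid in oids:
            return level
    return "unknown"                       # unrecognised policy: treat as no better than DV

# Constructed samples: an EV extension with a CPS URI qualifier and a made-up CA policy
# OID (1.3.6.1.4.1.99999.1), and a bare DV extension.
SAMPLE_EV_POLICIES = bytes.fromhex(
    "303d302e060567810c0101302530230608"
    "2b06010505070201161768747470733a2f2f6578616d706c652e636f6d2f637073"
    "300b06092b06010401868d1f01")
SAMPLE_DV_POLICIES = bytes.fromhex("300a3008060667810c010201")
```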
Epsilon’s breach is the latest in a string of breaches at Email Service Providers (ESPs). The ESPs respond by saying it’s only email addresses. However, RSA’s latest update on its SecurID breach said it started with a spear phishing attack.
In 1980, Michael Porter published Competitive Strategy, explicating the five competitive forces that shape corporate strategy. This book is still a must-read, although it is not universally accepted as the definitive book on corporate strategy.
I recently came across this blog post from Harvard Business Review, IT in the Age of the Empowered Employee. The author, Ted Schadler, who recently co-authored a book entitled, Empowered, seems to have coined the term, “highly empowered and resourceful operatives (HEROes).” These people represent 20% of the employees in an organization who aggressively seek out information technology solutions on their own without the IT department’s support.
Schadler recommends that managers and IT support HEROes’ efforts:
What caught my eye of course is, “Provide tools to manage risk.” Yes, enable the use of Web 2.0 applications and social networking by mitigating the risks they create. Next Generation Firewalls come to mind.
BTW, in my experience I have seen the total cost of a SIEM project (hard plus soft costs) range from 10% of the SIEM license cost (for shelfware SIEM “deployments”) to a mind-boggling 20x the license cost.