Saturday, May 25, 2013
Securing big data: Architecture tips for building security within
Since “big data” is a hot topic these days, an increasing number of enterprise infosec teams are going to be asked about the security ramifications of big data projects. There are many issues to look into, but here are a few tips for building security into a big data effort during the architecture and implementation phases:
- Put data controls as close to the data as possible, because much of this data isn’t “owned” by the security team. The risk of big data traversing your network is that large amounts of confidential data (credit card numbers, Social Security numbers, other personally identifiable information (PII)) end up residing in new places and being used in new ways. You usually won’t see terabytes siphoned out of the organization; the more realistic worry is a query that searches these stores for patterns and pulls out just the sensitive records. Keep the security with the data itself and don’t rely on firewalls, IPS, DLP or other perimeter systems to protect it.
- Verify that sensitive fields really are protected, by encrypting them, so that when the data is analyzed, manipulated or sent to other parts of the organization the exposure is limited. All sensitive information needs to be encrypted once you have control over it, ideally at the point of ingestion, before it is replicated across the cluster.
- Once you’ve encrypted the data, the next logical step is key management. One newer approach is to derive keys on demand from a single master key plus some context about the data, so that per-field or per-record keys never have to be stored; only the master key then needs strong protection.
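As an added example (not code from the original post), here is what “keep the security with the data” and “create keys as needed” can look like in practice, in Go using only the standard library: each sensitive field is encrypted with AES-256-GCM under a key derived on demand from a master key plus the table, column and record it belongs to (HKDF, RFC 5869), and that same context is bound as associated data. The master key value, the table and column names, the record IDs and the function names (`ProtectField`, `RevealField`, `fieldKey`) are all assumptions for the demo; in a real deployment the master key comes from a KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// hkdf is RFC 5869 extract-then-expand over HMAC-SHA256, written out so the
// example needs nothing outside the standard library.
func hkdf(ikm, salt, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, block []byte
	for counter := byte(1); len(okm) < length; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(block)
		mac.Write(info)
		mac.Write([]byte{counter})
		block = mac.Sum(nil)
		okm = append(okm, block...)
	}
	return okm[:length]
}

// HKDFSelfTest checks hkdf against RFC 5869 test case 1.
func HKDFSelfTest() bool {
	ikm := bytes.Repeat([]byte{0x0b}, 22)
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	info, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	const want = "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
	return hex.EncodeToString(hkdf(ikm, salt, info, 42)) == want
}

// fieldKey derives the AES-256 key for one (table, column, record) on demand.
// Only the master key is ever stored; decryption re-derives the same key from
// the same context, so there is no per-record key store to protect or back up.
func fieldKey(master []byte, table, column, recordID string) []byte {
	info := []byte("field-key\x00" + table + "\x00" + column + "\x00" + recordID)
	return hkdf(master, []byte("field-encryption-v1"), info, 32)
}

func gcmFor(master []byte, table, column, recordID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fieldKey(master, table, column, recordID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectField encrypts one sensitive value. The context is also bound as
// associated data, which would still catch a misplaced ciphertext if keys
// were ever shared across records. Output layout: nonce || ciphertext || tag.
func ProtectField(master []byte, table, column, recordID, plaintext string) ([]byte, error) {
	gcm, err := gcmFor(master, table, column, recordID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(table + "/" + column + "/" + recordID)
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad), nil
}

// RevealField re-derives the key from the same context and authenticates
// the value before returning anything.
func RevealField(master []byte, table, column, recordID string, sealed []byte) (string, error) {
	gcm, err := gcmFor(master, table, column, recordID)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	aad := []byte(table + "/" + column + "/" + recordID)
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; use a KMS/HSM for real
	card := "4111111111111111"                           // constructed test card number
	sealed, err := ProtectField(master, "customers", "card_number", "cust-1001", card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored value: %s\n", hex.EncodeToString(sealed))
	pt, _ := RevealField(master, "customers", "card_number", "cust-1001", sealed)
	fmt.Println("same record decrypts:", pt == card)
	_, err = RevealField(master, "customers", "card_number", "cust-1002", sealed)
	fmt.Println("moved to another record:", err)
	fmt.Println("HKDF matches RFC 5869 vector:", HKDFSelfTest())
}
```

Because keys are re-derived rather than looked up, rotating the master key means re-encrypting the data, so version the derivation label (here `field-encryption-v1`) and keep the old master available until the rewrite finishes. The per-record derivation also keeps the number of GCM nonces used under any one key tiny, which is what you want with random 96-bit nonces.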
Friday, May 24, 2013
How to build C-level support for the benefits of penetration testing
Performing an external penetration test is extremely valuable. At the same time, it can be difficult to build C-level support for penetration testing, especially if the company hasn’t experienced a public breach.
Before trying to cross that chasm, it’s important to determine what type of external penetration test you’d like performed. For example, if you’re at an e-commerce company, I would favor a Web application assessment over a network assessment. If you’re at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you’ll most likely be able to leverage those regulations to get a penetration test against your infrastructure in order to meet compliance requirements. I’ve seen many security-related budget items pass simply because an auditor told the company it needed them to stay compliant. Pen tests are expensive, but they’re done by professionals in the field and count as an independent third-party view.
If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:
- Exposure Factor (EF): the percentage of an asset’s value that would be lost if a breach were realized against it.
- Single Loss Expectancy (SLE): the dollar loss from a single event, calculated by multiplying the asset’s value in dollars by the Exposure Factor.
- Annualized Rate of Occurrence (ARO): the estimated number of times per year the event or breach is expected to occur against the asset.
- Annualized Loss Expectancy (ALE): the expected loss per year, calculated as SLE multiplied by ARO. This is the number to set against the cost of the test (and of fixing what it finds).
Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.
Read the rest of my article here: http://searchsecurity.techtarget.com/answer/How-to-build-C-level-support-for-the-benefits-of-penetration-testing
Thursday, May 23, 2013
"Interview with a Blackhat" by Whitehat Security
This past week Whitehat Security, the leader in web application vulnerability assessment, released a series of interviews that their Director of Product Management (Richard Hansen) held with a self-professed blackhat. In this three-part series Richard Hansen and his blackhat interviewee help us get into the mind of the underground.
I found these interviews a fascinating insight into the psychology of the blackhat: why they do what they do, how they feel about fraud, the tools of the underground trade, and what security methods work and what doesn’t.
Please do yourself a favor and read the following three part series from Whitehat Security:
Tuesday, May 21, 2013
Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2
I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we started thinking in terms of “I’m already compromised,” the security and monitoring of our networks and systems would improve drastically. The original fear was of being hacked or compromised, but in reality it is happening every day while you’re on the clock. If you’ve ever had malware infect a workstation, you’ve been breached. That’s a small example, but it’s true. There are two types of security professionals:
- Those that know they’ve been breached.
- Those who’ve been breached, but don’t know it.
Log for Certain Alerts
There are certain alerts on your domain or network that you know right off the bat are bad news. These should be caught and notified on right away. Tools such as a SIEM will do this for you, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can set up similar alerts on the logs you already collect. Here are some examples:
- Set up an alert every time the membership of the Domain Admins group changes (on Windows domain controllers these are security events 4728 and 4729 for a global group such as Domain Admins, with 4732/4733 and 4756/4757 covering local and universal groups). If you’re a smaller company there should be a darn good reason this group just changed. One of the things an attacker wants is complete control, and if he’s already gotten this far it may be too late, but the alert might give you the time needed to shut things down and keep your data from leaving.
- Set up decoy accounts that you think attackers will try to access. An example is an account named “administrator” in Active Directory. I’m assuming and hoping that you’ve already renamed the original one (keep in mind that renaming only hides the name: the built-in account keeps its well-known relative identifier of 500, so a tool that enumerates by SID still finds it, but the decoy still catches anyone guessing the obvious name). On the decoy account set the lockout threshold very low and alert every time someone tries to log into it (failed logon event 4625 and lockout event 4740); nobody legitimate should ever use it, so a successful logon (4624) is a critical alert on its own. If an attacker is looking for low-hanging fruit, he’s going to tip you off right away.
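The two alerts above, as an added example in Go that is not from the original post: a small detector that reads Windows Security events forwarded as JSON lines (the field names follow the event’s EventData names; the sample lines are constructed for the example) and raises the Domain Admins change and decoy-account rules. Event IDs 4728/4729 (global group member added/removed), 4732/4733 and 4756/4757 (local and universal groups), 4624/4625 (logon success/failure) and 4740 (lockout) are the real Windows IDs; `Analyze`, `Alert` and the JSON layout are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the fields of a forwarded Windows Security event that the
// rules below need (names follow the event XML's EventData names).
type Event struct {
	EventID     int    `json:"EventID"`
	TargetUser  string `json:"TargetUserName"`
	TargetGroup string `json:"TargetGroup"`
	Member      string `json:"MemberName"`
	Subject     string `json:"SubjectUserName"`
	SourceIP    string `json:"IpAddress"`
}

type Alert struct {
	Severity string
	Reason   string
}

const (
	decoyAccount = "administrator" // the honeypot account from the post
	watchedGroup = "Domain Admins"
)

// Group-membership events: 4728/4732/4756 = member added to a security-enabled
// global/local/universal group, 4729/4733/4757 = member removed.
var groupChange = map[int]string{
	4728: "added to", 4732: "added to", 4756: "added to",
	4729: "removed from", 4733: "removed from", 4757: "removed from",
}

// Analyze runs the two rules from the post over JSON event lines and returns
// the alerts that would be raised; malformed lines are skipped, not fatal.
func Analyze(lines []string) []Alert {
	var alerts []Alert
	failedDecoy := map[string]int{} // failed decoy logons per source address
	for _, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		isDecoy := strings.EqualFold(ev.TargetUser, decoyAccount)
		switch {
		case groupChange[ev.EventID] != "" && strings.EqualFold(ev.TargetGroup, watchedGroup):
			alerts = append(alerts, Alert{"critical", fmt.Sprintf(
				"%s %s %s by %s", ev.Member, groupChange[ev.EventID], watchedGroup, ev.Subject)})
		case ev.EventID == 4624 && isDecoy: // nobody legitimate uses the decoy
			alerts = append(alerts, Alert{"critical", "successful logon to decoy account from " + ev.SourceIP})
		case ev.EventID == 4625 && isDecoy:
			failedDecoy[ev.SourceIP]++
			alerts = append(alerts, Alert{"high", fmt.Sprintf(
				"failed logon to decoy account from %s (%d so far)", ev.SourceIP, failedDecoy[ev.SourceIP])})
		case ev.EventID == 4740 && isDecoy:
			alerts = append(alerts, Alert{"high", "decoy account locked out (low threshold tripped)"})
		}
	}
	return alerts
}

// sampleEvents are constructed for this example; they are not real logs.
var sampleEvents = []string{
	`{"EventID":4624,"TargetUserName":"jdoe","IpAddress":"10.0.0.21"}`,
	`{"EventID":4728,"TargetGroup":"Domain Admins","MemberName":"CN=svc-backup,CN=Users,DC=corp,DC=example","SubjectUserName":"helpdesk1"}`,
	`{"EventID":4625,"TargetUserName":"administrator","IpAddress":"10.0.0.5"}`,
	`{"EventID":4625,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}`,
	`{"EventID":4740,"TargetUserName":"administrator","IpAddress":"10.0.0.5"}`,
	`{"EventID":4625,"TargetUserName":"jdoe","IpAddress":"10.0.0.21"}`,
	`{"EventID":4728,"TargetGroup":"Sales","MemberName":"CN=asmith,CN=Users,DC=corp,DC=example","SubjectUserName":"helpdesk1"}`,
	`not json at all`,
}

func main() {
	for _, a := range Analyze(sampleEvents) {
		fmt.Printf("[%s] %s\n", strings.ToUpper(a.Severity), a.Reason)
	}
}
```

Over the sample, the ordinary logons and the Sales group change stay silent while the Domain Admins change, both guesses at the decoy and its lockout come out as alerts; the user-name comparison is case-insensitive because Windows account names are.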
Network perimeter security: How to audit remote access services
There are a few ways to audit your domain for Internet-facing remote access services. If you’re looking to audit your network perimeter with free tools, something like Nmap is the way to go. Do your research before firing away at your perimeter with a port scanner, though: you don’t want to inadvertently create a denial of service by pummeling the network with port scans (and obviously make sure you have permission from your superiors first). Also, when using Nmap, fingerprint the open ports you find to determine what’s running behind them. The Nmap -sV option (service and version detection) will often show you the application listening on a port. This comes in handy when someone is running software on a non-standard port to get out through your firewall.
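Here is an added example (not from the original article) of what to do with the scan output: a Go parser for Nmap’s grepable format (-oG) that pulls out every open port whose fingerprinted service is a remote-access protocol and flags those on a non-standard port. The scan itself, which the program does not run, would be something like `nmap -sS -sV -p- --max-rate 100 -oG perimeter.gnmap 203.0.113.0/28`, with --max-rate keeping the scanner from pummeling the perimeter. The sample output, the host names and addresses (documentation range 203.0.113.0/24) and the service-to-port table are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one open remote-access service seen on the perimeter.
type Finding struct {
	Host, Port, Service, Version string
	NonStandardPort              bool
}

// Remote-access services worth a hard look when they face the Internet, with
// the port each normally uses; a match on any other port is flagged because
// that is how RDP or SSH gets slipped out through a permissive firewall.
var remoteAccess = map[string]string{
	"ssh": "22", "telnet": "23", "ms-wbt-server": "3389", "vnc": "5900",
	"pptp": "1723", "openvpn": "1194", "rlogin": "513", "x11": "6000",
}

// ParseGrepable reads nmap -oG output. A host line holds tab-separated fields;
// the "Ports:" field lists entries of the form
//   port/state/protocol/owner/service/rpcinfo/version/
// (nmap rewrites any '/' inside the version text as '|', so a plain split works).
func ParseGrepable(output string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(output, "\n") {
		if !strings.HasPrefix(line, "Host: ") {
			continue
		}
		host := strings.Fields(line)[1]
		for _, field := range strings.Split(line, "\t") {
			if !strings.HasPrefix(field, "Ports: ") {
				continue
			}
			for _, entry := range strings.Split(strings.TrimPrefix(field, "Ports: "), ", ") {
				p := strings.Split(entry, "/")
				if len(p) < 7 || p[1] != "open" {
					continue
				}
				if std, ok := remoteAccess[p[4]]; ok {
					findings = append(findings, Finding{
						Host: host, Port: p[0], Service: p[4], Version: p[6],
						NonStandardPort: p[0] != std,
					})
				}
			}
		}
	}
	return findings
}

// sampleScan is constructed to look like -oG output from
//   nmap -sS -sV -p- --max-rate 100 -oG perimeter.gnmap 203.0.113.0/28
var sampleScan = strings.Join([]string{
	"# Nmap 6.25 scan initiated as: nmap -sS -sV -p- --max-rate 100 -oG perimeter.gnmap 203.0.113.0/28",
	"Host: 203.0.113.10 (www.example.com)\tStatus: Up",
	"Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 6.2 (protocol 2.0)/, 443/open/tcp//ssl|http//nginx 1.4.1/\tIgnored State: filtered (65533)",
	"Host: 203.0.113.11 (vpn.example.com)\tPorts: 1723/open/tcp//pptp//Microsoft/, 8443/open/tcp//ms-wbt-server//Microsoft Terminal Service/, 25/filtered/tcp//smtp///\tIgnored State: closed (65532)",
	"# Nmap done -- 16 IP addresses (2 hosts up) scanned",
}, "\n")

func main() {
	for _, f := range ParseGrepable(sampleScan) {
		note := ""
		if f.NonStandardPort {
			note = "  <-- non-standard port for " + f.Service + ", expected " + remoteAccess[f.Service]
		}
		fmt.Printf("%s %s/%s %s%s\n", f.Host, f.Port, f.Service, f.Version, note)
	}
}
```

The RDP service on 8443 is the case the article describes: without -sV it would pass as just another HTTPS port, and without the expected-port table it would pass as just another RDP host.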
Another tool recommended for auditing remote access services is Nessus. It has multiple plug-ins that scan your ports and determine whether particular remote access services are running. Unlike Nmap, Nessus will also tell you whether a particular vulnerability could allow unintended remote access into your organization: Nessus looks for vulnerabilities, whereas Nmap gives you hard facts about what’s listening in your environment. There are many other tools that could be used, but these two are common; Nmap is free, and Nessus has a no-cost edition for home use (commercial use is licensed).
Another way to prevent rogue services from accepting connections is to lock down what’s allowed to leave your organization. Many people still don’t perform egress filtering on their firewalls, yet it’s a common way to stop botnets, misconfigurations and malicious insiders from opening remote connections back into your network (a reverse shell or VPN client that dials out is the classic example). Also, inspecting the traffic that is allowed out with an IPS or next-generation firewall (NGFW) lets you catch malicious use of permitted ports: attackers routinely tunnel over normally open ports such as 80 and 443 to move data out of your network without you noticing.
Read the rest of the article here: http://searchsecurity.techtarget.com/answer/Network-perimeter-security-How-to-audit-remote-access-services
Monday, May 13, 2013
How Facebook Updates Would Look in Real Life [Funny]
If we all thought of privacy like this we'd be a little more cautious on social media sites. Very funny.
Sunday, May 12, 2013
Two-Factor Authentication for Social Media Sites
Over the past couple of weeks there’s been a lot of talk about social media accounts being compromised and the legal aspects of a company having its accounts taken over. I for one don’t think there needs to be regulation on how companies secure their social media accounts. More regulation doesn’t guarantee better security. Ever.
With that said, we need to look at how easy it is for an attacker to compromise social media credentials (keyloggers, malware, XSS, phishing, etc.). I read a stat today claiming that if you’ve had a social media account for longer than five years there’s a 50% chance your credentials have been compromised. That’s a scary statistic.
One way to limit the risk of social media accounts being compromised is two-factor authentication. Two-factor authentication combines something you know (your password) with something you have (a token of some sort) at login, so if an attacker steals your password it’s unlikely they’ll also have your token. Tokens can be generated by many systems, but for social media we’ll use the free Google Authenticator app.
Google Authenticator is a free app that implements the Time-based One-Time Password (TOTP) algorithm (RFC 6238): it generates six-digit codes from a secret seed you enrol once (usually by scanning a QR code) and the current time, and you type the code into any site that supports the standard as a second factor. Sites and software that work with Google Authenticator include Dropbox.com, Facebook.com, Google Apps, WordPress, Microsoft and more; the list goes on. It isn’t a silver bullet for securing logins: the seed is a shared secret the site also holds, and a real-time phishing page can relay a code within its 30-second window, but it does mean a stolen password alone is no longer enough.
After seeing the mini market crash caused by the compromise of the Associated Press’s (AP) Twitter account, I started thinking about ways to secure social media accounts in an enterprise and was reminded that this technology is available on multiple sites (like Facebook), but that Twitter was still behind the eight ball on this feature. I’m sure the roughly $136 billion the market briefly lost has pushed this Twitter feature to the top of QA’s list.
So if you’re using social media in any way, especially from a corporate standpoint, I’d highly recommend setting up two-factor authentication with Google Authenticator (details can be found here), unless you’re on Twitter, in which case you’ll have to wait with the rest of us.
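Google Authenticator’s codes are plain RFC 6238 TOTP, which means a site can verify them with a few lines of code. As an added example (not from the original post), this Go program decodes an enrolment seed, generates the current six-digit code, and checks a submitted code with a one-step clock-skew window using a constant-time comparison. The seed shown is constructed from the RFC’s published test key; the function names and the 30-second/6-digit parameters are the common defaults, not something the post specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeSecret turns the base32 seed shown at enrolment (often grouped with
// spaces and without '=' padding) into the raw HMAC key.
func DecodeSecret(seed string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(seed, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with counter = floor(unixTime / step).
func TOTP(key []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(key, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// Verify accepts a code from the current step or up to `skew` steps either
// side (phone clock drift), comparing each candidate in constant time.
func Verify(key []byte, code string, now time.Time, step time.Duration, digits, skew int) bool {
	counter := now.Unix() / int64(step/time.Second)
	for d := -skew; d <= skew; d++ {
		c := counter + int64(d)
		if c < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(key, uint64(c), digits)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed enrolment seed: base32 of the RFC 6238 test key "12345678901234567890".
	key, err := DecodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code := TOTP(key, now, 30*time.Second, 6)
	fmt.Println("current code:", code, "verifies:", Verify(key, code, now, 30*time.Second, 6, 1))
	// RFC 6238 test vector: time 59 with 8 digits must give 94287082.
	fmt.Println("RFC 6238 vector:", TOTP(key, time.Unix(59, 0), 30*time.Second, 8))
}
```

Two things the code leaves to the server: remember the last counter a code was accepted for and refuse that code again (a replayed code is otherwise valid for the rest of the window), and rate-limit attempts, since a six-digit code has only a million possibilities. It also makes the limitation concrete: the server stores the same seed the phone holds, so a breach of that database hands over the second factor too.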
Thursday, May 9, 2013
8 charged in $45 million cybertheft bank heist
In one of the largest bank robberies ever committed, all without ski masks, weapons or thugs, eight people have been charged in the $45 million cyber heist that crossed the globe and startled the financial sector.
Read more about this coordinated cyber robbery here:
- http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html
- http://www.nytimes.com/interactive/2013/05/10/nyregion/new-york-city-bank-cyberattack-map.html?ref=nyregion
- http://money.cnn.com/2013/05/09/technology/security/cyber-bank-heist/
- http://www.darkreading.com/attacks-breaches/8-new-yorkers-indicted-as-part-of-45-mil/240154595
- http://www.watoday.com.au/technology/technology-news/massive-21stcentury-bank-heist-cyber-thieves-steal-4447m-20130510-2jbf1.html
NSA's Manual on Hacking the Internet
So it seems the NSA has literally written the book on how to perform reconnaissance on the internet. You can read its 643-page “Untangling the Web: A Guide to Internet Research” and see the steps the government uses to search the web. There are some very interesting methods it focuses on when using Google; nothing new, but still enlightening.
Download the book here.
Sunday, May 5, 2013
iFrame drive-by attack demo [Anatomy of Attack online]
Great educational video by Sophos on how iFrames are being used for attack. These attacks have exploded in popularity over the past couple of months. Microsoft’s Security Intelligence Report, released a few weeks ago, describes iFrame drive-by attacks this way:
Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12.
Take a look at this video and become more aware of this growing threat vector.
Wednesday, May 1, 2013
The PR Implications Of Cyber Security
Here's a great new article by SteamFeed on the unforeseen consequences of a security breach. Jayme Soulati gives sound advice on how to prepare and manage a breach from a PR perspective.
Here are a few suggestions (read the entire blog post here):
Tips to Insulate Before A PR Crisis
1. A crisis communications plan has always been a necessity for companies. When was the last time it was dusted off and reviewed for cyber security?
2. PR needs to be involved during corporate crisis at all times; a company in crisis needs outward-thinking experts who put the customer top of mind.
3. While strategists are monitoring the situation moment to moment, the PR team needs to be preparing statements for media and customers in parallel.
4. Twice a year, the entire marketing team along with IT should meet for a dry run to determine the chain of events should a cyber attack occur in a company. In this case, “cyber attack” can also include the swiping of credit information and personal data; if it’s electronic information, then it’s a breach of cyber security.
5. Annually, meet with the C-suite to review the cyber crisis plan and ensure everyone is on board and ready to hit send when and if a crisis occurs.