0 оценок0% нашли этот документ полезным (0 голосов)
153 просмотров59 страниц
This issue cover story is related to Cloud Computing security which seems to be a hot and important topic lately. The subscription cost is $15 per issue. Everybody interested in the Enterprise IT Security feld would fnd out that our publication is worth the price.
This issue cover story is related to Cloud Computing security which seems to be a hot and important topic lately. The subscription cost is $15 per issue. Everybody interested in the Enterprise IT Security feld would fnd out that our publication is worth the price.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате PDF, TXT или читайте онлайн в Scribd
This issue cover story is related to Cloud Computing security which seems to be a hot and important topic lately. The subscription cost is $15 per issue. Everybody interested in the Enterprise IT Security feld would fnd out that our publication is worth the price.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате PDF, TXT или читайте онлайн в Scribd
We are proud to introduce the May issue of Enterprise
IT Security magazine! This issue cover story is related to Cloud Computing security which seems to be a hot and important topic lately. Best practices of using cloud environment are presen- ted in the article by Chris Poulin on pages 6-8. It is essential to understand what Cloud Computing really is and how does it work. Its main ideas and featu- res are described by Gary S. Miliefsky on pages 10-12. After familiarizing with those two articles, we can move forward to Ajay Porus article on pages 14-15 in order to get to know how does the cloud afect security. We also recommend further articles written by profes- sionals in IT security feld. I hope that you will fnd the articles presented in this issue useful and that you will spend some pleasant time reading Enterprise IT Secu- rity magazine. We put a great efort into this magazine collecting the best articles for our readers. We hope you apprecia- te the content of Enterprise IT Security magazine. In order to keep on developing the magazine has to be paid. The subscription cost is $15 per issue. Everybody interested in the enterprise IT security feld would fnd out that our publication is worth the price. You are welcome to contact us with your feedback. Enjoy reading! Best regards, ukasz Koka Publisher: Pawe Marciniak Editor in Chief: Ewa Dudzic ewa.dudzic@enterpriseitsecuritymag.com Managing Editor: ukasz Koka lukasz.koska@software.com.pl Art Director: Marcin Zikowski Graphics & Design Studio www.gdstudio.pl Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Marketing: Kinga Poyczuk kinga.polynczuk@software.com.pl Editorial Offce: Software Press www.enterpriseitsecuritymag.com Enterprise Advisory Board: Rishi Narang, CEH www.wtfuzz.com Contributing Editors: Wayne Tufek, William McBorrough Beta Testers: Wayne Tufek, William McBorrough, Manu Zacharia Proofreaders: Wayne Tufek, William McBorrough, Manu Zacharia Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 Whilst every effort has been made to ensure the high qual- ity of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibil- ity for misuse of the presented techniques or consequent data loss. 4 1/2011 Content issue 01/2011 CLOUD COMPUTING 06 Defining Best Practices for IT Security Within a Cloudy World by Chris Poulin Much noise is made about the security infrastructure that cloud providers invest in, but the aphorism, Trust but verify, is warranted. Public cloud providers are looking at it from a traditional perimeter security framework []. 10 Cloud Computing - Is it Worth the Move? by Gary S. Miliefsky [] does anyone know what the Cloud really is? How does it differ from the Web or the Internet and why is it so important? Once we have a grasp of what the Cloud is, then we can better understand why it is a Hacker Haven and a Malware Magnet. 14 Coud Computing and Its Security Benefits by Ajay Porus Cloud computing is a new type of computing. There are many differences in cloud computing from normal computing. According to the definition Cloud computing is described by its five characteristics, four deployment models and three services. 16 Cloud Security Advancement and Its Effects on Data-Centric Persistence Layer by Stephen Mallik Clouds provide an easy access to IT resources. We have to be aware of the accompanying security bag- gage. Cloud computing security is typically grouped into three areas: Security and Privacy, Compliance, and Le- gal or Contractual Issues. 18 Evaluating the Security of Multi-Tenant Cloud Architecture by David Rokita As businesses evaluate opportunities to capitalize on the benefits of cloud computing, its important to under- stand how the cloud architecture either increases/de- creases vulnerability to potential threats. 22 How Application Intelligence Solves Five Common Cloud Computing Problems by Patrick Sweeney While cloud-based Web applications can offer business benefits in certain scenarios, they have the potential to rob companies of bandwidth, productivity, and confiden- tial data, and subsequently put them at risk of regula- tory noncompliance. 24 Cloud Computing Standards by Justin Pirie The cloud itself is a competent and established busi- ness tool that solves a range of security issues and drives efficiency. However once one delves deeper into the world of cloud computing, one finds that there are some issues that still need resolving. MONITORING & AUDITING 26 Firewall, IPS Whats Next? by Pavel Minarik The frequency and sophistication of IT infrastructure at- tacks is increasing, but, fortunately, the network protec- tion tools are rapidly developing too. Firewalls are the first line of protection. It was believed that the second and the last line of the computer network defense are Intrusion Prevention Systems (IPSs). But even those are not enough. IDENTITY MANAGEMENT 30 Privileged Identity Management Demystified by Jim Zierick Privileged Identity refers to any type of user that holds special permissions within the enterprise systems. Privileged identities are usually categorized into the fol- lowing types: Generic/Shared Administrative Accounts, Privileged Personal Accounts, Application Accounts and Emergency Accounts. 5 1/2011 ATTACKS & RECOVERY 36 Defence-In-Depth The Onion Approach by Matthew Pascucci It is impossible for any industry to be completely secure but there are ways to mitigate potential risk and breaches to an organization. By adopting a defense-in-depth strat- egy, you can continue to strive towards being secure. A successful defense-in-depth program is constituted of three equal legs: People, Technology and Operations. 40 Ready or Not Industrial Cyber Warfare Comes by Itzik Kotler Viruses and Malwares are nothing new, but Stuxnet, a Microsoft Windows computer worm discovered in July 2010, is not just any virus its a cyber weapon. A cyber weapon that pushes the concept of cyber warfare into the realm of possible. SECURITY IMPLEMENTATION 42 Enterprise IT Security Management by the Numbers by Shayne Champion Because computer security involves the enterprises to- tal set of exposures, from the local workstation or server to the Intranet and beyond, it cannot be attained by sim- ply implementing a magic bullet software product solu- tion or by installing a firewall. Computer security must be implemented by reliable mechanisms that perform security-related tasks at each of several levels in the environment. Implementation also involves applying se- curity procedures and policies at each of these levels. 46 Management of Knowledge Based Grids by Sin Louise Haynes & Stilianos Vidalis Grid computing is a technology that enables people and machines to effectively capture, publish, share and manage resources. The information overload is so big that human beings are not able to analyse that data in a timely manner and extract the much seeked knowledge that will allow to further science and better our lives. 50 Security Testing by Mark Lohman Every organization has to protect their customer informa- tion, employee data, and assets. This protection should start with a well written information security program with supproting procedures. Security Testing is the way to confirm that everything is being followed as it should be. 52 Simplifying IT Security Management by Richard Stiennon Another phase of rapid change and evolution of our IT environments has recently began. The two major inno- vations are cloud computing and an explosion of intel- ligent devices. Therefore ensuring that security is main- tained has become even more daunting. MANAGER CENTER 54 Security Challenges Facing Enterprises in 2011 by Amit Klein At the end of 2010 there were warning signs of how threats are developing and what the weapons of choice are shaping up to be. Mobile phone security, the blurred perimeter, financial malware, cloud computing security, platform diversification, consumerisation of IT, browser threat to main frames and social networks seem to be on the top of the list. TECH CORNER 56 Top 8 Firewall Capabilities for Effective Application Control by Patrick Sweeney Todays leading companies use a Next-Generation Firewall that can deliver comprehensive intelligence, control, identification and visualization of all the ap- plications on their networks. This is effective because Next-Generation Firewalls can tightly integrate applica- tion control with other intrusion prevention and malware protection features. LETS TALK 58 YOU As a Password by Tom Helou Your palm, your face, and your typing pattern are all unique characteristics that cannot be replicated, lost or stolen as more traditional methods of identification increasingly can. Instead, you become the key to your data. You become the password. CLOUD COMPUTING 6 1/2011 F or example, the Eighth Annual Global Information Se- curity Survey conducted jointly by CSO and CIO maga- zines and PriceWaterhouseCooper found that Sixty-two percent of respondents have little to no confidence in their abil- ity to secure all the data within the cloud. Even among the 49 percent of respondents that have already deployed cloud com- puting, more than a third (39 percent) have major qualms about security. The survey contacted by over 12,000 business and technology executives around the world is one of many similar studies that all highlight the same perceived security concerns around cloud computing. New technology, old school security The biggest fear in embracing a cloud strategy is loss of con- trol. But the extent to which this is a factor depends on whether youre the cloud provider or consumer. In many cases youll be both, since virtualization was in the Gartner top 3 for 2010 and is projected to have a strategic impact in 2011 and help pay for IT projects. If youre a consumer, there is some degree of trust you have to place in the providers hands. Of course, you should do your research, ensure the provider has implemented the appropri- ate security and privacy controls with adequate protection for the sensitivity of your data, and have a contract in place to hold them responsible. Much noise is made about the security infrastructure that cloud providers invest in, but the aphorism, Trust but verify, is warranted. Public cloud providers are looking at it from the old school perimeter security framework: provide protection around the cloud with firewalls, IDS/IPS, host-hardening and other point solutions. These are critical security controls, to be sure, but the defense-in-depth security doesnt go far enough in a cloud en- vironment; we cant rely solely on protection mechanisms, no matter how layered. If nothing else proves the point, cloud computing has blasted a gaping hole in the network perimeter, and the game is now about visibility and security intelligence. Information security in the cloud needs to protect the data as well as the infrastructure. This requires an understanding of the data and its value to the customers business. Cloud 1.0 isnt taking that into account as market forces drive rapid build-out and early adoption. Cloud providers havent fully defined a comprehensive and mature public cloud security model. One central issue is the collocation of customer data, which poses a number of interesting questions. For example, how do cloud providers react when one bad client attracts a criminal in- Defining Best Practices for IT Security Within a Cloudy World The rise of cloud computing has been one of the highlights of the last few years. The notion that information technology can be delivered in a highly scalable utility model is generating excitement for both customers and vendors alike. However, there is still a lot of concern regarding security. Defining Best Practice IT Security Within a Cloudy World 7 1/2011 vestigation? There is the potential for data to get mixed in with the malefactors and subjected to scrutiny by law enforcement. What happens if one client is running a service that heightens the risk of attracting an APT or a DoS attack? How do cloud pro- viders understand context around customer data and provide targeted mitigating controls? There are many difficult questions to answer but they are not unsolvable. Always start with a risk assessment Although cloud is perceived as a new technology, you could make the case that its just an evolution of managed services or web application hosting injected with a large dose of Inter- net. Like any shift, such as the move to a client server model, under closer examination, it turns out the cloud requires the same thought process needed as any other new technology: organizations have to define the benefits and risks of the cloud, and implement processes and technology to mitigate and enforce their chosen risk management policy. Lets agree on a basic assumption that says, before you can define an enforceable security policy that spans internal IT, cloud, and hosted environments, you need to understand the details of your data, business processes, and information flow; you have to conduct a risk assessment. Only after careful risk analysis can you define your cloud strategy. Phase one: Discovery The first step to adopting the cloud is determining which da- ta stays completely within your control and which data can be housed in the cloud. This process begins with eDiscovery: find- ing the data you have and where it lives. eDiscovery can be an arduous process and many organizations are shocked by the results: data is often co-mingled and spread far and wide. Per- sonally Identifiable Information (PII), such as employee records, may be stored on servers with orders for marketing actvities, and the security controls inadequate for protecting the more sensitive data; financial records or source code may be stored on laptops without encryption. Phase two: Classify Once you know where your data lives, you have to classify it. Your classification scheme could be based on the Unclassi- fied, Confidential, Secret, and Top Secret scheme used by the US DoD, or as simple as PII and Not PII, or even Green, Yel- low, Red. Then, organize the data on systems hosting data of the same classification and configured with associated security controls. Just this step alone can improve your organizations security posture and get you much of the way to meeting many compliance mandates. Phase three: Data transit After going through the exercise of classifying your data, its es- sential to define a data transit policy to decide what data stays at home and which is cloud-bound. Security Information and Event Management (SIEM) can watch your endpoints, firewalls, DLP solution users, content, and network activity to monitor data on its way to the cloud and determine if it should be allowed. With firewall and proxy logs or network activity, this may be through simple source/destination combination rules or on-the- fly content identification. For example, you may create a rule that states that PCI servers should not send data to the cloud. With content-aware network profiling, you can also watch for social security or credit card numbers on the wire and alert on matches, features typically found in Data Loss Prevention (DLP) solutions. And if you have a purpose-built DLP application, you can get even more granular and feed its results to the SIEM to perform complex correlations against other intelligence feeds, including those in-built to the SIEM. Through Windows object- auditing or endpoint protection software, SIEM can monitor file and directory access and correlate it to firewall logs or network activity. There are plenty of use cases that support security and the cloud, with SIEM as the cornerstone providing the overarch- ing security intelligence. Building in visibility In a traditional on-premise implementation of IT, organizations can define, implement, and monitor operational and security policies. The flow of information is controlled from end-to-end. In a cloud environment, security information is more difficult to gather. Even though security in the cloud is mostly opaque to consumers, SIEM can still be used to monitor data in transit and detect policy violations. If youre a provider, consider building in consumer-facing visibility. This means giving access to the application, iden- tity, and system events relevant to their tenancy, and to the extent possible, infrastructure intelligence from network ac- tivity. Next-generation SIEM solutions will even offer a virtual ver- sion of application profiling capability built for virtual environ- ments. And depending on how you compartment your infra- structure, you can give access to customers to view their data and charge for the service. SIEM as a cloud Looking at it from a different angle, SIEM itself provides cloud capability. I submit that in medium to large enterprises, SIEM should be managed as an internal security intelligence cloud. The role of a SIEM is to gather vast amounts of data from many internal groups, and even organizational divides, with dif- ferent interests: The frewall management group may feed logs into the CLOUD COMPUTING 8 1/2011 SIEM to be alerted on security events such as port scan- ning across multiple frewalls which may indicate a low- and-slow attempt to breach the perimeter. ThesystemsmanagementgroupmayfeedMicrosoftWin- dows Active Directory events into the SIEM to be alerted on user login failures signaling a brute-force password at- tack or escalation of privileges attempt. Thenetworkmanagementgroupmayfeedfowdatain- to the SIEM to detect denial-of-service attacks or trouble- shoot asymmetric routing problems. While many groups feed data into the SIEM, the security or risk management group often manages it. This is analogous to cloud services, which have consumers and a provider. When the two are in separate organizations, theres a clear dividing line between roles and responsibilities. Providers understand that the data belongs to the consumer, its customers, and providers have an obligation to: Protect the data under their care, employing the widely adoptedConfdentiality,Integrity,andAvailabilitymodel. Segmentdatabetweencustomers. Provideappropriatecontrolstoprotectunauthorizedac- cess to customer data from external entities and between customers sharing the same cloud. Avoidaccessingcustomerdatafortheprovidersuseor beneftunlessspecifcallyallowedbythecustomer Respondtoneedsoftheircustomers,suchascreatingre- ports or adding new users. Think of SalesForce.com or Google Mail: they provide the cloud service and have many customers. They must adhere, contractually, to the tenets above. Where this model differs between traditional public cloud services and an internal SIEM cloud, is that the SIEM provider generally has an over- arching security responsibility that spans the data from all groups. For example, security and risk management need to correlate firewall logs with IPS alerts and network activity to detect threats. The difference is only slight, though, be- cause while Google would not read customer emails, they do provide anti-spam filtering, track usage statistics, and look for intrusion attempts. While privacy advocates may see this as a violation, most consumers are fine with this level of access. What consumers would not tolerate, however, is if Google decided to start forwarding customer emails to other custom- ers out of their cloud. With a SIEM providing total context, or Security Intelligence, the security and risk management group may detect security threats, policy violations, or other actionable incidents that need to be escalated. When different groups are responsible for different areas and manage and consume data from different user commu- nities, the escalation process has to be treated with a level of diplomacy and maturity. Just like a public cloud provider, the escalation process needs to be clearly defined and the procedure must in- clude involving the data owners. This ensures that a chain of responsibility is followed and allows the issue to be re- solved closest to the group responsible for managing the incident. The point is SIEM can bridge the gap between security silos in an organization. There has to be a clear contract be- tween the operational management function and the SIEM consumers. The contract has to separate the duties of the managing entity and prescribe a process for handling inci- dents and policy violations that empowers the data owners, just like a cloud provider would be obligated to do. When managed properly, SIEM as a cloud engenders trust and co- operation, and ultimately yields a benefit to the SIEM con- sumers and the business at large. The SIEM-ready cloud It may not be a popular message in our industry, but some ex- perts contend that SIEM is not cloud ready. I disagree. If you can get the telemetry to the SIEM, you can use it to provide effective security visibility. At this stage in the game its not SIEM thats holding up security intelligence in the cloud; its that clouds are not yet SIEM ready. For that, well have to wait for Cloud 2.0. In the meantime, secure all the data. ChrIS PoulIN, ChIEf SECurITy offICEr, Q1 lABS Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Ofcer at Q1 Labs. As a key member of the companys Security Co- uncil, Poulin is responsible for the continual evo- lution of the QRadar family of solutions to keep pace with emerging security threats, customer needs, and industry trends, as well as evangelizing QRadar to strategic partners and customers. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., a successful information security consul- ting practice. CLOUD COMPUTING 10 1/2011 W hen it comes to regulatory compliance, if your cloud provider is not SAS-70 audited regularly (most are NOT) then dont expect them to be responsible for your compliance posture. If there is a breach in the cloud, the bottom line is that its your responsibility, if you are using Cloud Computing to host servers or services used for your outward facing business or if you store confidential customer records in the cloud. I would argue that it increases your risk and there can be no shift of blame for a successful Cloud attack and breach of confi- dential data stored in the Cloud. You are ultimately responsible. So before you make the move, lets get a better understanding of what the Cloud is and then you can decide if it is worth the move. Cloud Computing is the concept of offloading data storage, software applications and computing resources to one or more remote locations using various internet protocols. The big prob- lem with the Cloud is that you shift risk and lose control to gain flexibility, availability and the cost savings of shared, remote re- sources. This, of course, opens the doors wide open for hack- ers, cybercriminals and their malware. Ill give you some ideas on how to deal with this problem later in this article. For a more in depth understanding of Cloud Computing, Ive decided to use the definition provided by my friends at the Na- tional Institute of Standards and Technology (NIST.gov), as it is the best, most comprehensive so why try to recreate a good thing? According to NIST, Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of con- figurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of: A. Five essential characteristics, B. Three service models, and C. Four deployment models. Essential Characteristics: 1. On-demand self-service. A consumer can unilaterally pro- vision computing capabilities, such as server time and net- work storage, as needed automatically without requiring human interaction with each services provider. Cloud Computing Is It Worth the Move? Once we have a grasp of what the Cloud is, then we can better understand why it is a Hacker Haven and a Malware Magnet. With this understanding, we will be able to make intelligent judgments about whether this ecosystem is one in which we will shift portions of risk for our own organizations and how to ensure the risk is as minimal as possible. Cloud Computing: Is It Worth the Move? 11 1/2011 2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client plat- forms (e.g., mobile phones, laptops, and PDAs). 3. Resource pooling. The providers computing resources are pooled to serve multiple consumers using a multi-ten- ant model, with different physical and virtual resources dy- namically assigned and reassigned according to consum- er demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. 4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the con- sumer, the capabilities available for provisioning often ap- pear to be unlimited and can be purchased in any quantity at any time. 5. Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capa- bility at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, con- trolled, and reported providing transparency for both the provider and consumer of the utilized service. Service Models: 1. Cloud Software as a Service (SaaS). The capability pro- vided to the consumer is to use the providers applications running on a cloud infrastructure. The applications are ac- cessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabili- ties, with the possible exception of limited user-specifc ap- plication confguration settings. 2. Cloud Platform as a Service (PaaS). The capability pro- vided to the consumer is to deploy onto the cloud infra- structure consumer-created or acquired applications cre- ated using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, serv- ers, operating systems, or storage, but has control over the deployed applications and possibly application hosting en- vironment confgurations. 3. Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, stor- age, networks, and other fundamental computing resourc- es where the consumer is able to deploy and run arbitrary software, which can include operating systems and appli- cations. The consumer does not manage or control the un- derlying cloud infrastructure but has control over operat- ing systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host frewalls). Deployment Models: 1. Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. 2. Community cloud. The cloud infrastructure is shared by several organizations and supports a specifc community that has shared concerns (e.g., mission, security require- ments, policy, and compliance considerations). It may be managed by the organizations or a third party and may ex- ist on premise or off premise. 3. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. 4. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that re- main unique entities but are bound together by standard- ized or proprietary technology that enables data and ap- plication portability (e.g., cloud bursting for load-balancing between clouds). Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low cou- pling, modularity, and semantic interoperability. Some of the largest software and computing companies in the world have joined in the excitement and are now offering Cloud services. Here are a few Im sure youll recognize: Amazon Web Services (AWS), found at http://aws.amazon.com Google Cloud Services, found at http://www.Google.com/Apps/Business Microsoft Windows Azure Platform, found at http://www.microsoft.com/windowsazure/ RackSpace, found at http://www.rackspacecloud.com/ CLOUD COMPUTING 12 1/2011 SalesForce, found at http://www.salesforce.com/platform/ When becoming a Cloud consumer, there are also security ad- vantages to consider: 1. Reducing internal risk exposure to sensitive data because its no longer in your data center, on your server, in your building, on your network its offsite and hosted else- where. 2. Homogenous Clouds means security audits and vulnera- bility tests of these Clouds is easier what works for one private Cloud service for one customer also works for an- other customer. 3. Cloud computing enables automated security manage- ment. Auditing, Patch Management, Virus Scanning, Deep packet inspection can all be part of an automated security tools portfolio across the entire Cloud service operation. In other words, if the Cloud security is strong, multiple users benefit from the common security practices, tools and counter- measures. You also gain the advantage of redundancy and dis- aster recovery requirements necessary to deploy a more secure and stable data warehouse. However, one cannot simply assume that the Cloud is secure. Do you trust your Cloud vendors security model and what are their best practices? Have they been audited? Can you review the results of the audit? How did they respond to audit findings? You will lose physical control over your applications, data, serv- ers and services when you shift them to the Cloud. In addition, if the vendor you choose claims to have a proprietary solution be it the application or an internal encryption or security methodol- ogy, how can you trust the security of their implementation? So, before you take the chance and move to the Cloud, you should consider which Cloud Computing model will best fit your needs maybe a Private Cloud is the best answer because you can maintain some level of confidentiality over a Public Cloud service. Ive found the following areas of risk that you can address by ensuring you are completely satisfied with the service level agreement (SLA) of your Cloud Computing service provider: 1. Confdentiality 2. Availability 3. Integrity 4. Reporting 5. Alerting 6. Compliance 7. Policies 8. Quality of Service If you can get some level of guarantees in these eight areas that meet your own internal self-assessment requirements for best practices in providing uptime or access and the qual- ity you expect, youll be better positioned to make the right decision on which Cloud Computing service provider is best for you. Heres a quick side story. Netflix launched an amazing video on demand streaming service over the internet, following their successful DVD distribution model. For only $8.00 USD per month, you can stream any video you want from a collection of over 6,000 (and growing daily). Netflix decided to move this service to Amazons AWS Cloud Computing service offering because Amazon offered nearly unlimited bandwidth and could help guarantee little to no lag in the video streaming quality this is one of the elasticity features of their AWS offering the more customers, the more replicated virtual video streaming servers and bandwidth, worldwide. Seemed great on paper. Then, as Netflix grew, Amazon thought what a great idea lets offer our own TV and Movie streaming service. So, once Netflix put their service in the Public Cloud of Amazon, they were able to study it in detail and build their own similar service. Seems there was no non-compete agreement here. Later, Comcast, a large internet service provider (ISP) in the USA was tired of some users sucking up all their bandwidth when Comcast realized it was Netflix video streaming, alleg- edly they decided to send out TCP/IP session resets to slow down these videos (causing them to halt in the middle of the best scenes of course) and are planning to charge for higher Quality of Service (QoS) to their customers who demand these video streams. The battle rages on but the story is very interesting com- peting service providers, one Cloud Computing host, and an ISP, all affecting the Quality of Service (QoS) of the real cus- tomer in this story, Netflix. You dont want to become the next Netflix in the Cloud Computing model learn from this story. Ensure you have Non-disclosure agreements (NDAs) in place, get a SLA from your provider that you are comfortable with and ensure you can frequently test them and review that they are actually providing you the Security and Compliance posture you need so that if you ever do have a problem, you have the paperwork to show your own due care and due diligence at protecting your most treasured assets that youve moved to the Cloud. Conclusion The Cloud has many benefits but like all paradigm shifts, it opens up new doors and new possibilities for both increased rewards and risks. If you are certain that the benefits far outweight the risks, make sure you can back it up with an enforceable agreement from your Cloud Computing service provider. Remember, Its up to you to document the proper steps at se- curing your data in the Cloud and complying with regulations, no matter who you trust. The Cloud Computing provider is an extension of your own IT service offerings to your own organiza- tion, so do not hand over the keys to the castle without knowing who youve given them to and how they will guard your most critical and confidential assets, when youve moved the data into the Cloud. Gary S. MIlIefSky, fMDHS, CISSP Gary S. Miliefsky is a frequent contributor to various publications including Hakin9 Magazine, NetworkWorld, CIO Magazine and SearchCIO. He is the founder and Chief Technology Ofcer (CTO) of NetClarity, Inc, where he can be found at http://www.netclarity.net. He is a 20+ year information securi- ty veteran and computer scientist. He is a member of ISC2.org and a CISSP. Miliefsky is a Founding Member of the US Department of Homeland Secu- rity (http://www.DHS.gov), serves on the advisory board of MITRE on the CVE Program (http://CVE.mitre.org) and is a founding Board member of the National Information Security Group (http://www.NAISG.org).
BLACK BOX
Become a Black Box channel partner.
Join the winning team! Call today to learn more: 888 - 245 - 6215 Black Box, a leader in connectivity for more than three decades, has entered the security arena and is looking for channel partners. Now you can join our winning team and enhance your bottom line with an extensive suite of security solutions. Take advantage of award-winning products, generous margins, outstanding 24/7 technical support, and more by becoming a Black Box channel partner. Call for details today! Award-winning solutions: NAC Secure Gateway WAN Encryption Biometric Access Control CLOUD COMPUTING 14 1/2011 Evolution of Cloud Computing Cloud computing is an evolution and collaboration of many dif- ferent technologies together moving towards a new type of com- puting. There are many differences in cloud computing from normal computing as it differentiates cloud owner from cloud processors, as well as applications, information resources from the infrastructure, and the delivering and processing methods. This all began with the first mainframe architecture by IBM, then client-server architecture and finally to cloud computing that is now taking the lead in the industry. Cloud computing is pre- dominantly comprised of applications, services, information, in- frastructure, operating systems and processes which are com- promised of network, storage and computational power. Cloud computing enhances the agility, scaling, elasticity, cost effective computing, utility of computing, availability, resilience and col- laboration. According to the NIST Cloud Computing Definition: Cloud computing is described by its five characteristics, four deploy- ment models and three services. Characteristics of Cloud Computing On-demand self-service. A consumer can unilaterally provi- sion computing capabilities, such as server time and network storage, as needed, automatically, without requiring human in- teraction with a service provider. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that pro- mote use by heterogeneous thin or thick client platforms (i.e., mobile phones, laptops, and PDAs), as well as, other traditional or cloud-based software services. Resource pooling. The providers computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources that are dynamically assigned and reassigned according to the consumers demand. There is a degree of location independence since the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (i.e., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same or- ganization. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some case automatically, to quickly scale up or rapidly released to quickly scale down. To the consumer, the ca- pabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Measured service. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (i.e., storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service. Cloud Deployment Models: There are four deployments models Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organ- ization or a third party, and may exist on-premises or off- premises. Community Cloud. The cloud infrastructure is shared by several organizations and supports a specifc communi- ty that has shared concerns (i.e., mission, security require- ments, policy, or compliance considerations). It may be managed by the organizations or a third party, and may exist on-premises or off-premises. Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that re- main unique entities, but are bound together by standard- ized or proprietary technology, which enables data and ap- plication portability (i.e., cloud bursting for load-balancing between clouds). Cloud Service Models: There are three Cloud Service Models Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface, such as a web browser (i.e., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.. Cloud Platform as a Service (PaaS). The capability pro- vided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using pro- gramming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud in- frastructure including network, servers, operating systems, stor- age, but has control over the deployed applications and possibly application hosting environment configurations. Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, Cloud Computing and Its Security Benefits Cloud computing is an evolution and collaboration of many different technologies together moving towards a new type of computing. Cloud Computing and Its Security Benefits 15 1/2011 networks, and other fundamental computing resources, where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, deployed ap- plications, and possibly limited control of select networking com- ponents (i.e., host firewalls). All these factors differentiate between the normal computing and Cloud Computing, but as every technology has its Pros and Cons, so does Cloud Computing. One of the major concern in adapting or implementing Cloud Computing is Security, which includes all aspects starting from administrative to legal, compliance to technological. There are many security issues with Cloud Computing, but considerable research on-going on these security issues. Next, we are going to talk about some of the benefits of Cloud Computing. Cloud Computing Security Benefits. There are many fac- tor in information security: Confidentiality, Integrity, Availability, Privacy and Non-Repudiation of data. There are many benefits of cloud computing many of them are follows: Monetary Benefits of cloud computing pertaining to security: To use the best security measures available in the industry, can cost considerable amounts of money, which small or medium businesses cannot afford. Large enterprises usually have higher budgets, which allows them to stay compliant to various stand- ards. In the case of cloud computing, the service provider is usu- ally a large enterprise who is required to maintain the highest level of security to protect their customers data. Another benefit of cloud computing is its massive scalability, multiple geographic locations, edge networks, and time effec- tiveness to respond to incidents, attacks and provide counter- measures. Accessibility to the cloud is very easy and can be accessed in various ways and on different platforms, including hand-held devices. Standardization. Standardization is a good practice for any industry. Maintaining standard products for employees and a companys customers reduces the overall provisioning and deployment costs. This is a service that Cloud Computing com- panies can offer to reduce their customers implementation ex- penses. Scalability and elasticity. This is another factor for using Cloud Computing. During peak times or demand, a companys own resources could become depleted trying to manage the in- creased load. This could lead to slow program operation, long web site access times, server crashes or buffer overflow. Cloud Computing services can rapidly scale up the services to meet the increased demand and reduce it back down once the de- mand returns to normal. Auditing and Evidence-Gathering. Auditing is the proc- ess insure that controls are in place for security compliance. In Cloud Computing services, centralized logging and auditing can be provided. Forensic images of Virtual Machines (VM) can also be provided, as necessary at a companys request, while con- tinuing to maintain the operation of the Cloud resources. Resiliency in the Cloud. Cloud providers use mirroring tech- nologies to protect their customers in case of computing failure. In the event of a natural disaster or catastrophic failure, a mir- rored images located in different geographic locations provide the resiliency and capacity to ensure sustainability through the unexpected event. Centralized Data. Centralized Data is a type of data ware- housing, where a single data warehouse serves the needs of several separate businesses simultaneously, or one large cus- tomer with multiple company locations, using a single data mod- el that spans the needs of all business divisions. Businesses that have multiple locations do not have to spread their data across multiple company-owned servers and attempt to keep the data in-sync across all servers. Cloud Computing synchro- nizes the data into a single virtual location so that all company locations and customers have access to the latest information. Monitoring Benefits. Cloud Computing providers maintain 24x7 monitoring of their systems and data access. They main- tain the latest virus protections and firewalls to attempt to keep the data safe from inappropriate access. The Cloud Comput- ing clients do not have to add additional expenses into their budgets to maintain constant security or have personnel avail- able on a constant basis to respond to these types of security emergencies. Password or key security testing. Cloud Computing is about increased computing power and scalability, which is a perfect en- vironment to perform password assurance testing. If an organiza- tion wishes to perform password strength testing by employing password strength verification tools, computing power can be in- creased during the time to crack a password and then decrease it when the task has completed. This makes Cloud Computing a perfect environment for the password security testing. The same applies with encryption keys as well. But, we also need to consider for all of these activities we need to have dedicated non-production computing instances, rather than a distributed re- sources, which can bring sensitive data in that environment. Logging. A companys data center usually uses their server storage for development and production programs, and data. Disk space is sometimes limited as managers approve budg- ets for company growth according to projected data projects or services. Logging is not usually considered a high priority and thus disk space can end up being limited. When using Cloud Computing, data storage is usually less expensive and clients are charged on a pay per use basis. Additional disk storage for essential logs is easier to get approved. Logging of E-mail, business transactions and other audit components are neces- sary because of various legal requirements to protect this data. Cloud Computing can be used to provide the extra disk storage space necessary to maintain and protect this data. Secure builds. Cloud Computing also enables a company to use more secure systems by using pre-hardened VM images prior to the installation of company data and programs. This is one of the major benefits of virtualization, by keeping the hard- ened and secured images in a secure location and off of the network. Installing and maintaining secure operating systems across an enterprise can be a daunting task. Testing a system for application compatibility and security can take months to complete. Allowing a Cloud Computing organization to provide this service lowers the cost to a company, since they do not have to provide the resources necessary for penetration test- ing and checking for security holes to ensure that the operating system is secure. Once a VM image has been proven secure, it can be cloned across many systems for implementation. It is the requirement of the Cloud Computing corporation to maintain the security of these images and to properly update them for known viruses or security holes. This can be performed usually faster than an enterprise can do it. AjAy PoruS Founder and Director Cloud Security Alliance Hyderabad Chapter Lead implementer Honeynet Project India CLOUD COMPUTING 16 1/2011 T hus many universities, government agencies, informa- tion technology advisory and strategy consulting organi- zations are proactively researching around the topic of Cloud Security. Not to forget the glorified IBM and Googles multi-university project, Academic Cloud Computing Initiative (ACCI), designed to address unknown challenges of cloud com- puting. Then quickly followed by Open Cirrus (a massive global test bed), a combined initiative of HP, Intel Corporation and Ya- hoo, designed to explore all aspects of cloud computing. How- ever, HPs Government Cloud Theatre, which is an intellectual property based flexible cloud computing demonstration facility, sets the perfect movement. I mean to address the security con- cerns and the always rumored unknown vulnerabilities. Obvi- ously the aim of HPs facility and other similar labs are to con- front the universal fears about the security of the cloud. The cloud has evolved and has matured to a point that even smaller companies are now coming up with cloud platforms without much security concerns. This is mostly because the server side security on the cloud is already addressed by the in- frastructure providers who are available for few dollars per day. Another reason is the advancement and maturity of the Serv- ice oriented architecture which is being adopted and welcomed globally. On the browser side of things, there is still wide open vulnerability though. In this article I want to talk about how clouds security maturity on the server side (Infrastructure as a Service) lead to technol- ogy advancement on Database as a Service (DbaaS). Thae again, cloud database service is not just a concept anymore, for example, Amazon RDS, Cloudant, MongoHQ, and Redis To Go provide fully-managed MySQL Community Edition, CouchDB, MongoDB, and Redis database services, respectively. If you had noticed DbaaS offering trend is mostly on NoSQL database systems rather than a traditional RDBMS. With the success of Internet based companies like Google and Amazon it is becoming obvious that existing unwieldy RD- BMSs are not capable to handle complex traffic sites. As a con- sequence todays enterprise-grade RDBMSs have evolved into systems attempting to solve everything for all types of applica- tions, thus also become less manageable. In fact such situa- tions forced most relational database vendors to focus devel- opment efforts on improving the ease and efficiency of routine system administration of on-premise databases: management- free cloud database offerings. However, administration is not the only problem as todays relational database servers (de- signed in the 1970s) are not intended to run in virtualized data centers that scale horizontally across tens or hundreds of small machines in reaction to varying application workloads. So the bigger internet players were forced to reinvent the database. These companies not only invented newer ways to persist and handle large data they also open sourced these technologies. NoSQL moment was thus literally formed. New technologies available today like MapReduce, Key-value store, Tuple store, Tabular, Ordered key-value store, Multivalue databases etc. are few examples. Essentially a new trend is beginning to evolve Cloud Security Advancement and Its Effects on Data-Centric Persistence Layer Cloud computing is substantially changing the IT landscape, because of its affordable computing resources instantly available to anyone. Clouds suddenly provide an easy access to any kind of IT resources. Anyway all this indicates that this modern delivery model, i.e., cloud based services is a reality, and we need to be aware of the accompanying security baggage. Cloud computing security is essentially an evolving sub-domain of information security, which is typically grouped into three areas: Security and Privacy, Compliance, and Legal or Contractual Issues. The recent WikiLeaks retaliation attempt on Amazon.com, and an isolated advanced attack on RSA Systems, which resulted in compromising RSAs SecurID two-factor authentication products, is just a tip of the iceberg. Cloud Security Advancement 17 1/2011 were there is a marriage between the NoSQL moment and cloud technology. Thats exactly why we see a lot of cloud based da- tabase services and solutions being launched. Some examples are: database.com (API based RDBMS technology for the cloud) Arrivu (API based Knowledge Base technology for the cloud)) AWS(APIbasedRDBMSandNoSQLtechnologyforthe cloud) GoogleAppEngine(MapReducesoftwareframeworkfor the cloud) WindowsAzurePlatform(Microsoftcloudplatform) While most have database service as one of their enabling tech- nology, there are companies offering exclusive cloud based da- tabase like database.com, Arrivu and AWS. Since the cost in- volved with the infrastructure setup is minimal, newer players are taking advantage and coming up with true next generation technologies. For example Arrivu is a startup, which utilizes the concept of Knowledge Base. Its basically a new kind of data- base that uses plain English instead of traditional SQL. These new kinds of database are enabling newer ways to develop web applications. The Cloud is maturing one layer at a time. We can look at it as three layers: the infrastructure layer, data persistence layer and application construction layer. The infrastructure layer can be declared as well matured and as we now have API based cloud infrastructures that can scale automatically. Security is also on the way of its maturity. In fact we have highly configura- ble options for security in the hardware and software layer at the Infrastructure level. On the Data persistent layer, it is still. In my opinion, the security side of things is no different than that of the Infrastructure layer. However, because of the advance- ment of server based and SOA security all layers in the cloud are being exposed using the same tried and tested techniques. The application creation layer is currently everywhere and to- tally lacks any kind of focus, standard or innovation. We at Arrivu Technologies are leading the way of innovation in the application constructions layer. Arrivu lets a user build web applications us- ing plain English. We use Artificial Intelligence to achieve this. Again the security concerns are the same at this layer. The thorn here is the browser based security that is still open to vulnerability. Browser standards are evolving and in HTML5 we are talking about storage at the client side. It remains to be seen on how the browser based security solution is going to affect the server side security. One thing to be noted is that once a server side security is compromised then all layers are affected. The author (creator of Arrivu) is writing from the experience of creating cloud platform solutions. StEPhEn MALLIk Stephen Mallik is a technology evangelist currently focusing on cloud tech- nologies. He is the visionary and Architect of Arrivu (www.arrivu.com) and Knowledge Base. He has also created RulesEngine and ProcessEngine (a tool that combines EAI, BPM & CEP) in the past. Subscribe to our newsletter and stay up to date with all news from Enterprise IT Security magazine! a d v e r t i s e m e n t http://enterpriseitsecuritymag.com/ CLOUD COMPUTING 18 1/2011 C loud computing exists at the forefront of technology mod- ernization, widely accepted as the obvious path toward IT efficiency, yet security concerns continue to be a sig- nificant hurdle for mainstream cloud adoption. Despite those concerns, the compelling economic and operational benefits drive more businesses to the cloud every day. As businesses evaluate opportunities to capitalize on the benefits of cloud com- puting, its important to understand how the cloud architecture either increases/decreases vulnerability to potential threats. Al- though many of these same security concepts can be applied to on-premises private cloud models, this article focuses on evaluating the cloud provider controlled security versus busi- ness user controlled security within a public, multi-tenant cloud environment. This whitepaper highlights security problems that exist within a majority of cloud infrastructures as most people know them today, and introduces an alternative configuration to achieve a more secure cloud architecture. With the information provided, IT professionals will have a cursory understanding of the differ- ence between flat and ideal cloud architectures to better evalu- ate the achievable level of security. Once businesses know that the secure three-tier architecture trusted in the physical IT world can be replicated within the cloud environment, they know what to demand from cloud providers and can rest assured that cloud adoption will not change their existing business, infrastructure, security, or Service Level Agreement (SLA) models in the ways previously feared. Scope When it comes to cloud computing discussions (especially on the topic of security), unintentionally boiling of the ocean often occurs. To properly frame this discussion, scope must be de- fined. This article will discuss security concerns as they apply to Infrastructure as a Service (IaaS). Specifically it will tackle IaaS as it is used in public cloud or otherwise shared environ- ments, but strong parallels can be drawn to dedicated or private clouds. When using the generic term cloud providers, this article is referring to providers like Amazon, Rackspace, OpSource and Evaluating the Security of Multi-Tenant Cloud Architecture Figure 1. Flat Cloud Architecture As businesses evaluate opportunities to capitalize on the benefits of cloud computing, its important to understand how the cloud architecture either increases/decreases vulnerability to potential threats. Internet Provider Managed Firewall Provider LAN Customer 1 VM Customer 2 VM Customer 3 VM Customer 4 VM Evaluating the Security of Multi-Tenant Cloud Architecture 19 1/2011 a multitude of smaller cloud providers that deliver IaaS servic- es. These providers are not all the same, but they share one or more of the characteristics discussed in this article. This is the only place where cloud providers are identified by name. Current Landscape In January 2010, Gartner predicted that, a fifth of enterprises will hold no IT assets by 2012. Even at the time it was a bold prediction. As of March 2011 it is mistaken. The majority of com- panies spent 2010 dabbling in on-premise virtualization or sim- ply watching from the sidelines to see how the market unfolds. There are many factors inhibiting adoption. One of the most commonly cited is general concern with the security model of various cloud providers. Apart from security concerns, many executives have anxiety about the impacts of cloud computing on existing business models. Both concerns are real, but they are not universal. Options exist that provide peace of mind for enterprise customers. Architecture Concerns In March of 2011 Context Information Security LTD (Context), released a whitepaper titled Assessing Cloud Node Security (http://bit.ly/ezZrXP). It contains the following quote: In a traditional hosted environment any attacker from the Inter- net must start at the outer firewall and work their way through But in the cloud all the systems within the virtualised network reside next to each other. According to Context, cloud providers are flat. Figure 1 de- picts a flat cloud where the provider manages both the edge of the cloud and the network in which the virtual machines (VMs) reside. Essentially, this flat network provides no isolation be- tween multiple tenants sharing the cloud. There are two major problems with this approach. The first problem is that the provider-managed firewall is the security equivalent of a screen door. The provider must accom- modate a huge variety of services for a multitude of custom- ers. There is no way to control whether or not a customer will be building web servers, ftp servers or private web services that could span nearly any network port. Furthermore, Layer 7 (application-level) technologies are useless because the pro- vider has almost no understanding of the underlying services exposed by the customers. Another major problem with this configuration involves the lack of isolation between VMs between customers (Figure 2). Since there is no isolation between clients, attacks are easily staged from with the same cloud by other tenants (intracloud attacks). A potential attacker may not have to know what he is looking for because the public nature of this network makes all traffic easily obtainable by others. Even more concerning is that if the attacker shares the cloud, an offensive can be launched directly at weaknesses in the customers virtual machines. To defend against this, one must install a firewall directly on the virtual node itself. Unfortunately, this approach does not scale. It should be noted here that there are other vectors of at- tack. There is always concern that attacks could be launched directly through the hypervisors that host the VMs. Furthermore the opportunity exists for attacks to be launched from the pro- viders side of the hypervisor. These concerns are legitimate and should be weighed when considering any cloud comput- ing strategy. The threat is acknowledged here, but will not be discussed in detail. Support for Custom Appliances As previously mentioned, another looming security issue con- cerns the providers inability to support customer provided im- ages. The customers must choose from a limited list of pre-con- figured images that may or may not meet the security demands of the customer. Furthermore, the cloud consumer must trust the cloud provider to properly lock-down the virtual image so that it can be used securely. This references the previously stated concerns about isolation between multiple customers. The only way to secure against this threat is to build a firewall on the device itself, but since this is a raw image, the software must be installed and configured each time a node is created. For environments where the end-users are deploying cloud in- frastructure, the practice is difficult if not impossible to enforce without direct involvement from the security organization. It is also possible for some operating systems to be compromised even before these security measures can be implemented. This approach is both not scalable and undesirable. Figure 2. Attack Vectors Figure 3. Flat User Hierarchies Internet Provider Managed Firewall Provider LAN Compromised VM Customer 2 VM Customer 3 VM Customer 4 VM No-Visibility Silo No-Visibility Silo No-Visibility Silo O r g a n i s a t i o n
1 User Account 1 User Account 3 User Account 2 User 1 Cloud Servers User 2 Cloud Servers User 3 Cloud Servers CLOUD COMPUTING 20 1/2011 Flat or Non-Existent User Hierarchies The untenable nature of how cloud providers handle access and control of cloud computing environments can be even more challenging. Most, if not all, cloud providers extend their cloud services as a function of a single user account. In many cases there is no chain of custody or ability to empower administra- tive users to deploy their own resources with limited access and control. Giving another individual access to the cloud manage- ment console means giving total access to all user-managed systems. Most security administrators will bristle at the thought of losing audit-trail accountability through generic accounts. To empower multiple users, multiple accounts are absolutely required; how- ever, there is no visibility or continuity between these silos in a flat user hierarchy. Even more vexing is the lack of account- ability, visibility or control that can be managed from a higher vantage point. Today, almost all IT resources are provisioned though some form of internal supply chain. Services flow down this chain while usage flows back up. Most cloud computing models today threaten this eco-system. Trust is Good, Control is Better Trust is required to use the cloud enterprises must trust their cloud provider with their business. This trust has been required since the advent of the co-location facility and continues on- ward through cloud computing. Trust is great if and when you can find it, but control provides peace of mind. If given the op- tion to trust a service providers firewall configuration or to re- tain complete control of the firewall product and configuration, security-minded organizations will choose the latter every time. Using the co-location facility example, trust was required, but a customer-managed firewall at the top of the rack was the rule. Why should cloud computing change this dynamic? Quite simply, it shouldnt. In fact, cloud computing should not change any of the following: Thebusinessmodel Thesecuritymodel Thearchitecturemodel Theservicelevelagreement It seems straight forward, but to date very few cloud providers see it that way. Either through technical inability, cost or unwill- ingness to accommodate multiple configurations, these cloud providers demand change to one or more of these aforemen- tioned criteria. Regardless, these cloud models misrepresent core cloud consumers and cloud deliverables. These models consider the user to be a single individual and the deliverables to be virtual machines. The expectations of the enterprise cus- tomer deviate from this considerably. For the enterprise, the consumer of cloud is the organization and the deliverable is a dynamic workspace for creating complex infrastructure. Meeting Enterprise Security Requirements Since the beginning of distributed computing, 3-tier architecture has been the rule. This model should be familiar to nearly all of security experts and system architects. It creates a security model by creating independent computing layers designed to force intruders to penetrate multiple defense mechanisms be- fore compromising the data. Since security is never absolute, these multiple layers create ample opportunity for security ad- ministrators to detect the attack and neutralize the threat before it becomes a calamity. Not All Clouds are Flat When providing IaaS to the enterprise, it might be surprising to hear that less security is sometimes better. Essentially, if the provider firewall services insufficiently support the enterprise use case, it calls to question whether or not there is any value at all in providing that service. This is another example of trust versus control. The enterprise customer wants to control the se- curity of their cloud computing environment. When securing its border against the edge of the Internet, trust is not enough. Sure, the enterprise customer may trust the provider, but the nature of threats from the Internet can never be completely un- derstood. Furthermore, the customer wants be free to act in- dependently from their provider when it comes to securing the border. A better model is for the service provider to provide an unconfigured public facing LAN as a service with no inherent security. At first the concept of no security seems counter intui- tive, but if the cloud consumer can install a security device of their choosing and configuration, it goes much farther to meet the enterprise security requirement. In this model, as shown in Figure 4, there are both public and private networks. It should be noted here that the public LAN is not shared among other cloud members. It is dedicated to that customer and defines a single broadcast domain with which no other customer can interfere. Of course the customer is free to create as many public servers as they wish, it is a best practice Figure 4. Tiered Cloud Infrastructure Figure 5. n-Tier Architecture Internet Customer 1 VM Customer 2 VM Customer 3 VM Customer 4 VM Firewall Firewall Firewall Firewall Firewall Firewall Firewall Firewall Private LAN Private LAN Private LAN Private LAN Edge Firewall Edge Firewall Web Server Web Server Web Server Desktop Desktop Desktop Business Tier Firewall Business Tier Firewall CRM Server Email Server Java Application Server Data Tier Firewall CRM Server Email Server Java Application Server Internet DMZ Business Tier Data Tier Evaluating the Security of Multi-Tenant Cloud Architecture 21 1/2011 to secure the border with a single security device and control all access through this device. All other servers are created on one or more private networks that the enterprise controls. This is the way it has always been done and cloud computing should not change this simple practice. When the cloud gives unfettered access to both public and pri- vate networks under the strict ownership of the customer, n-tier architecture is possible. Complex network topologies are now possible and the services can be exposed securely while other servers are strictly private in nature. Of course a cloud provider delivering this type of service will have provisions for accessing the consoles of the completely private servers. A typical setup in this type of environment will have separate, demilitarized seg- ments for both web based applications and user desktops. Be- hind both of these network segments are more access control layers separating these tiers from the business. The advantages of the tiered security model in the cloud are obvious, but there are additional benefits. Most importantly is the ability to have complete control over the edge security de- vice. This means that any service can be controlled at what- ever level the security model requires. For a service provider to manage a layer 7 firewall device in front of customer appli- cations would be, at best, impractical. Creating layer 7 policies require intimate knowledge of the services that sit behind them. As a service provider managing a multi-tenant cloud, this level of knowledge is just not possible. Also, VPN tunnels and intel- ligent load-balancing can be implemented using the very same technologies used in the physical datacenter. Custom Appliances The ability to install and manage customer appliances defines another trait of the enterprise ready cloud. When an enterprise customer is able to bring their own appliance to the cloud, it can be pre-hardened to meet the security requirements of the cus- tomer. It makes even more sense to bring an appliance directly from the enterprises on-premises datacenter. Since the logical network can mimic the network topology of the enterprise data- center, it becomes much simpler to use existing images as is. Once uploaded to the cloud, the user community can deploy the images as required by the business. Of course these images remain private to the enterprise customer that uploads the im- ages. Because they are pre-built with roles, ACLs, and polices, direct intervention from the security team may not be required to implement a server. Tiered User Hierarchy As important as the architectural details are to the enterprise acceptance of cloud, the method in which users access the cloud can be even more challenging. As stated before, the typi- cal cloud hierarchy is completely flat and featureless. In fact, the majority of cloud computing environments tie all infrastructure to a single user account. From an enterprise perspective this is simply not adequate. Enterprises allocate computing resources through internal supply channels. Sometimes these supply channels are de- fined by high-level business relationships or compliance require- ments, and other times those channels are a matrix across IT managed disciplines. Auditing and delegating control must be possible. Cloud computing user hierarchies support these rela- tionships. Once complex business relationships are facilitated in the cloud, it becomes possible to align the cloud computing model with the business model. Conclusion Despite the security risks, compelling economic and operational benefits drive more businesses to the cloud every day. With an ever increasing pool of cloud vendors touting solution reliability and efficiency, businesses should look to cloud architecture as the telltale sign of a more secure multi-tenant cloud offering. With technology advancing at lightning speed and sales-hype like blinding fog, understanding the security differences between flat and ideal multi-tenant cloud architectures provides a solid foundation for successful cloud computing strategies. Business executives and IT professionals should be relieved to learn that cloud architecture today allows the virtual world to replicate the same three-tier architecture that secures our physi- cal infrastructure today. In this ideal cloud architecture, busi- nesses no longer conform to cloud. Instead, the cloud adapts to accommodate existing business models, infrastructure models, security models, and Service Level Agreements (SLAs). Armed with this critical insight, readers need not feel com- pelled to compromise business standards to gain cloud com- puting benefits. Know whats possible, know your options, and demand cloud vendors to deliver solutions that best suit the se- curity and organizational requirements of your business. Knowl- edge is power, and cloud security can be the reward. DAviD RokiTA With nearly 15 years of experience in IT operations mana- gement, system design and architecture, David Rokita pro- vides technical leadership in developing Hexagrids state- of-the-art cloud computing solutions to match real-world enterprise IT requirements. For Union Pacifc Railroad, Da- vid participated in managing mission-critical systems deployments, 24x7 cri- tical issue response, and datacenter facilities and services migration betwe- en Saint Louis and Omaha. As a Senior Architect for MasterCard Worldwide, David specialized in secure Internet facing infrastructure, PCI compliance, re- al-time fraud detection, secure payment systems, and global outsourcing in- itiatives. David was also the Founding Principal and Architect for Precision Storage Solutions, a frm specializing in design and implementation of data storage, backup, document management, and disaster recovery solutions. Figure 5. Tiered User Hierarchy Marketing Department Security Department IT Operations Network Operations Project 1 Project 2 IDS Firewall LDAP Web Servers E-mail Routing LANs Enterprise Users Servers Networks ACLs Roles CLOUD COMPUTING 22 1/2011 M ission-critical cloud-based business applications (e.g., Salesforce.com, SharePoint, and SAP) are often prime targets for continuous, persistent crimi- nal attack from sophisticated profit-driven and even politically motivated hackers. Todays workers also go far beyond traditional applications in their cloud-based computing. They routinely transfer informa- tion via personal e-mail accounts such as Yahoo or Gmail; use peer-to-peer (P2P) applications like LimeWire and BitTor- rent; download files from Web 2.0 social networking sites such as Facebook; and stream rich media from YouTube. While these cloud-based Web applications can offer business benefits in certain scenarios, they have the potential to rob companies of bandwidth, productivity, and confidential data, and subsequently put them at risk of regulatory noncompliance. Finally, traditional approaches to network security become less effective in the public cloud. WiFi-enabled laptops and 3G/4G cellular smartphones, dynamic port selection, and traf- fic encryption have undermined traditional perimeter-based net- work controls over application access. Moreover, it is critical to prioritize and manage bandwidth for all of these applications in order to ensure network throughput and business productivity. Five Common Problems in Cloud-Computing These emerging cloud-computing trends present a host of new security concerns for IT. Weve seen the five of the most com- mon problems to include: P2P Traffc. P2P applications can steal bandwidth and in- troduce malware. These applications can be particularly diffcult to control, as developers frequently update new buildsspecifcallydesignedtoevadefrewalldefensesby alternating port usage. Streaming Media. Streamingmusicandvideotraffccan place a heavy burden on network performance, and over- whelmmission-criticalapplicationtraffc.Forexample,one ITadministratorwasperplexedwhyittookoveranhour andahalftodownloadapatchflethatshouldhavetaken How Application Intelligence Solves Five Common Cloud-Computing Problems Cloud-based computing is on the rise. Over 90 percent of recently surveyed companies expect to be using cloud computing in the next three years.1 Still, securing access to the cloud poses significant challenges for IT departments. How Application Intelligence Solves Five Common Cloud-Computing Problems 23 1/2011 How Application Intelligence Solves Five Common Cloud-Computing Problems onlyafewminutes.Hecouldnotfgureoutwhatwasbot- tleneckinghisrecentlyexpandedInternetpipe.Hethenre- alizeditwasthefrstdayoftheNCAAtournament:alarge number of employees had tuned in to online streaming vid- eo and audio commentary, killing network throughput and company productivity. Confdential Data Transmittal.Confdential,sensitive,and proprietary information can be maliciously or unintention- ally transmitted over FTP uploads or as email attachments. Job insecurity, whether actual or rumored, can cause em- ployees to download customer, order, and payment histo- ries. One study1 found over half of employees anticipat- ing rumored layoffs had downloaded competitive corporate data. Third-Party Email. Third-party email presents another channel for potential malware infection and data leakage. Notonlycanemployeesandcontractorstransferconfden- tial information over corporate SMTP and POP3 email, but also personal Web mail services such as Hotmail and Gmail. Large File Transfers. Withouteffectivecontrol,largefle transfers, whether over FTP or P2P applications, can bog down network bandwidth. Applying Application Intelligence to Cloud Com- puting Scenarios To resolve these common problems in cloud computing, IT requires a new approach to security: application intelligence. Utilizing application intelligence goes beyond the port- and address-blocking of traditional firewalls to intelligently detect, categorize, and control application traffic. With application de- tection, categorization and control, IT can block, restrict, or pri- oritize any specific application, whether it is SAP, YouTube or LimeWire. IT can then effectively apply application intelligence solutions to each of the five common problems: P2P Traffc.Becauseitcandetectandcategorizetraffcby specifcapplicationsignaturesratherthanportoraddress, an application intelligence gateway is especially useful in controlling variable-port P2P applications. For example, a university IT department could have the fexibility and granular control to restrict student access to LimeWire to only 10 percent of available bandwidth, thereby protecting throughput while discouraging non-productive behavior. Streaming Media. An application intelligence gateway can provide IT with granular control over streaming media and social networking applications. For instance, an adminis- tratormightpermitmembersofapredefnedActiveDirec- tory group for marketing staff to have access to YouTube sites for promotional activities, while restricting access to all others. Confdential Data Transmittal. IT could create and enforce application intelligence policy to detect and block email attachments carrying a watermark indicating sensitive or proprietary information. Third-Party Email.Fillingasecuritygapleftbymostfre- walls and email security solutions, IT could use application intelligence to identify, scan, and control any third-party Webmailtraffctraversingthegateway,suchasHotmail and Gmail. Large File Transfers.Torestrictexcessive-sizefletrans- fers,ITcouldconfgureapplicationintelligencepolicyto identifyandrestrictFTPandP2Pfletransfersbasedupon predetermined size limitations. Used in combination with traditional firewall features, applica- tion intelligence can provide greater protection against new and evolvingchannelsforemergingthreats.Forexample,acom- promised Facebook page might suggest a friend click a link to launch a YouTube video, which is actually a link to a mal- ware file. Because application intelligence can detect this link and file over the application traffic, it could enable anti-malware and content filtering policy to prevent the malicious file from downloading, thereby protecting both the user and the corpo- rate network. Conclusion Thegrowthofcloud-basedapplicationtraffichasexceededthe security capabilities of traditional firewalls. Fortunately, new ap- plication intelligence technology can address the most com- mon problems that come with these emerging trends. When deployed effectively on high-performance platforms, application intelligence gateways offer IT a viable solution for cloud-based application security. PAtrICk Sweeney, VP of Product Management Patrick Sweeney has over 18 years experience in high tech product marketing,product management, corpora- te marketing and sales development. Currently, Mr. Swe- eney is SonicWALLs Vice President of the Network Securi- ty Business Unit. Previous positions include Vice President of Worldwide Mar- keting, Minerva Networks, Senior Manager of Product Marketing & Solutions Marketingfor Silicon Graphics Inc, Director of Worldwide Sales & Marketing for Articulate Systems, and Senior Product Line Manager for Apple Compu- ter. Mr.Sweeney holds an MBA from Santa Clara University, CA. 1 The Goldman Sachs Group, Inc. (Jan. 10, 2010). Mapping 2010: Key Tech Trends to Watch 2 Cyber-ArkSoftwareInc.2008 CLOUD COMPUTING 24 1/2011 R ecent research conducted by Mimecast has found that a large proportion of businesses are now using some form of cloud service, with a further 30 percent planning on adopting more cloud services in the future. Fashionable new architectures within the technology industry are not unusual. However, even allowing for a certain amount of bandwagon jumping, this rate of cloud adoption has been considerable. The cloud itself is a competent and established business tool that solves a range of security issues and drives efficiency. However once one delves deeper into the world of cloud computing, one finds that there are some issues that still need resolving. One problem is that as more organisations turn to the cloud, the need for an effec- tive set of industry standards is becoming ever more pressing. There is a clear divide between those who argue for implementa- tion of cloud standards and those who argue against. At the heart of this debate is a clear need to balance the benefits of having a standard with the call fora sustained pace of innovation. The argument against cloud computing standards relies on the premise that standards just arent necessary. In this sense, indus- try wide uniformity and standardisation is seen as something which wouldstifle innovation and distract focus from more specific prob- lems. According to this train of thought, different providers need to be free to evolve solutions that best fitdistinctive domain and cus- tomer needs. The alternative one voice, one system argument sees the lack of standards in the cloud industry as a serious problem. With the industry being void of anycommonly accepted standards, vendors have nothing to hold them to account and as a result potential and existing customers have little objective information on which to base their buying decisions. A lack of homogeneity can cause a range of issues. For instance a deficiency of inter-cloud standards means that if people want to move data around, or use multiple clouds,the lack of fluency between vendors creates a communication barrier which is near impossible to overcome. Surely companies should be able to move their data to whichever cloud provider they want to work with without being tied in for the foreseeable future? Another issue is that there is considerable confusion around the term cloud itself. Among vendors there is a definite trend of cloud washing whereby less scrupulous companies re-label their products as cloud computing too readily, overselling the benefits and obscur- ing the technical deficiencies of what they have to offer. This cloud washing is in some areas leading to a mistrust of cloud. Furthermore, with the market becoming increasingly crowded and no clear standards in placeit is hard for customers to tell the differ- ence between a cloud vendor with a properly architected delivery infrastructure and one that has patched it together and is merely using cloud as a badge. All of this makes it increasingly difficult for customers to navigate their way through the maze of cloud services on offer and, of course, it is the customer who should be the priority throughout these discussions. Moving forwards, there are a range of bodies that are pursing some form of resolution to the standardi- sation debate. However for these organisations to have a genuine impact on the industry, companies and individuals need to rally be- hind them and actively support their calls for universal standards. The first standard that needs to be tackled is security. Its the number one customer concern about transferring data to the cloud and needs to be addressed as soon as possible. The reality is that this concern is mirrored by vendors who are similarly wary of any potential security breaches and, as a result in most cases go to extreme lengths to protect their customers data. In factone cloud security firm recently estimated that cloud vendors spend 20 times more on security than an end user organisation would. Security breaches would inevitably mean the reputation of a company falling into disrepute and in worst cases mark the end of their business al- together. Moreover,the creators of any new cloud based technology do not want to see their project fail for obvious reasons. It is those vendors that do not apply strict standards to their business that need to be called into question. An industry standard is the only way to manage this and good vendors would welcome one because they have nothing to fear from rules of best practice. The second standard that needs to be tackled is the Cloud Data Lifecycle. In previous years, when a customer bought software they installed it directly on their premises. Therefore if the vendor went away they could keep running the software until they found an al- ternative. With an increasing number of people flocking to the cloud, how can a customer ensure they continue to have access to their dataif the vendor goes out of business? It is for this reason that we need Data Lifecycle standards because currently the onus is on the customer to check the financial health of their provider. The good news for cloud users is that there is light at the end of the tunnel. The issue of standards is no longer being sidelined but instead being addressed on a large number of platforms with con- tributions from some of the industrys top decision-makers and influ- encers. For most, if not all conversations, it is simply a question of when, not if, cloud standards are established. However while the de- bate continues, customers will need to ensure that they are aware of the dangers and pitfalls associated, albeit rarely, with adopting a cloud service. Carrying out their own due diligence and research to ensure that their chosen technology is robust, properly architect- ed and secure will remain an essential practice until that time. Justin Pirie Director of communities anD content for mimecast, takes A LOOK AT THE ONGOING DEBATE AROUND CLOUD STANDARDS. Mimecast is exhibiting at Infosecurity Europe 2011 the No. 1 industry event in Eu- rope where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from 19th 21st April at Earls Court, London, the event provides an unrivalled free education programme, with exhibi- tors showcasing new and emerging technologies and ofering practical and pro- fessional expertise. For further information please visit www.infosec.co.uk cloud computing standards Recent research conducted by Mimecast has found that a large proportion of businesses are now using some form of cloud service, with a further 30 percent planning on adopting more cloud services in the future. MONITORING & AUDITING 26 1/2011 T he capabilities of attackers grow every day. The frequen- cy and sophistication of IT infrastructure attacks is in- creasing, sensitive company data is constantly threat- ened. Fortunately, hand in hand with this situation, the network protection tools are rapidly developing too. Certainly, theres no need to introduce firewalls, which are the first line of protection. For a long time it was believed that the second and last line of the computer network defense are IPSs (Intrusion Prevention Systems). However, even those are not enough to face the new threats requiring different approaches to protect the IT infra- structure and sensitive data. Figure 1. The principle of frewalls and IDS/IPS systems: work like guards who flter the trafc according to predefned rules and patterns. Firewall checks packet header only. IDS/IPS looks inside the packet. This fact is being pointed out since 2007 by Gartner, which de- fines the best combination of network security tools as follows: firewall + IPS + NSM/NBA. NSM is an acronym for Network Se- curity Monitoring and NBA means Network Behavior Analysis. This trend is also confirmed in a study called Network Behavior Analysis: Protecting the Predicting and Preventing, published in November 2009 by the Aberdeen Group. These new technolo- gies are not only about security, because solutions based on NSM or NBAare also used to detect network misconfigurations and operational problems or as a tools for increasing the overall IT infrastructure efficiency. In this article, we would like to explain the basic principles of the NSM/NBA technology and, in particu- lar, its contribution to the protection and management of data networks. For completeness we should add that the outputs of network monitoring offer a wider use, especially in the area of network infrastructure optimization or application performance. Products of this category are offered by the world-known manu- facturers such as HP, Cisco, IBM and CA. The influence of IT infrastructure in the organizations is in- creasing it is gradually becoming their nervous system. This entails increasing demands on the extent and quality of the IT infrastructure management. The problems are recognized late and their removal has a serious negative impact on the opera- tions of organization. An infected computer sending spam will cause black-listing of a company and before clarifying the situ- ation (and thanks to various caches even long time after), the e-mail communication is blocked by other servers. People are constantly complaining about the performance of network or applications, the guilt flips between suppliers and the IT depart- ment. As a consequence, people are restrained from work. The investments in the IT infrastructure development are not reflect- ing actual situation and needs. Difficult and insufficient monitor- ing of a network also attracts employees to abuse it for personal purposes and, last but not least, the door is open for various amateur and professional attackers. Sooner or later, as a net- work administrator or IT manager, you will face all these prob- lems. Without proper tools, you wont be able to deal with them, Firewall, IPS Whats Next? Figure 2. The principle of SNMP technology: it only provides information about the trafc volume, but the structure and possible failures remains hidden Certainly, theres no need to introduce firewalls, which are the first line of protection. For a long time it was believed that the second and last line of the computer network defense are IPSs (Intrusion Prevention Systems). However, even those are not enough to face the new threats requiring different approaches to protect the IT infrastructure and sensitive data. Firewall, IPS Whats Next? 27 1/2011 document them or even detect them. The analysis of an inde- pendent association Network Security Monitoring Cluster says that an inefficiently managed and maintained network costs a medium sized company (approximately 250 PCs) $50.000 to $100.000 (not counting the costs for the IT infrastructure secu- rity) every year.. Thanks to the NSM/NBA technology, more than 50% of these costs can be saved. For many years SNMP was a synonym for the monitoring and computer networks supervision. However, this protocol provides only a traffic summary and doesnt really shows what is actually happening in the network (what is the traffic distribution in time, who are the top users, etc.). Flow data monitoring Flows in computer network are similar to individual records on phone call listing. You can find out who talked with whom, when and how long it lasted. The content of conversation re- mains hidden. The flow-based monitoring technology is rep- resented by a number of industry standards the most widely used are sFlow, NetFlow and IPFIX. The flow is defined as a sequence of packets with the same five entries: destination/ source address, destination/source port and protocol number. For each flow the following data is recorded: time of creation, duration, number of transmitted packets and bytes, and other information (TCP flags and other header fields of transport protocols). From now on, we will mostly talk about NetFlow, which is the most widely used standard developed by Cisco and supported across other manufacturers (Enterasys, Juni- per, Nortel, ...). Flow statistics were until recently the domain of advanced and expensive routers and switches. However, the usage of the basic IT infrastructure elements for generat- ing the flow statistics faced a number of barriers and perform- ance limitations. Figure 3. The scheme and principle of NetFlow technology The barriers and performance limitations are eliminated by the use of specialized equipment network probes. These devices are capable of generating NetFlow statistics from any point in the network. The generated flow statistics are exported to the collector, where they are stored and prepared for visuali- zation and analysis or automatically evaluated. NetFlow probe is deployed same way as firewall or IPS in the form of an ap- pliance a server including software that ensures the export of statistics, remote configuration via web interface, user man- agement, etc. In the case of hardware-accelerated model, it is also equipped with special hardware based on field program- mable gate array, which guarantees the processing of packets up to the speeds of 10Gbps. The probes are typically placed at the central node of the network, or at the critical points or lines with the highest data transfer. The deployment of such a probe is made by connecting it to the mirror (SPAN) port of the router or switch, or by direct insertion into the line using optical or metallic splitter (TAP). Figure 4. A special hardware based on FPGA for generating NetFlow data on high-speed networks The modern collectors for NetFlow data storing and process- ing always include an application for displaying statistics about network traffic in graphs and tables with different time resolu- tions, generating so-called top N statistics, data filtering accord- ing to the required criteria, user profile creation and implemen- tation of manual traffic analysis enabling investigation even to the level of individual flows. Figure 5. Example of NetFlow visualization (the screenshot comes from INVEA-TECH FlowMon Collector) A manual analysis and processing millions of daily traffic records is certainly not an ideal solution to reveal the problems of the IT infrastructures. The next step is an automatic and au- tonomous processing and evaluation of NetFlow data gener- ating alerts (events) triggered by undesirable situation, attacks, configuration problems and anomalies in general. Thats the job for the Network Behavior Analysis technology. Network Behavior Analysis The processing and evaluation of statistics in the network traf- fic is an endless, repetitive process of searching for patterns of undesirable network behavior and states, updating behav- ior profiles and comparison with the common state in order to detect anomalies. And what results can we expect? It is a wide range of issues such as network scanning, dictionary attacks, Denial of Service attacks, attacks based on applica- tion protocols, peer-to-peer network activities, spyware, vi- ruses or botnets. MONITORING & AUDITING 28 1/2011 Figure 6. Detection of an attacker performing a dictionary attack by analyzing the network behavior And this is just the beginning behavior analysis can help detecting unwanted applications, misconfigured devices, the usage of anonymization services, top network users, or even identifying the source of network latency. An interesting result of the behavioral analysis is the profiles that are de facto living configuration database of all active devices in the network. With profiles of behavior, we are able to distinguish between servers and clients in the network and gain an overview of the services that are used and provided. What are the concrete benefits of the network behavior analysis for you? Firstly we should men- tion more efficient processes, because problems are detected and uncovered before they cause unplanned night shifts, down- times and resentful users or customers. Another benefit is a bet- ter protection against new security threats (social engineering attacks from the inside, data leaks ...), staff network abusing, use of unwanted network services or the distribution of illegal software. From an economic perspective, this approach leads to significant cost savings, primarily by reducing the labor intensity needed for an IT infrastructure management, minimizing costs resulting from the elimination of security incidents, or SLA fulfill- ment from the side of suppliers. Figure 7. The detection of anomalies based on the change in the network device profle (e.g. a new service occurrence on the server or the increase of communication partners) Finally, the question of success evaluation and comparison to the IDS/IPS arises. Each manufacturer, of course, argues that his system has the highest success rate. This can be truth in terms of the specific methodology. But absolutely the most im- portant factor (indeed, every manufacturer adds that theres no guarantee of future results) is the overall concept and philoso- phy of the specific tool or the number of evaluation methods of operation. In the context of development of outsourcing and the Software as a Service model, remote processing and evaluation of traf- fic statistic also can be used. A prerequisite for such services is the ability to generate statistics about network traffic NetFlow data. That makes possible to obtain an on-line solution for the undesirable behavior and anomaly detection without having to install or deploy any specific software or hardware in your net- work. With the Software as a Service model, virtually everyone can at least try the NBA technology. Figure 9. The principle of trafc analysis as an online service statistics are securely delivered to the evaluation center, which provides network administra- tors the immediate results (the scheme comes from the website www. nethound.eu the NetHound service is ofered by Czech company AdvaICT) Conclusion The deployment of an advanced solution for security monitoring and network behavior analysis enables organizations to pre- vent losses due to unavailability of the network, reduce costs for operations, increase network security, protect investments into the network infrastructure, improve reliability and network availability and maximize satisfaction of their users and custom- ers . These findings are also confirmed by Gartner in its Network Behavior Analysis Update released in 2007, identifying NSM/ NBA technology as an additional level of data network protec- tion needed in the 21st century. Aberdeen Group, engaged in the benchmarking of IT solutions, sees the future (according to the report issued in November 2009) particularly in the integra- tion of NBA/NSM outputs with outputs of other systems and increasing the credibility of detected attacks and anomalies us- ing the correlation of these outputs. In the United States there are known probes by the companies such as Endace, nPulse or Napatech. There are many collectors for statistics storage: NetFlow Tracker, Calligare Flow Inspector or a plenty of open- source solutions. In the U.S., the widely expanded platform is StealthWatch by Lancope (www.lancope.com), which offers a complete solution including behavioral analysis. In the seg- ment of internet providers, the well-known product is Arbor Peakflow designed to detect massive anomalies. Outside US the only manufacturers of NBA/NSM solutions are in the Czech Republic INVEA-TECH and AdvaICT. These companies of- fer their own solution called FlowMon which includes a probe, collector with a variety of extensions and a plug-in for anomaly detection system called ADS. More information is available at www.invea.cz and www.advaict.com. PAvel MINArIk received master degree from computers science in 2005 at Faculty of Informatics of Masaryk University in Brno. Cur- rently he works as a Chief Technology Ofcer in AdvaICT. He is the main architect of AdvaICTs ADS (Anomaly De- tection System) and outgoing products. His main focus is network trafc analysis and anomaly detection. He has participated in several research projects (mainly for U.S. and Czech Army) as a senior researcher of Institute of Computer Science of Masaryk Universi- ty. He is a co-author of two technology transfers (2010) from the University and co-author of 7 published research papers in domain of network beha- vior analysis (2007-2009). IDENTITY MANAGEMENT 30 1/2011 P rivileged Identity refers to any type of user or account that holds special or extra permissions within the en- terprise systems. Privileged identities are usually cat- egorized into the following types: Generic/Shared Administrative Accounts. The non-person- al accounts that exist in virtually every device or software application. These accounts hold super user privileges and are often shared among IT staff (i.e., Windows Administra- tor user, UNIX root user, and Oracle SYS account). Serv- ers, desktops and databases most critical accounts are all accessed with privileged identities Privileged Personal Accounts. The powerful accounts that are used by business users and IT personnel. These ac- counts have a high level of privilege and their use (or mis- use)cansignifcantlyaffecttheorganizationsbusiness. (i.e., CFO user, DBA user) Application Accounts. The accounts used by applications to access databases and other applications. These ac- counts typically have broad access to underlying business information in databases. Emergency Accounts. Special generic accounts used by theenterprisewhenelevatedprivilegesarerequiredtofx urgent problems, such as in cases of business continuity or disaster recovery. Access to these accounts frequently requires managerial ap- proval (i.e., fire-call IDs, break-glass users, etc.) Privileged identities touch upon virtually every commercial sector. This is because every enterprise has a critical component in cy- berspace that is accessible by end users, applications, de- vices, and accounts within this highly-complex collaborative ecosystem. US government and private sector information, once unreach- able or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, lost or stolen with comparative ease either by accident or delib- erately using sophisticated privileged identity attack tools. In an effort to improve business security, compliance and productiv- ity, privilege authorization policies must be redesigned and user permissions more granularly managed. Traditional Privileged Identity Management (PIM) tools ac- count for a significant portion of Identity Access Management (IAM) tools, yet feature a plethora of shortcomings: Failtoenabledesktopuserstoeffectivelydotheirjobas astandarduser(80%ofemployeesloginwithadministra- tor rights); Failtocontrolsuperuseraccesstocriticalservers,giving users complete and unchecked access (80% of all securi- ty breaches are committed by those working within an or- ganization); Forceorganizationstochoosebetweenproductivityand security when implementing a privileged identity manage- ment solution. While these challenges may have been his- torically acceptable, they are no longer good enough. It is time for businesses to expect more from their privileged identity management solution in order to improve security, compliance and overall productivity. Age of Authorization Technology is an ever-changing and evolving aspect of modern business. Most agree that the use of technology is essential to achieving many of the milestones critical to business reform. Identity and Access Management (IAM) govern three significant areas when ensuring proper identity security authorization, access and authentication. Authorization Authorization management is a significant pillar in identity se- curity, mainly due to the fact that industries are moving from pa- per to electronic records. Authorization is the process of giving someone permission to perform certain tasks, or obtain certain information. More formally, to authorize is to define permission policies. For example, human resources staff is normally authorized to access employee records, and this policy is usually formalized as permission brokering rules in a computer system. During operation, the system uses the permission brokering rules to decide whether permission requests from (authenticated) users shall be granted or rejected. Resources include an individual file, task, or item data. Privilege Identity Management Demystified Privileged identities touch upon virtually every commercial sector. This is because every enterprise has a critical component in cyberspace that is accessible by end users, applications, devices [...] Privilege Identity Management Demystified 31 1/2011 Access Access includes the process of centrally provisioning role based time bound credentials for privileged access to IT assets in order to facilitate administrative tasks. Super User Privileged Access (SUPM) and Share Account Password Management are two focal points for proper access controls. Super User Privileged Management (SUPM) & Shared Account Password Management (SAPM) When it comes to crashing your enterprise systems, destroying data,deletingorcreatingaccountsandchangingpasswords,its notjustmalicioushackersyouneedtoworryabout. Anyone inside your organization with superuser privileges has the potential to cause similar havoc, either through accidental, intentional or indirect misuse of privileges. Superusers may well also have access to confidential infor- mation and sensitive personal data they have no business look- ing at, thus breaching regulatory requirements and risking fines. The trouble is that accounts with superuser privileges, includ- ingsharedaccounts,arenecessary:Youcantrunacorporate IT system without granting some people the privileges to do system-level tasks. This is where SUPM and SAPM methodologies come into play.Sowhatsthebestwaytomanagepersonalandshared accounts with superuser privileges in a controlled and Global leaders appear to be protecting information security from budg- et cuts but also place it under intensive pressure to perform Pricewaterhouse Coopers Implementing controls over shared and super user accounts is essential to security & compliance auditable manner? That was akeyquestionResearchVicePresidentAntAllanaddressedat the Gartner Information Security Summit 2009 in London back in September. When it comes to best practices for managing per- sonal accounts with superuser privileges, Allan recommended creating three types of accounts: Personalaccountswithfull,permanentsuperuserprivileges Personalaccountswithfull(orrestricted)temporarysuperus- er privileges Personalaccountswithlimited,temporarysuperuserprivileg- es Superuser activity on any of these accounts should be moni- tored, logged and reconciled, Allan recommended. The first two types are intended for full-time system administrators, and the number of these accounts should be minimized. However,itsimportantnottomakethenumbertoosmall,Al- lan warned. Otherwise there might not be enough people avail- able at a given time to take required action when it is needed. Itsalsoprudenttoconsiderlimitingthescopeofthesuperus- erprivilegesacrosstheorganizationsinfrastructurebyasking yourself: Does a given administrator need to be a superuser on all the systems in the organization? The third type of account, the one with limited, temporary su- peruser privileges, is intended for application developers and database administrators. The superuser privileges of these ac- counts should be limited to the applications or other areas that they might reasonably need to access. Allan recommended us- ing superuser privilege management (SUPM) tools to control these three account types: Byprivilege(e.g.,byregulatingthecommandsavailable) Byscope(byresourcesorsystems,perhaps) Bytime(eitherbyprovidingprivilegesforafxedtimeperi- od or by time windows) Allanalsorecommendedusingsharedaccountprivilege management (SAPM) tools to control these three account types: Byprivilege(e.g.,byregulatingthecommandsavailable) Byformfactors(checksum,licensecode,IPaddress) Byscope(byresourcesorsystems,perhaps) Bytime(eitherbyprovidingprivilegesforafxedtimepe- riod or by time windows) Organizations continue to struggle with excessive user privilege as it remains the primary attack point for data breaches and un- authorized transactions. Mark Diodati, Burton Group Authentication Authentication is the process of determining whether some- one or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Inter- net), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is regis- tered by someone else), using an assigned or selfdeclared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the ex- change of money) is that passwords can often be stolen, ac- cidentally revealed, or forgotten. For this reason, Internet busi- ness and many other transactions require a more stringent authentication process. Identifying the Misuse of Privilege Problems that manifest themselves in an organization due to misuse of privilege stem from intentional, accidental, or indirect causes. The amount of threats posed to organizations have increased faster than security professionals can effectively ad- dress them, opening targeted organizations up to greater risk. Intentional Intentional misuse of privilege often stems from insider attacks. An insider attack is defined as any malicious attack on a corpo- rate system or network where the intruder is someone who has been entrusted with authorized access to the network, and also may have knowledge of the network architecture. A 2010 CSO Cyber Security Watch Survey published find- ings that demonstrate the significant risks posed from insider attacks. Cyber criminals now operate undetected within the very walls erected to keep hackers out. Technologies include rogue de- vices plugged into corporate networks, polymorphic malware, and key loggers that capture credentials and give criminals privi- leged authorization while evading detection. In 2008, the White HouseissuedtheCyberSecurityPolicyReview,whichprofiled systemic loss of U.S. economic value from intellectual property and data theft as high as $1 trillion. The Computer Security Institute and FBI report states that an insider attack costs an average of $2.7 million per attack. CSO magazine cites the following points regarding this threat: Organizationstendtoemploysecuritybased,wall-and-for- tress approaches to address the threat of cybercrime, but this is not enough to mitigate the risk IDENTITY MANAGEMENT 32 1/2011 Risk-basedapproachesholdpotentiallygreatervaluethan traditional security based, wall-and-fortress approaches Organizationsshouldunderstandhowtheyareviewedby cyber criminals in terms of attack vectors, systems of inter- est, and process vulnerabilities, so they can better protect themselves from attack Economichardshipsspawnedbythe2008-2009recession may generate resentment and fnancial motivations that can drive internal parties or former employees to crime Internationalconsultancyagency,Deloitte,statedthesur- vey conducted by CSO magazine reveals a serious lack of awareness and a degree of complacency on the part ofITorganizations,andperhapssecurityoffcers.Organ- izations may focus on unsophisticated attacks from hack- ers or insiders because they are the noisiest and easiest to detect. Yet that focus can overlook stealthier attacks that can product more serious systemic and monetary im- pacts. Accidental Though difficult for many to admit, humans are fallible. We are not perfectly consistent in our principles personally or profes- sionally. Accidental misuse of privileges on desktops and serv- ers does happen, and it does have a measurable impact on the organization as a whole. For example, desktop configuration errors cost companies an average of $120/PC, according to IDC report, The Relationship between IT Labor Costs and Best Practices for IAM. In September 2004, HFC Bank, one of the largest banks in the United Kingdom, sent 2,600 customers an e-mail that, due to aninternaloperatorerror,exposedrecipientse-mailaddresses to everyone on the list. The problem was compounded when out-of-office messages containing home and mobile phone numbers automatically responded to the mailing. As one famous hacker said, The weakest link in any network is its people. The most fortified network is still vulnerable if us- ers can be tricked into undermining its security -- for example, by giving away passwords or other confidential data over the phone, or performing some activity that allows malware to hi- jackadminrightsondesktops.Forthisreason,usereducation should be one cornerstone of a corporate site security policy, in addition to privilege authorization management. Make users aware of potential social engineering attacks, the risks involved, and how to respond. By controlling and auditing superuser access 10% of incidents can be averted, saving over $113,000 in prevented breaches annually. Encourage them to report suspected violations immediately. In this era of phishing and identity theft, security is a responsi- bility that every employee must share. Indirect Indirect misuse of privileges is when one or more attack types are launched from a third party computer which has been taken over remotely. A startling statistic revealed by Gartner is that 67% of all malware detections ever made were detected in 2008. Gartner also estimates managed desktops, or users who run without admin rights, produce on average a $1,237 savings per desktop and reduce the amount of IT labor for technical support by 24%. The Georgia Tech Information Security Center (GTISC) host- ed its annual summit on emerging security threats on October 15 and published its annual attack forecast report. According to their research, the electronic domain will see greater amounts of malware attacks and various security threats in the coming year. Data will continue to be the primary motive behind future cy- bercrime, whether targeting traditional fixed computing or mo- bile applications. According to security expert George Heron, Its all about the data, so he expects data to drive cyber-attacks for years to come. This motive is woven through all five emerg- ing threat categories. Best Practices for Evaluating PIM While understanding the standard definition of PIM is simple, privilege identity management can mean very different things to different business units within an enterprise: Evaluating PIM CFO Chief Financial Officers (CFOs) relate to PIM in financial terms. From a CFO perspective, authorization most likely impacts the cost of a company budget (i.e., productivity, security) or costs incurred due to misuse of privileges (i.e., compliance, fraud). A primary advantage in directing attention to PIM best practices is the reduction in costs that result from improving the efficiency of handling information and accessing exactly what you need to inordertoperformyourjob. Realrisksandpotentialcoststoanenterpriseduetopoor management of security and authorization will also be of greater meaning to a CFO. Information technology will be the medium of choice for all exploitation of privileges in an enterprise. In fact, the future has 67% of all malware detec- tions ever made were detected in 2008 already arrived, with annual losses from viruses, intrusions, and data breaches estimated by some entities to be in the millions of dollars annually. It is especially important that a CFO understands the risks as- sociated with unsecured systems due to improper authorization. Otherwise, management choices may unwittingly jeopardize the companys reputation, proprietary information, and finan- cial results. A CFO does not need to be a security expert, but understanding the basics behind authorization will lend itself to implementing best practices.
The Most Important Strategy for Meeting Security Objectives CEO CFO CIO CISO Increasing focus on data protection X X Prioritizing security based on risk X X Most CIOs stress the importance of security to senior man- agers. In order to ensure an enterprise is implementing proper PIM policies, a CIO should look to ensure the ability to collect user activity and authorization information from a variety of re- sources, associate this data with candidate roles and responsi- bilities, propose alternative roles and leverage decisions made about the data on an ongoing basis. Without a standardized so- lution in place, productivity can be impacted as this takes many resources and time to complete. Improper PIM practices can lead to serious problems due to misuse of privileges. Security initiatives have a higher success rate when it is tied to business initiatives and a corporate goal. When PIM security is built into business initiatives, funding will come. Likewise, tying PIM to the corporate security goal (i.e., to ensure the integrity of company data), implementing such poli- cies will show an executive commitment to security. Privilege Identity Management Demystified 33 1/2011 Evaluating PIM Administrator Security policies are the first line of defense to an IT environ- ment. Without them, an enterprise will be at war. Not only will there be battles between the different support organizations, but administrators could be battling hackers (internally or ex- ternally). There will be no politics from misuse of privileges just a raw desire to change, steal, or accidentally destroy data. Additionally, proper authorization security empowers ad- ministrators to eliminate the risk of misuse of privilege by no longer requiring the distribution of administrative rights or root passwords. Executives often hand off the responsibility for security to sys- tems administrators without providing adequate resources to deploy the authorization controls needed to secure and maintain privileged access. As with CIOs, demonstrating the tie-in to busi- ness initiatives and/or corporate goals will help an administrator meettheirobjectivesaswell. Evaluating PIM Auditor Compliance, compliance, compliance Mandates that require greater privilege authorization control include but are not limited to SOX, HIPAA, GLBA, and PCI DSS. Auditors are well aware of policies that must be in place to comply with federal, state and industry regulations. Non-compliance can result in fines, severe financiallosses,databreaches,anddamagetoacompanys reputation. Sound authorization security will help auditors vali- date corporate compliance. Proper authorization detection and audit-friendly logs to track privilege use helps an auditor per- form the complex duties of this position. Audits have become so important that they command board- level attention. The advantage of using an identity and au- thorization management tool is that it provides the ability to log, control, audit and report on which users have privileges towhatinformationassets.Regulatoryandcomplianceissues are among the main drivers behind identity and authorization brokering tools. Organizations require the ability to demon- strate that account administration and authorization controls are performing according to policy. A good tool should serve as the cornerstone of enterprise governance, risk and overall compliance strategy. Some of the finer points a solution should deliver are: always knowing who is accessing what; when they are doing it and if they are authorized; automatic provisioning of accounts; and integration with enterprise applications; to name a few. An auditor is interested in seeing proof of compliance. Most of these tools create an audit trail that auditors should accept for a general controls audit and proof of compliance. A basic identity and authorization management tool should help organizations comply with most of the challenges that regulations like HIPAA and PCI DSS place on our organizations. In fact, HIPAA may have a new enforcement mechanism because of the HITECH Act signed into law in February 2009 aspartoftheAmericanRecoveryandReinvestmentAct.The new law gives government officials more power when enforcing HIPAA policy, especially when dealing with companies that do business in multiple states. An identity and authorization man- agement tool would be the perfect solution for this kind of com- pany, creating a common reporting framework. Privileged Access Lifecycle Management Banks, insurance companies, and other institutions are faced with the monumental task of managing authorization to mission- critical systems. These organizations have large numbers of internal and external users accessing an increasing number of applications, with each user requiring a different level of secu- rity and control requirements. In addition, these organizations must also address identity management concerns that arise from compliance issues related to regulations like SOX, HIPAA, GLBA, and PCI DSS. High administrative costs due to account maintenance, password resets, inconsistent information, inflexible informa- tion technology (IT) environments, silos due to mergers and acquisitions, and aging IT infrastructures make this even more challenging for organizations. Together, these factors are pro- pelling the adoption of privileged lifecycle access management solutions across all industries. Privileged Access Lifecycle Management (PALM) is a technology architecture framework consisting of four continual stages running under a centralized automated platform: access to privileged resources; control of privileged resources; monitoring of actions taken on privileged resources; and remediation to revert changes made on privi- leged IT resources to a known good state. Privileged Access Lifecycle Management Access includes the process of centrally provisioning role based time-bound credentials for privileged access to IT assets in or- der to facilitate administrative tasks. The process also includes automation for approval of access requests and auditing of ac- cess logs. Control Control includes the process of centrally managing role based permissions for tasks that can be conducted by administrators once granted access to a privileged IT resource. The process al- so includes automation for approval of permission requests and auditing of administrative actions conducted on the system. Monitor Monitor includes audit management of logging, recording and overseeing user activities. This process also includes automat- ed workflows for event and I/O log reviews and acknowledge- ments and centralized audit trails for streamlined audit support and heightened security awareness. Remediation Remediation includes the process of refining previously as- signed permissions for access and/or control to meet security orcomplianceobjectives,andthecapabilitytocentrallyrollback system configuration to a previous known acceptable state if required.Automation of the Privileged Access Management Li- fecycle includes a central unifying policy platform coupled with an event review engine, that provides controls for and visibility into each stage of the lifecycle. HowtocostjustifyPrivilegedAccessLifecycleManagement Security:PrivilegedAccessiscriticalforsmoothongoing administration of IT assets. At the same time, it exposes an organization to security risks, especially insider threats. Compliance: Privileged Access to critical business sys- tems,ifnotmanagedcorrectly,canintroducesignifcant compliance risks. The ability to provide an audit trail across all stages of the Privileged Access Lifecycle Management iscriticalforcompliance,andisoftendiffculttoachievein large complex heterogeneous IT environments. ReducedComplexity:EffectivePrivilegedAccessLifecy- cle Management in large heterogeneous environments IDENTITY MANAGEMENT 34 1/2011 with multiple administrators, managers and auditors, can be an immensely challenging task. Heterogeneous Coverage: An effective PALM solution supports across a broad range of platforms including Win- dows, UNIX, Linux, AS/400, Active Directory, databases, frewalls,androuters/switches. Beginning Steps Before Implementing PALM Set Security as a Corporate Goal Enterprises may have trouble maintaining security be- cause everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of man- agement. Provide or Enlist in Training as Required For security to work, everyone needs to know the basic rules.Oncetheyknowtherules,itdoesnthurttoprompt them to follow those rules. Ensure All Managers Understand Security It is especially important that all members of management understand the risks associated with unsecured systems. Otherwise,managementchoicesmayunwittinglyjeopard- izethecompanysreputation,proprietaryinformation,and fnancialresults. Communicate to Management Clearly Too often, system administrators complain to their termi- nals instead of their supervisors. Other times, system ad- ministratorsfndthatcomplainingtotheirsupervisorsisre- markably like complaining to their terminals. If you are a manager, make sure that your people have access to your time and attention. When security issues comeup,itisimportanttopayattention.Thefrstlineof defense for your network is strong communication with the people behind your machines. If you are a system administrator, try to ensure that talk- ingtoyourimmediatemanagerfxestheproblemsyousee frompotentialorrealizedmisuseofprivileges.Ifitdoesnt, you should be confdent enough to reach higher in the management chains to alert for action. Delineate Cross-Organizational Security Support If your company has a security group and a system ad- ministration group, the organization needs to clearly de- fnetheirrolesandresponsibilities.Forexample,arethe systemadministratorsresponsibleforconfguringthesys- tems? Is the security group responsible for reporting non- compliance?Ifnooneisoffciallyresponsible,nothingwill get done. And accountability for resulting problems will many times be shouldered by the non-offending party. Freeware vs. Licensed Software To be able to understand pros and cons of Open Source soft- ware, one must first understand the philosophy in which it is rooted.Supposeforamomentyoureastudentreadingaphys- icsbookwhichexplainstheTheoryofRelativity. Now, you are able to read the book, use the notorious formula E=mc 2 tosolveallofyourexercisesand,ifyoureaparticularly brilliant student, why not, even start from there to come up with a new formula leading to a new scientific discovery. In other words, the scientific knowledge is in public domain, freeforeverybodytouse,modifyandredistribute-youdont havetopayaroyaltytoEinsteinsnepheweverytimeyousolve a difficult physics exercise or you daydream about time-space travel. In this sense, freeware may be regarded as an attempt at making the world of technology much more similar to that of science, particularly in the field of computer software. Every software distributed with an open source license grants to eve- rybody the rights to disassemble, rebuild, manipulate and per- sonalize the product, making it possible to understand its inner mechanismsandadapttheproducttotheusersneeds. However, using open source software for IT security purposes is generally discouraged simply because the entire source code is available for free download would usually make it much easier for a malicious user to find an exploitable bug in the program in order to bypass all protections. Whereas using the proprietary software in this case tends to make things difficult for the potential attacker, as he would have to reverse-engineer a large part of the program in order to achieve the same result. Sure, open source software may be free, but the propeller- heads you need to actually get it working, customized, and sup- portedarent. Spendingtimecustomizingasoftwareproduct,justbecause its open source,doesntmeanthattimeiswellspent.Business owners should stick to the boring, off-theshelf stuff for now. Conclusion Letsfaceitorganizationscannotsimplybuildwallsto protect vital information anymore. However, in the proc- ess of adapting to this new virtual collaborative environ- ment comes the enormous challenge of ensuring that priv- ileged access to critical information is not misused. Walls that may have worked a decade ago are now practically ir- relevant as users seek ways around, over, or under these obstructionsbecauseitinterfereswiththeirmainjobdu- ties.Aswemoveforwardinthisevolvingera,itsimportant to develop an awareness of how to protect our resources, whatever they may be, using boundaries to guide us, not walls. Havingwelldefnedawarenessofboundariesenablesend users and applications to communicate freely within an IT environment without worry of intentional, accidental or in- direct misuse of privilege. Boundaries allow a more pro- ductive and compliant dialogue to take place between us- ers and the IT department and proactively deters attempts of misuse. If boundaries are respected, then IT remains in control of security, compliance and productivity, and has the authority to take proactive steps in which to protect the enterprise. Privileged identity management is critical business sys- tems, and if not managed correctly, can introduce signif- icant compliance risks. Privileged authorization is criti- cal for smooth ongoing administration of IT assets. At the same time, it exposes an organization to security risks, es- pecially insider threats. JIM ZIERICk Mr. Zierick brings more than 25 years of enterprise expe- rience building technology companies in operations and sales to BeyondTrust where he will be responsible for di- recting the companys global initiatives to drive product growth and technical thought leadership in the Privilege Identity Management market, as well as adjacent mar- kets. He will be will be responsible for development methodology, process and management for the entire BeyondTrust product suite. ATTACKS & RECOVERY 36 1/2011 A successful defense-in-depth program is constituted of three equal legs: People, Technology and Operations. These vectors should be treated equally, and without proper balance could leave a potential gap in your security pos- ture. Certain legs like technology might take longer to implement and maintain, but it does not mean that it is any more important than the other two. These legs need to walk in stride in order to arrive at your goal, and that goal is to protect your data. A com- panys data is what hackers are after, either to steal, change, deny or delete. The data is what a defense-in-depth initiative is aimed to protect. The taxonomy of a hacker could fall into multiple categories with numerous motivations. The individuals attacking you could be in the form of a nation or government, cyber-crime gang, competitor, malicious insider or a kid in his mothers basement. They could be looking for financial data to sell, government se- crets to exploit, intellectual property, or to embarrass and black- mail. At this point it does not matter who or why they are at- tacking, but to verify that your data and systems are safe from their assault. A defense-in-depth program cannot be successful or protect you from attack without the CIA triad of confidentiality, integ- rity and availability. These three roles are at the heart of what this program is attempting to achieve, without this framework the three legs cannot move. Included with the CIA framework a successful program needs to have the ability to alert, protect, react and report on the attacks that have occurred. There have been many analogies of an onion when describ- ing a defense-in-depth strategy, and I think this is a great way of thinking about it. You have to peel back multiple layers of the onion until you reach the core, and this is exactly what we are trying to achieve here with defense-in-depth. We want some- one to pass through multiple layers of security before they get to the core of our data. You need to have fail safes in place at other layers to catch the intruder if they happen to get through a previous layer. The Onion Approach is how you apply a suc- cessful defense-in-depth program. This makes sure that you are not relying on one leg of the program too heavily and creates a robust approach to securing your data. Now lets take a closer look at each one of the three legs that make up our defense onion. The People Layer Many times people fail to realize that people are actually the problem. People are the ones that are hacking into your sys- tems, people are the ones that are accidentally or purposefully releasing confidential data outside your network, people are the ones that are not configuring the systems properly and leaving security holes in your network. Long story short, people are the problem. But there is a bright side, people are also the solution. We need to be working this leg of our defense-in-depth program to our advantage. This part of the program is more focused on the tangible aspect of securing data, and this is not just by lock- ing a server in a closet. The security of your data is directly related to the caliber of people that are working at your company. By doing proper back- ground checks, credit checks and drug screening allows for em- ployers to become more selective with their on-boarding proc- ess. This does not mean that an employee with a clean record is not a threat; it just means that the organization is performing its due-diligence to protect itself against a potential unwanted situation. Hiring good people and rewarding them appropriately allows for people to become more involved and protective of the company they work for. On the flip side, if there is inappropriate Defense-In-Depth The Onion Approach There is no such thing as being completely secure in any industry, especially in technology, but there are definitely ways to mitigate potential risk and breaches to your organization. By adopting a defense- in-depth strategy based on the framework of industry best practices and technology, you can continue to strive towards being secure. Defense-In-Depth 37 1/2011 behavior, an employee should be disciplined appropriately to enforce the companys policies & procedures, and establish authority. Physical security is another area that falls into The People Layer sector of our program. Having the appropriate levels of security on your physical perimeter defers a malicious person from gaining physical access into your facility. By having en- trances equipped with swipe cards and biometric access will stop the majority of people from entering a physical location; having pictured badges also helps identify intruders. Another form of physical security is having cameras setup on key parts of the building recording information that can be reviewed at a later time. Being able to rewind the recording to a particular point in time is key to this security, as well as having an alarm system that can alert the proper authorities when needed or having an on-site security guard. Lastly, having physical locks on file cabinets and server racks to protect the physical data from being stolen is a form of security that should not be over- looked. How many companies have a third party cleaning crew with full access to the building? As we mentioned in the begin- ning of this article, we need a way to have the ability to alert, protect, and react on incidents. By having an alarm system in place we are able to alert on a physical breach of the perimeter, by having locks and access cards with appropriate permissions we are able to protect our physical infrastructure and data, by hiring security guards and camera systems we are able to react to incidents in real time. Another role of The People Layer is user training and aware- ness. People are not secure by nature and will indubitably make errors and mistakes throughout their time in the company. This is human nature and there is no way to stop this issue with 100% certainty, but there is a way to mitigate some of the pain. By having a successful security awareness program that focuses on the dos and donts of information security, you can educate a user from making a potentially dangerous decision. Having an educated user population might be the greatest form of secu- rity that a company can bolster in its information security arse- nal. This can be accomplished with in-person training, monthly newsletters, signs and handouts, etc. The main focus is to have users understand that is part of their responsibility to assist with keeping the company secure. The last responsibility of our People Layer is the policy and procedure layer. This is glue of the previous People Layers, and of many other layers to follow. Having secure policy and proce- dures in place to let people know how to act and achieve cer- tain tasks is paramount. Examples of this would be a policy on separation of duties within departments to segregate data from being treated insecurely, or having a third party vendor policy to review all external vendors before doing business with them. Without this layer the other layers will tend to act independently of each other. The policy and procedure layer ends up being the laws of the layers and will keep the people, technology and operations on a path towards security. The Technology Layer There is a wide breadth of information security technologies available to assist with securing your systems, network, and applications. This can be the most difficult layer to implement due to the large amount of planning, implementation and inte- gration with other areas of technology. The Technology Layer is here primarily to alert, protect, react and report on cyber- security related incidents. This layer heavily bleeds into both the people and operation layers since both layers relying on the technology. Before technology can actually assist with the protection of data it needs to be researched, reviewed and implemented. If there is a need for a technology to help secure a particular part of the organization, there should be thorough investigation into the products that are on the market that can assist with filling this need. Third party reviews by reputable organizations should take place to verify that a niche or fly-by-night product is not se- lected. After choosing a handful of potential vendors that can fit the bill, a Request for Proposal (RFP) should be created with the needs that you are looking to fill with their products. Once the vendors return these RFPs a choice can be determined based on their input and you can start reviewing their product. A proof-of-concept should be determined in the RFP to review the product before purchase. With this phase you will decide if this technology will actually perform the way it was intended to in your environment. During this phase the technology should be placed in a staging environment and tested to make sure that it protects and works as desired, it is here that you need to determine if this technology will actually improve your security posture. If you cannot get the desired effects or resources to run the technology, it will never run properly and could poten- tially give you a false sense of security, leaving the company vulnerable to attack. If after you run through these steps and you determine that you have the right technology, it does what it is intended to do, and you have the resource to run, than its time to purchase and implement the system. Before implemen- tation can begin a detailed architecture discussion should begin with updated network drawings, resources and project plans. Preparing for an implementation is important, because missing details could lead to a misconfigured product or cause other ar- eas of the network to fail. There needs to be a diverse layered approach of where the technology is implemented throughout the organization. This is mainly due to resist attack by having many fail safes installed within the architecture. There are 3 ma- jor locations that technology can be implemented for security in your infrastructure: border systems, externally facing systems, and internally facing systems. Border systems are the first line of defense from outsiders trying to gain unauthorized access to your data or cause the organization harm. The technology that many people think of if you say the word security is firewall. Firewalls should be stood up on the boundary of your networks with only the necessary ports open for access. Locking down the policies on your fire- wall to allow only traffic that is needed and deny all that is not is a recommended standard. The firewall in many cases is one of the first lines of defense in your network, and by limiting what Diagram 1. ATTACKS & RECOVERY 38 1/2011 can get through the firewall, will help take pressure off the tech- nology layer beneath it. Firewalls do not have to be used on just the outside of your network, and should be in place to separate any major segments of the architecture. The next layer of tech- nology that would be hit on the external network would be an Intrusion Prevention System (IPS). Depending on your network architecture you could actually have an IPS positioned before the firewall, behind the firewall, or implemented within the fire- wall. In our case we are going to have it implemented behind it to watch the flow of traffic come through. An IPS in our situation blocks malicious traffic that made it past the firewall, because it acts on intelligence and scans traffic for signatures and known intrusion attempts at a higher OSI layer. The IPS and firewall walk hand-in-hand as the first real defense against malicious at- tacks coming inbound towards your company; they could also be used to catch malicious traffic leaving your network. These two technologies complement each other by securing traffic from different standpoints. Even with a firewall and IPS installed and configured properly, it is still very possible for an intruder to get past this technology. It is for this reason that an organization should be concerned with their externally facing systems and install a demilitarized zone (DMZ) within their network. A DMZ is a network that serves public facing systems to the public for use. An example of this would be a web DMZ, where all publicly accessible applications are available over the Internet. Even though they are behind the firewall and IPS they are still considered a high risk and should have proper procedures and polices created on how to harden these systems from attack by intruders. Systems within the DMZ should not have direct access back into your internal network and should, for the most part, be segregated for the companies protection. The majority of systems that are publicly available on the DMZ are web applications. These systems are on the DMZ for the purpose of being accessed by people outside of the com- pany. The use of encryption to access personal data on these systems should be used to provide confidentiality and integrity of the transmission. This will secure the flow of data from the companies systems to the intended recipient without the risk of it being monitored by an attacker. This is for the protection of data into your network by an intruder who was looking to steal or cause damage within your systems, but what if the purpose of an attacker was to knock your presence off the Internet? Denial- of-Service attacks are directed toward a companys services to prevent them from performing their intended service. When these attacks are sourced from multiple locations its considered a Distributed Denial-of-Service and can effectively take down a company from serving up web content, e-mail, or anything that involves the Internet. Having a DDOS service established to either scrub or absorb the overload of malicious traffic is your best bet in attempting to mitigate this type of malicious traffic from overloading your systems and bandwidth. Even with all this technology in place an intruder could still gain access to your internal systems, and you have to be as diligent with protecting your internal systems as you are with your external ones. With a defense in depth framework, you cannot rely on your perimeter technologies to protect your internal systems; espe- cially when the threat is occurring from the inside. Internal sys- tems historically are not as hardened as their external counter- parts, for the simple reason being that they are there to serve up data or access for internal use with a certain amount of trust. This does not mean that the security on these systems should be lax, and they should be treated with the same security mind- set as a system in your DMZ. There are systems and standards that should be followed to catch either internal abuse or external attacks that have slipped past your first layer. In order to secure your LAN there are network based systems and node by tech- nology that can assist as you continue to focus your security efforts down to the node level. The protection of the internal systems starts with the access to the systems themselves. By applying access control to networks and hosts will limit the ability for attackers to easily gain control or at least slow them down. Utilizing an identity management system helps with the monitoring of users and assists with the accidental permission creep that a user can accumulate over time. As well as using a centralized authentication system to limit the need for multiple local user accounts to manage equip- ment is also recommended. Access to a system is an integral part of security, and this should be closely guarded. From here the next layer down is implementing a Network Ac- cess Control (NAC) across your LAN which will limit the misuse of nodes gaining access to your network. This system forces your guidelines and standards to nodes connecting to your net- work before they are allowed to connect internally. This stops rouge PCs and insecure nodes from causing damage before they are able to connect to your data or internal systems. Installing a Security Incident and Event Management (SIEM) on your network is a technology that touches all other systems that in attempts to pull needed information from each. This sys- tem essentially can collect logs from all your devices and have custom correlated rules to look for suspicious and known mali- cious traffic. A SIEM is constantly searching logs from your sys- tems for hostile activity, and when done correctly will be a major layer of defense between the other technology layers. Another technology that is designed for internal use is Data Leakage Prevention (DLP). With the biggest threat to your net- work being inside abuse, DLP is one of the only tools that are going to protect and detect this type of attack. If a user has the permission to a file, no other system is going to stop them from accessing it. By utilizing DLP and seeing who, what and where your data is going, will you give a step up on protecting your information and potentially stop insider abuse. Web content filtering is a technology that allows for organiza- tions to block unwanted web traffic from being accessed. This also helps with data loss, but can assist with protecting your Diagram 2. Defense-In-Depth 39 1/2011 user population from accessing known malicious web content. This system is in place to proactively stop threats from coming down into your LAN. There are also preventions that can be placed on single sys- tems like anti-virus and encryption that are aimed to protect the individual node. Encryption technologies like tokens and full disk encryption are aimed to keep the confidentiality and integrity of the data either at rest or in transit, while anti-virus/ anti-spyware/anti-malware are aimed towards keeping the node clean from malicious software running on the system. These technologies are really focused to prevent unauthorized activ- ity at the node level. Utilizing security technology both on your internal and ex- ternal systems that allow for countermeasures and unique ob- stacles for intruders to pass will be most successful in organi- zations security. Each technology will allow another hoop for a hacker to jump through in order to gain access. You can think of this security as a siphon, you should have your most rigid security at the top of the siphon in attempt to catch as much as possible and then filter down the access and security to the particular node. By having more stringent security at the top of the network, will hopefully protect your workstations at the bot- tom. With the security technology now in place, there needs to be a group of people managing, monitoring, and responding to threats that your systems are now taking. This brings us to our next major layer. The Operations Layer The operations layer is the piece of the onion that ties all the others layers together and focuses on the day-to-day tasks that are needed to uphold a companys security posture. This layer is the adhesive for the other layers. Without this layer an organi- zation can have all the policy and technology in place without fully taking advantage of what each layer has to offer. The efforts that were put in place by the other layers are not fully achieved, until the operations layer is put to work enforcing them. Lets review how the operations layer reaches out and touches the other layers. Within The Peoples Layer, the operations layer is fully re- sponsible for getting the word out about information security. This layer needs to have people educated to know what poli- cies and procedures have been created and how to act accord- ingly. There should be a location that employees can go to get updated informational policy and procedure, which should be vetted on a regular basis by the appropriate personnel. Without updating the policies and procedures in visible locations, people will not be educated properly. Also, going through a risk management assessment of your systems so that you are aware of where the potential threats and risk lie within your network and organization should be reviewed on a regular basis. Risk management will give you and education on where your data is most vulnerable and how to achieve a bet- ter understanding of the risks that your data is open to. Another standard to follow in the operations layer is strict change control policies. By scheduling changes to your sys- tems based of criticality and risk, gives the decisions makers a better understanding of what is in store for a particular change. Making unauthorized changes to the network is dan- gerous and leaves the systems open for potential vulnera- bilities. Having procedures in place for change control limits these types of errors. There is another group in the organization that assists with keeping the people that operate the technology honest, and they are internal audit. An internal audit department should be verify- ing that the operations teams are doing what they are supposed to, when they are supposed to. They should make the appro- priate departments accountable for their actions and regularly verify that procedures are being followed. Lastly, the final group in the operations team is the incident response team. This team in involved when an incident has oc- curred, and brings it the appropriate people to resolve the issue. An incident could be both technical and non-technical, and the teams should be organized to have the appropriate resources called upon when needed. Within The Technology Layer, the operations layer is respon- sible for keeping the technology running efficiently, while at the same time monitoring and reacting to attacks against the company. These proactive tasks include, but are not limited to include verifying up to date anti-virus and IPS signatures on a regular basis, patching all systems in a scheduled manner, verifying renewals of equipment, performing audits of access lists, etc. There should also be scheduled vulnerability scans, either internally or by a third party, against the organizations web and network infrastructure in attempts to find compliance and security holes in their security architecture. Having monitoring against your systems is essential to hav- ing a successful defense-in-depth program. Without proactively monitoring your systems could be under attack constantly or successfully breached and you would not even know. Reviewing alerts from your technology and creating baselines against your systems are ways to proactively look for attacks against. Being able to tell when something is not right and review it in a timely manner is important for the security of your systems. Lastly, creating a security metrics program to deal with week- ly, monthly, quarterly and yearly statics is a way that allows you to gauge your improvement in certain areas of your security posture. These metrics can also be used to show patterns that might have gone by unnoticed. Having a successful metric pro- gram that shows thoughtful metrics displayed in an easily under- stood format can also be used to justify and verify your security program to management. With all the layers now unfolded, a defense-in-depth program should not rely on one layer alone. It takes multiple layers, de- partments, and technology to have defense-in-depth actually brought through to fruition. When one layer fails, this model should be constructed in a way that another layer is there to catch the failure. These layers are hand in hand with each oth- er and work both independently and cooperatively at the same time. there is a relationship between each layer and its partner layers. In order to be successful at this approach, you cannot rely on one layer too heavily and assume that the other layers are just going to pick up the slack. Just because you have all the newest technology implemented does not mean that you are se- cure? You need to have proper steps taken to secure the human aspect of your organization, while also operating the systems to their full potential. Without this that new technology will not get you too far. Defense-in-depth is a team sport and needs all the players in the game playing to their full potential.
MATThew PAscuccI Matthew Pascucci is an Information Security Analyst in the fnancial sector with over 10 years experience in the techno- logy feld. He holds numerous technical certifcations and a degree in Network Security. You can follow his blog at www. frontlinesentinel.com. ATTACKS & RECOVERY 40 1/2011 I n July 2010, a Microsoft Windows computer worm called Stuxnet was discovered. Stuxnet targets industrial software and equipment, and is the first malware to include a program- mable logic controller rootkit. Speculations are that it caused a months setback to the Iranian Nuclear Program. Viruses and Malwares that do damage are nothing new, but Stuxnet is not just any Virus its a cyber-weapon. A cyber- weapon that pushes the concept of cyber warfare into the realm of possible. Today its a country that seeks to destroy another nation and tomorrow its a commercial company that seeks to make a rival company go out of business. Goodbye World! Can Software cause damage to Hardware? Yes. Software con- trols Hardware and it can make it perform damaging Opera- tions. Software can damage other software in the hardware that makes it work. And last, but not least, Software controls Hard- ware and can make it perform Operations that will result in dam- aging a different hardware. This is all leads toward Permanent Denial-of-Service, an attack that damages hardware so badly that it requires replacement or reinstallation of hardware. One Permanent Denial-of-Service attack method is known as Phlashing. Plashing is an attack that exploits security flaws which allow remote administration on the management interface of the hardware, such as routers, printers, network-attached storage, or other networking hardware. The attack replaces the devices firmware with a modified, corrupt, or defective firmware image. A successful Phlashing attack bricks the device, render- ing it unusable until it repaired or replaced. The Phlashing attack can also be applied to internal hardware devices such as CD-ROM and DVD-ROM drives that can have their firmware updated or replaced by running an application on the system that they are connected to. External hardware de- vices such as Mobile Phones, Tablets, and PDAs that are con- nected by USB or FireWire to a system can also be attacked. Taking the process of Jailbreaking of an iPhone, iPod or iPad as an example, Jailbreaking is conceptually the same as Phlash- ing. One of the common side effects of an unsuccessful Jail- breaking of an iPhone, iPod or iPad is bricking it, now imagine that every time that you will connect an iPhone, iPod or iPad for syncing purposes it will get bricked. Other Permanent Denial-of-Service attacks are Overvolting, Overclocking, Power cycling, and Overusing. Overvolting is the act of increasing the CPU, GPU, RAM or other component volt- age past manufacturer specification. Although it may sound like a bad idea, overvolting is sometimes done in order to increase the computer performance. Taking the process of overvolting a CPU as an example, it is possible to change the CPU core volt- age (aka. Vcore) Which is the power supply voltage supplied to the CPU from the BIOS settings. Increasing the voltage creates more heat and more heat means high temperature. Now computer hard- ware and transistors specifically can sustain damage from lengthy exposure to high temperatures. Standard cooling measures are usually ineffective for such high temperatures and so its possible to cause hardware damage. Another byproduct of increased volt- age is Electromigration. Electromigration is a phenomenon that manifest in transport of material caused by the gradual movement of the ions in a conductor due to the momentum transfer between conducting electrons and diffusing metal atoms. In other words, an Electromigration increase the resistance of the metal intercon- nects which can interfere with the processor operation and also can cause interconnects to break entirely. Once a CPU intercon- nect is broken, it cannot be used to send voltage high signal down through, and there is hardware damage. Overclocking is the act of running the CPU, GPU, RAM or other components at settings that are faster than the manufac- turer originally intended. Much like overvolting, overclocking can also be done from the BIOS settings or by a running software (as in the case of GPU) on the system the hardware is installed at. Overclocked hardware creates more heat due to its operating at a higher frequency and standard cooling countermeasures are not always effective. The result is lengthy exposure to high temperatures which leads to hardware damage. Power cycling is the act of turning a piece of equipment, usu- ally a computer, off and then on again. This simple yet effective attack works on damaging hardware by causing temperature flection and spikes. Whenever the hardware is on theres elec- tric current passes through which causing it to heat and when turning off the electric current stops and the hardware cools down. Thus power cycling can cause wear on the hardware as well as keep humidity levels from lowering. Power cycling can also result in spikes, a sharp momentary increase in voltage or electric current that can damage an electronic circuit. Last, but not least there is the overusing attack. Overusing is yet another Permanent Denial-of-Service that is simple yet effective. Overusing can be used against hardware with me- chanical parts as well as solid-state one. Starting with overusing attack on mechanical parts, hardware such as CD-ROM drive or DVD-ROM drive usually contains mechanical parts to either eject the CD, or open the tray. Repetitively opening and closing the tray is a good example for overusing that will wear down the mechanical parts till the point it will no longer work. Ready or Not Industrial Cyber Warfare Comes In October 1987, a DOS file virus was detected in Jerusalem, Israel. The virus, known as Jerusalem contained one destructive payload that was set to go off on Friday the 13th, all years but 1987. On that date, the virus deletes every program file that was executed. In April 26, 1999 a Microsoft Windows computer virus called CIH (aka. Chernobyl) payload was delivered for the first time. CIH is one of the most damaging viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS. Ready or Not Industrial Cyber Warfare Comes 41 1/2011 Ready or Not Industrial Cyber Warfare Comes Keeping the same type of thinking, lets see how a similar con- cept works on a solid-state hardware such as Flash. Flash mem- ory is a non-volatile computer storage chip that can be electrically erased and reprogrammed. It is primarily used in memory cards, USB flash drives, MP3 players and solid-state drives for general storage and transfer of data between computers and other digital products. Flash memory is vulnerable to a Memory Wear, a form of overusing attack that results in preventing from further infor- mation to be written. Flash memory has a finite number of pro- gram-erase cycles, meaning there is a limitation on the amount of writing a flash memory is capable of accepting. Running an application that excessively writes to a flash memory will result in wearing it out and in devices such as tablets, thin clients, and routers where it is not always physically possible to replace the memory it can result in a downtime and a complete bricking. Its important to remember that all though not all Permanent Denial-of-Service attacks are easy to execute, have immediate effect or causes the same degree of damage. All Permanent Denial-of-Service attacks cause sabotage that gets in the way. Wrong Browser, Wrong Website Depends on the Permanent Denial-of-Service attack, it can be mounted either remotely or locally. For the local part, a Perma- nent Denial-of-Service attack payload can be embedded into a malware much like Stuxnet. Getting infected with malware is usually much easier than getting rid of it, or detecting it. An at- tacker has multiple ways to infect the companys employees, starting with exploiting Client-side vulnerabilities such as in Web Browsers and Browser plug-ins. Vulnerabilities in Adobe Read- er, Internet Explorer, Java, Firefox and more are exploited by attackers when the companys employees visit infected web sites. A common misconception is that infected web sites are either illegal or bad but the truth is that nowadays malware is delivered using Advertisements on legitimate web sites such as Yahoo, Google, Fox and more. Another infection vector is social networks, social networks has an increased amount of malware and online scams embedded in it and as such it can be used and directed toward infecting the companys employees. Most social media networks do not check the links in users posts to see if they could lead to malwares or other threats. Also, much like web sites, social networks do not seem to screen their ad- vertisements for malwares. Last, but not least there is social engineering infection vector. Social engineering attacks such as phishing, spear phishing and whaling are still very effec- tive. The latter describes going after a bigger fish which surely would be an executive. When someone is being whaled, their initial contact might not be some generic Dear sir/madam mes- sage, but might actually include their specific name, job title, or more. Once contact is made, the victim is most often tricked into opening some kind of file attachment that contains the malware. Once the malware is executed it does not have to set off imme- diately but rather it can wait and be a part of an orchestrated at- tack. The trigger to star the Permanent Denial-of-Service attack can be anything from a predefined date to command sent from the attacker itself. Such campaign will be known as Advanced Persistent Threat (APT) and as in the case of APT the detection rate of anti-virus products will be lower. Putting All the Pieces of the Puzzle Together The following is a fictional scenario for an Advanced Persistent Threat that includes a Permanent Denial-of-Service in it. You walk into your office on Monday morning. Plug your laptop into the power and go get some coffee while it boots up. Coming back to your desk and clicking on your favorite Email Client. Starting writing Emails, replying to others, making phone calls and soon enough its launch time. You grab your jacket and join a few col- leagues on their way out. After an hour or so youre making your way back to the office, ready to do some more work when you find out your laptop is frozen. You reboot it and an error message appears, saying the hard-drive crashed and it unable to boot from it. You are puzzled by it, its a brand new laptop and there were no signs of any hard drive problems. You are about to pick up the phone to call IT and then one of your colleagues steps into to your office and asks you if you are also experiencing any problems with your hard drive. That day the whole company had problems with their hard drives and it took a few more days until IT depart- ment replaced all the damaged hard drives and in the meantime the employees could not properly work and as a result the com- pany suffered both operational and financial losses! Not all Threats are Equal and not all the Risks worth the Time and Money to deal with There is no silver bullet for it, this threat requires a threat modeling that reflects not only technological understanding but also busi- ness understanding. The company needs to know where their assets are and how to protect them. Not all threats are equal and not all the risks worth the time and money to deal with. A targeted attack means theres one or more failure points that the attacker can exploit and the company should be ready to detect and miti- gate any attempts to strike them. Its a challenge, the company needs to protect 100% of the attacks while the attacker needs only to succeed once, and that one time is enough to cause con- siderable damage. It is time to move beyond the casual Website penetration testing to a more methodological, in-depth risk survey and penetration testing that will test for such attacks and their out- comes on the company, a genuine red team testing. Hardware manufactures plays a major role in this threat and they should address these attacks in their products. Software that is either embedded in hardware, or controls it should im- plement safety checks and controllers to avoid been abused. In addition, it is mandatory to digitally sign firmware updates or patches to prevent from the attacker to use it as an entry point. The Hardware itself should also be able to detect and mitigate attacks such as Overvolting, Overclocking and etc. to avoid sus- taining a permanent damage. Perhaps these protections would only be able to reduce it to a level of Denial-of-Service but even that is better than having a permanent damage to the hardware. Finally the general security of the products is also a factor if the attacker manages to exploit vulnerability and to gain access to the product filesystem or internal memory it can be then lever- aged to perform a Cyber Warfare attack. This is IT Cyberwarfare is expected to hit the commercial market in the next few years and we will see more and more companies been attacked by APT that will blow up in their face. Today its a na- tion that seeks to harm another nation and tomorrow its a com- mercial company that seeks to make a rival company to lose business. Make sure its not your company. ITzIk koTlER serves as Security Arts Chief Technology Ofcer and brings mo- re than ten years of technical experience in the software, tele- communications and security industries. Early in his career, Itzik worked at several start-up companies as a Security Researcher and Software Engineer. Prior to joining Security Art, Itzik worked for Radware (NASDQ: RDWR), where he managed the Security Operation Center (SOC), a vulnerability research center that develops update signatures and new techniques to defend known and undisclosed application vulnerabilities. Itzik has published several security research articles, and is a frequent speaker at industry events including Black Hat, RSA Conference, DEFCON and Hackito Ergo Sum. SECURITY IMPLEMENTATION 42 1/2011 W e take for granted that everybody reading this mag- azine probably knows that Information Security is about ensuring the Confidentiality, Integrity, and Avail- ability (CIA; called the CIA Triad) of your organizations informa- tion. However, for the average person Information Security can be an overwhelming concept to grasp. Mention it in the local shopping mall and you will get a mixed set of reactions ranging from fear to confusion to amusement. Yet for those of us who spend time reinforcing our tin-foil hats with chicken wire (after all, everybody KNOWS that Faraday cages are the best way to stop signals from leaking) the everyday duties required to keep an enterprise computing environment safe is a staggering ballet of firewalls, intrusion detection, policies, and encryption algo- rithms. The correct answer to what Information Security is will depend on whom you ask - the firewall administrator sees it as a set of complex and interlaced rules, while all the Active Direc- tory team may see is users and their associated groups. For the new manager of an Information Security program, you must ask which of those answers is correct. The answer to your question is that both of them are right. Each of these answers are but parts of the greater system consisting of an interlocked series of layered controls which provide defense- in-depth against all potential threats to your computing environ- ment. As cryptologist Bruce Schneier said, Security is... more than designing strong cryptography into a system; its design- ing the entire system such that all security measures, including cryptography, work together. Unfortunately, Information Security solutions are complex, diverse, and are not usually of the plug-and-play variety. How do you make all of these processes, technologies, and prod- ucts fit together? How do you make sure that your Information Security plan is comprehensive? Deciding how to start a pro- gram is one of the most fundamental complexities of managing an Enterprise Information Security Program (EISP). According to the International Information Systems Security Certification Consortium, Inc., (ISC), there are ten domains [1] in Informa- tion Security: Access Control: 1. Application Development Security 2. Business Continuity and Disaster Recovery Plan- ning 3. Cryptography 4. Information Security Gov- ernance and Risk Man- agement 5. Legal, Regulations, In- vestigations and Compli- ance 6. Operations Security 7. Physical (Environmental) Security 8. Security Architecture and Design 9. Telecommunications and Network Security. Covering all of these areas with an effective and system- atic strategy is complicated and can be overwhelming. Enterprise IT Security Management by the Numbers [...] the everyday duties required to keep an enterprise computing environment safe is a staggering ballet of firewalls, intrusion detection, policies, and encryption algorithms. NIST INFOSEC DOCUMENTS The Federal Information Process- ing Standards (FIPS) Publication Series is the ofcial series of pub- lications relating to standards and guidelines adopted and promul- gated under the pro-visions of the Federal Information Security Man- agement Act (FISMA) of 2002. The Special Publication 800-series reports on ITLs research, guidelines, and outreach eforts in information system security, and its collaborative activities with in- dustry, government, and academ- ic organizations. ITL Bulletins are published by the Information Technology Labo- ratory (ITL). Each bulletin presents an in-depth discussion of a single topic of signifcant interest to the information systems com-munity. Bulletins are is-sued on an as-need- ed basis. Source: Guide to NIST Security Docu- ments [2] Enterprise IT Security Management by the Numbers 43 1/2011 Figure 1. NIST Information Security structure Fortunately there is help. The United States (US) National Insti- tute of Standards and Technology (NIST) Special Publications (SP) 800 series and the US Federal Information Processing Standards (FIPS), which are also published by NIST (which is part of the U.S. Department of Commerce) provide a solid basis for any security program, whether in-side or outside of government space that can scale to meet the unique needs of your organization. NIST currently has about 300 documents which are the security guidelines used by most U.S. Federal agencies. These documents are provided free to the public at the NIST Computer Security Divisions Computer Security Resource Center (CSRC), at http://csrc.nist.gov [3]. Knowing where the data is helps us close the gaps. ISABELLE THEISEN Chief Security Officer, First Advantage Corp. [5] It is important to note that the NIST framework is based on a Data-Centric Security Model (DCSM). DCSM operates on the principle that all information is not created equal; this is because some has more inherent value to your organization than does others. According to IBMs experts, the primary goal of data- centric security is to drive security controls from a business re- quirements perspective [4]. Effectively this level of security is driven by questions that determine the significance of data in context of its use within the agency, or an information risk man- agement approach. There are a number of guidelines and frameworks which provide direction on how to categorize information. For example, FIPS 199 is the definitive guideline for Federal organizations to determine data classification, and it bases informations value on its value com- pared to inherent threats to determine the risk to the organization [6]. Regardless, DCSM should drive the decisions that determine ap- propriate security controls: physical restriction, encryption, least- privileged access, logging, etc. One additional general note on NIST documentation: many of the documents are aging (for example, 800-12 was written in 1995!)... do not let this fool you. Where NIST or FIPS publications get into specific technological concepts, they are updated. However, many of them are tech-agnostic, choosing instead to provide sets of gen- eral best-practice principles that apply to almost every organization. Consider NISTs website as your own resource for almost two dec- ades of time-proven, highly researched, and historically effective lessons learned that your organization may benefit from starting with your EISP strategy. Planning When beginning the strategic planning process, there are some practical issues that should be considered for your program. A great place to start is SP 800-14, which provides a foundation up- on which organizations can establish and review information tech- nology security programs. The eight Generally Accepted System Security Principles in SP 800-14 are designed to provide the public or private sector audience with an organization-level perspective when creating new systems, practices, or policies. [6] Another key resource is SP 800-12 An Introduction to Computer Security [7]. 800-12 is a great reference regardless of your security experience and background, because it provides technology-neu- tral concepts, security program structure guidance, common-sense considerations, as well as supporting resources that you might use to develop security controls. For example, section 2 details the eight elements which are the foundation of the documents general ap- proach to computer security: Computersecurityshouldsupportthemissionoftheorganiza- tion. Computersecurityisanintegralelementofsoundmanage- ment. Computersecurityshouldbecost-effective. Computersecurityresponsibilitiesandaccountabilityshould be made explicit. Systemownershavecomputersecurityresponsibilitiesout- side their own organizations. Computersecurityrequiresacomprehensiveandintegrated approach. Computersecurityshouldbeperiodicallyreassessed. Computersecurityisconstrainedbysocietalfactors. Other guidance can be found in other documents like SP 800-27 Revision (rev) A, Engineering Principles for Information Technol- ogy Security (A Baseline for Achieving Security) [8] which provides security management principles in six categories: SecurityFoundation RiskBased EaseofUse IncreaseResilience ReduceVulnerabilities,and; DesignwithNetworkinMind 800-27 goes into greater detail about each category, providing a total of 33 sub principles which have a lower level of detail about each of the six categories. Each of these discusses the system de- velopment life-cycle, at which stage of the principles applies, and a discussion about the importance of each item. It is all about Risk! In order to know if you covered your bases when developing your strategy, you must determine (as with all Information Security de- cisions) where the risk lies. The core of the NIST system is a Risk Management Framework (RMF), which analyzes risk at three tiers: the organization, mission, and Information System view and is described in NIST SP 800-39, Managing Information Security Risk [9]. The RMF is focused on the entire security life cycle, and is comprised of six steps: SecurityCategorization SelectSecurityControls ImplementSecurityControls NIST Publications 800 Series / FIPS Series Technical and IT Infrastructure Specific Guidance FIPS 140-2, 800-42 800-44, 800-56, 800-57, 800-61, 800-63 PLANNING 800-12, 800-14, 800-18, 800-27, 800-59, 800-60 800-100. FIPS 199 IMPLEMENTATION 800-16, 800-50, 800-30, 800-34, 800-35, 800-36, 800-37, 800-53, 800-61, 800-47, 800-55, 800-64 ASSESSMENT 800-26, 800-53 Internal/External Audits and reviews Security Program SECURITY IMPLEMENTATION 44 1/2011 AssessSecurityControls AuthorizeInformationSystems MonitorSecurityState Risk is the underlying driver for all Information Security systems, processes, and yes, even budgets. Risk is critical because it ex- plains, in empirical terms, why Information Security activity x matters to the business unit it is designed to support by protect- ing tthe CIA of its information resources. In order to better un- derstand this process, lets review each of the NIST RMF steps: categorize, select, implement, assess, authorize, and monitor and apply them to your Information Security program. Categorize FIPS 199, SP 800-60 As the DSCM concept suggests, categorization is a critical task in Information Security. According to NIST, Security categoriza- tion provides a structured way to determine the criticality and sensitivity of the information being processed, stored, and trans- mitted by an information system. The security category is based on the potential impact (worst case) to an organization should cer- tain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets and individuals, fulfill its legal respon- sibilities, and maintain its day-to-day functions. [11] FIPS 199 provides guidelines for the information owner to classify (categorize) your information as High, Moderate, or Low values but you can substitute the appropriate term for your organization (e.g., Public, Internal, and Sensitive) based on the culture, function, and political environment of the company. Additionally,SP800-60,Volume1:GuideforMappingTypesof Information and Information Systems Security Categories [12] is practical guidance that explains the categorization process func- tionally by describing the lower level processes used to categorize enterprise information. Select FIPS 200, SP 800-53 One of the documents that has been around for years and con- stantly updated is NIST SP 800-53 rev 3, Recommended Security Controls for Federal Information Systems and Organizations [13]. This has been combined with FIPS 200, Minimal Security Require- ments for Federal Information and Information Systems [14] to en- sure that appropriate security requirements and security controls are applied to all Federal information and information systems. An organizational assessment of risk validates the initial security con- trol selection and determines if any additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other or- ganizations [13]. NIST 800-53 breaks its Information Security requirements into seventeen control families: (AC) AccessControl (AT) AwarenessandTraining (AU) AuditandAccountability (CA) Certifcation,AccreditationandSecurity Assessments (CM) ConfgurationManagement (CP) ContingencyPlanning (IA) IdentifcationandAuthentication (IR) IncidentResponse (MA) SystemMaintenance (MP) MediaProtection (PL) SecurityPlanning (RA) RiskAssessment (SA) SystemandServicesAcquisition (SC) SystemandCommunications (SI) SystemandInformationIntegrity A with many of these Federal documents, they are largely driven by the Federal Information Security Management Act (FISMA) of 2002. While your organization may not be directly subject to FISMA, do not let this stop you from considering how these guidelines might apply in your environment. 800-53 provides a simplified RMF, revised and updated security controls, security baseline configurations, and a variety of other useful tools. Implement SP 800-70 SP 800-70 is deceptive. While it appears to be directed solely on the provisioning and use of Governmental security checklists, this is a very extensible concept for every enterprise. 800-70 [15] pro- vides directions on how to use security checklists, as well as a link to the National Checklist Repository (NCR), which is located at http:// checklists.nist.gov [16]. The NCR is part of the National Checklist Program (NCP). These checklists are step-by-step security configuration guidelines for most major technologies, and they are currently being migrated to align with the Security Content Automation Protocol (SCAP). SCAP provides a common standard which allows you to import NCR con- figuration files and run them natively within many major security tools. With a SCAP-compatible tool and a few clicks, your security program could provide reporting and analysis on the security con- figurations of most of the organizations technology systems. Figure 2. NIST Risk Management Framework [10] CATEGORIZE Information Systems Starting Point FIPS 199/SP 800-60 MONITOR Security Controls SP 800-37/SP 800-53A SELECT Security Controls FIPS 200/SP 800-53 AUTHORIZE Security Controls SP 800-37 IMPLEMENT Security Controls SP 800-70 ASSESS Security Controls SP 800-53A Security Life Cycle SP 800-39 Enterprise IT Security Management by the Numbers 45 1/2011 While not a NIST publication, security practitioners might also consider the SANSTM (SysAdmin, Audit, Network and Security) re- sources available to assist in security control implementation. SAN- STM provides a wide-array of Information Security resources like their extensive training seminars, the Internet Storm Center (for new patches and alerts), podcasts, and security white papers. However, one of most popular SANS resources is the SANSTM Top 20 Security Controls [17], which is available online (http://www. sans.org/critical-security-controls). This details the 20 most critical security controls based on the research of a consortium sponsored by the Center for Strategic and International Studies. SANSTM pro- vides details on each of the top 20 controls, guidance on implemen- tation, and tested resources proven to be an effective way for organ- izations to implement continuous monitoring. For example, when the U.S. State Departments CISO John Streufert implemented the SANSTM top 20 cyber-security controls they realized an 80% re- duction in measured security risk [17]. NIST 800-53 may also be useful for reducing your compliance overhead as related to other security requirements that impact your organization (ISO, SOX, CObIT, PCI, etc.). By meeting the NIST requirements, you may be able to address other requirements by cross-referencing to other security controls. For example, a simple and free resource was created by symantecTM, called the IT Controls Reference [18]. This docu- ment can be downloaded as a PDF or even printed at poster size. It cross-references ISO 17799, CObIT 4.0, SOX/COSO, HIPAA, PCI, GLBA, NERC CIP, and PIPEDA. You can download a copy of the IT Controls Reference from several online sources. A more comprehensive solution is the Unified Compliance Framework (UCF) [19], which harmonizes hundreds of authori- tative compliance requirements in a cross-referenced Rosetta Stone spreadsheet. The UCF allows your organization to select applicable requirements, and creates a single register to clarify control conflict with four updates per year. Paid subscriptions avail- able online at http://www.unifiedcompliance.com. Assess SP 800-53A 800-53A [20], published in June 2010, is a highly adaptive docu- ment wherein NIST describes how to test the effectiveness of the controls listed in 800-53. More importantly, 800-53A provides guidance on how to provide assurance of the effectiveness of your security controls, including penetration testing, and step-by-step instructions for each of the controls and control enhancements (the number varies between versions, but usually around 200). If you need to have the frame- work to evaluate your controls, this is the place to look. It provides information on what constitutes successful implementation of the security requirements, what type of documentation would be valid testing evidence, and other useful evaluation tips. These guidelines can be used to establish management self-reporting of controls as- signed to management, and even to develop your own repository of audit evidence that can be used to meet audit requests for control documentation. Also note that recent feedback from FISMA pushes the impor- tance of automated controls. There is no doubt that automation can increase the effectiveness of some controls, but it can also make them very predictable. Keep in mind that automation can be effec- tive, but it cannot totally replace the analysis of a skilled Information Security professional. Authorize SP 800-37 This section is easy: if you do not know what it means, it probably does not apply to you. Authorization is the process by which Federal organizations or their contractors certify a system has appropriate Information Security controls in place, and is ready to be author- ized. External assessors review and validate the systems controls, and if the agency agrees with the evaluation the system gets offi- cially blessed by the responsible agency. This process is designed to confirm that the system is ready to go into a live or production status. Monitor SP 800-37, SP 800-53A Monitoring is the part of Information Security most EISP programs forget to account for, but is critical in the Total Cost of Ownership (TCO) calculation. You cannot just stand up a piece of equipment in your environment and expect it to work forever; the threats, risks, and even your own environment are far too dynamic for that. The monitoring process should be fully funded to provide for the care and feeding of all of the controls you implemented in steps 1-5. Fail- ure to do so will ultimately result in a failure of your tools to live up to the full functionality you touted during your business justification. This is particularly true for staffing concerns. Many Information Security managers keep buying all-encompassing, enterprise-class tools, yet maintain the same level of staffing. These solutions even- tually reach a point of diminishing returns as your staff may be- come so overworked that they end up being ineffective with any of the tools they administer. Shepherding your staffs time helps not only ensure that you do not get blindsided during your next audit, but may also help you make sure you dont get owned by the next hacker or virus. Conclusion In conclusion, as the manager of your EISP there are a few items you should keep in mind. Firstly, while all of these concepts are really important the most important factor not discussed in your program is culture. Create a culture of Information Security aware employees, who understand that compliance with security rules and regulations is not the Information Security departments role alone - it is the charge of every employee. The corollary to this rule is that culture is driven by the tone at the top. Without the support of your executive leadership, your Information Security program will develop a Russian culture (characterized by check- offs and mark-offs). Secondly, keep in mind that all of these security controls are not the pole that you must jump over, but the floor your organi- zation jumps from. They represent the minimum you must do, but not necessarily everything that you should be doing to your companys information. By implementing your program and be- ing an evangelist for a data-centric & risk-based security, you should ensure that risk management becomes an inextricable part of your organizations culture. Finally, for all of this guidance remember: your expert opinion IS THE KEY. Unless you are legally bound to NISTs guidelines, they should only be guidelines; use them where they make busi- ness sense in your organization and drop anything that does not fit with your business, unique risks, or technology footprint. Eve- ry dollar you spend or packet your program inspects should be based on ensuring the CIA of your organizations information in order to fully support your business operations. Use the NIST and FIPS documents in order to help provide a standard framework that is the backbone of your companys robust EISP strategy. SHAYENE CHAMPION Financial & Organizational Compliance Advisory Tennessee Valley Authority schampion@tva.gov SECURITY IMPLEMENTATION 46 1/2011 G rid computing is a technology that enables people and machines to effectively capture, publish, share and manage resources. There are several types of Grids but the main types are; Data Grids, Computational Grids and Knowledge Grids. Data and Computational Grids are quite similar in the fact that they are used to manage and analyse data. With technology in- creasing and developing at such a dramatic rate, average com- puters cannot cope with the amount of data or the calculations they are being asked to perform. To analyse a complicated set of data it could take a standard computer a few days or even weeks to analyse. Whereas if a grid was used to perform the same analysis it could take considerably less because it would harness the computational power available on the grid, paral- lelise the load and allow the calculations to be performed with a small turnaround time. Knowledge Grids are self-explanatory; their purpose is to share knowledge. At this day and age we have come to a point where we are using computers to create vast amounts of data. The information overload is so big that human beings are not able to analyse that data in a timely manner and extract the much seeked knowledge that will allow to further science and better our lives. We are at a point where we now have to teach computers how to extract knowledge from raw data. Going back to the HPC Wales Project; the project is set across a minimum of nine sites including Swansea, Cardiff, Aberyst- wyth, Bangor, Glamorgan, Swansea Met, Newport, Glyndwr and a range of other sites. The grid will allow all of the sites to share and distribute resources freely. A number of pilot applications will be sponsored via HPC Wales to test the capabilities of the grid. In Newport we are considering G4CP. Grid for Crime Prevention The Grid for Crime Prevention, also known as G4CP will stim- ulate, promote and develop horizontal methods and tools for strategically preventing and fighting cyber-crime and guaran- teeing security and public order in the Welsh cyber-space. The application was originally called Inter-Organisational Intrusion Detection System (IOIDS). Furthermore, G4CP will promote a coherent Welsh strategy in the fields of cyber security through the exploitation of the projects artefacts, and will play an ac- tive role in the establishment of global standards in the areas of cyber-crime prevention, identification and prosecution. The centre of gravity of G4CP is to design and implement an application that promotes collaborative working, using data fu- sion and data mining techniques, and allow knowledge discov- ery from raw security incident data. Trying to defend the European cyber-space against organ- ised cyber-crime can be seen as a complex problem. One of the problems being companies are afraid to report it because they feel their reputation will be damaged if they report it. This means that many private organisations and law enforcement agencies are forced to face cyber crimes with next to no help from other organisations in the same supply chain. The G4CP felt that was a need for the defenders of the European Informa- tion Infrastructure to come together to form a number of virtual Management of Knowledge Based Grids Fujitsu is set to bring high-performance computing (HPC to Wales. They will provide a distributed grid which is a project set over five- years costing up to 40 million. The grid will include over 1400 nodes which are spread across more than eight sites, linked using Fujitsus middleware technology SynfiniWay which will deliver an aggregated performance of more than 190 petaflops. (A petaflop is a computer measuring unit equal to 1000). Management of Knowledge Based Grids 47 1/2011 communities in order to take actions collectively against the perpetrators of cyber-crimes and promote a culture of security amongst and across the members of these communities. These communities should allow for secure information sharing and fa- cilitate organisations to be proactive in defending their networks against ongoing cyber attacks. G4CP will make grid technology attractive to establishments across the cyber-crime fighting field. It will help the uptake of grid type architectures and extend their concept from computa- tion grids to knowledge grids. all the components that are required to control that grid and its environment. User Management There has to be some form of security and authentication on the grid to ensure that the users on the grid are accessing material which is appropriate to them. There are two methods which can control help monitor users on the grid and their security; public & private key cryptology along with X.509 certificates. Public & Private Key cryptology is used regularly in many different kinds of computing projects and environments for a secure authentication method. The main reason it is still in use is that it helps indicate the true authors of a piece of in- formation. E.g. If Sian wanted to send a message to Stelios, she would encrypt it with her Private Key so that when Stelios received the message he would be able to unlock it with her Public Key and read the message but because Sian encrypt- ed it with her Private Key he knows it is from Sian. There are flaws in Public & Private key cryptology along with all methods of authentication, however; this method of secure authentication is put in place as a contract of trust between the user and the manager of the grid. To ensure that the grid is used on appropriate applications or web browsers an X.509 certificate could be issued to au- thorities who use the grid. The X.509 certificates are stand- ard for a public key infrastructure for a single sign on and privilege management infrastructure. It basically specifies (amongst other things) standard formats for public key cer- tificates, certificate revocation lists, attribute certificates and a certification path validation algorithm. If we go back to the example of G4CP, we could manage the users on the grid via a X.509 certificate (similar to an E-Science Certificate). For example; when a user joins the G4CP (or attempts to join) they will have to meet up with a member from the authority management team of the G4CP who will then run through an application process which will identify whether they have a need for accessing the grid. If they are suitable then an X.509 certificate with the correct permissions for accessing the grid could be issued to them. The certificate however will have sufficient permissions built in stating which sections they are allowed access to and IP rights stating that it can only be installed on one computer. An error message would display saying that the certificate is currently in use and has already been applied. All certificates will have public and private key encryption so if they are sto- The application that G4cP developed would manage to effectively police the cyberspace and minimise the threats against computing infrastructures. This will promote a co- herent European strategy in the field of crime prevention through the exploitation of the projects products and will play an active role in the establishment of global standards in the area of crime prosecution through the dissemination of the projects results. The G4CP raises a lot of questions around grid management, for example if a user wanted to know about Denial of Service against web servers in Wales, once they received the result what would happen with it? The knowledge would be stored so that if another user needs it then it would be available and instead of using up resources creating the same query it could just locate the knowledge and deliver it to the user. However, if this occurred with every search then it could become too overloaded with information and cause the system to slow because the stor- age would quickly run out. To store every query it would take thousands of terabytes at least. The only solution would be to keep the information available for a short period of time and if the query was not called for during that time frame then to de- lete the query. If it occurs again outside of the time frame then the query will be developed again and held on the server. The demand for information and harnessing the power of the grid to deliver information and knowledge faster is the key. Managing a Knowledge Grid In a communication network, a node is a connection point, ei- ther a redistribution point or a communication end point. How- ever, the definition of a node does depend on the network and protocol layer referred too. The main goal of grid man- agement is to measure and publish the state of resources at a particular point in time. To be effective, monitoring must done from one end to the other end, meaning that the entire environment and its components must be monitored. Understandably this is no easy task, if we take HPC Wales for example; it will provide to G4CP 1400 nodes set across 9 different sites. It is a huge task on its own just to manage Figure 1. G4CP Centre of Gravity Figure 2. E-Science Certifcate (X.509) G4CP Crime Pervention Generic enabling applicatioan technologies Tools and enviromments for data miming,knowledge discovery, collaborative working... Next Generation GRID Architecture design and development addressing security, business models, open source standards, interoperability SECURITY IMPLEMENTATION 48 1/2011 len or attempted to be copied they wont be able to be used without the two keys. There will also be an expiration date on the certificate whereby the user would have to re-apply for a certificate close to the time of expiration. Therefore, if a user doesnt wish to continue having access to the grid or doesnt have a need for it anymore there wont be any rogue accounts which could become vulnerable and used maliciously. The above figure is a typical E-Science certificate. It shows the registered owner and the expiration date for the certifi- cate. The IOIDS Subsystem must be connected to the subjacent communication platform G4CP in order to allow integration with other platforms this issue will be solved using its own module too. The employment of a dispatcher will perform the processing of incoming messages sent over through the Grid for Digital Security. How to manage the nodes Managing the users has been covered but what can you do to manage the nodes? As previously mentioned G4Cp could be using up to 1400 nodes running across 9 different sites. If one of the sites goes down and there is no one there to man- age it then what happens when the user needs access to that specific piece of information? There are several software packages available which can be used to manage the nodes on a network. One specific software package is Conga; it is an integrated set of software components that provides centralised configuration and man- agement of clusters and storage. It has features such as one web interface which manages clusters and storage, automated deployment of cluster data and supporting packages, easy integration with existing clus- ters with no need to re-authenticate them, integration of clus- ter status and logs along with fine grained control over user permissions. This software basically manages the clusters and the nodes of the grid without altering the user permissions already in place. The user permissions would be set by the authority figure or manager of the grid using the Public & Private Key infrastructure combined with X.509 Certificates which manage the users already on the grid. The expiration date of the cer- tificate could be set by the authority figure after an interview. The time length could vary dependent upon the relevance of the knowledge grid to the user. The primary components in Conga are luci and ricci which can be separately installed. Luci is a server than runs on one computer and communicates with multiple clusters and com- puters via ricci. Ricci is an agent that runs on each computer which in turn would be managed by Conga. Luci can manage the nodes on the grid; there is an ad- ministrative menu which can do the following options: make a node leave or join a different cluster, fence a node, reboot a node and delete a node. All these options would be extremely helpful to manage the grid especially if its nodes are spread worldwide. E.g. If a node was broken in Germany and the main administrative authority was based in Wales it could take anywhere from a few hours to a few days to arrange for someone to either instruct someone how to fix it or to travel to Germany to fix it. Whereas with Conga, it is all done by a network and remote log in which means that the node can be managed from Wales (or wherever the headquarters is) near instantaneously with next to no disruption. The above image (figure 3), shows a screen from Conga running on Redhat which is a Linux based Operating Sys- tem. What does this mean? The High Powered Computing (HPC Wales Project) will mainly be based in Swansea and Cardiff which will then be connected across the remaining sites. This means that each placement will have a taste of the high power computer performance that can be used for research. Grids are developing everyday and are predicted to become the norm in the future. Similar to the internet, it is widely used and spread across the world. Grids will give scientists and researchers the power to get results faster and to expand the knowledge they already have. The demand for information is increasing as is the rate of expecting the information. Sin LoUiSe HayneS Sin Haynes is currently a fnal year student at Universi- ty of Wales, Newport studying BSc (Hons) Forensic Com- puting due to complete her studies in June 2011. She is aspiring towards getting a job as a digital evidence tech- nician or a role within the forensic evidence technician feld. She is an active member of the British Computing Society and is hoping to develop her education further in the future. StiLianoS VidaLiS Dr. Stilianos Vidalis was born in Athens, Greece, and was raised on an island in the Aegean Sea. He moved to Wa- les in 1995 where he did his undergraduate and postgra- duate studies. He received his PhD in Threat Assessment in July 2004 from the University of Glamorgan. He joined the Department of Computing of the University of Wa- les, Newport in 2006 where he is currently the Head of the Centre for Infor- mation Operations. He is the program leader for the BSc Computer Forensics, and BSc Information Security. Dr. Vidalis is a member of the BCS South Wales Committee, a member of the E-Crime Wales Steering Group, and a member of the Military Educational Committee of the Welsh OTC. His research intere- sts are in the areas of information operations, digital forensics, threat asses- sment, and efective computer defense mechanisms. Dr Vidalis is involved in a number of R&D projects with the Welsh Assembly Government, Law Enfor- cement Agencies, and private companies. Figure 3. Conga GUI SECURITY IMPLEMENTATION 50 1/2011 T here are a variety of ways to confirm the security health of an environment but the two most common are vulner- ability assessments and penetration tests. A vulnerability assessment is performed to identify any holes in the security of an environment, but does not attempt to exploit any of the discovered issues. A penetration test takes a vulnerability as- sessment one step further and actually attempts to exploit any discovered vulnerability. Organizations should perform some sort of vulnerability as- sessment on a regular basis. The frequency of the assess- ments depends on the size of the company and what the in- frastructure is protecting. In addition, publically traded and companies governed by financial regulations should receive an annual, independent review from an outside company that specializes in security testing. The testing company should utilize up to date tools which are different than the tools used in house. The rest of the article describes the steps to com- plete an independent security review project. Contract It is important that the two parties negotiating the contract are familiar with security testing and understand the required scope. Additionally the testing company should understand why the testing is taking place. It could be to comply with regu- latory requirements, a requirement for partners or customers, or just internal checks and balances. This will guide the testing plan to the most appropriate and relevant options. The contract needs to include the scope of the testing. This will define the internal and external devices to be tested as well as the type of test, vulnerability assessment only or pen- etration testing. The organization should identify any device it considers out-of-bounds. It is important here to note if testing will be white box (administrators are aware and supportive of testing) or black box (responsible administrators are unaware of the testing engagement). The benefit of black box testing is it tests not only the vulnerabilities of the system, but also the response mechanism. If the organization being tested has any outsourced or host- ed devices that will be part of the testing it is their responsibil- ity to confirm they are permitted to authorize such tests. This is a common issue with hosted websites. Most web-hosting companies have many customer sites on a single box and do not allow testing out of concern for the effect on other customers. Also without prior knowledge of the test, there is nothing to separate your testing traffic from an actual attack, so the hosting company will treat you as a hostile party first and foremost. Once all the details are finalized both parties should sign the contract and retain originals. Copies should be made and provided to the staff members that will be responsible for per- forming or overseeing the security tests. Before the Scan The organization being tested should assign a staff member to oversee the testing scope of work. This employee should be familiar with the contract and all it entails. They will be respon- sible for working with the testing company and providing any needed information and access. The employee or team that will be performing the testing should likewise be familiar with the contract, especially the identified out-of-bounds devices. Communication between the assigned points of contact for both organizations is essential to a successful security test. The employee of the company being tested should share any negative experiences from previous scans, such as The last scan performed took down our phone system or The last time we ran a scan the switches were acting up. Likewise the test- ing company employee can share any potential issues they foresee based on the environment, such as Our testing tools Security Testing Every organization is responsible for protecting their customer infor- mation, employee data, and assets. This is a daunting task in todays security environment full of vulnerabilities and attack vectors. A star- ting point for this protection is a well written information security prog- ram with supporting procedures. But how do organizations confirm that everything is being followed as it should be? Security Testing! Security Testing 51 1/2011 typically crash Cisco phones or HP switches with specific firmware versions. Divulging these potential issues before testing will enhance the scanning experience for both parties and avoid potential down-time for the organization. Scheduling of the test is also an important aspect that needs to be driven by the organization being tested. It would not turn out well if the testing occurred during the time payroll is being processed and the testing took down the payroll server. The tester should also share any IP addresses they will be testing from. This will allow the organization to differentiate between the contracted security test and a malicious attack that happens to be occurring simultaneously. During the Scan The company employees main job during the scan is monitor- ing the various aspects and impacts of the scan. They should be aware of any negative consequences to the systems and receive any third party vendor security notices. If it is a black box test, they should also monitor the incident identification and response. This is where the fun begins for the tester. The tester should follow their methodology and document everything along the way. The testing methodology should follow closely to what a malicious attacker would perform; finger printing, foot print- ing, service identification, vulnerability identification, and pen- etration (if the contract allows). Documentation is most critical during the scan. The value of the security testing will come with the report provided to the organization and having supporting documentation will greatly enhance the quality of the report. After the Scan When the scan is complete, the tester should notify the com- pany point of contact. If there are any gaping security holes discovered during the test, it would be appropriate for the tester to share those at this point so the company can quick- ly address them. For example, if the test identified a router opened on a public IP address with default credentials the company should fix that immediately and take steps to con- firm that a compromise has not already occurred. The com- pany can also share with the tester any issues that came up during the scan. Reporting Now for the not-so-fun part of security testing the report! This may not be the most exciting part for the engineer that is performing the tests, but it is by far the most important. The report is the main vehicle to share the findings with the organization. The report should point out the vulnerabilities discovered and discuss the potential impact to the business. It is essential that the report be written in business terms so the organization truly appreciates and understands how each discovered vulnerability could impact production activities or the loss of confidential information. Simply providing the cus- tomer a stock report from the testing tool with a list of found vulnerabilities is not sufficient. The engineer should provide recommendations on how to improve the network and how it would improve the security posture of the organization. The report should have an executive summary section that provides a high level overview of the risks for upper manage- ment. It should also provide a technical summary for IT man- agement to understand where the policy or procedures need to be improved. It is a good practice to provide the customer with a draft of the report after it is completed for them to review and ask the tester any questions. This is where discovered issues can be discussed and identified as false positives and for the organization to pick the brain of the tester to ensure they understand the vulnerability and associated risk. This step ensures that the company being tested is comfortable and understands the various aspects of the report, adding value to the overall experience for them as well as providing ex- cellent feedback to the testing company that can be applied to later reports. Perfect Report Not Likely! Anyone who is tasked with keeping all devices in an environ- ment up-to-date understands the challenges that go along with it. End users are constantly looking for and installing new software and even the basic everyday software is in need of updates - sometimes daily! These challenges make it very unlikely that any organization can patch to zero. For the test- er writing the report or the organization reading the report it is important to view it from a systemic issue standpoint. What are the procedures in place for patch management? Is it a manual process or does the organization have software that centralizes and automates the process? These systemic is- sues should be the focus of the results, not each vulnerability on each device. What Else? Security testing is becoming more complex as environments are becoming more intricate and diversified. Mobile and cloud computing are pushing the organizations perimeter further out, and in some cases obliterating it altogether. It is important that both administrators and security testers understand these implications and work together to develop a testing methodol- ogy that is capable of identifying any weaknesses. Organizations also need to remember that the human is often the weakest link in the security chain. As locked-down as the perimeter may be, an employee browsing the Internet and clicking on an interesting link could introduce malware to the environment compromising all the security controls in place. Ensuring that employees are properly trained and adding social engineering testing to annual security testing is a good starting point. Conclusion Security testing is an essential part of maintaining a healthy computing environment. Regular scans by internal staff and annual, or more frequent, contracted scans will help identify any gaps in the security procedures. It is important for ad- ministrators and security testers to stay on top of the findings because we know the malicious attackers sure are! MARk LohMAN, CISSP, C|Eh, MCITP Mark Lohman is an Information Security Assessment Engineer with NET- BankAudit. NETBankAudit provides a wide range of IT Audit and vulne- rability assessment services to customers in the financial services sector. www.netbankaudit.com Contact the author: mlohman@netbankaudit.com
SECURITY IMPLEMENTATION 52 1/2011 T he number of intelligent devices deployed exceeded PCs in Q4 of 2010. IT environments were already struggling with increased complexity; adapting to remotely hosted applications and an inux of iPads, Android based platforms, and even always connected eBook readers will only complicate things more. Ensuring that security is maintained has become even more daunting. Keeping it simple is a security mandate. Complicated policies, multiple solutions from multiple vendors, and in many cases dif- ferent security solutions deployed in different regions or even for different projects, adds to complexity and often introduces vulnerabilities. Choosing security solutions and organizing your IT security operations should be made as simple as possible. I use three simple rules to evaluate security solutions and as a basis for organizing security operations. These are: A secure network assumes the host is hostile A secure host assumes the network is hostile Secure applications assume the user is hostile These three simple rules help to make sense of the thousands of different security solutions available. Products and practic- es that conict with these three simple rules might not be the best solution. Many security operations are already organized around these three principals. I propose below one additional group responsible for countering targeted attacks. A secure network assumes the host is hostile It has been years since a rewall that enforces policies based only on source-destination-service has been sufcient. Trusted end points harbor malware, are controlled by attackers, and are launching points for attacks. Network security solutions must be in-line and inspect all the trafc that passes through them. They must look for viruses, worms, exploit trafc, and even unu- sual behavior. IDC dubs these solutions complete content in- spection rewalls. Many vendors refer to them as UTM, Unied Threat Management. I have written extensively on UTM as a simplifying security solution. One aspect of a secure network that is often overlooked is that the computers on the inside of the network are often the danger. It could be an infected computer brought in by an employee or contractor, it could be a poorly patched server that has been compromised by an outside attacker. Even the smallest organizations have to invest in network security solutions to block attacks from devices on the inside of the network. This is accomplished through network segmenta- tion and deploying content inspection capabilities internally. As threats multiply watch for solutions that either sit on top of the access switch or incorporate the switch in their conguration. The network security team within IT operations is tasked with conguring network devices and ensuring that policies are uni- formly deployed without introducing conicts. There are mod- ern policy management solutions available from companies like AlgoSec, FireMon, and Tun that can evaluate rewall policies for redundancies, un-used rules, etc. and consolidate rules be- tween multiple vendors products. A secure host assumes the network is hostile This is another way of stating the requirement for a layered de- fense model. A laptop, desktop, notebook, or server cannot rely on the network to keep it safe. AV, rewalls, and anti-spyware solutions have to be installed and up-to-date. Patches for critical applications and OS have to be installed as quickly as possible. Browsing shields should be turned on and Microsoft IE should not be used if at all possible. I believe we passed a critical inection point just in the past twelve months where the number of viruses, Trojans, and worms introduced every day (some vendors report evaluating over 200,000 pieces of code every 24 hours), has exceeded the ability of anti-virus vendors to cost effectively protect end points. Whitelisting solutions from Bit9, CoreTrace, Lumension, and Sa- vant Protection and others are becoming mature enough to war- rant deployment. In particular, as new platforms running on new operating systems (Android, iOS, OSX, Linux) are deployed it is highly recommended that you start with whitelisting rather than repeat the morass of virus update infrastructure needed to deal with Windows platforms. Simplifying IT Security Management We have recently entered yet another phase of rapid change and evolution of our IT environments. The two major innovations are cloud computing and an explosion of intelligent devices. Public and private cloud initiatives are needed to enhance availability and scalability at reduced cost. Simplifying IT Security Management 53 1/2011 Secure applications assume the user is hostile This is where authentication and authorization come in. One of the best deterrents of malicious behavior is the end users awareness that their actions are associated with them (strong authentication) and logged (behavior monitoring). Many online services have failed to protect themselves from their custom- ers. This applies to internal le sharing and community services as well. The identity and access management space is growing quick- ly to accommodate the plethora of new applications and deliv- ery models. Access management should belong to a separate group within IT operations. Countering targeted attacks New threats and new measures to counter them call for a re- organization of IT security teams so that they can focus on de- fending the organization from targeted attacks. It is only ten years since most enterprises established sepa- rate security teams to address vulnerabilities and deploy and maintain patches and virus signature updates as well as con- figure and maintain firewalls. To ensure that policies were cre- ated and enforced most organizations also created the position of Chief Information Security Officer (CISO) who enacted those policies and became responsible for ensuring that the organi- zation was in compliance with standards and regulations. The rise of targeted attacks must be met by similar organizational enhancements. The terminology and titles are not important but the roles and responsibilities described here are required to mount an effec- tive cyber defense. Countering targeted attacks calls for new measures. One of those measures is creation of specialized teams that are not bogged down in the day to day tasks of blocking viruses and cleaning up machines. Here is my proposal for such an organi- zation. Team Lead: Cyber Defense Commander The title may evoke a too martial image. Perhaps cyber de- fense team lead, or director of cyber defense, will be a better fit. But the idea of one-throat-to-choke in establishing a leadership role is an effective way to motivate a team and its leadership with the seriousness of its task. They must be instilled with the idea that they are targeted, under attack daily, and engaged in a battle to protect the organization from a malicious adver- sary. The cyber defense team replaces the traditional computer emergency response team (CERT) and will probably incorpo- rate most of the same people. The cyber defense commander is responsible for establish- ing the cyber defense team, assigning and directing roles, mak- ing sure the correct tools and defenses are deployed, putting in place controls and audit processes, and reporting to upper management on the results of those processes, and audits. The cyber defense commander would also be the primary point of contact for communicating to law enforcement and intelligence agencies when the inevitable situation arises that requires out- side help or communication. A large organization with divisions spread around the globe or separate large business units may well have cyber defense teams deployed in each division with their own leaders who report up to the cyber defense commander. (Call them lieuten- ants if you must but I am not going to take the military command structure that far.) The cyber defense team should have three primary roles: an outward looking role, an operational role, and an inward looking role. Each of those roles is described next: Cyber defense ana- lysts are the intelligence gatherers. They study the threatscape with an eye towards emerging threats to the organization. Most organizations assume that because they have so many people in IT security that someone is looking out for the latest attack methodologies or tools, and even keeping tabs on the various groups that engage in cyber attacks. Unfortunately the opera- tional aspects of IT security are too consuming to allow this type of outward looking focus. The second role within the cyber defense team is the op- erational role. Members of the cyber defense operations team must: Select and deploy network and host based tools to monitor activity, alert on unusual activity, block attacks, and assist in removing infections that have made it through all of the cyber defenses. Interact with the rest of IT operations to ensure that infec- tions are quickly snuffed out and cleaned up. Engage in forensics activities to perform post mortems on successful attacks, gather evidence, and improve future operations. The members of the internal cyber defense team supplement the rest of IT operations. They are not responsible for the daily updating of servers and desktops or the distribution of AV sig- natures or maintaining firewalls. Their job is to discover and mitigate attacks as they occur. The third component of the cyber defense group is the Red Team. They look inward. They scan the network for holes in the defenses and new vulnerabilities. They engage in attack and penetration exercises to test defenses. They evaluate new IT projects to ensure that authentication, authorization, and de- fenses are included in the initial design all the way through to deployment. The organization and duties of the Cyber Defense Team arise from the new threat of targeted attacks. There is a fundamental difference between defending against random attack from vi- ruses, worms, and botnets and targeted attacks. When the vi- ruses and worms are written to pecifically infect an enterprises system and gain control of internal processes, communications, and data, traditional tools are ineffective and traditional organi- zations are at a loss. By assigning responsibility to a core team of cyber defense specialists the enterprise can begin to address their vulnerability to targeted attacks. Conclusion Good security is simple security. Applying these three rules will help any organization establish a more secure operating envi- ronment. It will also be easier to assign responsibility and avoid cross department nger pointing. Incorporating a cyber defense team will off load the day to day operations to specialists that can react quickly to incursions and build up an organizations defenses. RIChARd STIennon Chief Research Analyst IT-Harvest March 24, 2011 MANAGER CENTER 54 1/2011 A t the end of 2010, for those astute enough to look for them, there were warning signs of how threats are developing and what the weapons of choice are shaping up to be. Top of my list are: Mobile phone security The more cynical among you may argue that there have been issues with mobile phones introducing insecurities into the en- terprise for many years but this is not whats bothering me - its the increase in mobile phone malware that Im concerned about. I believe it is a matter of time before traditional PC malware, such as Zeus, makes the leap to smartphones as this is a growing area offering increased opportunities to criminals. While some may argue that malware is already targeting mobiles, which is true, a PC is still involved in the infection process but I think this is set to change. First, lets first look at why. An individuals mobile phone is increas- ingly being used as a means of verifying a users identity. The most prominent of which is among financial institutions. Banks will send an SMS to the registered mobile phone containing a code which the individual then uses in an online verification process when complet- ing transactions. However, what we have already seen happen is malware on the PC intercepts the registration process and diverts subsequent SMS messages to a phone controlled by criminals who are then free to make legitimate transactions. I believe over the coming year we will see smart phone verifica- tion increase combined with mobile banking apps more widely avail- able and adopted. At the same time we will also see the various dis- parate mobile operating systems begin to converge to a more open platform. These three alignments will attract the criminals interest, who will use the experience they have gained enhancing their PC malware, to adapt it to directly infect smartphones in an effort to fol- low and intercept the money trail. To overcome this threat users will need to develop the same hy- giene for their mobile phones as they do for their PCs. Links and attachments sent to their phones should be treated with caution, as many already do with PCs and emails. Organisations wishing to rely on mobile technology need to educate their stakeholders to the risks laying out exactly how they will and more importantly wont contact them and what they will and wont ask them to do. Its not just criminals who can learn from the PC environment, organisa- tions can to, and ultimately the weak link will still be the browser so organisations need to protect themselves, and their users, as they would in the desk top world. The Blurred Perimeter While ten years ago the only device that would hook up to the en- terprise would be corporate owned this is no longer true and fair to say hasnt been for a long time. Employees seeking a more flex- ible working environment use their own personal devices to link up, often utilising the corporate VPN. External partners are also granted access to the system to complete tasks and collaborate on projects. In fact, some organisations are considering opening up the virtual doors to allow customers to link directly into systems. All of this means the perimeter line of defence has become blurred as machines outside of the enterprise are embraced into the en- terprise via the VPN. Although this may have been happening for a number of years, attacks have usually been initiated by individuals hacking into the system. However, this threat is now evolving with malware that re- sides inside the browser that sniffs out and modifies the traffic into the intranet. In fact, I have recently seen Zeus malware specifically designed to target enterprises by capturing the credentials from VPN gateways. Criminal gangs can then use these credentials to unlock the door and gain unrestricted access to all areas - CRM systems, financial accounts, and anything else they can translate into monetary gain. To protect themselves organisations need to view any user con- necting through a VPN as a potential malware carrier, while restrict- ing users access to more sensitive parts of the enterprise is one solution, it might not always be feasible. Its a fine balancing act between granting users access and the risks this access poses I dont claim to have all the answers! Financial Malware Yes Zeus, and other malware like it, has existed before 2011, but what I believe will be significant in the next 12 months is how it will continue to involve and include more operating systems and browsers. Criminals have invested too much time and money in the malware, and its proved way too resilient, that I cant see it being replaced any time soon. Instead, its attack methods will become increasingly sophisticated with tweaks made to the way it surgically injects into banks web pages. In fact, I predict it will be the leading platform for financial fraud in 2011. What can we do about that? Well, fight fire with fire is my view. While we continue to make improvements in the ability of organi- sations, such as banks, to detect Zeus on the server side I feel an area that needs to be improved is procedures within the bank to use the intelligence these solutions provide to identify, track and prevent fraud in real time. While today it might be impossible to shut down Zeus command servers we should still strive for law enforcement collaboration to bring these criminals to justice when we finally cre- ate the ideal world. The Cloud No 2011 prediction would be complete without a look to the cloud. However, I believe there is a degree of hype surrounding insecuri- Security Challenges Facing Enterprises in 2011 With the last mince pie eaten, and the frolics of New Years Eve a distant memory, its time to get back to business. As 2011 stretches out before us Amit Klein, CTO for Trusteer, has given his crystal ball a good firm rub and has the following predictions of whats hot, and whats not in the coming twelve months: Security Challenges Facing Enterprises In 2011 55 1/2011 Security Challenges Facing Enterprises in 2011 ties in the cloud which I attest are based purely on speculation. In fact, in my humble opinion, I think it can be as secure as regular hardware applications. That said, I wouldnt recommend moving every application you use to the cloud, but those that require scal- ability could certainly benefit. It just requires a degree of sensibility and a secure approach af- ter all, you wouldnt step out into the road without looking both ways first. If you wouldnt do it on the desktop dont do it in the cloud. Platform Diversification Whereas consumers, at present, use a PC to connect and complete transactions online, I think this is set to change dramatically this year. With smartphone apps progressively more sophisticated and tablets in every smart briefcase this might seem an obvious state- ment but I envisage this will evolve even further to include computer enabled devices as customisable options for new cars, a service available as part of in-flight entertainment and even touch screens at bus stops anytime, anywhere, anyhow will be the mantra of tomorrow. This will allow the market to develop so that the services we all use in our everyday lives, like online banking, will be offered over many different channels. The technology exists its just wait- ing for the investment to develop and launch it. While it is true that the threat posed to the enterprise, from any particular device, may be trivial the more you open up your services the more threats you face and its just going to get more complicated to prevent them all. While we may not see the full fruition of this diversity in 2011, perhaps this decade is a more realistic timeframe, organisations still need to start thinking ahead to make sure what they do today prepares them for tomorrow. Consumerisation of IT Again the sceptics among you may argue that this has been around for a while now and is nothing new, in my view its the type and ability of the devices that is changing and shouldnt be ignored. As well as the usual array of electronic devices with serious mem- ory capacity that are wrapped up in shiny paper waiting to come into work and steal information, users may have a new weapon in the bag. Wireless access points present a real danger with users choosing to plug them in an effort to make their life a little bit easier! Consumers have been using them at home to link up their printers, PCs, TVs and even games consoles therefore its only natural that, blissfully unaware of the risks these transmitters pose, they may try to create the same flexibility in the workplace. One way of overcoming this problem is to control the technology users are allowed to utilise in the workplace, although telling them not to do something wont necessarily stop them. The best form of protection is to fully consider the damage they could inflict and develop a strategy to negate the risk - I didnt say it was all going to be easy either! Browser Threat to Main Frames Its true that this isnt an issue for every organisation, but the scale of the problem and its potential affect on us all deems it worth examin- ing and so its inclusion in my list of security threats to watch. Traditional organisations, such as banks, insurance companies and government organisations particularly healthcare, have re- lied on ancient legacy mainframe systems and applications to store and manipulate their data records. Green screens were used to communicate with the mainframe, display information and update records. However these entities have started to migrate their inter- face to web based modern terminals. No longer hidden from view, browser infecting malware, such as Zeus and Spyl, have quickly sniffed out this fresh blood and gained an insight into areas of the enterprise that they couldnt hook into and target before furthering fraudulent activity. Organisations who either find themselves in this predicament, or are considering taking the leap to web based services, need to focus their attention on securing the browser which is where these attacks are occurring. Some Banks have already heeded the warn- ing and are becoming increasingly proficient at doing so - it is time for others to learn the lesson and lock down these databases be- fore we all get hurt. Social Networks Finally, where would we be without a quick glance at the damage social networks pose. Again, this is nothing knew but growing at an alarming rate and almost impossible to mitigate against. My feeling on this subject is perhaps we all need to start thinking differently about how we tackle this growing phenomenon. Employees should be educated of the dangers displaying all of their personal lives on social network sites pose both personally but also for the organisation. For example, it may be possible that they become befriended by someone who is purely interested in their where theyre employed. By monitoring what your employees are doing and saying, and even who they are friends with, you can work together to limit the risk their online behaviour poses you might even prevent them becoming victims to identity theft. While some of these threats might not be new per se, I think Ive provided original food for thought to all of them. 2011 is a promising year, with talk of a recovery all be it fragile and very early days. What Id like to see is it being a secure one where we start to fight back against the malware controllers who, at the moment, I feel have the upper hand in too many battles. Lets work together to block them out and take them down. Be safe out there. About Trusteer Trusteer is the worlds leading provider of Secure Web Access serv- ices. The company offers a range of services that detect, block and remove attacks launched directly against endpoints such as Man in the Browser, Man in the Middle and Phishing. Trusteer services are being used by leading financial organizations and enterprises in North America and Europe, and by tens of millions of their em- ployees and customers to secure web access from mobile devices, tablets and computers to sensitive applications such as webmail, online payment, and online banking. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and BMO Financial Group are just a few of the companies using Trusteers technology. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our services, please visit www.trusteer.com. AMIT KlEIN noted malware researcher and CTO of web browser security specialist Trusteer, is an expert on Internet and endpoint secu- rity technologies. Prior to Trusteer he was Chief Scientist at Cy- ota, Inc. (now part of RSA Security) a leading provider of lay- ered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, pharming. Previously, he was director of security and research at application security vendor Sanctum, Inc. (now Watchfre) where he was responsible for the security architec- ture of all Sanctum products. Mr. Klein spent almost 7 years in the Israeli Army as a research ofcer and project manager. He has published over two dozen articles, papers and technical notes on the topic of Internet security. Mr. Klein is a gradu- ate of the prestigious Talpiot programme of the Israeli Army. He holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University (Jerusalem). TECH CORNER 56 1/2011 U nfortunately, the stateful packet inspection firewalls used by many organizations just dont cut it. They rely on ports and protocols, and are not able to identify cloud and SaaS applications, along with many of the Web 2.0 services that rely on the browser for the delivery of application. There- fore, they cant weed out the good from the bad, productive from unproductive. As a result, IT is left with a binary approach to traffic control block or allow. Should you block ports or en- tire protocols just to block a few undesirable applications? Or do you open the floodgates and allow access to any application that might be useful, even at the risk of sapping productivity and exposing your organization to threats? Neither is a satisfactory choice. Todays leading companies avoid this dilemma with a Next- Generation Firewall that can deliver comprehensive intelligence, control, identification and visualization of all the applications on their networks. This is effective because Next-Generation Fire- walls can tightly integrate application control with other intrusion prevention and malware protection features. To manage applications effectively, your Next-Generation Firewall must meet each of the following criteria: Scan all application traffic First, your Next-Generation Firewall needs the capability to scan all traffic, including network layer and application layer traffic. This requires going beyond simple stateful inspection to con- duct deep packet inspection, regardless of port and protocol. Additionally, the firewalls deep packet inspection engine should be updated dynamically to identify the latest intrusion threats, malware attacks, spyware, and Web sites that could affect the security of your network. Most importantly, the firewall should be able to block those security threats without introducing latency and degrading the network to unusable levels. Fingerprint and show applications coming thro- ugh the firewall To allow you to create and adjust application policy controls based upon critical observation, your Next-Generation Firewall must let you monitor and visualize all your network application traffic. To do this effectively, the device needs to fingerprint the specific applications running on your network, and understand for whom the traffic is destined. It needs to present this infor- mation in an intuitive graphical form, allowing you to observe real-time application activity, aggregate trend reporting on ap- plications, ingress and egress bandwidth, Web sites visited, and all other user activity. Top 8 Firewall Capabilities for Effective Application Control IT administrators try to deliver critical corporate solutions efficiently, but also have to deal with employees using wasteful and often dangerous applications. In order to increase network and user produc- tivity, IT needs to prioritize critical application bandwidth and throttle or completely block social media and gaming applications. Top 8 Firewall Capabilities for Effective Application Control 57 1/2011 Create granular application control policy Your Next-Generation Firewall must let you to create applica- tion-related policies easily and flexibly, based on contextual cri- teria, such as by user, group, application, or time of day. For ex- ample, you might grant access to a particular application based upon the business need of the person in the organization us- ing it. Someone in your marketing group might have legitimate reasons to access Twitter and Facebook for social media cam- paigns, while someone in your accounting group might not. In addition, for effective and easy management, a policy should be centralized, unified, and object-based. Next-Generation Fire- walls with application intelligence and control allow you to cre- ate granular, application-based firewall policy, helping you to re- gain full control over application traffic by managing bandwidth. This increases productivity, prevents data leakage and protects against application-borne malware. Manage application bandwidth To help you manage application bandwidth, your Next-Gen- eration Firewall must let you prioritize bandwidth allocated to essential and latency-sensitive applications (e.g., Salesforce. com, LiveMeeting, or VoIP). At the same time, it needs to let you limit bandwidth allocated to non-essential applications (e.g., YouTube, MySpace or Facebook). In addition, your firewall should help you increase productivity further by controlling ac- cess to Web-based application sites (e.g., ESPN). At the least, it should allow you to limit access to specific feature sets within applications. For example, you could allow access to Facebook, but block access to Farmville and other gaming features. Block application-borne malware Malware no longer requires user intervention to run. Distribu- tion of malware has evolved from simply sending virus-laden executables and attacking systems on local networks to exploit- ing documents, files and browser features traditionally consid- ered safe. For example, Adobe PDF files and Flash are now prime targets for exploits due to their ubiquity and the invis- ibility of attacks embedded inside of them. These threats come into networks through various channels, and can only be pre- vented by devices that support dynamic security services and that continuously receive malware intelligence from dedicated research labs. Control distributed applications Once you have upgraded to a Next-Generation Firewall at your central gateway, your next logical phase is to apply application control and bandwidth management policy at any distributed branch sites. Because todays branch networks connect directly to the Internet, you need to be equally vigilant in securing ap- plication traffic to and from branch sites. Managing bandwidth is also crucial to optimizing distributed network performance and remote employee productivity. Application controls enable you to set policy based upon any unique geographic or site-specific needs (e.g., a retail branch location requiring prioritized band- width for a cloud-based transactional application). The same granular controls also ease administration by enabling you to push standardized policy for object-based roles and groups across distributed sites from a centralized console. Moreover, robust visualization capabilities are critical to widely distributed network security, as they let you monitor and track usage, traffic and performance trends, and adjust policy accordingly across the globe. Deliver optimal performance Finally, none of this matters if your firewall doesnt have the horsepower to get the job done. Your firewall needs the per- formance capability to control applications fully, without bogging down your network throughput. Performance technology (e.g., multi-core architecture and non-buffering reassembly-free scan- ning) can dramatically increase the viability of your application intelligence and control solution. In summary, your firewall needs to keep up with the times. It must fully control the application layer (not only the network layer), and provide the capability to: Scanallapplicationtraffc Fingerprint and show applications coming through the frewall Creategranularapplicationcontrolpolicy Manageapplicationbandwidth Blockapplication-bornemalware Controldistributedapplications Deliveroptimalperformance Application intelligence and control, along with real-time visuali- zation, should be integral components of your Next-Generation Firewall. They help manage both business and non-business applications, and help increase network and user productivity. PATriCk SwEEnEy VP of Product Management Patrick Sweeney has over 18 years experience in high tech product marketing, product management, corporate mar- keting and sales development. Currently, Mr. Sweeney is So- nicWALLs Vice President of the Network Security Business Unit. Previous po- sitions include Vice President of Worldwide Marketing, Minerva Networks, Senior Manager of Product Marketing & Solutions Marketing for Silicon Gra- phics Inc, Director of Worldwide Sales & Marketing for Articulate Systems, and Senior Product Line Manager for Apple Computer. Mr. Sweeney holds an MBA from Santa Clara University, CA. LETS TALK 58 1/2011 C an a parallel be drawn between freedom to cross the Berlin Wall and the freedom to post on a Facebook wall? Can such borderless liberty be defined in a 140 character Twitter feed or does it require an updated Declaration of Independence? Theres no question the prolifera- tion of technology around the globe has opened new portals for expression to those otherwise silenced by their governments and as a means toward equality for the oppressed. Call it Freedom 2.0. Yet while this expressive new flame flourishes, our collective fail- ure to protect such channels threatens both the integrity and usability of online forums. Last years hacking of Googles source code the se- cret instruction manual, if you will, of the search engines inner work- ings should serve as a warning sign to the international community of cyberspaces next stage of growth. First built as a tool for convenience, the Internet is simply not equipped to ward off todays sophisticat- ed attacks. If this modern marvel is to continue to thrive and serve as a beacon for all things innovative, security must now be our top priority. The Google attack was not an isolated event. As the global recession drags on, sensitive information only becomes more valuable and more vulnerable. Former employees, upset over a recent layoff in these hard economic times, have insider information that can be used to access com- pany networks and obtain corporate data. Depending on how big their axe to grind is, now its all too easy for the disgruntled former staffers to plaster sensitive intelligence all over the cyberworld. Corporations are hardly the sole victims. Consumer records can be left uncovered in the process of a breach, and the virtual identities of millions are left for the taking. In 2008 alone, 285 million consumer records or nearly one per American were compromised. Is the problem intractable? It is if we continue the same, static approach to fixing it. For centuries, humans secured data primarily through two meth- ods of identification: what you have (house keys, car keys, key fobs) and what you know (the combination to a lock, your Social Security number, your password). These methods typically work in limited and controlled environ- ments. However, with the proliferation of the Internet and the abundance of data sharing sites, such identification tools are hardly secure. Today, the Internet has 1.7 billion users, a number that is increasing at the rate of nearly 1 million per day. Facebook itself would boast the third largest population on Earth if it were an autonomous nation. Ashton Kutcher tells his 4.25 million Twitter followers what he eats every day for breakfast. Our world has moved into a virtual dimension, and as such, security requires an upgrade. To do so, we must examine what makes an item secure through an en- tirely different lens, moving from simple identification to complete authenti- cation. In addition to what you have and know, network access points must be able to authenticate who you are. Your palm, your face, and your typing pattern are all unique characteristics that cannot be replicated, lost or stolen as more traditional methods of identification increasingly can. Instead, you become the key to your data. You become the password. While it may sur- prise some, these advances are no longer the subject of sci-fi movies and are ready to be applied today. The question is how do we use them? Must retinal scanners be immediately installed on every computer? Prob- ably not. However, new ways to secure login portals should at least be con- sidered. More importantly, we all should take the initiative to become better educated on the state of cybersecurity. As we gain more exposure to cyber- space resources through e-mail, Facebook and online banking, for example, it becomes easier to trust the security and privacy of such applications. It is critical we resist this, however, remaining continually aware the information could be intercepted somewhere between send and receive. Further, this new paradigm of security where users become their pass- words is only effective if the concept is ingrained system wide. Google is a notable example of the many global businesses continuously under cyber- attack. As the Internet matures into the primary forum to exchange sensitive information, we will probably enter into a cyber-arms race of sorts a race not only between private-sector competitors, but also foreign governments and agents (Al Qaeda) who would seek to collapse Freedom 2.0. We didnt choose this ground, but our banks, critical infrastructures, and government agencies now line the battlefield of an iGen Cold War. But unfortunately, pre- vention is simply not working well enough. We are losing the war. One approach towards solving the dilemma could be the usage of smarter security technologies that focus on the root of the issue, eradi- cating the ability to use stolen information. For example, AuthenWare is a software-based, strong security solution that protects against identi- ty theft, web fraud and other system intrusions. It incorporates a break- through, multi-dimensional approach towards validating user identity through a series of biometric security algorithms that record and measure how a person uniquely types their credentials. This means that AuthenWare can distinguish one person from another; ensuring that rightful users are granted access to the appropriate internal, remote or web application, while stopping thieves by rendering stolen cre- dentials completely useless. And it does so without the need for expensive hardware, tokens or certificates in fact the user doesnt even need to be aware that it is there at all. The security algorithms are intelligent so that it learns and adapts to nuances in the users typing behavior even those caused by physical injury, medication, stress or fatigue. We must face opponents as one united front with both private and public sectors aligned. The online universe is successfully tearing down the walls that have, until now, separated and confined vast populations of the globe. Yet in its openness, danger lies. Too much money, too much proprietary information, and indeed, too many freedoms hinge on too little security. The Internet is moving forward. Will we? Tom Helou President & COO Tom Helou is the president and Chief Operations Ofcer of Authenware Corporation, responsible for global feld ope- rations including corporate strategy, consulting, marke- ting, sales, alliances, and customer programs. Prior to joining Authenware, Mr. Helou was with Fuego, as VP of International Sales, and upon its acquisition by BEA Systems in 2006, was placed in charge of BEAs sales for the Business Interaction Division (BID), the fastest growing unit of BEA for 2007 and 2008. Prior to Fuego, Mr. Helou was the VP of Latin America for Business Objects, and in 2002, he and his team achieved the highest sales growth in the companys histo- ry. Mr. Helou also held managerial positions working for PeopleSoft and MRO So- ftware where he was responsible for the development of International Markets for each business. Mr. Helou began his professional career at Intersoft in Argentina, working close- ly with Felix Racca. Mr. Helou has a degree in marketing as well as in agronomical engineering, and he continues to participate in graduate courses in marketing, human resources, management and business administration, both as an atten- dee and speaker. You As a Password Your palm, your face, and your typing pattern are all unique charac- teristics that cannot be replicated, lost or stolen as more traditional methods of identification increasingly can. Instead, you become the key to your data. You become the password.