Thursday, September 22, 2011

Article: Cloud computing has security advantages

Article: Google Wins Chance to Prove Cloud Security in Contract Lawsuit

Article: Cloud IAM catching on in the enterprise

Article: MIS-Asia - China to invest US$154 billion in cloud computing

Article: Stakes high for cloud contractors

Salesforce.com, Amazon, Google, IBM, Microsoft and CGI Federal are all competing for a slice of the cloud computing market in the federal space. Please see the following article.
Stakes high for cloud contractors
http://www.politico.com/news/stories/0911/63786.html


Monday, September 19, 2011

Substituting cyber reporting with continuous monitoring carries risks

An Obama administration decision to relax agency reporting rules for complying with cybersecurity mandates by instead requiring automated data feeds about threats could relegate risk management to a back-office function and leave senior executives out of the loop, some auditors say.

This year's instructions for adhering to the 2002 Federal Information Security Management Act, to the delight of some information technology managers, say that continuous monitoring will replace the current costly, time-consuming process of reauthorizing systems after upgrades or at least every three years.

"Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate reauthorization process is not necessary," states a response in the frequently asked questions section of the Sept. 14 Office of Management and Budget guidance. The Homeland Security Department, which supervises federal cybersecurity operations, authored the memo's instructions and the FAQ, including the question, "Is a security reauthorization still required every three years?"

Traditionally, reauthorizations have involved several steps of human analysis, where first, agency IT managers write a cybersecurity plan, then an outside security professional certifies or evaluates the controls in the plan and briefs the authorizing official -- a secretary or other senior executive -- on the findings. That senior official, by approving the plan, assumes responsibility for risks associated with the system.

With continuous monitoring, software and sensors are checking in near real time the system's most important safeguards, such as antivirus scan reports and remote access logs.

By switching from reauthorizations to continuous monitoring, "there's a potential that accountability could be removed from the equation," said Rick Dakin, chief executive officer of Coalfire, an IT compliance firm that performs FISMA risk assessments. "I think it lets [agencies] substitute budgets in a tight budget climate, but I think it leaves the [department] secretary off the hook."

He said automated surveillance should augment a comprehensive security review but not supersede it. "This program is very beneficial and should continue," said Dakin, a past president of the Denver chapter of InfraGard, an FBI affiliate.

The nature of the monitoring is more technical, however, and does not focus as much on physical controls, staff training, process controls and other governance elements of a baseline cyber program, he said.

"Do not let our national cyber interest be relegated to a helpdesk function," Dakin said. "At this period of growing risk, we need to get our senior executives more involved in cybersecurity and ongoing governance of those programs . . . not less."

But other IT security experts say the current procedure for reauthorizing systems demands excessive paperwork and meaningless examinations that prevent managers from acting on threats.

"It's sort of been proved that the analytical process is not nearly detailed enough to provide accuracy with regards to security," said John Gilligan, previously a chief information officer at the Air Force and Energy Department and now a private IT consultant.

The practice is more of a display that managers are going through the motions rather than a precise assessment of security posture, he added.

Gilligan, also a member of the Obama-Biden transition team that helped formulate the administration's IT policies, expects the new guidance will nudge agencies to quickly roll out continuous monitoring programs so that they do not have to endure reauthorization hassles. Most agencies have the technology to track indicators, but some have not established a means of tying together the machinery for a holistic view of security status departmentwide, he said.

Gilligan acknowledged, however, that he would be surprised if the administration does not also require an independent security team to assess the data output. "The tools are only so good," he said. "The human beings would still need to evaluate the results of tools. The guidance needs to also emphasize that it's also using the tools and providing actions based on what's happening."

The OMB memo states, "Agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs . . . In an effort to implement a more dynamic, risk-based security authorization process, agencies should follow the guidance in [National Institute of Standards and Technology] Special Publication 800-37, Revision 1."

That guidance, said NIST fellow Ron Ross, directs agency security and risk management professionals to analyze the incoming surveillance data in a way that senior leaders can understand.

"It doesn't mean that the authorization process is completely dead after the first time," he said on Friday. "The senior leaders are going to be involved more frequently. Ongoing authorization means ongoing acceptance of risk."

Continuous monitoring allows technicians and leaders to keep pace with the time and tempo of quickly evolving threats, Ross added. "It can make the authorization process a lot leaner and meaner," he said.

DHS officials on Friday said a well-planned continuous monitoring program will provide a window into the current state of systems and assets, enabling situational awareness within an IT enterprise. Automated data feeds will measure the effectiveness of security controls and help prioritize remedies better, they added. The information allows authorizing officials to make decisions based on live systems and networks, rather than merely on architectural diagrams.

Thursday, September 15, 2011

Key Findings from Damballa First Half 2011 Threat Report

The Damballa First Half 2011 Threat Report looks at Internet crime trends with a specific focus on criminal command-and-control (C&C) activity over the first six months of 2011.

Download the report

Key Findings Include:

Mobile/Android Threats Growing

  • The number of hijacked Android devices engaging in 'live' communications with criminal operators grew at a significant rate.
  • Having mobile malware contact the criminal operator and establish two-way Internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices.

Top 10 Most Abused Top Level Domains Represent 90% of All Live C&C Activity

  • Top Level Domains (TLD) .com, .info, .net, .org, and .biz are among the top ten most abused by criminals.
  • The TLD ".in" (India) ranked as the fifth most popular TLD for C&C.

SpyEye-Powered Botnets Jump to Number One

  • Only three of the top ten largest botnets for the first half of 2011 appeared in the "Damballa Top 10 Botnets for 2010 Threat Report."
  • OneStreetTroop, the Damballa reference to a botnet operation reliant on crimeware generated by the popular SpyEye do-it-yourself (DIY) construction set, climbed from tenth position in 2010 to first position for the first half of 2011.
  • Eight out of the top ten largest botnets utilize popular "off-the-shelf" DIY crimeware construction kits.
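The "top ten TLDs carry 90% of live C&C activity" finding is a measurement anyone with DNS or proxy logs can reproduce for their own environment. The following is an added example, not code or data from the Damballa report: it normalizes C&C hostnames as they come out of logs (mixed case, trailing dots, hard-coded IP addresses with no TLD at all) and computes the share of activity per TLD and the cumulative share of the top N. The sightings list is constructed for illustration.

```python
"""Share of live C&C activity by top-level domain (TLD).

Added example, not from the Damballa report. CNC_SIGHTINGS is constructed
sample data, not real report figures.
"""
from collections import Counter
import ipaddress

# Constructed sample: (C&C hostname or IP literal as extracted from logs,
# number of distinct victim hosts observed talking to it).
CNC_SIGHTINGS = [
    ("update-check.example.com.", 1200),   # trailing dot from DNS logs
    ("CDN-STATIC.EXAMPLE.INFO", 640),      # mixed case
    ("stat.example.net", 310),
    ("pool.example.org", 205),
    ("login.example.biz", 150),
    ("mail.example.in", 140),
    ("api.example.ru", 90),
    ("files.example.cc", 55),
    ("sync.example.co.uk", 40),            # ccSLD, grouped under .uk
    ("198.51.100.23", 35),                 # hard-coded IP C&C, no TLD
    ("img.example.tk", 20),
]


def tld_of(name):
    """Return the TLD (last label) of a hostname, lower-cased, or None for
    an IP-literal C&C, which has no TLD. Country-code second-level domains
    such as co.uk are reported under their TLD (uk), which is how the
    report groups by TLD."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return None
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        pass
    return name.rsplit(".", 1)[-1]


def activity_by_tld(sightings):
    """Sum observed C&C activity per TLD. IP-literal C&C is counted under
    the key 'ip-literal' so that it is not silently dropped."""
    counts = Counter()
    for host, victims in sightings:
        counts[tld_of(host) or "ip-literal"] += victims
    return counts


def top_n_share(counts, n):
    """Return (ranked list of (tld, share), cumulative share of the top n)."""
    total = sum(counts.values())
    ranked = [(tld, c / total) for tld, c in counts.most_common()]
    return ranked, sum(share for _, share in ranked[:n])


if __name__ == "__main__":
    counts = activity_by_tld(CNC_SIGHTINGS)
    ranked, share = top_n_share(counts, 10)
    for tld, s in ranked:
        print(f"{tld:<12} {s:6.1%}")
    print(f"top 10 TLDs carry {share:.1%} of observed C&C activity")
```

Counting by last label matches how the report groups TLDs (.com, .in); an effective-TLD split would put sync.example.co.uk under co.uk instead. IP-literal C&C is kept as its own bucket rather than discarded, since a botnet that avoids DNS entirely should be visible in the denominator of the concentration figure.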

Monday, September 12, 2011

Top 5 Tools for Virtualization Security

In my last blog post, I listed a few security tools for the Cloud. I left out virtualization security and had planned another post listing a few cool tools for it. As the audience of this blog must know, the majority of Cloud environments leverage virtualization for the elasticity and dynamic scaling of services, although virtualization is not a precondition for the Cloud. This blog post lists 5 top tools for virtualization security.


1: VMware (http://www.vmware.com) offers a free tool and two packaged commercial products for virtualization security.

  • The free tool is VMware's Compliance Checker, a fully functional product that provides detailed compliance checks (such as FISMA and PCI DSS) against the VMware vSphere Hardening Guidelines. You can print Compliance Checker reports and run compliance checks across multiple ESX and ESXi servers at once.
  • VMware also offers the vShield suite, bundled at $300 per VM. Here is a summary of its components:

o   VMware vShield App: Protects applications in the virtual datacenter against network-based threats. Essentially it is a hypervisor-level virtual firewall that can filter network traffic between VMs, including VM-to-VM traffic on the same host that never reaches a physical firewall.

o   VMware vShield App with Data Security: a new feature in vShield 5.0 that can discover sensitive data (such as PII) on VMs so that the VMs holding it can be placed in an isolated security zone. A nice enhancement indeed for the Trusted Cloud and a useful add-on for Data Loss Prevention in the Cloud.

o   VMware vShield Edge: Enhances protection at the virtual datacenter perimeter (edge firewall, NAT, DHCP, VPN and load balancing services).

o   VMware vShield Endpoint: Improves performance by offloading key antivirus and anti-malware functions to a security virtual machine, eliminating the per-VM antivirus agent footprint and the "AV storm" caused by many guests scanning at once.

o   VMware vShield Manager: Security management framework included with all vShield products.

o   VMware vShield Bundle: Includes all vShield products (vShield App with Data Security, vShield Edge, vShield Endpoint and vShield Manager); cost is $300 per VM.

  • VMware vCenter Configuration Manager: provides automated compliance checking and continuous compliance with out-of-the-box templates and toolkits, and thus enhanced security. Cost is $800 per VM.

2: Catbird (http://www2.catbird.com/) offers vSecurity, vCompliance and vSecurity Cloud Edition, and was named one of ComputerWorld's "10 Virtualization Vendors to Watch" in 2010, among other awards.

o   Catbird vSecurity: vSecurity consists of two elements: a virtual appliance deployed inside each VMware or Xen host (NOT on each virtual machine) and a Catbird Control Center, typically deployed in the Security Operations Center (SOC). The Catbird appliance is the eyes and ears of the virtual network, delivering security protection from inside the virtual host. The appliance reports back to the Control Center, where the management and expert system reside. The Control Center provides a single enterprise-wide view of the security and compliance state of the virtual infrastructure and is responsible for policy-based analytics and compliance workflow and reporting.

o   Catbird vCompliance: vCompliance monitors and audits the controls required by the leading regulatory standards and supports a wide array of common security frameworks. vCompliance includes default policies for SOX, HIPAA, DIACAP and PCI; each policy is built upon Catbird controls which map to the appropriate compliance framework.

o   vSecurity Cloud Edition: Cloud Edition integrates Catbird's full suite of services, including vulnerability monitoring, IPS/IDS, firewalling via TrustZones, Network Access Control (NAC) and policy enforcement, managed via a multi-tenant portal, and has the following features:

o   24x7 vulnerability management with a compliant scanner whose results are automatically correlated with other virtual machine attributes to provide an accurate assessment of known defects against a specific, customizable compliance framework.

o   NAC-based enforcement for continuous monitoring of the virtual machine population, real-time inventory management, an accurate real-time VM catalog and virtual machine sprawl prevention.

o   A multi-tenant management portal that provides compliance intelligence aggregation, management and reporting across physical, virtual, private and public clouds from a single dashboard, while ensuring the privacy of customer or departmental data.

3: HyTrust (http://www.hytrust.com/): the HyTrust appliance provides access control, authentication and authorization, policy management, security configuration management and auditable log aggregation for virtualized environments. HyTrust is tightly integrated with VMware and can be managed through a vCenter tab.


4: CloudPassage (http://www.cloudpassage.com/): CloudPassage's Halo platform is offered as security Software-as-a-Service. Its major components are:

o   Halo Daemon: a very lightweight (~2 MB), hardened software component that runs as a service on each cloud server. The daemon monitors important server security attributes, e.g. IP addressing, installed software, running processes and open network ports. It provides information to the Halo Grid as needed and responds to commands from the Grid to take actions such as updating iptables firewall rules.

o   Halo Grid: an elastic compute cloud that provides the analytics evaluating the data collected by the Halo Daemons, deciding which exposures and compliance concerns to report and which security parameters, such as iptables policies, to update. The Grid does the "heavy lifting" on behalf of the daemons, so that customers' server resources and performance are preserved.

o   Halo Portal: the single pane of glass used to manage all Halo capabilities. Policy configuration, review of compliance status, evaluation of reported exposures and even generation of Halo Daemon installation scripts are all provided through the portal.
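To make the daemon/grid split above concrete, here is an added example (my own illustration, not CloudPassage code): a thin collector that turns `ss -tlnp` output into plain facts about listening sockets, and a central evaluator that compares those facts against a per-role policy and emits iptables rules for listeners the policy does not allow. The `ss` output, the policy format and all function names are constructed for this example.

```python
"""Collector/evaluator split for cloud server monitoring.

Added example, not CloudPassage code. SS_OUTPUT is constructed sample
`ss -tlnp` output; WEB_ROLE_POLICY is a hypothetical policy format.
"""
import re

# Constructed sample of `ss -tlnp` output as a daemon would capture it.
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1032,fd=6))
LISTEN  0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1199,fd=21))
LISTEN  0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1304,fd=6))
LISTEN  0      128    [::]:8080           [::]:*            users:(("python3",pid=2210,fd=4))
"""

# Hypothetical policy for this server role: port -> process names allowed
# to listen on it from a non-loopback address. Loopback-only listeners are
# not reachable from off-host and are not judged.
WEB_ROLE_POLICY = {22: {"sshd"}, 443: {"nginx"}}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def collect_listeners(ss_output):
    """Daemon side: parse listening sockets into plain facts."""
    facts = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unparseable line
        addr = m["addr"].strip("[]")      # "[::]" -> "::"
        facts.append({
            "addr": addr,
            "port": int(m["port"]),
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "loopback": addr in ("127.0.0.1", "::1"),
        })
    return facts


def evaluate(facts, policy):
    """Grid side: return (exposures, iptables_rules).

    A listener is an exposure if it is reachable from off-host and either
    its port is not in the policy at all, or a process the policy does not
    name owns it. Only the first case gets a DROP rule; firewalling a
    policy port would take down the service the policy expects."""
    exposures, rules = [], []
    for f in facts:
        if f["loopback"]:
            continue
        allowed = policy.get(f["port"])
        if allowed is None:
            exposures.append(f"unexpected listener on port {f['port']} ({f['proc']})")
            rules.append(f"iptables -A INPUT -p tcp --dport {f['port']} -j DROP")
        elif f["proc"] not in allowed:
            exposures.append(
                f"port {f['port']} owned by {f['proc']}, expected {sorted(allowed)}")
    return exposures, rules


if __name__ == "__main__":
    facts = collect_listeners(SS_OUTPUT)
    exposures, rules = evaluate(facts, WEB_ROLE_POLICY)
    print("\n".join(exposures))
    print("\n".join(rules))
```

Run against the sample, the loopback-only MySQL listener is skipped, the Redis and python3 listeners fall outside the role policy and get DROP rules, and a policy port owned by the wrong process is reported for a human to look at rather than firewalled automatically.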

5: Trend Micro (http://us.trendmicro.com): Trend Micro's Deep Security 8 offers anti-malware protection, firewall, intrusion prevention, web application protection, integrity monitoring and log inspection for virtualized environments.


It can be integrated with Trend Micro's SecureCloud 2, which provides encryption and data protection for cloud deployments. With this integration, Deep Security can check the security profile of a system requesting access to content encrypted by SecureCloud and deny access if that system lacks the required security protections or has been infected by malware. Pricing for Deep Security 8 starts at $1,000 per server, with volume discounts available. Deep Security 8 is expected to ship by the end of 2011.

Friday, September 9, 2011

Sample Security tools for the Cloud Computing Environment

I have listed sample essential security tools for the Cloud Computing Environment below. I welcome any comments.

Security Controls and Sample Tools

Identity and Access Management (IAM)
IAM is at the top of the list because of its crucial importance to any organization's IT assets: IAM is the lock on the front door to business data and assets. Poorly defined or implemented IAM can negatively impact productivity and the overall security of the organization. Centralized, enterprise-wide IAM with identity federation extended to the Cloud is the best industry practice. Good tools include:
· Symplified suite of IAM products,
· Ping Identity,
· CA, Oracle, IBM and Microsoft IAM suites of products, etc.
The most innovative products are from Symplified, not from big and old companies such as Oracle or IBM.
Security Information and Event Management (SIEM) tools
Due to the requirements of continuous monitoring, SIEM knowledge becomes important. Sample tools include:
· ArcSight,
· Q1 Labs (QRadar), etc.
Encryption
With Cloud Computing becoming mainstream, encryption knowledge and experience is more relevant as more data moves to the cloud. Understanding of FIPS 140-2 requirements and of strong encryption such as AES (and 3DES, which should now be limited to legacy interoperability) is necessary for data security in the cloud.
Anti-Virus, Network IDS/IPS and other security monitoring tools
Organizations will need to understand the basic deployment model, configuration and administration of these tools.
Sample anti-virus tools include:
· McAfee,
· Symantec,
· Trend Micro,
· Webroot,
· Norton,
· AVG, etc.
Sample network IDS/IPS tools include:
· Barracuda,
· Check Point,
· Cisco IPS,
· eEye,
· Juniper IDP,
· McAfee NSM,
· Radware IDS,
· Sourcefire ETM,
· IBM Proventia IPS,
· WatchGuard,
· TippingPoint,
· Corero, etc.
Enterprise Forensics Tools
Forensics tools are needed by Cloud Security professionals to aid in forensic investigation and the litigation process. The following are sample tools:

· EnCase Enterprise,
· ProDiscover,
· Forensic,
· EnCase,
· The Sleuth Kit,
· dtSearch,
· Paraben, etc.

Logging and Auditing tools
Centralized logging and event correlation with analytic capability is essential for fraud and vulnerability detection and investigation. Sample tools include:
· Sensage,
· Splunk, etc.
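As an added example of what the SIEM entry above and this logging entry ask for (my own illustration, not code from ArcSight, Q1 Labs, Sensage or Splunk), here is the two-step job a central log platform does for detection: normalize differently formatted sources into one event shape, then correlate across them. The rule flags a source IP that racks up enough failed logins within a window, counted across sshd and the application together, and then succeeds. The log lines are constructed samples; the application's JSON format, the field names and the thresholds are assumptions of the example.

```python
"""Centralized log normalization and cross-source correlation.

Added example, not from any SIEM product. SSHD_LOG and APP_LOG are
constructed sample data; the application log format is hypothetical.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (syslog format has no year; 2011 assumed).
SSHD_LOG = """\
Sep 10 02:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep 10 02:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Sep 10 02:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Sep 10 02:14:06 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 51050 ssh2
Sep 10 02:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.45 port 51066 ssh2
Sep 10 02:30:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
"""

# Constructed application log, one JSON object per line (hypothetical format).
APP_LOG = """\
{"ts": "2011-09-10T02:15:01Z", "src": "203.0.113.45", "user": "alice", "event": "login_failed"}
{"ts": "2011-09-10T02:15:02Z", "src": "203.0.113.45", "user": "alice", "event": "login_failed"}
{"ts": "2011-09-10T02:15:04Z", "src": "203.0.113.45", "user": "alice", "event": "login_ok"}
{"ts": "2011-09-10T03:00:00Z", "src": "192.0.2.10", "user": "bob", "event": "login_failed"}
{"ts": "2011-09-10T03:00:05Z", "src": "192.0.2.10", "user": "bob", "event": "login_ok"}
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')


def normalize_sshd(text, year=2011):
    """sshd syslog lines -> common events (time, source, src_ip, user, success)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, "sshd", m["src"], m["user"], m["result"] == "Accepted"))
    return events


def normalize_app(text):
    """Application JSON lines -> the same common event shape."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, "app", rec["src"], rec["user"], rec["event"] == "login_ok"))
    return events


def brute_force_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert on a source IP with >= min_failures failed logins within
    `window`, counted across all sources, followed by a success anywhere."""
    alerts = []
    recent_failures = defaultdict(list)          # src_ip -> failure times
    for ts, source, src, user, ok in sorted(events):
        fails = recent_failures[src]
        fails[:] = [t for t in fails if ts - t <= window]   # age out old failures
        if not ok:
            fails.append(ts)
        elif len(fails) >= min_failures:
            alerts.append({"src": src, "user": user, "source": source,
                           "failures": len(fails), "at": ts.isoformat()})
            fails.clear()
    return alerts


if __name__ == "__main__":
    merged = normalize_sshd(SSHD_LOG) + normalize_app(APP_LOG)
    for alert in brute_force_then_success(merged):
        print(alert)
```

The cross-source view is the point: the application log alone sees only two failures before alice's successful login and stays silent, and sshd alone sees five failures but no success. Only the merged stream, keyed on the source IP, crosses the threshold and produces the alert.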
Data Leakage Prevention tools
Proactive tools for preventing data loss are becoming important in the cloud. Sample tools include:
· Vontu,
· Orchestria,
· Verdasys, etc.
Vulnerability management and penetration testing program
A good vulnerability management tool would include capabilities for asset management, vulnerability assessment, configuration management, patch management, remediation, reporting and monitoring. In reality, a single tool provides only part of that functionality, so a Cloud Service Provider will need a combination/integration of tools to get the best results.
Sample tools include:
· McAfee Foundstone Enterprise (www.mcafee.com),
· StillSecure (www.stillsecure.com),
· eEye Digital Security (www.eEye.com),
· Symantec/BindView (www.bindview.com),
· Attachmate/NetIQ (www.netiq.com), etc.

Infrastructure and/or application vulnerability scanning toolsets
The following are sample tools/vendors. Some tools can be installed on premises or used as a service in the cloud.
· Qualys,
· Cenzic,
· Fortify,
· Nessus, etc.
Application Security Assessment
Sample tools include:
· Burp Suite,
· Paros,
· HP WebInspect,
· IBM Rational AppScan,
· Cenzic Hailstorm, etc.
Disaster Recovery (DR) tools
Sample tools include:
· VMware Site Recovery Manager,
· SunGard,
· Barracuda Backup Service,
· Double-Take Software, etc.

Friday, September 2, 2011

Hackers, Mobile, Social Media Making IT Security a Challenge - Security - News & Reviews - eWeek.com - eWeek Mobile

http://mobile.eweek.com/c/a/Security/Hackers-Mobile-Social-Media-Making-IT-Security-A-Challenge-223185/

Mobile Security Trends

On 6/22/2011, my co-worker Jim Hewitt and I spoke at and facilitated an Executive Forum for HDI, a professional association for IT support. The audience of this forum was CEOs and CIOs of Fortune 500 companies and some mid-sized companies. I was impressed by the knowledge and interest exhibited by this group of CXOs. We talked about different mobile technologies including 3G, 4G (mostly WiMAX and LTE), WiFi, NFC (Near Field Communication), Bluetooth, etc. We talked about the security trends in these mobile technologies; we also talked about mobile app trends and the associated app security trends. The audience seemed to have particular interest in NFC and Mobile Device Management. From a strategic point of view, the audience was also interested in defining the policy and process for leveraging mobile devices in the workplace. Overall, it was a great 3-hour session. The time passed so quickly that we still feel there are lots of topics worthy of further discussion in the future. If you are interested in mobile security trends and would like a copy of the presentation slides, please leave me a comment and I will send you the slides.




Global market for mobile security is expected to reach $14.4 billion by 2017

The tremendous popularity of mobile devices and their subsequent
appearance in the workplace means organizations have to worry about
data-stealing malware as well as the danger of lost and stolen
devices.

The increased risk to personal and corporate data is an opportunity
for the mobile-security industry, and the global market for mobile
security is expected to reach $14.4 billion by 2017, market research
firm Global Industry Analysts said in an Aug. 24 report. Issues such
as data breaches, unauthorized access to and loss of personal
information stored within the mobile phone, malware and malicious
applications all highlight the need for comprehensive mobile security.

The report, "Mobile Security: A Global Strategic Business Report,"
reviewed trends for all major geographic markets, including the United
States, Canada, Japan, Europe, the Asia-Pacific, Latin America and
others. Analysts also examined trends in mobile-security client
software and in mobile-network-security appliances and software, which
includes integrated security appliances, content security gateways and
intrusion-detection/-prevention systems.

"Security issues have taken on extreme importance in recent years,"
Global Industry Analysts said in the report.

The "evolution" of smart mobile computer devices such as laptops,
personal digital assistants, smartphones and tablet PCs into tools
commonly used for both business and personal use presents a
"tremendous opportunity" for the global mobile-security market, the
firm said.

Mobile-application development is a relatively new field, and
technologies for securing mobile-application code are immature,
analyst Chenxi Wang wrote in a recent Forrester Research report.
Vulnerabilities in mobile code, flawed application architecture or
improper handling of credentials can lead to embarrassing data
breaches, network intrusions or hacker attacks, Wang said.

Mobile-security client software is currently the fastest-growing
market as security vendors roll out mobile antivirus, Web-filtering
and other applications for smartphones and tablets. Global Industry
Analysts estimated that the market would grow by more than 53 percent
between 2008 and 2017.

Mobile devices have been transformed into "a multi-faceted
multi-tasking, multimedia device," delivering tools for personal
expression, enterprise computing and entertainment, the firm said.
Mobile devices are now used for video conferencing, storing documents
and media, sending and receiving email messages, online banking and
shopping and other entertainment purposes.

While the productivity benefits are "undeniable," the new capabilities
and features "open up new apertures for risks," according to Global
Industry Analysts. The threat of malicious applications compromising
the mobile device and accessing key information stored within poses
significant risks to the organization and is "a perfect business case
for mobile security."

The biggest gains in mobile security will be in the Asia-Pacific
region, driven primarily by "robust demand" for mobile devices in
emerging countries, such as China and India, according to Global
Industry Analysts.

Mobile networks are also experiencing "exploding data traffic" as a
direct result of the "exponential rise" in the number of
Internet-connected mobile devices, the company said. Customer demand
has also forced mobile-network operators to stop restricting users to
a set of default services provided by the carrier and instead give
them access to all services and content on the World Wide Web. Mobile
operators have to balance the seamless integration of proprietary
networks and the entire Internet with security and privacy concerns
that inevitably would arise, according to the analysts.

"Mobile-network providers will therefore come under increased pressure
to invest in mobile-security appliances and software to protect both
their networks as well as network users," the analysts wrote.

Source: http://mobile.eweek.com/c/a/Security/Global-Mobile-Security-Market-Worth-144-Billion-in-2017-Report-212602/

Identity thieves increasingly target children

A recent investigation into illegal immigrants who were hired by a
Texas nursing home after they bought Social Security cards revealed
that seven of the identification numbers on the fake cards belonged to
children, a Social Security Administration special agent said
Thursday. Increasingly, identity thieves are hacking computers at
schools and pediatric centers to retrieve this lucrative personal
information, experts say.

"While this investigation involved a very small sample, we found that
of 28 misused SSNs identified, 25 percent belonged to children,"
Antonio Puente, special agent for the SSA Office of Inspector
General's Dallas field division, testified at an off-site
congressional hearing. The House Ways and Means Subcommittee on Social
Security held the session in Plano, Texas, to examine the growing
problem of child identity theft.

More than 140,000 American children each year become victims of
identity theft, experts said at a July child-centric fraud forum
sponsored by the Federal Trade Commission. That number includes kids
whose relatives, when in a financial bind, applied for new credit with
their young family member's name and Social Security number. Reports
of child identity theft increased nearly 200 percent between 2003 and
2009, when 19,000 cases were filed, according to FTC figures.

Robert Feldt, special agent in-charge at the same Texas division, said
child identity theft "allows for the potential long-term undetected
abuse of a genuine SSN -- and the potential long-term harm to a young
person's financial future." It usually isn't until about 18 years
later that the adult victim discovers a mysterious history of unpaid
bills or loan defaults.

All the suspects questioned during the nursing home incident were
Mexican nationals who currently are undergoing deportation and removal
proceedings, Puente said.

In one new form of identity fraud, corrupt vendors use dormant Social
Security numbers, particularly those assigned to children, to
establish bogus credit files for people with bad credit, Feldt said.
They advertise these offerings, called credit profile numbers or
credit protection numbers, on websites at prices between $40 and
$3,500.

"Despite what many of these credit repair websites imply, consumers
should know that CPNs are not legal," he testified.

The inspector general's office is pushing for legislation that would
limit the ability of local governments and companies to access and
display Social Security Numbers. Schools and social services agencies
often widely circulate sensitive personal data for kids in foster
care, leaving foster children especially vulnerable to identity theft,
panelists at the July summit said.

Source: http://www.nextgov.com/nextgov/ng_20110901_8644.php?oref=rss?zone=NGtoday