The six most dangerous infosec attacks – Hackers – SC Magazine Australia – Secure Business Intelligence

The six most dangerous infosec attacks – Hackers – SC Magazine Australia – Secure Business Intelligence.

SC Magazine Australia summarized Ed Skoudis’s and Johannes Ullrich’s RSA presentation on the six most dangerous IT security threats of 2011 and what to expect in the year ahead. They are:

  1. DNS as command-and-control
  2. SSL slapped down
  3. Mobile malware as a network infection vector
  4. Hacktivism is back
  5. SCADA at home
  6. Cloud Security
Additional trends:
  • IPv6
  • Oldies
  • Social Networking
  • Malware
  • DNSSEC
The reference to the Malware item above is that blacklisting is a losing proposition and organizations need to move to whitelisting. IMHO, this is especially true for establishing positive network control at the application level.

Cloud Provider security requirements

Grok Computer Security: I’ll tell you what I want, what I really, really want from a Cloud Provider.

Michael Berman, the CTO of Catbird, summarizes his cloud provider requirements. For security, he is looking for:

  • Auditing: network and management
  • Control: policy and assurance
  • Metrics: continuous and interoperable
Are these capabilities to be provided by the cloud provider or should the enterprise adopt a solution it can use across multiple cloud providers? What about compatibility with private cloud deployments?

The Top 10 Security Questions Your CEO Should Ask — CIOUpdate.com

The Top 10 Security Questions Your CEO Should Ask — CIOUpdate.com.

From PwC, here are the top 10 questions your CEO should be asking you:

  1. Who is accountable for protecting our critical information?
  2. How do we define our key security objectives to ensure they remain relevant?
  3. How do we evaluate the effectiveness of our security program?
  4. How do we monitor our systems and prevent breaches?
  5. What is our plan for responding to a security breach?
  6. How do we train employees to view security as their responsibility?
  7. How do we take advantage of cloud computing and still protect our information assets?
  8. Are we spending our money on the right things?
  9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?
  10. How do we meet expectations regarding data privacy?

This article provides a paragraph or two on each one of these questions.

How Will Technology Disrupt the Enterprise in 2011?

How Will Technology Disrupt the Enterprise in 2011?.

Constellation Group’s Ray Wang lists five core disruptive technologies: social, mobile, cloud, analytics, and unified communications.

What’s interesting to us at Cymbel is that each of them requires rethinking compliance and security to mitigate the new risks their deployments create for the enterprise. In other words, inadequately addressing the security and compliance risks around these technologies will inhibit deployment.

What are the risks?

  • Social – The new threat vector – the “inside-out” attack, i.e. rather than having to penetrate the enterprise from the outside-in, all a cybercriminal has to do is lure the insider to an external malware-laden web page.
  • Mobile – All the types of attacks we’ve seen over the years against desktops and laptops are finding their way onto smart phones.
  • Cloud – Will you put trade secrets and PII out in a public cloud deployment without protecting them from third party access? How will you verify that third parties, such as the administrators at SaaS companies, are not accessing your data?
  • Analytics – Good security technology has only recently taken hold for traditional relational databases that rely on the SQL access language. The new analytics are about new ways of storing and accessing data for analysis. How do you monitor and control access?
  • Unified Communications – Attempting to apply traditional IPSec VPN technology to converged data, voice, and video networks creates unacceptable latency issues and unstable session connections. And MPLS itself does not provide encryption.

Cymbel’s mission is to provide the information security and compliance solutions which enable these technologies. We help our clients rethink and re-implement defense-in-depth.

Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”

As an Information Security and Compliance Solution Provider, we are enablers of technology change.

From the Concrete To The Hypervisor: Compliance and IaaS/PaaS Cloud – A Shared Responsibility | Rational Survivability

From the Concrete To The Hypervisor: Compliance and IaaS/PaaS Cloud – A Shared Responsibility | Rational Survivability.

Security, and therefore Compliance, in the cloud is a shared responsibility. In other words, no IaaS or PaaS cloud vendor can provide complete compliance since the cloud providers’ responsibilities end at the hypervisor. You, the application provider, are responsible for securing the VM and the applications/data therein.

In the case of an IaaS cloud provider who may achieve compliance from the “concrete to the hypervisor,” (let’s use PCI again,) the customer in turn must have the contents of the virtual machine (OS, Applications, operations, controls, etc.) independently assessed and meet PCI compliance in order that the entire stack of in-scope elements can be described as compliant.

Thus security — and more specifically compliance — in IaaS (and PaaS) is a shared responsibility.

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading.

Last week Forrester Research began promoting a new term, “Zero Trust,” to define its new security model. The new model’s underlying principle is “trust no one.” In other words, you cannot trust the servers and the workstations inside your network any more than you could trust external third parties.

Given the nature of the changes we’ve seen during the last 3 to 5 years in technology and the threat landscape, we agree. We have seen a huge increase in what we call “inside-out” attacks where insiders are lured to malware-laden web pages on, for example, Facebook, Twitter, YouTube, and even the New York Times. The malware gets downloaded to the unsuspecting person’s workstation along with the normal content on the web page. From there, the malware steals the person’s credentials to access bank accounts, internal intellectual property, customer records, or whatever the attackers can readily convert to cash. This type of malware is not the traditional single-purpose virus or worm. Rather it’s an agent controlled by remote servers that can modify its functions. These “bots” have gone undetected for days, weeks, months, even years.

From a security perspective, this type of attack looks very similar to a malicious insider, and information security must protect against it along with the traditional “outside-in” attack method.

From my perspective, Forrester’s Zero Trust model and Cymbel’s next-generation defense in-depth architecture are the same when it comes to network security. Our Approach, based on the SANS 20 Critical Security Controls for Effective Cyber Defense, is broader.

However, there is one area where I disagree somewhat with John Kindervag, the Forrester analyst discussing the Zero Trust model, who is reported to have said:

“It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function.

Gee, how did he leave out packet shaping? I have no doubt that there are vendors attempting to do all these functions in a single appliance, but it reminds me of Network Access Control in 2007. NAC was going to subsume all manner of security functions in a single appliance. The complexity was overwhelming. Furthermore, most organizations really don’t want all that functionality in one box. There is still the need for a defense-in-depth architecture, in our opinion.

Some level of function consolidation is surely reasonable and advantageous to organizations with limited resources, i.e. everyone!! However the expertise needed to develop and advance all of these different functions is virtually impossible to assemble in one company. For example, full packet capture is really about innovative data storage and retrieval. High performance, stream-based, application level, firewall/IPS is about innovative deep-packet inspection combined with clever hardware design. And data loss prevention requires proxies and semantics-based data classification algorithms.

While I am surely not saying that we can achieve nirvana now, the components of Cymbel’s next-generation defense-in-depth architecture can provide major improvements in network security today:

  • Next-Generation Firewall with application- and user-level, internal network segmentation, integrated intrusion prevention, and bandwidth management – Palo Alto Networks
  • 0-day threat and botnet command & control communications prevention – FireEye
  • Cloud-based web and email security – Zscaler
  • Device/software discovery and configuration change detection – Insightix, AccelOps
  • High Performance Full Packet Capture – Solera Networks
  • Layer 2, 3, 4 encryption – Certes Networks
  • User-based, behavioral anomaly detection using net flows and logs plus high-performance event correlation – Lancope

I look forward to learning more about Forrester’s Zero Trust model and working with partners who recognize the new landscape and respond with creative solutions for our clients.