Research

We ve talked a bit about the need to “be careful what we wish for,” in terms of making security a higher profile issue with senior management. Well, it’s no longer just vendors throwing FUD balloons that can splat at any time. I was perusing the Seeking Alpha investor site over the weekend when I found an article called Pandemic Cyber Security Failures Open An Historic Opportunity For Investors. Yes, I threw up a bit in my mouth when I read that headline. The first sentence doesn’t help: Cyber Security failures in the Western World have reached a pandemic stage. Oy. Then the author goes on to quote lots of different sources designed to scare the crap out of the uneducated. It’s awesome. Then he talks a bit about the reality of current defenses: From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as Antivirus and Intrusion Detection and Prevention (IDS/IPS) are currently only marginally effective at catching security threats. Ugh. But it gets better. Of course when you throw this much FUD you need to have solutions, right? The partnership between VMWare and Cisco is going to integrate network defenses into the virtual computing used in cloud deployments, didn’t you know? That will definitely help address the pandemic. And get this beauty about HP’s innovation in the space: In addition, HP (HPQ) has developed software to link operational system logs with security event logging, enabling network operations and security to unite in common defense of corporate networks. Eliminating functional silos in network operations and security means more coordinated and efficient defenses against attackers. Hello! 2004 called and they want their functional silos back. This is when you really wish the uneducated wouldn’t do a few minutes of research and then think they understand security. I don’t feel bad that professional investors may see (and even act on) this kind of crap. But I do worry about unsuspecting individual investors who are most vulnerable to this drivel. Now please excuse me while I take some deep, cleansing breaths… Share:

Now that we have covered all the pesky background information, we can start delving into the best ways to actually protect data. Securing the Storage Infrastructure and Management Plane Your first step is to lock down the management plane and the infrastructure of your cloud storage. Encryption can compensate for many configuration errors and defend against many management plane attacks, but that doesn’t mean you can afford to skip the basics. Also, depending on which encryption architecture you select, a poorly-secured cloud deployment could obviate all those nice crypto benefits by giving away too much access to portions of your encryption implementation. We are focused on data protection so we don’t have space to cover all the ins and outs of management plane security, but here are some data-specific pieces to be aware of: Limit administrative access: Even if you trust all your developers and administrators completely, all it takes is one vulnerability on one workstation to compromise everything you have in the cloud. Use access controls and tiered accounts to limit administrative access, as you do for most other systems. For example, restrict snapshot privileges to a few designated accounts, and then restrict those accounts from otherwise managing instances. Integrate all this into your privileged user management. Compartmentalize: You know where flat networks get you, and the same goes for flat clouds. Except that here we aren’t talking about having everything on one network, but about segregation at the management plane level. Group systems and servers, and limit cloud-level access to those resources. So an admin account for development systems shouldn’t also be able to spin up or terminate instances in the production accounting systems. Lock down the storage architecture: Remember, all clouds still run on physical systems. If you are running a private cloud, make sure you keep everything up to date and configured securely. Audit: Keep audit logs, if your platform or provider supports them, of management-plane activities including starting instances, creating snapshots, and altering security groups. Secure snapshot repositories: Snapshots normally end up in object storage, so follow all the object storage rules we will offer later to keep them safe. In private clouds, snapshot storage should be separate from the object storage used to support users and applications. Alerts: For highly sensitive applications, and depending on your cloud platform, you may be able to generate alerts when snapshots are created, new instances are launched from particular instances, etc. This isn’t typically available out of the box but shouldn’t be hard to script, and may be provided by an intermediary cloud broker service or platform if you use one. There is a whole lot more to locking down a management plane, but focusing on limiting admin access, segregating your environment at the cloud level with groups and good account privileges, and locking down the back-end storage architecture, together make a great start. Encrypting Volumes As a reminder, volume encryption protects from the following risks: Protects volumes from snapshot cloning/exposure Protects volumes from being explored by the cloud provider, including cloud administrators Protects volumes from being exposed by physical drive loss (more for compliance than a real-world security issue) IaaS volumes can be encrypted three ways: Instance-managed encryption: The encryption engine runs within the instance and the key is stored in the volume but protected by a passphrase or keypair. Externally managed encryption: The encryption engine runs in the instance but keys are managed externally and issued to instances on request. Proxy encryption: In this model you connect the volume to a special instance or appliance/software, and then connect the application instance to the encryption instance. The proxy handles all crypto operations and may keep keys either onboard or external. We will dig into these scenarios next week. Share:

Hi folks, Dave Lewis here, and it is my turn to pull the summary together this week. I’m glad for the opportunity. So, a random thought: I have made a lot of mistakes in my career and will more than likely make many more. I frequently refer to this as my well-honed ability to fall on spears. The point? Simple. This is a learning opportunity that people seldom appreciate. Much like toddlers, we learn to walk by mastering the fine art of the faceplant. We learn in rather short order that we really don’t care for the experience of falling on our faces, and soon that behavior is corrected (for most, at least). So why, pray tell, do we continue to suffer massive data breaches? Not a week goes by without some major corporation or government body announcing that they have lost a USB drive or had a laptop stolen. Have we not learned yet that “face + floor = pain” is not an equation worthy of an infinite loop? Just my musing for this week. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted by The Macalope. Adrian’s DR paper: Security Implications Of Big Data. Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Mike’s DR post: You’re A Piece Of Conference Meat. snort Favorite Securosis Posts Rich: 1 in 6 Amazon Web Services users can’t read. This seriously tweaked me. And don’t give me guff for picking my own post – no one else posted this week. You’d think with 3 full timers and 6 contributors, someone else… Adrian Lane: Proposed California Data Law Will Affect Security… but it will take quite a while before companies take it seriously. David Mortman: Flash! And it’s gone… Dave Lewis: Defending Cloud Data: How IaaS Storage Works. Other Securosis Posts Cybersh** just got real. Proposed California Data Law Will Affect Security. Brian Krebs outs possible Flashback malware author. Appetite for Destruction. Get Ready for Phone Security and Regulations. IaaS Encryption: Understanding Encryption Systems. An article so bad, I have to trash it. Favorite Outside Posts Rich: Activists on Front Lines Bringing Computer Security to Oppressed People. Lives really are at stake for these people. Mike Mimoso is doing a great job with this coverage. Adrian Lane: IT for Oppression. And I just thought this was IT culture. Dave Lewis: Googlers exultant over launch of Blink browser engine. Google rolls their own browser engine. This should be interesting. Dave Mortman: Building Technical Literacy in Business Teams. James Arlen: Delivering message w/ impact && Announing our ‘Reverse Job Fair’. This should be a brilliant workshop. Top News and Posts New PoS malware. That’s “point of sale”, not the other thing. Sometimes. How to Dress Like a Cyber Warrior OR Looking Like a Tier-Zero Hero. This amused me far more than it should have. Bill would allow bosses to seek Facebook passwords. …and then Amendment aimed at workers’ passwords pulled. Apple’s iMessage encryption trips up feds’ surveillance. Because encrytion is haaaard. (h/t James Arlen). Aaron Swartz’s Prosecutors Were Threatened and Hacked, DOJ Says. I’ll just bite my tongue Honeypot Stings Attackers With Counterattacks. Top 10 Web Hacks 2012. FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013 Attempted child abduction thwarted when girl asks stranger for code word. This article caught my eye for the brilliant simplicity for keeping your kids safe. Blog Comment of the Week This week’s best comment goes to Nate, in response to 1 in 6 Amazon Web Services Users Can’t Read. I’d go out on a limb and wager a good portion of those open buckets were setup by non-IT groups who used Amazon as an end around governance and process. I’d also wager a fair number just used one of the available tools to manage their S3 because they don’t really understand the technology and that tool set the bucket to public unbeknownst to them. That means even if they received and read the email above, they probably didn’t understand it. Is that Amazon’s fault? Absolutely not. It does highlight the issue of kicking governance down the road to IT rather than dealing with it at a business level so it can be easily avoided, or focusing governance only on dollars so small opex spends fly under the radar. Unless business leaders start caring about governance and process a whole awful lot, nothing is going to get better, it’s not. Sorry, the kids have been watching the Lorax movie non stop lately. Share:

Huawei not expecting growth in US this year due to national security concerns (The Verge). U.S. to scrutinize IT system purchases with ties to China (PC World): U.S. authorities will vet all IT system purchases made from the Commerce and Justice Departments, NASA, and the National Science Foundation, for possible security risks, according to section 516 of the new law. “Cyber-espionage or sabotage” risks will be taken into account, along with the IT system being “produced, manufactured, or assembled” by companies that are owned, directed or funded by the Chinese government. This is how you fight asymmetric espionage. Expect the consequences to continue until the attacks taper off to an acceptable level (yes, there is an acceptable level). Share:

Threatpost reports that California is considering a law requiring companies to show consumers what data is collected on them. Known as the “Right to Know Act of 2013,” AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. If passed, it would require any business that retains customer data to give a copy of that information, including who it has been shared with, for the past year upon request. It applies to companies that are both on – and offline. The claim is that it doesn’t add data protection requirements, but it does. Here is how: You will need mechanisms to securely share the data with customers. This will likely be the same as what healthcare and financial institutions do today (generally email encryption). You will need better auditing of who data is shared with. Depending on interpretation of the law, you might need better auditing of how it is used internally. Right now this doesn’t seem to be a requirement – I am just paranoid from experience. What to do? For now? Nothing. Remember the Compliance Lifecycle. Laws are proposed, then passed, then responsibility is assigned to an enforcement body, then they interpret the law, then they start enforcement, then we play the compensating controls game, then the courts weigh in, and life goes on. Vendors will likely throw AB 1291 into every presentation deck they can find, but there is plenty of time to see how this will play out. But if this goes through, there will definitely be implications for security practitioners. Share:

Brian Krebs thinks he may have identified the author of the Flashback Mac malware that caused so much trouble last year. Brian is careful with accusations but displays his full investigative reporting chops as he lays out the case: Mavook asks the other member to get him an invitation to Darkode, and Mavook is instructed to come up with a brief bio stating his accomplishments, and to select a nickname to use on the forum if he’s invited. Mavook replies that the Darkode nick should be not be easily tied back to his BlackSEO persona, and suggests the nickname “Macbook.” He also states that he is the “Creator of Flashback botnet for Macs,” and that he specializes in “finding exploits and creating bots.” Brian has started to expose more detailed information from his access to parts of the cybercrime underground, and it’s damn compelling to read. Share:

We (Rich and Gal) were chatting last week about the destructive malware attacks in South Korea. One popular theory is that patch management systems were compromised and used to spread malware to affected targets, which deleted Master Boot Records and started wiping drives (including network connected drives), even on Linux. There was a lot of justfied hubbub over the source of the attacks, but what really interested us is their nature, and the implications for our defenses. Think about it for a moment. For at least the past 10 years our security has skewed towards preventing data breaches. Before that, going back to Code Red and Melissa, our security was oriented toward preventing mass destructive attacks. (Before that it was all Orange Book, all the time, and we won’t go there). Clearly these attacks have different implications. Preventing mass destruction focuses on firewalls (and other networking gear, for segmentation, not that everyone does a great job with it), anti-malware, and patching (yes, we recognize the irony of patch management being the vector). Preventing breaches is about detection, response, encryption, and egress filtering. The South Korean attack? Targeted destruction. And it wasn’t the first. We believe Stratfor had a ton of data destroyed. Stuxnet (yes, Stuxnet) was a fire and forget munition. But, for the most part, even Anonymous limits their destructive activities to DDoS and the occasional opportunistic target. Targeted destruction isn’t a new game but it’s one we haven’t played much. Take Rich’s Data Breach Triangle concept, or Lockheed’s Cyber Kill Chain. You have three components to a successful attack – a way in, a way out, and something to steal. But for targeted destruction all you need is a way in and something to wreck. Technically, if you use some fire and forget malware (single-use or worm), you don’t even need to interact with anything behind the target’s walls. No one was sitting at a Metasploit console on the other side of the Witty Worm. So what can we do? We definitely don’t have all the answers on this one – targeted destructive attacks, especially of the fire and forget variety, are hard as hell to stop. But a few things come to mind. We cannot rely on response after the malware is triggered, so we need better segregation and containment. Note that we are skipping traditional defense advice because at this point we assume something will get past your perimeter blocking. Rich has started using the term “hypersegregation” to reflect the increasingly granular isolation we can perform, even down to the application level in some cases, without material management overhead increasing (read more). As you move more into cloud and disk-based backups, you might want to ensure you still keep some offline backups of the really important stuff. We don’t care whether it’s disk or tape, but at some point the really critical stuff needs to be offline somewhere. Once again, incident response is huge. But in this case you need to emphasize the containment side of response more than investigation. On the upside these attacks are rarely quiet once they trigger. On the downside they can be quite stealthy, even if they ping the outside world for commands. But there is one point in your favor. Targeted destruction as an endgame is relatively self-limiting. There’s a reason it isn’t the dominant attack type, and while we expect to see more of it moving forward but it isn’t about to be something most of us face on a daily basis. Also, because malware is the main mechanism, all our anti-exploitation work will continue to pay off, making these attacks more and more expensive for attackers. Well, assuming you get the hell off Windows XP. Share:

Emergency services providers and others are being hit with telephone-based denial of service attacks. Nasty stuff, powered by IP-based phone systems. This relates to SWATing (what hit Brian Krebs). It has become trivial to use computers to make and spoof phone calls. This is the sort of thing that could lead to new regulations. It is already against the law, but these incidents may lead to rules tightening how companies connect to the phone system. Which probably isn’t great for innovation, and might not work anyway. Share:

Now that we have covered the basics of how IaaS platforms store data, we need to spend a moment reviewing the parts of an encryption system that are relevant for protecting cloud data. Encryption isn’t our only security tool, as we mentioned in our last post, but it is one of the only practical data-specific tools at our disposal in cloud computing. The three components of a data encryption system Cryptographic algorithms and implementation specifics are important at the micro level, but when designing encryption for cloud computing or anything else, the overall structure of the cryptographic system is just as important. There are many resources on which algorithm to select and how to use it, but far less on how to piece together an overall system. When encrypting data in the cloud, knowing how and where to place these pieces is incredibly important, and one of the most common causes of failure. In a multi-tenant environment – even in a private cloud – with almost zero barriers to portability, we need to pay particular attention to where we manage keys. Three major components define the overall structure of an encryption system are: The data: The object or objects to encrypt. It might seem silly to break this out, but the security and complexity of the system are influenced by the nature of the payload, as well as where it is located or collected. The encryption engine: The component that handles the actual encryption (and decryption) operations. The key manager: The component that handles key and passes them to the encryption engine. In a basic encryption system all three components are likely to be located on the same system. As an example take personal full disk encryption (the built-in tools you might use on your home Windows PC or Mac): the encryption key, data, and engine are all stored and used on the same hardware. Lose that hardware and you lose the key and data – and the engine, but that is’t normally relevant. (Neither is the key, usually, because it is protected with another key that is not stored on the system – but if the system is lost while running, with the key is in memory, that becomes a problem). In a traditional application we would more likely break out the components – with the encryption engine in an application server, the data in a database, and key management in an external service or appliance. In cloud computing some interesting limitations force certain architectural models: As of this writing, we cannot typically encrypt boot instances the way we can encrypt the full disk of a server or workstation. So we have fewer options for where to put and how to secure our data. One risk to protect against is a rogue cloud administrator, or anyone with administrative access to the infrastructure, seeing your data. So we have fewer options for where to securely manage keys. Data is much more portable than in traditional infrastructure, thanks to native storage redundancy and data management tools such as snapshots. Encryption engines may run on shared resources with other tenants. So your engine may need special techniques to protect keys in live memory, or you may need to alter your architecture to reduce risk. Automation dramatically impacts your architecture, because you might have 20 instances of a server spin up at the same time, then go away. Provisioning of storage and keys must be as dynamic and elastic as the underlying cloud application itself. Automation also means you may manage many more keys than in a more static, traditional application environment. As you will see in the next sections when we get into details, we will leverage the separation of these components in a few different ways to compensate for many of the different security risks in the cloud. Honestly, the end result is likely to be more secure than what you use in your traditional infrastructure and application architectures. Share:

I almost didn’t write this post since it’s about iOS, and I about defending iOS security too much. Not that I think I’m biased, but I worry about being misinterpreted as an apologetic defender (I’m not – Apple still has security issues they need to work on, but iOS is in really good shape these days). That said, this piece by Erika Morphy over at Forbes is so horribly written, poorly researched, and miscast, that I cannot help myself. It could have been written about other platforms and I would have the same reaction. I know hammering ill-informed press is like tilting at windmills, but every now and then a guy just needs to let loose. The press likes to sensationalize security, and sometimes with good reason. But articles like this juxtapose incorrect information and cherry-picked quotes to scare users needlessly. They are the local news of the Internet, and we shouldn’t give them a pass. This piece is an excellent example of poor writing, and the analysis of why it’s garbage is just as relevant for any sensationalistic piece, whatever the subject, that lands in front of us. First some factual corrections: Kaspersky Labs reports that the first malware to specifically target Google’s Android mobile operating system has been discovered. No. It’s the first targeted attack using Android they’ve seen, not the first to target Android. Big difference. iOS was found to be the most vulnerable in a report by SourceFire. Wrong. Those are historical vulnerabilities, not current vulnerabilities. Big difference. That’s like lumping all Windows vulnerabilities since Windows 1.0 together to say Windows 8 is the most vulnerable platform out there. And vulnerabilities don’t equate to exploits. Raw, historical vulnerability counts are effectively meaningless for evaluating security on any platform. It is the rate of zero-day exploits, not vulnerabilities, that has everyone’s panties in a bunch. These two worlds-smugly complacent Apple users and an iOS apparently riddled with vulnerabilities-will surely collide sooner or later, probably sooner. Do I need to address this? Really? A factually incorrect ad hominem attack? Look at the rise of adware aimed specifically at Macs, which has been rising since the beginning of the year Damn. My Ford Escape was recalled, so I had better assume my Ford Explorer is dangerous. Movie trailer! Media player! I would have thought Mac users to be smarter than that, being one of them myself. Well, I do suppose this helps prove a point, but probably not the one you were trying to make. Share: