Monday, June 28, 2010

Cloud computing - White, Fluffy and Safe or a Hazy, Mysterious step into the Unknown? PART I

Cloud 101: The Basics

Cloud computing is clearly one of today’s most enticing technology areas and is currently one of the top buzzwords in the Hi-Tech industry. Cloud computing is not a new concept; most of us already use this technology on a daily basis through services like Hotmail, Gmail and Facebook. In the simplest of terms, cloud computing is IT-as-a-Service; rather than an organization building its own IT infrastructure to host databases or applications, this is done by a third party with large server farms. The organization then accesses its data and applications over the internet. In other words, under this new procurement model, IT becomes a utility, consumed like water or electricity.

Cloud computing is growing fast: according to Gartner, the market is currently worth about $2.4bn but is predicted to grow to $8.1bn by 2013. Several large companies have already partially adopted the ‘Cloud’ approach, including all of the top five software companies. More recently, business services provider Rentokil Initial has rolled out a cloud email solution to its 30,000 employees.

It’s not difficult to see the benefits of cloud computing and enthusiasts are quick to point out its key benefits:

Scalability: Organizations that have grown rapidly, perhaps through acquisitions, often struggle with the complexities required to develop a single coherent enterprise infrastructure. Furthermore, cloud systems are built to cope with sharp increases in workload and seasonal fluctuations. Take for example a tour operator who has to cope with a huge surge in demand during the summer months or a disaster recovery team that requires additional computing power to respond to a large scale emergency.

Cost Effective: Because IT providers host services for multiple companies, sharing complex infrastructure cuts costs and allows organizations to pay only for what they actually use.

Speed: Simple cloud services can be deployed rapidly and work ‘out of the box’. This is a great advantage for small emerging businesses that may need to establish a secure e-commerce website quickly. Equally, for more complex software and database solutions, cloud computing allows organizations to skip the hardware procurement and capital expenditure phase.

Mobility: Many companies today operate a geographically diverse workforce. Cloud services are designed to be used anywhere in the world, so organizations with globally dispersed and mobile employees can access their systems on the move.

However, despite the trumpeted business and technical advantages of cloud computing, many businesses have been relatively slow on the uptake. Major corporations that are cloud users are for the most part putting only their less sensitive data in the cloud. There appear to be significant concerns over certain aspects of cloud computing, including: reduced control and governance, regulatory requirements, excessive standardization, usability and fears over issues of connectivity.

However, without a shadow of a doubt the biggest area of concern is the impact on information security. Will corporate and customer data be safe? What about data protection and legal compliance requirements? What are the corporate risks involved in entrusting a single entity with the data of an entire organization?

To be continued...

Tuesday, June 15, 2010

The Social Networking Corporate Threat

Security Alert

As part of ongoing Comsec R&D, we have published an in-depth study on the effect of social networking on a corporate level.

Until now, studies have primarily focused on individuals' privacy and security when using social media channels. The threats that social media networks pose at a corporate level have largely been overlooked, and they are growing rapidly.

In this study, Comsec will demonstrate the relative ease of exploiting these networks to compromise a company's proprietary data and corporate assets.

The study "The Social Networking Corporate Threat" is available for download.

Sunday, June 13, 2010

Keep one eye on the ball and the other on the NET!

Cybercrime skyrockets in build up to FIFA World Cup as soccer fans fall victim to bogus websites, on-line fraud, Phishing and spam attacks.

With the FIFA World Cup due to kick off in just a few weeks' time, football fever is beginning to spread across the 32 nations involved in this year’s tournament. With more than 1 billion football fans around the world expected to tune in to cheer on their favorite teams, and tens of thousands of travelling fans, the football World Cup is undisputedly one of the greatest events on the sporting calendar.

This year the tournament will take place in South Africa, the first African nation ever to host the World Cup. In preparation, South Africa has made a number of large investments, including building five new stadiums, improving the public transport infrastructure and implementing special measures to ensure all aspects of safety and security are planned for.

Unfortunately, as with all global sporting events, cybercriminals have been targeting fans in order to gain large profits. With today's ease of purchasing entrance tickets, organized trips or merchandise online, cybercriminals do not have to exert too much effort in reaching their targets. A well-disguised link or website can lead unsuspecting victims to the predator. Filling out contact or credit-card details on bogus websites can easily result in the loss of money or even to identity theft.

As eager football fans desperately scour the internet to secure tickets to their dream match or to book that last hotel room, a plethora of fake websites have sprung up, all of which are more than happy to collect money from unwary fans. To date, FIFA has identified approximately 100 websites in violation globally; the majority are based in the US (approximately 32%), the UK (15%) and South Africa (15%).

Typically, attackers on the internet have tried and tested methods to defraud victims. These include attempting to compromise legitimate websites to gain sensitive information, or sending spam emails or SMS messages to users with the aim of persuading them to follow links to illegitimate websites where personal information is then harvested. Historically, phishing attacks have skyrocketed around major sporting events; prior to the previous FIFA World Cup in Germany, related spam increased by around 40% and over 4000 phishing hosts were discovered every month during the tournament build-up.

These shocking statistics are likely to be further exacerbated this year in South Africa as the country launches an expanded broadband network via two new undersea fibre-optic cables. In the past, threat reports have shown that launching such services causes an immediate rise in the threat level, as cybercriminals take advantage of breaches and vulnerabilities that arise from inadequate security. This has been seen in countries such as Brazil, Turkey, Egypt and Poland, and South Africa is likely to follow this trend once the new infrastructure is in place, providing cheaper, faster and widely available broadband services.

Comsec Consulting has experience working with large sporting organizations and those responsible for the organization of major international events to help assess and counter the risks associated with attacks from cybercriminals. With long-standing experience in this area, Comsec believes that three basic types of information attributes need to be protected around global events: Availability, Integrity and Confidentiality.

The availability of information can be compromised through denial-of-service attacks, where users are prevented from accessing legitimate websites. These types of attacks are very common around large-scale sporting events, resulting in lost orders for businesses offering goods and services online. They are likely to focus on FIFA and World Cup-related websites and may be politically motivated or kudos-related. In more extreme circumstances, cybercriminals may attempt to disrupt the broader World Cup infrastructure by targeting physical security systems/CCTV, mobile applications, transportation networks or ticket terminals.

Organizations also need to secure the integrity of their information, particularly confidential information provided by users accessing websites offering services and products relating to the event. Hackers will attempt to gain access to valuable information by compromising user accounts, and they may also be able to reach customer information held in the databases supporting these websites. These types of attacks are likely to be motivated by financial gain, as bank and credit card details can be stolen and sold for large sums of money. Organizations must also take measures to protect themselves from the insider threat, as statistically the majority of fraud-related incidents can be traced back to an employee.

The information security threats that global sporting events now attract can’t be ignored. Information security consultancy companies, such as Comsec, are often drafted in at the early planning stages to ensure that all aspects relating to information security are properly assessed, mapped and tested in preparation for a major event. As any national football coach will tell you, good preparation and planning is the key to success.

Wednesday, June 9, 2010

A Flash in the Pan?

By: Avi Bashan, Information Security Consultant

Just as we thought that the last aftershocks of the recent Flash debate between Apple and Adobe were yesterday's news, the Flash headlines endure. Last Friday Adobe announced a new critical vulnerability in Flash Player 9.0.262 and in earlier 10.0.x and 9.0.x versions. The vulnerability can potentially cause the Flash Player to crash and allow an attacker to take control of an affected system.

The vulnerability affects Adobe Reader and Acrobat 9.3.2 and the earlier 9.x versions as well. Adobe reported that the vulnerability is currently being exploited across the web. The security update for Flash Player is scheduled to be released on June 10th; as for the security update for Adobe Reader, we will have to wait until June 29th!

This brings us to the unavoidable question: was Steve Jobs right in his adamant anti-Flash stance? As we can recall, Jobs made several pointed remarks about Flash Player's security and stability. And as of now, Apple still refuses to incorporate Flash into its technology, notably the iPad and iPhone products.

Google, on the other hand, approaches the subject quite differently. Just recently Google announced, and even released, a new beta version of its popular mobile operating system Android (version 2.2), named Froyo. The system supports Flash 10.1; furthermore, the latest version of Google's popular browser Chrome adds Flash as a built-in feature.

The question still remains open, since as of today there is no real substitute for the Web 2.0 experience that Flash provides. That said, anyone who uses Flash should probably stop using it for now, or browse knowing full well the potential repercussions. If you can't forgo the Flash experience, it would be prudent to follow these mitigations for continued use of Flash until the patch is released. As for Acrobat Reader? It may be high time to start using one of the alternative free PDF viewers readily available on the web, for now at least.

Tuesday, June 1, 2010

The OWASP ASVS and SAMM Standards

By: Shay Zalalichin, CTO

Catch Shay's presentation on June 7th at InfoSec Israel 2010 - where he will be discussing "Privacy in the Modern Age - On Regulations, Challenges and Technology"!

Both the ASVS and SAMM standards are relatively little-adopted initiatives in the information security industry that have now received official OWASP project status.

ASVS stands for Application Security Verification Standard. It was created to define a standard terminology for measuring the security level of applications and products. Once everybody shares that terminology, an organization can buy software knowing that it is compliant with a specific pre-defined security level, and it can be sure of this because the software was verified against common, standard requirements. Where the verification is performed by an external vendor, the well-defined standard also makes it quite easy to benchmark the performance of different vendors against each other.

As can be seen from the picture below, the verification levels start from a very basic level of just using an automated tool for verification (e.g. a WebInspect scan) and rise to a higher level of manual Design Review and Security Code Review (such as CODEFEND™).

SAMM stands for Software Assurance Maturity Model and is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks the organization faces. The resources provided by SAMM can aid in:

• Evaluating an organization’s existing software security practices
• Building a balanced software security program in well-defined iterations
• Demonstrating concrete improvements for a security assurance program
• Defining and measuring security-related activities within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

The picture below shows the different activities within SAMM. Each activity can be performed at a different maturity level, giving organizations the flexibility to adapt the model to their own security requirements, budget, maturity, etc.

The ASVS is still a new initiative, as most organizations have not yet started implementing it, but it can be an excellent business driver for them: it aims to set a higher security level across the whole organization, which will help organizations communicate in a uniform manner (across departments and divisions) and with similar external bodies.

In addition, the ASVS requires Security Code Review, starting from a fully automated review (basic level) up to a combination of automated and manual review, which helps ensure the security posture of software. This is an important initiative, and one Comsec has been tackling with CODEFEND™.

As for SAMM, from our initial review it seems to be an excellent model that can assist organizations in integrating security within their development lifecycle, and in essence it is very similar to Comsec's in-house developed model. This is especially relevant for SMEs or organizations that lack the maturity to adopt a large-scale and comprehensive model such as the MS-SDL.

It’s important to understand that several similar initiatives and standards exist (e.g. MS-SDL, OWASP CLASP), but none of them has acquired enough industry adoption; hopefully these two standards will begin to change that, as the OWASP Top 10 has done.

Ask us about our services towards compliance with these initiatives:
CODEFEND™ Security Code Review • ASVS Gap Analyses • ASVS Product/System Reviews and Security Assessments (ASVS Certification) • ASVS Integration within SDL Policy • SAMM SDL Strategic Planning/Roadmaps • SDL SAMM Assessments • SDL SAMM Compliance