Search This Blog

Wednesday, 29 October 2014

Eliminate HTTP Man-In-The-Middle attacks with HSTS

The most prolific Internet Protocol (ok, maybe aside from mail) is HTTP, or common Web traffic, between end user browsers and web servers.  However, it is also one of the most insecure. Setting up a man-in-the-middle attack has been proven quite trivial, and leaves both the end user and the web service vulnerable to attack.


What this means in layman's terms, is that an attacker could set up a computer system in such a way that they pretend to be the website you are hoping to visit. Everything *looks* legitimate, and they pass your traffic back and forth to the real site, keeping copies of everything, including sensitive information.  They could potentially even alter information on your behalf. 

HTTPS, was born out of the need to secure Web transactions.  Basically it wraps standard HTTP traffic in an SSL/TLS tunnel, thus preventing  eavesdropping and tampering.

The problem is, that most web servers will initially establish an HTTP session, and if secure communications is required (ie: Banking, medical, personal information, etc..) then the web server will re-direct your browser to the HTTPS version. 

But even here, a cunning hacker could set up an SSL proxy using a  "self signed SSL certificate" and pretend to be the official site. You would connect to the HTTP version, the attacker would redirect you to THEIR SSL service, and then connect you with the official site. 

Many of you are now screaming at me:
"Modern browsers WARN the user that they do not trust Self Signed Certificates" 

The sad news is that most people ignore these warnings, do not read them fully and click through to accept the certificate.

HSTS: HTTP Strict-Transport-Security was developed to remediate this issue. It basically sends information from a web server to the users browser that FORCES an HTTPS secure connection the next and subsequent times that the user goes to that site.   Even if the user types HTTP:// and the site name, they are forced to the HTTPS variant.  ALSO, if the certificate is self signed, revoked, or expired, HSTS will terminate the session. 

A Web server configured for HSTS would supply a header over an HTTPS connection to the browser.  Current browsers are designed to understand and keep this header for future use. When the site is revisited, it will force a HTTPS redirection from the browser.  Also, if the certificate is untrusted, aconnection WILL NOT be established.

This HSTS Policy helps protect web traffic against eavesdropping and most man-in-the-middle attacks.

I highly recommend that you adopt HSTS for both your External as well as your Internal web servers to further reduce your threat landscape.


EITF: RFC6797 - HTTP Strict Transport Security (HSTS)
Configure HSTS (HTTP Strict Transport Security) for Apache/Nginx 
Hack Like a Pro: How to Conduct a Simple Man-in-the-Middle Attack
US CERT: Understanding Web Site Certificates
How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

Wednesday, 22 October 2014

CyberArk positioned to lead Industry in SSH key management practice

CyberArk, best known for it's Privileged Password Vault, and recent IPO success story has just announced a new product set.  At the 2014 CyberArk Customer Event held in Boston this week, they announced their new SSH key manager. (October 21st 2014)

"The CyberArk SSH Key Manager is designed to securely store, rotate and control access to SSH keys to prevent unauthorized access to privileged accounts."
Extending their already successful Enterprise Vault Infrastructure, CyberArk protects SSH keys with the highest level of security and granular control. Keys in the vault are encrypted, and managed in a fashion not unlike their Password Management Infrastructure.  Integrating SSH keys into this platform creates a one-stop-shop for Privileged Access Management on both Windows and UNIX/Linux platforms.

In January of 2013, CyberArk added Privileged Session Management for UNIX and Linux systems to their growing arsenal of Privileged Management tools. This led me to blog about the requirement to Treat Your Key Pairs Like Passwords!  It looks like they were listening...

Up until this week, there was only SSH.COM, with their Universal SSH Key Manager, and Venafi, with their Trust Authority SSH manager. 

 With the announcement of CyberArk's new SSH key manager, we now have an Enterprise holistic approach to Privileged User Account Management across the network.

CyberArk: SSH Key Manager
Infosec Musings: Treat Your Key Pairs Like Passwords!
IDC: A Gaping Hole in Your Identity and Access Management Strategy: Secure Shell Access Controls 
Networkworld: SSH key mismanagement and how to solve it 

Saturday, 18 October 2014

Know Your Threat Landscape - Standardized Security Threat Information (STIX & TAXII)

Over the years, many managed security service providers have been publishing variants of an external Threat Analysis in one form or another. Annual, Quarterly, Weekly, Daily, and live feeds are regular deliverables now from anyone who is anyone in the Security Industry.

Great news, right?  Well... sort of...

The fact is, that each of these service providers had their own proprietary naming conventions and threat report formats. This made it difficult for the consumer of these reports and feeds to understand what information was redundant, and what was really important.

Recently, however, many of these providers have banded together at the influence of the U.S. Department of Homeland Security (DHS) and Mitre Corporation. A community has formed, intent on standardizing not only the language used to to represent structured cyber threat information - Structured Threat Information Expression (STIX™) - but the transport mechanism used to distribute this cyber threat information as well, called Trusted Automated Exchange of Indicator Information (TAXII™).

By standardizing on the language and delivery of cyber threat information, clear and expeditious remediation can be put in place without wasting time wading through multiple vendor notifications. 

Links to the various Managed Security Service Providers Threat Intelligence.

IBM has X-Force 
  • IBM X-Force security professionals monitor and analyze security issues from a variety of sources, including its database of more than 76,000 computer security vulnerabilities, its global web crawler and its international spam collectors.

Symantec has DeepSight
  • Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of approximately 69 million attack sensors which record thousands of events per second.

CheckPoint has Threatcloud
  • ThreatCloud, the first collaborative security infrastructure to fight cybercrime. ThreatCloud dynamically reinforces Check Point Threat Prevention Software Blades with real-time threat intelligence derived from Check Point research, global sensors data, industry feeds and specialized intelligence feeds from the ThreatCloud IntelliStore.

Paolo Alto has Wildfire
  • WildFire offers a completely new approach to Cybersecurity, through native integration with Palo Alto Networks Enterprise Security Platform, the service brings advanced threat detection and prevention to every security platform deployed throughout the network, automatically sharing protections with all WildFire subscribers in about 15 minutes.

McAffee has GTI (Global Threat Intelligence)
  • McAfee Global Threat Intelligence (GTI) notices the anomalous behavior and predictively adjusts the website’s reputation so McAfee web security products can block access and protect customers. Then McAfee GTI looks out across its broad network of sensors and connects the dots between the website and associated malware, email messages, IP addresses, and other associations, adjusting the reputation of each related entity
Radware has Lancope StealthWatch
  • Lancope Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. 

F5 has IP Intelligence
  • F5® IP Intelligence incorporates external, intelligent services to enhance automated
    application delivery with better IP intelligence and stronger, context-based security. By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into the F5 BIG-IP® platform, adding context to policy decisions. IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic.

Cisco-Sourcefire has Talos
  • The Cisco Talos Security Intelligence and Research Group (Talos) is a group of elite cyber security experts whose threat intelligence detects, analyzes and protects against both known and emerging threats by aggregating and analyzing Cisco’s unrivaled telemetry data of billions of web requests and emails, millions of malware samples, open source data sets and millions of network intrusions. More than just a traditional response organization, Talos is a proactive member of your security ecosystem, working around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities with new rules, signatures, file analysis and security tools to better protect your organization.
Trend Micro - Security Intelligence
  • With Trend Micro at your side, you can safely navigate the changing cyber security landscape. We defend tens of millions of customers around the clock through a worldwide network of 1000+ threat researchers and support engineers committed to 24x7 threat surveillance and analysis, attack prevention and remediation, and educational tools to help you secure your data against cyber crime in this ever-changing digital world.

Kaspersky Labs -Threat Intelligence
  • Kaspersky Lab’s Security Intelligence Services constantly monitor the threat landscape, identifying emerging dangers and taking steps to defend and eradicate. Combining our world-leading knowledge of malware and cybercrime with a detailed understanding of our clients’ operations, we create bespoke reports that provide actionable intelligence for an enterprise’s specific needs.  Our intelligence services range from subscriptions to our global network insights, monthly threat analysis specific to your organisation, through to bespoke training and education programmes.

Arcsight has Reputation Security Monitor
  • Actively enforce and manage reputation-based security policies to help focus on those threats with most risk. By using frequently scheduled updates of reputation data, vetted by a global cadre of experts, HP RepSM detects communication with sites known to have bad reputations-preventing exfiltration of intellectual property and reducing business risk. In addition, you can proactively monitor and protect the reputation of your own enterprise by making sure company and partner web sites and assets are not found on the bad reputation list.

Microsoft is soon announcing  Interflow
  •  The new Interflow platform, based on Microsoft's Azure cloud service, is geared for incident responders and security researchers. "We needed a better and more automated way to exchange information with incident responders. That's how we started on a path developing this platform," says Jerry Bryant, lead senior security strategist with Microsoft Trustworthy Computing. "This allows for automated knowledge exchange."

Note:  Apologies if I've missed your favorite Internet Threat Analysis feed or report.  
Add a quick comment below, and I'll update this list if appropriate.

NetworkWorld: The International Security Community Should Embrace the STIX and TAXII Standards 
Networkworld: Symantec rolls out threat-intelligence sharing with Cisco, Check Point, Palo Alto Networks 
US-CERT: Information Sharing Specifications for Cybersecurity 
IBM X-Force Threat Intelligence
Infosec Institute: Reinventing Threat Intelligence
Large Organizations Need Open Security Intelligence Standards and Technologies Developing Cyber Threat Intelligence... 
Threat intelligence lifecycle maturation in the enterprise market 

Friday, 10 October 2014

Toronto based PCI Compliance upstart brings single solution to Voice-Web-POS

As published in

The standard Information Security mantra is to Protect Sensitive Data Where It Resides, but I posit that with the number of Security Breaches being publicized these days, we should quickly move to Remove Sensitive Data Where Not Required.

I know that I'm not new to this train-of-thought, but the cost of non-compliance is growing exponentially.  Financial Damage can be insured against... Reputational damage cannot.

In a previous article, I spoke about the need for complementing industry standard Encryption with a process called Tokenization. While encryption is intended to hide the actual data in a manner that is reversible, tokenization replaces the sensitive data with a tag or token, preserving only the format or schema of the data.

The Payment Card Industry has clearly stated that any piece of infrastructure that is accessible by network to those systems that either process or store PCI (Credit Card) Data are "in scope" for PCI compliance. This means that the scope an an annual compliance audit could essentially include every device on your network....

Many software companies have taken on portions of the tokenization challenge.  Originally, they provided API's and libraries for developers to embed tokenization into applications, or bootstrap tokenization onto existing applications.  These did little though to reduce the scope of your PCI compliance, and in many cases raised the complexity of the environment.

Next came the tokenization broker appliances, which were housed in your data center to communicate with your Point Of Sale and payment processing systems. Although this reduces scope and complexity of your PCI environment, it still leaves a large amount of your environment "in scope" for PCI, and the "crown jewels" were still onsite, albeit in a very robust data vault.

With a tokenization solution outsourced via a SaaS model, sensitive data such as credit card numbers are not stored in your system. There is nothing to obtain during a breach.  Full stop. Let someone else take on the burden of PCI compliance.

Toronto's own Blueline Data has taken on the challenge, by creating a novel tokenization gateway solution that not only covers your Web and Point Of Sale transaction systems, but your Telephony and Unified Communications Infrastructure as well. In fact, you can define any type of digital data sequence to be protected for SOX / HIPAA / OSFI  or any other regulatory requirement and tokenize it as well.  They call their strategy "Assurance through Deterrence". By removing the sensitive data from your environment, they deter would-be attackers from investing in Advanced Persistent Attacks to breach your environment.

The PCI-DSS covers 6 areas of protection with 12 Specific Requirements.  Blueline's unique offering covers 7 of these requirements, across 5 areas!

The Blueline environment itself, subject to PCI audit, complies with the DSS 3.0 requirements. It offers a unique and low-risk approach to protect your IT assets, such as financial records, intellectual property, employee details and data entrusted to you by customers or third parties. The combined benefit is the highest security and the lowest cost.

Their approach to format preserving and diskless tokenization at the perimeter, essentially creates a Zero Vector of Attack™ computing environment, which is easy to operate but not feasible to exploit.

I believe that their forward thinking initiative of providing tokenization services to non-traditional channels of data flow sets them aside from the competitors in this market.  I'm anxious to watch this company flourish amid the weekly disclosures of Sensitive Data Breaches.

From the Blueline Data Website:
Blueline Data Products and Services
  • Strategic Assessment – a review with your team to determine what Blueline Solutions would be most impactful with your business requirements and technology investments
  • Solution Services compliance delivery guidance and market insight (call center, financial services, healthcare, retail, etc.) 
  • Voice Gateway - encompasses security encryption around voice channels that send and receive sensitive data, to eliminate fraud by capturing, masking and encrypting confidential signaling information on the  path. The encrypted sensitive datagrams are securely rendered to allow fully protected  processing, eliminating the possibility of a call to get compromised.
  • Retail Gateway - offers integration with any point-of-sale (POS) device in a secure and compliant manner, and allows point-to-point encryption of client's personal information from any payment media. This applies to any transaction or function where a client is required to use a payment terminal for credit or debit card processing expected to integrate with the backend data repository. There is no need for manual card data entry for proof of identity, payment guarantee or other purposes.
  • Data Gateway - provides organizations with a single access point-of-presence to transaction services, such as secure banking and financial networks, mobile application payment delivery, or secure web bill presentment. It allows you centrally and uniformly govern all traffic of financial interest, whether it is exchanged between your partner organizations or with your clientele involved in the transaction flow.  Sensitive data transfer is fully protected to meet the highest security and privacy standards.
  • Data Vault - presents a conversion engine that takes any sensitive data element – whether it is SSN or SIN number, driver's license, credit or debit card, or patient record – and encrypts such information in a format-preserving manner.  The data is tokenized and optionally stored in a secure "digital vault" that you can access as you need, provided that sufficient privileges are presented.  It fully removes sensitive payment and personal information from your computing systems and digital media.

PCI Security Standards: Information Supplement: PCI DSS Tokenization Guidelines 
SANS: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data
Blueline Services: Data Tokenization 
Securosis: Understanding and Selecting a Tokenization Solution
Shift4: A detailed look at tokenization and it's Advantages over Encryption
TokenEX: Outsourcing Tokenization vs. On-Premise Data Security
Payment Card Industry (PCI) Data Security Standard
Protegrity Tokenization Securing Sensitive Data for PCI, HIPAA and Other Data Security Initiatives
Protegrity: Vaultless Tokenization
Protegrity: Vaultless Tokenization Fact Sheet.
Cybersource: Reducing PCI Compliance Scope: Take the Data Out
Intel: PCI DSS Tokenization Buyer’s Guide 

Saturday, 4 October 2014

The Demise of Excess Access - A eulogy for traditional VPN

(as published in
Once upon a time, in a world where mobile meant "laptop" or "remote home PC", Corporate network connectivity came in two flavours:  1) Dial-up modem, with it's clunky protocols and achingly slow speeds, and  2) Corporate VPN client over Internet. 

Internet VPN seemed like a godsend in comparison to Dial-up. Basically it's purpose was to provide a secure network connection between your remote PC/Laptop (the entire device) and your Corporate network. Whether old-school IPSec or the more recent SSL encapulation, the transport was secured. Username/password, and optionally a One Time password or Security Token would be used to provide Two Factor Authentication (2fa). 

Seems secure? Right?  I mean, authentication and transport security are covered.. what else is there?

Dynamic Access Policies were then created to define a set of rules, similar to firewall rules, that describe what applications (port/protocol) on the remote  users PC could talk to what servers/services in the data center.  

In general, this worked fine if there were less than a hundred employees in the company, you had no third party users, no application was ever upgraded, and nobody changed roles.

In practice, policies are defined loosely to allow for Convenience rather than Security. Realistically, large numbers of PC's have unfettered access to the corporate network, as if they were sitting at their desk.  (We'll get into THAT issue in a future blog.)
Well then we started worrying about Viruses, worms, trojans... basically Malware residing on the remote PC. What stops them from propagating into the corporate network? How do we know the end user has applied all the appropriate patches, and is running the most current AntiMalware (And that it's signatures are up to date!)?

Network Access Control was added to the VPN client to assess the endpoint (laptop or PC) and determine it's "security posture" based on patch status and running AntiMalware applications.

But this wasn't enough to satisfy the Audit or Risk departments, so you had to install Intrusion prevention appliances and network anti-malware inside the network to remediate anything that was missed on the endpoint... 

AND... we still have all those remote endpoints, with pretty much open access to our entire corporate network...

In the meantime...

As a result of the explosion of Tablets and smart phones, alternate solutions arose for many of the very services we require daily as part of our VPN dependency.  An entire industry arose to service BYOD or Bring Your Own Device. Tablets and Smart phones are managed through various means, but typically now applications running on those devices are segregated or "sandboxed" from one another to reduce the risk of eavesdropping and data capture.


The Future of Enterprise Remote Connectivity:

Today, there is absolutely NO REASON to use VPN for your Corporate Email service. All enterprise grade email clients utilize strong local authentication, integrate with industry standard Single Sign On, and use strong transport encryption.  Whether you are an Exchange/Outlook or Domino/Notes user, for this use case, VPN is merely a hindrance to productivity, and a complexity that costs your company both in Capex and Opex.

Similarly, there is absolutely NO REASON to use VPN for your Corporate VOIP or Instant messaging.  These services also integrate cleanly into Enterprise Single Sign On, and provide for secured, encrypted transport.

If you NEED, and I stress NEED, a corporate desktop, then there are many highly secure NON VPN solutions available, such as Microsoft's Remote Desktop GatewayCitrix Access Gateway, or VDI via VMWare's Horizon View.   Some Legacy Applications may still require this model for a few years to come. 

Are you using Cloud Services through VPN?   If you are using VPN to get to your corporate Cloud applications like SalesForce, SAP, Concur,ServiceNow, Microsoft Office 365, or Taleo, you are simply adding an extra network loop to an already secured connection. These services already use Enterprise Single Sign On, and provide for secured, encrypted transport.

Containerization technologies like Bromium will transform application development for the laptop environment, and allow Laptops to join the realm of Managed Devices in a Mobile Device Strategy.  Soon your Enterprise Mobile Application Management suite will package and manage apps for Windows and OSX as well as iOS, Blackberry and Android.  

Write Once, Run Anywhere has been a mantra used by vendors such as Oracle for well over a decade.  It is finally approaching a maturity level that will see it in action everywhere.  Most large applications today are being developed using frameworks that abstract the presentation layer, and allow the designers to write various "front ends" specific to the device, while the rest of the application is identical across platforms.

So aren't you just replacing one remote access solution with several niche appliances?
In a quick answer, sort of... Service specific appliances, such as SIP gateways provide a much more robust and secure means on managing this specific traffic, and many companies already have them in place for internal branch to branch connectivity.

I'm not suggesting that the future of remote connectivity is free and unfettered access to your Corporate Network.  Quite the opposite in fact.  I'm suggesting that 2/3 of what employees access today via traditional VPN, already has  BETTER and MORE SECURE means of connectivity through their native infrastructure, and that the remaining 1/3 is on track to be replaced with  technologies that will allow the remote applications to be secured on any device from phone to tablet to laptop.

In today's world of high profile Data Breaches, Zero Day Attacks, and  Significant Operating System vulnerabilities, we cannot allow the Excess Access that traditional VPN affords.

References: Death of VPN
VPN Clients are Dead in the Cloud 
The Evolution …. and Death of the VPN 
The Death of the VPN 

Microsoft Technet: Overview of Remote Desktop Gateway 
App Wrapping is A Form of Containerization 
Forrester: Containerization Vs. App Wrapping - The Tale Of The Tape