<b>InfoSec Musings</b> (<a href="http://www.blogger.com/profile/08314220993941772374" target="_blank">security-musings</a>)<br />
<h2>Cloud Access Security Broker (CASB) - The purpose of a forward proxy</h2>
<span style="font-size: small;">Posted 2017-09-12. First of several short articles on the feature sets of a typical Cloud Access Security Broker (CASB).</span><br />
<h2><b>The Forward Proxy:</b></h2>
<span style="font-size: small;">In a <a href="http://security-musings.blogspot.ca/2015/04/comparing-cloud-access-security-broker.html" target="_blank">Cloud Access Security Broker (CASB)</a>, a <a href="https://en.wikipedia.org/wiki/Proxy_server#Forward_proxies" target="_blank"><b>forward proxy</b></a> is an <a href="http://security-musings.blogspot.ca/2013/07/security-appliances-in-band-or-out-of.html" target="_blank">in-line</a>, real-time protection gateway service configured to handle network requests from a group of known clients (users and devices) to any external website and/or cloud service. These users and devices can be connecting from anywhere, either on the corporate network or across the Internet. The destination services are typically cloud based.</span><br />
<br />
<span style="font-size: small;">The CASB forward proxy is primarily a policy control. In its most basic, un-authenticated form it would simply apply policy enforcement to allow or deny access to specific sites and services on the Internet. This form of the service could be used to police the corporate "<a href="https://en.wikipedia.org/wiki/Content-control_software" target="_blank">Code of Conduct</a>" (i.e. "No corporate device is allowed to browse pornography, violence/hate, drugs, gambling, etc.") or to block access to cloud storage sites to reduce the risk of data loss.</span><br />
<br />
<div style="text-align: center;">
<b><span style="color: #333333; font-family: "q_serif" , "georgia" , "times" , "times new roman" , serif; font-size: small;">This however, is a very limited use case, and easily subverted. </span></b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-size: small;">Typically, you would configure the forward proxy to authenticate the endpoint (either the user, the device, or both) against your corporate directory. This can be done through Microsoft's <a href="https://technet.microsoft.com/en-us/library/cc733115(v=ws.11).aspx" target="_blank">ADFS (Active Directory Federation Services)</a> <b>or better</b> through a cloud identity provider such as <a href="http://www.okta.com/" target="_blank">Okta</a>, <a href="https://pingidentity.com/" target="_blank">Ping</a>, <a href="https://www.onelogin.com/" target="_blank">OneLogin</a> or <a href="https://centrify.com/" target="_blank">Centrify</a>.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #333333; font-family: "q_serif" , "georgia" , "times" , "times new roman" , serif; font-size: 14px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL0GHcTNb2zKj-RWOM4szoOEz58ecDpu9BKdnCwIzivQSBJK3a8esC5YqZjWOrIZ_KB0QzZCnWRPKd0G6Y-qTBGwWDabpZaBZVr4Xy73XIT0A1x_xkdMOxuR4_nA8GGoK3e1_6_5f8PFsi/s1600/CASB+Forward+Proxy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="613" data-original-width="960" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL0GHcTNb2zKj-RWOM4szoOEz58ecDpu9BKdnCwIzivQSBJK3a8esC5YqZjWOrIZ_KB0QzZCnWRPKd0G6Y-qTBGwWDabpZaBZVr4Xy73XIT0A1x_xkdMOxuR4_nA8GGoK3e1_6_5f8PFsi/s400/CASB+Forward+Proxy.jpg" width="400" /></a></span></div>
<div style="text-align: left;">
<span style="font-size: small;">For sites that are corporately sanctioned, you can manage, report and alert on the context of who visited the website or service, from where, on what device, and at what time. Any or all of these attributes can be used to modify access. For example, if a user is going to a specific service from an unknown device over public Wi-Fi, you may want to enforce <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication" target="_blank">two-factor authentication</a> and restrict file transfer.</span></div>
<div style="text-align: left;">
<span style="color: #333333; font-family: "q_serif" , "georgia" , "times" , "times new roman" , serif; font-size: small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: small;">For sites and services that are unknown or not corporately sanctioned (<a href="https://en.wikipedia.org/wiki/Shadow_IT" target="_blank">Shadow IT</a>), you may want to validate the type of service through URL/content filtering, and then allow access while logging verbosely.</span></div>
<div style="text-align: left;">
<span style="font-size: small;"><b>Scenario: with an authenticated forward proxy, you can say:</b></span><br />
<br />
<ul>
<li>This user is from accounting: these are the apps they should potentially be able to access.</li>
<li>This user is on a corporate laptop from within the corporate network: allow full access.</li>
<li>This user is on a corporate laptop on a public network (Starbucks or a hotel):
<ul>
<li>Enforce two-factor auth for these apps, and deny access to those other apps.</li>
</ul>
</li>
<li>This user is on a personal device on a public network:
<ul>
<li>Enforce two-factor auth for these apps, and deny access to those other apps.</li>
<li>Deny file transfer.</li>
</ul>
</li>
<li>etc...</li>
</ul>
<br />
<span style="font-size: small;">And of course the cloud identity provider would manage the credentials on the end service, so a direct connection that bypasses the proxy would be prohibited.</span><br />
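The scenarios above are, in effect, an ordered access policy evaluated against the context the identity provider asserts (user, group, device, network) plus the app the proxy sees. The following is an added example written for this article, not code from the original post or from any CASB vendor: a small, default-deny policy evaluator that turns the accounting / corporate-laptop / personal-device / shadow-IT cases into rules. The attribute names, app names and sample requests are constructed for illustration; a real CASB has its own policy language.

```javascript
// Added example, not code from the original post or any CASB vendor: a minimal
// context-aware access policy of the kind an authenticated CASB forward proxy
// enforces. The attribute names (user, group, device, network, app), the app
// names and the sample requests are all constructed for illustration.

const SANCTIONED_APPS = new Set(['erp', 'payroll', 'crm', 'email']); // constructed
const ACCOUNTING_APPS = new Set(['erp', 'payroll', 'email']);        // constructed
const PUBLIC_DENIED_APPS = new Set(['payroll']);                     // constructed

// Ordered rules: the first rule whose `when` matches the context decides.
// Each outcome says whether to allow, whether to step up to 2FA, and whether
// file transfer is permitted. Anything no rule covers falls through to deny.
const POLICY = [
  { name: 'accounting-scope',
    when: (c) => c.group === 'accounting' && !ACCOUNTING_APPS.has(c.app),
    then: () => ({ decision: 'deny', reason: 'app not in accounting app set' }) },
  { name: 'corp-device-corp-network',
    when: (c) => c.device === 'corporate' && c.network === 'corporate',
    then: () => ({ decision: 'allow', mfa: false, fileTransfer: true }) },
  { name: 'corp-device-public-network',
    when: (c) => c.device === 'corporate' && c.network === 'public',
    then: (c) => PUBLIC_DENIED_APPS.has(c.app)
      ? { decision: 'deny', reason: 'app blocked from public networks' }
      : { decision: 'allow', mfa: true, fileTransfer: true } },
  { name: 'personal-device-public-network',
    when: (c) => c.device === 'personal' && c.network === 'public',
    then: (c) => PUBLIC_DENIED_APPS.has(c.app)
      ? { decision: 'deny', reason: 'app blocked from personal devices' }
      : { decision: 'allow', mfa: true, fileTransfer: false } },
];

// Evaluate one proxied request. `ctx` is what the IdP asserted plus what the
// proxy observed: { user, group, device, network, app }.
function evaluate(ctx) {
  // No identity from the IdP: this is the basic un-authenticated mode the
  // post calls limited; a policy that needs context cannot run without it.
  if (!ctx.user) {
    return { rule: 'unauthenticated', decision: 'deny', reason: 'no authenticated identity' };
  }
  // Unknown / unsanctioned service (shadow IT): the post's approach is to let
  // it through after URL/content category checks (assumed done upstream) and
  // log verbosely so the app shows up in the unsanctioned-app review list.
  if (!SANCTIONED_APPS.has(ctx.app)) {
    return { rule: 'shadow-it', decision: 'allow', mfa: false, fileTransfer: true, log: 'verbose' };
  }
  for (const rule of POLICY) {
    if (rule.when(ctx)) {
      return { rule: rule.name, ...rule.then(ctx) };
    }
  }
  // Default deny: a context the policy author did not anticipate (for example
  // a personal device claiming to be on the corporate network) gets nothing.
  return { rule: 'default', decision: 'deny', reason: 'no matching rule' };
}

// Constructed sample requests, one per scenario in the post.
const SAMPLE_REQUESTS = [
  { user: 'alice', group: 'accounting', device: 'corporate', network: 'corporate', app: 'erp' },
  { user: 'alice', group: 'accounting', device: 'corporate', network: 'corporate', app: 'crm' },
  { user: 'bob',   group: 'sales',      device: 'corporate', network: 'public',    app: 'crm' },
  { user: 'bob',   group: 'sales',      device: 'personal',  network: 'public',    app: 'crm' },
  { user: 'bob',   group: 'sales',      device: 'personal',  network: 'public',    app: 'payroll' },
  { user: 'carol', group: 'sales',      device: 'personal',  network: 'public',    app: 'pastebin' },
];

function decideAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ user: r.user, app: r.app, ...evaluate(r) }));
}

for (const d of decideAll()) console.log(JSON.stringify(d));
```

The rule order matters: the department-scope rule sits first so that a corporate laptop on the corporate network still cannot reach an app outside its department's set, and the final default-deny is what turns "context we did not think of" into a safe outcome rather than full access.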
<br />
<h2>Typical Forward Proxy use cases:</h2>
<br />
<ol>
<li>Inspect content between the endpoint device (user) and the website/service for malicious activity.</li>
<li>Inspect content between the endpoint device (user) and the website/service for data leakage.</li>
<li>Enforce the corporate "Code of Conduct" via URL filtering.</li>
<li>Provide granular access control based on the "context" of the user's source device, network and time.</li>
<li>Provide a list of "<a href="https://en.wikipedia.org/wiki/Shadow_IT" target="_blank">un-sanctioned apps</a>" for security review.</li>
<li>Encrypt field-level/table-level data on the fly.</li>
<li><a href="http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html" target="_blank">Tokenize</a> field-level/table-level data on the fly.</li>
</ol>
<br />
<span style="font-size: small;">As an inline implementation, the forward proxy requires a method to direct (and enforce) traffic from the endpoint device through the proxy to the destination service. For a legacy on-premise proxy, we had a few options for redirecting traffic to the proxy:</span><br />
<ul>
<li>Typically, <a href="https://en.wikipedia.org/wiki/Proxy_auto-config" target="_blank">PAC (Proxy Auto Config) files</a> would be used. This was an intrusive configuration of the endpoint that could be easily bypassed by the user.</li>
<li>DNS "URL redirect" was also a good choice for redirecting "sanctioned applications" through the proxy to control/monitor that traffic.</li>
<li>Finally, an endpoint agent on the device could be used to control/redirect traffic. (Do not do this! Please!)</li>
</ul>
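To make the PAC option concrete, here is an added example written for this article (not code from the original post) of a proxy auto-config file that steers browser traffic through a forward proxy. The browser calls FindProxyForURL(url, host) for every request and obeys the string it returns. dnsDomainIs and isPlainHostName are built-ins of the browser's PAC runtime; they are re-declared with the same semantics only when absent so the file can also be unit-tested under Node. The proxy address and every domain listed are constructed for illustration.

```javascript
// Added example, not from the original post: a PAC (proxy auto-config) file
// that sends browser traffic through a forward proxy. dnsDomainIs and
// isPlainHostName are PAC runtime built-ins; the fallbacks below are used
// only when the file is loaded outside a browser (e.g. for testing).
// The proxy address and all domains are constructed for illustration.

var dnsDomainIs = (typeof dnsDomainIs === 'function') ? dnsDomainIs :
  function (host, domain) {
    // Same rule as the browser built-in: host ends with the domain string.
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
var isPlainHostName = (typeof isPlainHostName === 'function') ? isPlainHostName :
  function (host) { return host.indexOf('.') === -1; };

var CASB_PROXY = 'PROXY proxy.casb.example:8080';  // constructed proxy address

// Constructed lists. Sanctioned SaaS must always be seen by the CASB; the
// corporate domain is reached directly so internal traffic never hairpins.
var SANCTIONED_SAAS = ['.crm.example', '.mail.example', '.files.example'];
var CORPORATE_DOMAIN = '.corp.example';

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet short names and the corporate domain: no proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, CORPORATE_DOMAIN)) {
    return 'DIRECT';
  }

  // Sanctioned cloud apps: proxy only, with no DIRECT fallback. If the proxy
  // is unreachable the app is unreachable too (fail closed), so an outage
  // cannot silently turn into unmonitored access.
  for (var i = 0; i < SANCTIONED_SAAS.length; i++) {
    if (dnsDomainIs(host, SANCTIONED_SAAS[i])) {
      return CASB_PROXY;
    }
  }

  // Everything else (unknown sites, possible shadow IT): through the proxy for
  // URL/content filtering and verbose logging, but fail open to DIRECT so a
  // proxy outage does not take general browsing down. That trade-off is a
  // policy decision; drop '; DIRECT' to fail closed here as well.
  return CASB_PROXY + '; DIRECT';
}
```

Two points the file makes visible: the "; DIRECT" suffix is a fail-open choice that a reviewer should look for in any PAC, and the whole mechanism runs on the endpoint, so anyone able to change the browser's proxy settings simply turns it off. That is the bypass the post refers to, and the reason the IdP-driven SAML redirect described below is the preferred approach.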
<div>
Most CASB providers today rely on the <a href="https://en.wikipedia.org/wiki/Single_sign-on" target="_blank">Single Sign On</a> <a href="https://en.wikipedia.org/wiki/Identity_provider" target="_blank">Identity Provider (IdP)</a> that authenticated the end user to provide a <a href="https://en.wikipedia.org/wiki/SAML_2.0" target="_blank">SAML</a> redirect to the CASB forward proxy service. This also allows the identity provider to add "context" to the interaction: "Michael is authenticating after standard work hours with his corporate credentials, on a corporate device with a valid certificate, from what appears to be a home network".</div>
<br />
<span style="font-size: small;"><b>Next up: Cloud Access Security Broker (CASB) - The purpose of a reverse proxy</b></span><br />
</div>
<h2 style="text-align: left;">References:</h2>
<div style="text-align: left;"><a href="http://security-musings.blogspot.ca/2015/04/comparing-cloud-access-security-broker.html" target="_blank">Security Musings: Comparing Cloud Access Security Brokers</a></div>
<div style="text-align: left;"><a href="http://security-musings.blogspot.ca/2013/07/security-appliances-in-band-or-out-of.html" target="_blank">Security Musings: Security Appliances, In-band or Out of Band?</a></div>
<div style="text-align: left;"><a href="https://en.wikipedia.org/wiki/Proxy_server#Forward_proxies" target="_blank">Wikipedia: Forward Proxy</a></div>
<div style="text-align: left;"><a href="http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy" target="_blank">JScape: Forward Proxy vs Reverse Proxy</a></div>
<div style="text-align: left;"><a href="https://docs.microsoft.com/en-us/iis/extensions/configuring-application-request-routing-arr/creating-a-forward-proxy-using-application-request-routing" target="_blank">Microsoft: Creating a Forward Proxy Using Application Request Routing</a></div>
<div style="text-align: left;"><a href="http://www.unixhops.com/apache-reverse-proxy-forward-proxy/" target="_blank">Unixhops: Apache Reverse Proxy &amp; Forward Proxy</a></div>
<div style="text-align: left;"><a href="https://en.wikipedia.org/wiki/Active_Directory_Federation_Services" target="_blank">Wikipedia: Active Directory Federation Services</a></div>
<div style="text-align: left;"><a href="https://www.agileit.com/news/okta-vs-ad-fs-cloud-identity-solutions/" target="_blank">AgileIT: Okta vs. AD FS, Evaluating Both Cloud Identity Solutions</a></div>
<div style="text-align: left;">
<br />
<h2>CASB Providers:</h2>
<a href="http://bitglass.com/" target="_blank">Bitglass</a><br />
<a href="http://netskope.com/" target="_blank">Netskope</a><br />
<a href="http://skyhighnetworks.com/" target="_blank">Skyhigh</a><br />
<a href="http://cyphercloud.com/" target="_blank">CipherCloud</a><br />
<a href="http://cloudlock.com/" target="_blank">Cisco Cloudlock</a><br />
<a href="http://forcepoint.com/" target="_blank">Websense Forcepoint</a><br />
<a href="http://vaultive.com/" target="_blank">Vaultive</a><br />
<a href="https://www.microsoft.com/en-ca/cloud-platform/cloud-app-security" target="_blank">Microsoft Adallom</a><br />
<a href="https://www.microsoft.com/en-ca/cloud-platform/cloud-app-security" target="_blank">Symantec (Perspecsys / Elastica)</a><br />
<a href="http://zscalar.com/" target="_blank">Zscaler</a><br />
<a href="https://www.paloaltonetworks.com/products/secure-the-cloud/aperture" target="_blank">Palo Alto Networks</a><br />
<br /></div>
<h2>Can our Managed SIEM providers please get their heads out of the 90's?</h2>
<span style="font-size: small;">Posted 2017-08-24.</span><br />
<br />
<h2><b>rant mode on</b></h2>
<span style="font-size: x-small;">(I had tried standard &lt;&gt; tags, and the CMS tried to process them! LOL)</span><br />
I've been a customer of <a href="https://en.wikipedia.org/wiki/Security_information_and_event_management" target="_blank">SIEM </a>
(Security Incident and Event Monitoring) for about 30 years (cough), and
have never had a <b>"good"</b> customer experience. <br />
<br />
SIEM
are complex (and expensive) systems that closely integrate with every
server/appliance/network device on the floor, and try to make sense of
the data flowing through to identify security concerns. This data is
typically formatted proprietary to the vendor of the source product. <br />
<br />
When
a vendor wants to implement SIEM in your infrastructure, for each
server they enroll, the vendor asks about "<a href="http://blogs.gartner.com/anton-chuvakin/2015/10/27/siem-use-cases-and-other-security-monitoring-use-cases-too/" target="_blank">use cases</a>", or the set of rules that define what types of security events you should care about. <br />
<blockquote class="tr_bq">
<b>"Mr Customer, how many failed login attempts do you want to capture before we alert you?"</b></blockquote>
<br />
As a customer, how the hell should I know? What's the industry norm? You're the SIEM expert, tell me what your other customers are doing! This approach has stifled progress/uptake in the industry. SIEM is typically implemented grudgingly as an audit checkbox. <br />
<blockquote class="tr_bq">
<b>"Ok, yes, we have SIEM, and things are reporting to it... CHECK... Next..."</b></blockquote>
This is a very expensive and time consuming effort to acquire a check box, but this is also how the vendors are selling it. Compliance sells products.<br />
<br />
There is so much more that SIEM can and should do, like correlating firewall sessions with <a href="https://en.wikipedia.org/wiki/Endpoint_security" target="_blank">EndPoint Protection</a> alerts, identifying patterns (anomalies) in VPN users' activities, or alerting on movement of data between rogue cloud applications (<a href="https://en.wikipedia.org/wiki/Shadow_IT" target="_blank">shadow IT</a>)... but those tasks take planning and scripting skills: time and budget that an average Information Security team does not have. So the tools get put in to fill the checkbox, and all of the capabilities they have sit idle. (I hear you out there... prove me wrong, tell me YOUR good news story!)<br />
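What "correlating firewall sessions with EndPoint Protection alerts" and the "how many failed logins" question actually look like as rules is easier to see in code than in a vendor questionnaire. The following is an added example written for this article, not code from the original post or from any SIEM product: two small correlation rules run over a handful of constructed log lines. The log format (timestamp, source, event kind, key=value pairs), the hosts, addresses, users and thresholds are all invented for illustration.

```javascript
// Added example, not code from the original post or any SIEM product: two of
// the use cases the post says SIEM should be doing, run over constructed log
// lines. Format, hosts, addresses, users and thresholds are all invented.

const LOG_LINES = [
  // Constructed: firewall sessions from one workstation, then an EPP alert on it.
  '2017-08-24T13:00:10Z fw session src=10.1.2.33 dst=203.0.113.10 dport=443 bytes_out=524288',
  '2017-08-24T13:01:05Z fw session src=10.1.2.33 dst=198.51.100.7 dport=8443 bytes_out=31457280',
  '2017-08-24T13:02:10Z epp alert host=WS-0412 ip=10.1.2.33 sig=Trojan.Generic action=quarantined',
  // Constructed: an EPP alert with no nearby firewall activity (stays low priority).
  '2017-08-24T13:05:00Z epp alert host=WS-0099 ip=10.1.5.8 sig=PUA.Toolbar action=cleaned',
  // Constructed: a session from the same host, but outside the correlation window.
  '2017-08-24T13:20:00Z fw session src=10.1.2.33 dst=203.0.113.10 dport=443 bytes_out=2048',
  // Constructed: five failed logins in four minutes, then a success.
  '2017-08-24T13:30:00Z auth fail user=mjones src=10.1.2.33',
  '2017-08-24T13:31:00Z auth fail user=mjones src=10.1.2.33',
  '2017-08-24T13:32:00Z auth fail user=mjones src=10.1.2.33',
  '2017-08-24T13:33:00Z auth fail user=mjones src=10.1.2.33',
  '2017-08-24T13:34:00Z auth fail user=mjones src=10.1.2.33',
  '2017-08-24T13:34:30Z auth ok user=mjones src=10.1.2.33',
  // Constructed: two failures hours apart, which is not a burst.
  '2017-08-24T09:00:00Z auth fail user=akim src=10.1.7.2',
  '2017-08-24T12:00:00Z auth fail user=akim src=10.1.7.2',
];

// Parse "<timestamp> <source> <kind> k=v k=v ..." into a flat event object.
function parseLine(line) {
  const [ts, source, kind, ...rest] = line.trim().split(/\s+/);
  const fields = {};
  for (const kv of rest) {
    const i = kv.indexOf('=');
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return { ts: Date.parse(ts), source, kind, ...fields };
}

const MINUTE = 60 * 1000;

// Use case 1: an EPP alert on a host matters more when the firewall shows
// that host talking outbound around the same time. Join the two feeds on the
// host IP within a +/- window and keep only alerts that have such sessions.
function correlateEppWithFirewall(events, windowMs = 5 * MINUTE) {
  const sessions = events.filter((e) => e.source === 'fw' && e.kind === 'session');
  return events
    .filter((e) => e.source === 'epp' && e.kind === 'alert')
    .map((alert) => ({
      host: alert.host,
      signature: alert.sig,
      sessions: sessions
        .filter((s) => s.src === alert.ip && Math.abs(s.ts - alert.ts) <= windowMs)
        .map((s) => `${s.dst}:${s.dport}`),
    }))
    .filter((hit) => hit.sessions.length > 0);
}

// Use case 2: the "how many failed logins" question, answered as a sliding
// window rather than a bare count: N failures for one user within W minutes.
function failedLoginBursts(events, threshold = 5, windowMs = 10 * MINUTE) {
  const byUser = new Map();
  for (const e of events) {
    if (e.source !== 'auth' || e.kind !== 'fail') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.ts);
  }
  const alerts = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        alerts.push({ user, failures: end - start + 1, firstTs: times[start], lastTs: times[end] });
        break; // one alert per user per burst is enough here
      }
    }
  }
  return alerts;
}

function runRules(lines = LOG_LINES) {
  const events = lines.map(parseLine);
  return { eppHits: correlateEppWithFirewall(events), loginBursts: failedLoginBursts(events) };
}

console.log(JSON.stringify(runRules(), null, 2));
```

The point of the second rule is that the threshold question only has a sensible answer together with a window; five failures spread over a day and five in four minutes are different events, and a baseline tuned on similar customers (the approach described later in the post) is exactly a choice of threshold and window.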
<br />
Another typical issue with implementing SIEM is scaling/sizing of the SIEM infrastructure itself. The vendors usually define the size of your SIEM based on incoming "<a href="https://qradarinsights.com/2013/12/04/qradar-sizing-determining-eps/" target="_blank">events per second</a>". There are <a href="http://www.buzzcircuit.com/guessing-game-planning-sizing-siem-based-on-eps/" target="_blank">many calculators</a> out there to help you determine size, but they don't tell you that a) this is a best case scenario, or b) EPS depends entirely on <a href="https://www.alienvault.com/blogs/security-essentials/what-kind-of-logs-for-effective-siem-implementation" target="_blank">what you CHOSE TO LOG</a>!<br />
<br />
It's a rare event that you buy too much SIEM for your requirements. SIEM is expensive, and most of us will err on the side of budget.... and then find out we spec'ed 3-4 times smaller than required.<br />
<br />
<h2>
<b>rant mode off</b></h2>
<br />
<br />
<b>So let me tell you a little story now of my most recent experience that turned all this on its head:</b><br />
<br />
There's a little "<a href="https://www.gartner.com/doc/3314023/market-guide-managed-detection-response" target="_blank">Managed Detection and Response</a>" company, <a href="http://www.esentire.com/" target="_blank">eSentire</a> out of <a href="https://www.google.ca/maps/place/eSentire+Inc./@43.4132851,-80.3118051,14z/data=!4m5!3m4!1s0x882b885e80a04e29:0x9a958501fbfffa4e!8m2!3d43.4141268!4d-80.3026498?hl=en" target="_blank">Cambridge, Ontario</a>, that I had seen at several trade shows. Fatigued by vendors proclaiming that their product/service was better than the next coming of Christ, I had watched them warily, but had heard good news from all sources.<br />
<br />
I had an opportunity at one of my clients to replace a very non-functional implementation of <a href="https://saas.hpe.com/en-us/software/siem-security-information-event-management" target="_blank">Arcsight</a> that one of Toronto's finest managed security providers had failed to deliver appropriately. (I'll just leave that there)<br />
<br />
We looked at possible opportunities for bringing SIEM back in-house, as well as talked to about a dozen Managed Security Service Providers, and the daunting conversation of use cases kept coming up time after time. Vendors would ask us what we wanted to monitor, how many, how long, what's the alerting criteria, blah blah blah... (insert Charlie Brown adults talking here)<br />
<br />
In the mix, we had eSentire come in and present. I had prepared my VP of IT and director of Security Operations as to the types of questions we would encounter, and typical responses regarding EPS per logging device, and use cases based upon product.<br />
<br />
<b>eSentire took the conversation in a completely new direction:</b><br />
<br />
<blockquote class="tr_bq">
<b>Us: </b> "Ok, tell us what we need to provide for use cases, and possibly some guidance on what makes sense...."<br />
<br />
<b>eSentire: </b> "We looked at your company, it's size, and market space. We have dozens of similar customers as you. Do you think your use cases might differ much from theirs?"<br />
<br />
<b>Us:</b> "Ummm... no... probably not."<br />
<br />
<b>eSentire:</b> "Good, we can start there as a baseline, and monitor, next?"<br />
<br />
<b>Us:</b> "Ok, what about Events Per Second, and storage?" <br />
<br />
<b>eSentire:</b> "Based on existing customers, and the list of systems you want to integrate, we'll put a log collector in your infrastructure and monitor and manage its capacity."<br />
<br />
</blockquote>
That was nine months ago. We signed up almost immediately, and the full implementation was a few weeks (not the typical 12-18 months I'm used to with those other systems). We were getting reports daily, weekly, monthly, that made sense, and had executive presentations that I could actually take to my management.<br />
<br />
We've also signed up for and are very happy with their <a href="https://www.esentire.com/what-we-do/managed-detection-and-response/esnetwork/" target="_blank">Network Interceptor</a> (Managed Intrusion Prevention) and <a href="https://www.esentire.com/what-we-do/managed-detection-and-response/esrecon/" target="_blank">Continuous Vulnerability Assessment</a> services.<br />
<br />
<b>Resources:</b><br />
<br />
<a href="http://blogs.gartner.com/anton-chuvakin/2015/10/27/siem-use-cases-and-other-security-monitoring-use-cases-too/" target="_blank">Gartner: SIEM Use Cases</a><br />
<br />
<a href="http://www.esecurityplanet.com/products/top-siem-products.html" target="_blank">eSecurity Planet: Top SIEM products</a><br />
<br />
<a href="https://www.alienvault.com/blogs/security-essentials/what-kind-of-logs-for-effective-siem-implementation" target="_blank">Alienvault: What kind of logs do you need for an effective SIEM?</a><br />
<br />
<a href="https://www.gartner.com/doc/3314023/market-guide-managed-detection-response" target="_blank">Gartner: Managed Detection and Response Companies</a><br />
<a href="https://www.esentire.com/what-we-do/managed-detection-and-response/" target="_blank">eSentire: Managed Detection and Response</a><br />
<br />
<a href="https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-management-siem-34755" target="_blank">SANS: Benchmarking SIEM</a> <br />
<a href="http://eromang.zataz.com/2011/04/12/why-and-howto-calculate-your-events-per-second/" target="_blank">Why and How to calculate Events per Second</a><br />
<a href="http://content.solarwinds.com/creative/pdf/Whitepapers/estimating_log_generation_white_paper.pdf" target="_blank">Solarwinds: Estimating Log Generation</a><br />
<a href="https://qradarinsights.com/2013/12/04/qradar-sizing-determining-eps/" target="_blank">Qradar: Sizing, Determining Events Per Second</a><br />
<a href="http://www.buzzcircuit.com/guessing-game-planning-sizing-siem-based-on-eps/" target="_blank">A good EPS sizing chart and writeup from Buzzcircuit</a><br />
<a href="https://www.emc.com/collateral/guide/11020-rsa-siem.pdf" target="_blank">EMC/RSA: SIEM guide (PDF)</a><br />
<br />
<a href="https://saas.hpe.com/en-us/software/siem-security-information-event-management" target="_blank">Arcsight: Enterprise Security Manager</a><br />
<br />
<br />
<h2>Canada 150, and Canadian Innovation.</h2>
<span style="font-size: small;">Posted 2017-06-29.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjltGWsVaBBGBhpwy9Zy0XdTjFlA1wf70oKf0oBh0ud2haNiNq_ytJbgA4jy4_aTtgcrSCnm0ruIbvKkPNci4k-bvrp7YyWAPJ72xaFp2_mub-GaA27c-0R6WpY4lkdNFwr2pRNdoEVUED2/s1600/canadaflag.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1063" data-original-width="1600" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjltGWsVaBBGBhpwy9Zy0XdTjFlA1wf70oKf0oBh0ud2haNiNq_ytJbgA4jy4_aTtgcrSCnm0ruIbvKkPNci4k-bvrp7YyWAPJ72xaFp2_mub-GaA27c-0R6WpY4lkdNFwr2pRNdoEVUED2/s320/canadaflag.jpg" width="320" /></a></div>
<div class="MsoNormal">
Canada has a long legacy of innovation and prosperity. We
have blazed technology trails in every aspect of life, from agriculture to
medicine and health care, communications to manufacturing, transportation to
space travel, finance to renewable energy.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I started my career as an electronics technician under the
Industrial Research Assistance Program at the <a href="http://www.nrc-cnrc.gc.ca/eng/irap/index.html" target="_blank">Canadian National Research Council</a>. My role was to go in to young startup
companies, and provide technical assistance getting their technology dreams
built, tested, and ready for market.</div>
<div class="MsoNormal">
Today, this program actively helps Canadian entrepreneurs
innovate through grants, advisory services, networking, youth employment, staff
augmentation, while providing technical assistance in various fields. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Looking backwards to see forward, Canada has a great
opportunity to remain a global leader in innovation and technology. There is a wealth
of diverse companies, both entrenched and new, taking on the challenge of
automating, managing, and accommodating all aspects of our lives. I’ll outline just a few of those technologies
here.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Healthcare:<o:p></o:p></b></div>
<div class="MsoNormal">
The Canadian Healthcare System is respected worldwide, both
for its ability to efficiently and effectively care for individuals as well as
its history of innovations. Leveraging
the rapid advances in “Internet of Things (IoT)” technology and infrastructure,
Canadian health research facilities have become world leaders in the innovation
of wearable devices to help track and monitor patient outcomes. With these devices monitoring vital aspects
of a patient’s health and recovery, a physician can both be better informed
upon arrival of the patient, reducing wait and visitation times, as well as
analyzing appropriate remediation strategies.
Canadian-made wearable devices will become a normal part of our standard
healthcare regime. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Alongside wearable monitoring devices, IoT technology
has spurred a number of Canadian innovators to launch “assistive device”
products. These range from smart
technology for wheelchairs, to adaptive prosthetics, to GPS tracking and
guidance for the blind. The Canadian
imagination is boundless, and as our population ages, these devices will become
more prevalent.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Finance:<o:p></o:p></b></div>
<div class="MsoNormal">
Blockchain technology may be new to most of us, but it is revolutionizing
the way the banking industry works. In
fact, any industry that relies on transactional integrity could benefit from
blockchain’s ledger-based technology. Many
of us are familiar with, or at least have heard of, “bitcoin”, which is the
grandfather of blockchain currencies. Ethereum is another up-and-coming
blockchain currency attracting international interest. Recently, the <span style="background: white;">Enterprise Ethereum Alliance included the National Bank
of Canada as one of 86 new members that will work together to develop business
applications on the Ethereum blockchain.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Renewable Energy:<o:p></o:p></b></div>
<div class="MsoNormal">
There are more than a thousand Canadian companies currently
innovating in the clean or renewable energy market, employing more than 50,000
people across the country. From the
staples of solar and wind, to deep-water stores of compressed air, geothermal
heating and electricity, and the manufacture of lithium-ion batteries, we are
making our mark on the global stage.
Much of this is thanks to <span style="background: white;">“<a href="https://www.sdtc.ca/" target="_blank">Sustainable Technology Development Canada</a>”, which is the largest
single clean-tech fund in the world. It has seeded more than 200 clean-tech
projects through grant funding of more than $600 million. Renewable energy is a
cultural shift that is well under way within Canadian homes and businesses, and
we are going to continue to be at the forefront for decades to come.</span></div>
<div class="MsoNormal">
<span style="background: white;"><br /></span></div>
<div class="MsoNormal">
<b>Agriculture:<o:p></o:p></b></div>
<div class="MsoNormal">
Over the past two decades, Canada has taken a strong lead in
modernizing and automating agriculture. With the prevalence and low cost of
industrial sensors for things like moisture level, sunlight, pH level, soil
nutrients, etc., Canadian researchers have been able to greatly increase crop
yields across the industry. This technology has been transferred down to the
hands of local farmers, who are able to automate aspects of their farms such that
they not only increase yield but can also direct and reduce water consumption and
cost. Through monitoring and automation, crops can be grown in
areas that were previously unmanageable. Canada is also setting examples of how to use
industrial sensors to monitor and manage livestock health and food consumption.
This is an area in which we will continue to be world leaders.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Smart Cities:<o:p></o:p></b></div>
<div class="MsoNormal">
Continuing on the Industrial Internet of Things theme,
Canada is also a leader in innovation in monitoring and managing all aspects of
transportation and buildings in today’s smart cities. Cities across Canada are
collaborating on means to provide cleaner, more efficient home and work spaces
for their inhabitants. We are
researching ways to use industrial sensors to monitor and more efficiently
manage heating and cooling within residential and commercial buildings. We are also developing ways to monitor and
reduce emissions from these buildings.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Through the use of sensors under the pavement, on lamp
posts, and cameras at intersections, we are researching ways to better identify
traffic patterns across the city, and adjust intersection lights for more
efficient travel times and greater safety for both vehicles and
pedestrians. <o:p></o:p></div>
<div class="MsoNormal">
There are also Canadian innovations being developed in
street lighting to greatly reduce power consumption, and reduce environmental
impact on wildlife. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Space Exploration:<o:p></o:p></b></div>
<div class="MsoNormal">
We are all too familiar with the Canadarm that
assisted the NASA space shuttle program for two decades and now
works diligently on the International Space Station. Did you know that Canada
has a burgeoning space program too? In
2016, the Canadian Government committed to extend Canada’s participation in the
ISS program and provide opportunities to develop leading-edge space
technologies. Up to $379 million will be earmarked for this program over the
next eight years.</div>
<div class="MsoNormal">
Six Canadian Astronauts have served eight missions aboard
the International Space Station, and in 2018, David Saint-Jacques will become
the next Canadian astronaut to take part in a long-duration mission aboard the
ISS.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The University of Guelph’s Mike Dixon and his team are
working on “biological life support” systems. This research will help sustain
long-term human exploration of distant planets by finding ways to grow plants
inside greenhouses with techniques that could one day allow us to grow crops on
the moon or Mars.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Canada has long partnered with the US on the development of
satellite communications technology. Our
first Canadian satellite, Alouette 1,
was launched by NASA on September 29, 1962. Companies such as de Havilland,
Spar Aerospace, and Telesat Canada spurred on the innovation across the past
several decades. Now, the torch has been picked up by several Canadian startups
that are developing very small format satellites for such purposes as
monitoring forestation and environmental changes, or providing imaging services
for commercial planning.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: center;">
<b><span style="font-size: large;">We Canadians are a country of dreamers, and we dream big. The
future of Canadian Innovation will not dull.<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
<br /></div>
security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com0tag:blogger.com,1999:blog-6954236093826966251.post-91258577982792527312016-09-27T10:22:00.001-04:002016-09-28T08:24:32.412-04:006 steps to protect yourself from the Yahoo email breach!<br />
<br />
<br />
<div style="border-image: none; margin: 0cm 0cm 0pt;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-U1lraddx8k39LXU4b29sglEswbRZEEBVt8YElHCXG5ik2qOfpq-MbJVNCCIVmrs6ZOOLAZ4oRd2DQnOVbS5KMOowmFkyzzUZY5jzKwCAFv_T6A188xUtyhfYsXWrHqFLADoKPe7II044/s1600/password-meme.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-U1lraddx8k39LXU4b29sglEswbRZEEBVt8YElHCXG5ik2qOfpq-MbJVNCCIVmrs6ZOOLAZ4oRd2DQnOVbS5KMOowmFkyzzUZY5jzKwCAFv_T6A188xUtyhfYsXWrHqFLADoKPe7II044/s320/password-meme.jpg" width="320" /></a><span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";">Last Thursday (09/22/16), <a href="http://yahoo.com/" target="_blank">Yahoo</a> admitted to the largest email
provider breach in history. The breach, which happened in 2014, consisted
of the account information of at least 500 million users and included names,
email addresses, encrypted passwords, and even security questions.</span></span></div>
<br />
<br />
<div style="margin: 0cm 0cm 0pt;">
<span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";"> </span></span><span style="font-family: "calibri";"><b><span lang="EN" style="color: #404040; font-size: 14pt;">According to reports, as many as 2.1 million <a href="http://rogers.ca/" target="_blank">Rogers Communications</a> customers could be affected</span></b><span lang="EN" style="color: #404040; font-size: 14pt;">, as Rogers uses
Yahoo as their underlying email provider.</span></span></div>
<br />
<br />
<div style="margin: 0cm 0cm 0pt;">
<span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";">Even though the breach itself happened in 2014, we urge
you to take the time to protect yourself from this event. Since 2013, <a href="https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/" target="_blank">360 million MySpace accounts</a>, <a href="http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html" target="_blank">167 million LinkedIn accounts</a>, and <a href="http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/#5d0270b13c15" target="_blank">145 million eBay accounts</a> have also been compromised.</span></span></div>
<br />
<br />
<br />
<br />
<div style="margin: 0cm 0cm 0pt;">
<span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";">Human nature has us using the same or similar passwords
across all of our various online sites, whether they be social media, retail,
email, or banking. As convenient as this is, it opens us up to fraud
and theft by these hackers.</span></span></div>
<br />
<br />
<br />
<br />
<div style="margin: 0cm 0cm 0pt;">
<b><span lang="EN" style="color: #404040; font-size: 20pt;"><span style="font-family: "calibri";">Take these six simple steps to protect yourself now: </span></span></b></div>
<br />
<br />
<div style="margin: 0cm 0cm 0pt;">
<span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";"> </span></span><b><span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";">Change your online
passwords now! </span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: #404040; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span lang="EN" style="color: #404040; font-size: 14pt;">Remember that length and complexity are the
easiest protection. Use at least 8 characters, and mix numbers and
letters. </span></div>
</li>
</ul>
<b><span lang="EN" style="color: #404040; font-size: 14pt;"><span style="font-family: "calibri";">Use different passwords
for your banking, email, and social media sites. </span></span></b><br />
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: #404040; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span lang="EN" style="color: #404040; font-size: 14pt;">Hackers use automated tools to see if your
stolen credentials work in thousands of other sites. </span></div>
</li>
</ul>
<b><span style="font-size: 14pt;"><span style="font-family: "calibri";">Enable
2-step verification.</span></span></b><br />
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span style="font-size: 14pt;">Most online
email, banking, and social media sites provide 2-step verification, i.e.,
when you log on from a new device or a new location, they send you an
SMS text message with a validation code before you can sign in. This
protects you from others logging in while pretending to be you.</span></div>
</li>
</ul>
<b><span style="font-size: 14pt;"><span style="font-family: "calibri";">Enable
transaction notification on your banking!</span></span></b><br />
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span style="font-size: 14pt;">Online banking
sites have the option of sending you a text or email every time a transaction
passes through your account. Turn this on!</span></div>
</li>
</ul>
<b><span style="font-size: 14pt;"><span style="font-family: "calibri";">Beware
phishing attacks related to this breach.</span></span></b><br />
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span style="font-size: 14pt;">Do not respond
to, click on, or open emails and attachments that say they are going to help
you with this breach. A number of malicious attacks have already begun to
lure innocent people into providing credentials based on the fear and
uncertainty around this breach. Your banks and email providers will
NOT be sending messages related to this.</span></div>
</li>
</ul>
<b><span style="font-size: 14pt;"><span style="font-family: "calibri";">Finally,
use a password management app to protect your online credentials.</span></span></b><br />
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span style="font-size: 14pt;">Whether your
preferred device is Windows, Mac, Linux, iOS, or Android, there are free apps
out there that can help you organize and protect your online passwords. </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 14pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo1;">
<span style="font-size: 14pt;"><a href="http://lastpass.com/" target="_blank">LastPass</a>,
<a href="http://1password.com/" target="_blank">1Password</a>, and <a href="http://keepass.info/" target="_blank">KeePass</a> are the most popular and cover a range of devices.
</span></div>
</li>
</ul>
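As an added example (not code from the original post or from any of the password managers named above), the following Python script audits a password-manager export against the first two steps: it flags passwords that break the 8-character, letters-plus-digits rule, and it finds identical or near-identical passwords reused across email, banking and social sites. The export rows, site names and column headers are constructed assumptions; a real export from your manager will have slightly different headers.

```python
"""Audit a password-manager export for weak and reused passwords.

Added example for this post, not the code of any vendor named in it.
SAMPLE_EXPORT is constructed sample data and its column names are
assumptions; point audit() at your own manager's CSV export instead.
"""
import csv
import io

MIN_LENGTH = 8            # the post's rule: at least 8 characters, mixing numbers and letters
SIMILARITY_THRESHOLD = 2  # edit distance at or below this counts as "similar"

# Constructed sample export: one row per saved login.
SAMPLE_EXPORT = """site,category,username,password
mail.example.test,email,alice,Summer2014
bank.example.test,banking,alice,Summer2014!
social.example.test,social,alice,Summer2014
shop.example.test,retail,alice,x7Rq9vLp2Nw
forum.example.test,social,alice,letmein
"""


def is_weak(password: str) -> bool:
    """Apply the post's minimum: length >= 8 with both letters and digits present."""
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    return len(password) < MIN_LENGTH or not (has_digit and has_alpha)


def normalize(password: str) -> str:
    """Strip the usual 'make it different' tweaks: letter case and trailing
    digits or symbols. 'Summer2014', 'summer2015' and 'Summer2014!' all
    collapse to 'summer', so they are caught as variants of one password."""
    return password.lower().rstrip("0123456789!@#$%^&*.?_-")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def audit(export_text: str) -> dict:
    """Return sites with weak passwords, site pairs sharing an identical
    password, and site pairs whose passwords are near-variants of each other."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    weak = [r["site"] for r in rows if is_weak(r["password"])]
    reused, similar = [], []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            pa, pb = a["password"], b["password"]
            if pa == pb:
                reused.append((a["site"], b["site"]))
            elif (normalize(pa) and normalize(pa) == normalize(pb)) \
                    or edit_distance(pa, pb) <= SIMILARITY_THRESHOLD:
                similar.append((a["site"], b["site"]))
    return {"weak": weak, "reused": reused, "similar": similar}


def main() -> None:
    report = audit(SAMPLE_EXPORT)
    for site in report["weak"]:
        print(f"WEAK     {site}: shorter than {MIN_LENGTH} or no letter/digit mix")
    for a, b in report["reused"]:
        print(f"REUSED   {a} and {b} share an identical password")
    for a, b in report["similar"]:
        print(f"SIMILAR  {a} and {b} use near-identical passwords")


if __name__ == "__main__":
    main()
```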
<br />
<br />
<br />
<br />
<strong><span style="font-size: large;">References:</span></strong><br />
<br />
<br />
<a href="http://www.pcmag.com/article2/0,2817,2475964,00.asp">http://www.pcmag.com/article2/0,2817,2475964,00.asp</a><br />
<a href="http://www.cnbc.com/2016/09/22/yahoo-data-breach-is-among-the-biggest-in-history.html">http://www.cnbc.com/2016/09/22/yahoo-data-breach-is-among-the-biggest-in-history.html</a><br />
<a href="https://www.thestar.com/business/2016/09/23/rogers-email-users-warned-in-massive-yahoo-data-hack.html">https://www.thestar.com/business/2016/09/23/rogers-email-users-warned-in-massive-yahoo-data-hack.html</a><br />
<a href="http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html">http://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html</a><br />
<a href="https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/">https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/</a><br />
<a href="http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/#5d0270b13c15">http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/#5d0270b13c15</a><br />
<br />
<br />
<br />
<br />
<br />security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com1Toronto, ON, Canada43.653226 -79.38318429999998243.285985499999995 -80.028631299999986 44.0204665 -78.737737299999978tag:blogger.com,1999:blog-6954236093826966251.post-35983505255513584122016-07-12T11:25:00.000-04:002016-08-18T12:28:22.542-04:00Turmoil in the CASB market - 2016 the year of Big Business Acceptance<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qtq4UZrkv85Wv_-uxf-58IR9wb1gBlpQfoHMe6rghAS1D8Hq7H9So-feD6hqDAgbEWCvBf-gpjxyYoPvSNo8RnzQ3SZS0PXLzTym_9SRMCoo5LwdESbFBuB7prHzWBHM1ONs2PlMZx-M/s1600/cloud.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qtq4UZrkv85Wv_-uxf-58IR9wb1gBlpQfoHMe6rghAS1D8Hq7H9So-feD6hqDAgbEWCvBf-gpjxyYoPvSNo8RnzQ3SZS0PXLzTym_9SRMCoo5LwdESbFBuB7prHzWBHM1ONs2PlMZx-M/s1600/cloud.jpg" width="200" /></a><b>In April of last year,</b> <a href="http://security-musings.blogspot.ca/2015/04/comparing-cloud-access-security-broker.html" target="_blank">I wrote a technical comparison of the various players in the CASB (Cloud Access Security Broker) space</a>, and had such incredible response and discussion, that I felt I had to provide an update this year. Should be easy, right? <span style="clear: right; margin-bottom: 1em; margin-left: 1em;"></span> <b>WRONG!</b><br />
<br />
<span style="font-size: xx-small;"><b><a href="http://security-musings.blogspot.ca/2015/04/comparing-cloud-access-security-broker.html" target="_blank">(Read the above article if you are new to CASB and want an understanding of the space)</a></b></span><br />
<b><br /></b>
<b><br /></b>
<b>The CASB market has seen a lot of turmoil over the past year</b>, in the form of mergers and acquisitions. Early on we all thought <a href="https://cloud-computing-today.com/2015/11/05/1073978/" target="_blank">Cisco was going to acquire Elastica</a>, as they had become quite cozy, but in a screeching left turn <a href="http://bluecoat.com/" target="_blank">BlueCoat</a> came from the sidelines <a href="https://www.bluecoat.com/company/news/blue-coat-acquires-elastica-280-million-casb-deal" target="_blank">and snapped Elastica up.</a> The surprise here is that earlier, in June of 2015, <a href="https://www.bluecoat.com/company/press-releases/blue-coat-acquires-perspecsys-effectively-make-public-cloud-applications" target="_blank">BlueCoat had just acquired CASB player Perspecsys.</a> Fast forward to June of this year, when <a href="http://fortune.com/2016/06/02/bain-blue-coat-ipo/" target="_blank">BlueCoat announced their intent to IPO</a>, then only days later <a href="http://fortune.com/2016/06/12/blue-coat-abandons-ipo-plans-sells-to-symantec-for-4-65-billion/" target="_blank">agreed to be acquired by Symantec for $4.65B</a>. Whew...<br />
<br />
<b>In a similar roller coaster</b>, <a href="http://www.businesscloudnews.com/2015/04/15/adallom-secures-30m-in-series-c-led-by-hp/" target="_blank">Adallom cozied up with HP</a> in April 2015, only <a href="http://blogs.microsoft.com/blog/2015/09/08/microsoft-acquires-adallom-to-advance-identity-and-security-in-the-cloud" target="_blank">to get bought by Microsoft in September.</a> Then just last week, <a href="http://cisco.com/" target="_blank">Cisco</a>, not to be left out of the CASB market, <a href="https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1775941" target="_blank">announced their intent to acquire Cloudlock</a> for $293 million.<br />
<br />
<b>Also in recent news,</b> <a href="http://searchcloudsecurity.techtarget.com/answer/How-can-a-reverse-proxy-mode-improve-cloud-security" target="_blank">Skyhigh Networks obtained a patent to use reverse proxies</a> for cloud access security broker services, and <a href="http://searchcloudsecurity.techtarget.com/news/4500279646/Netskope-awarded-patent-for-cloud-visibility-governance" target="_blank">Netskope obtained a patent for routing client traffic securely to cloud services</a>. I'm not sure how this is going to change how the others model their business.<br />
<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9FxWq38stYK4gHJMM3wFdXwbkYgOK9nTxzYNLpdlitUB6f02EUztwelaNAVF9_KhvQsFEtZlGe6bAKLYK7gQxCm2gz8KX29kNqa3BTL-i_b9IrkdZO4F7We06_uORtqbowOF3SMJJ5FNe/s1600/CASB.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9FxWq38stYK4gHJMM3wFdXwbkYgOK9nTxzYNLpdlitUB6f02EUztwelaNAVF9_KhvQsFEtZlGe6bAKLYK7gQxCm2gz8KX29kNqa3BTL-i_b9IrkdZO4F7We06_uORtqbowOF3SMJJ5FNe/s320/CASB.jpg" width="320" /></a><b></b><br />
<b><b><br /></b></b>
<b><b>So to recap...</b></b><br />
<br />
<br />
<b>Last year, in the CASB space, we had: </b><br />
<a href="http://adallom.com/" target="_blank">Adallom</a>, <a href="http://bitglass.com/" target="_blank">BitGlass</a>, <a href="http://ciphercloud.com/" target="_blank">Ciphercloud</a>, <a href="http://cloudlock.com/" target="_blank">Cloudlock</a>, <a href="http://elastica.com/" target="_blank">Elastica</a>, <a href="http://imperva.com/skyfence" target="_blank">Imperva</a>, <a href="http://netskope.com/" target="_blank">Netskope</a>, <a href="http://perspecsys.com/" target="_blank">Perspecsys</a>, and <a href="http://skyhigh.com/" target="_blank">SkyHigh</a><br />
<br />
<b>This year, the landscape looks to be:</b> <br />
<a href="http://bitglass.com/" target="_blank">Bitglass</a>, <a href="https://www.bluecoat.com/products-and-solutions/casb-cloud-access-security-broker" target="_blank">Symantec/BlueCoat</a>, <a href="http://cloudlock.com/" target="_blank">Cisco/Cloudlock</a>, <a href="http://ciphercloud.com/" target="_blank">Ciphercloud</a>, <a href="http://imperva.com/skyfence" target="_blank">Imperva</a>, <a href="https://blogs.microsoft.com/cybertrust/2016/04/06/microsoft-cloud-app-security-is-generally-available/" target="_blank">Microsoft/Adallom</a>, <a href="http://netskope.com/" target="_blank">Netskope</a>, and <a href="http://skyhigh.com/" target="_blank">SkyHigh</a>.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b>I closed last year's report with the statement:</b><br />
<blockquote class="tr_bq">
<span style="color: blue; font-size: x-small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>"Although the CASB market space</b> is still in its infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service. </span><span style="font-family: "trebuchet ms" , sans-serif;">I'm interested to see what happens to this space over the next three years. My money is on convergence of CASB, SSO, and Mobile Security providers."</span></span></blockquote>
<b>I still hold to this:</b> Cloud SSO is what gives CASB the ability to understand context, and Mobile Security (<a href="https://en.wikipedia.org/wiki/Mobile_device_management" target="_blank">Device Security</a>, <a href="https://en.wikipedia.org/wiki/Mobile_application_management" target="_blank">Application Security</a>, <a href="https://gcn.com/Articles/2015/11/30/Future-mobile-device-management.aspx" target="_blank">Data Security</a>) is required to manage endpoints outside of the corporate perimeter. Yet I'm not seeing those acquisitions as yet.<br />
<br />
<br />
<div style="text-align: center;">
<b>I think it's going to be an interesting challenge to update last year's report. Stay tuned. </b></div>
<br />
<span style="color: red;"><b>NOTE: </b></span><br />
<span style="color: red;"><b><br /></b></span>
<b><span style="color: red;">I am currently in the process of evaluating the technical controls published by the current players in this space and will be re-publishing this report in the near future. </span></b><br />
<span style="color: red;"><br /></span>
<b><span style="color: red;">If you are a current CASB provider that I have missed here, and want to be included in the upcoming report, please comment below or email me at unix_guru at hotmail dot com, and I will contact you for validation.</span></b><br />
<b><br /></b>
<br />
<div class="post-body entry-content" id="post-body-5334518811991800737" itemprop="description articleBody">
<br />
<span style="font-size: small;"><b>CASB References:</b></span><br />
<span style="font-size: xx-small;"><br /></span> <span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="https://www.gartner.com/doc/2032015/growing-importance-cloud-access-security" target="_blank"><span style="color: #3778cd; font-size: xx-small;">Gartner: The Growing Importance of Cloud Access Security Brokers</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner" target="_blank"><span style="color: #3778cd; font-size: xx-small;">http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="https://www.gartner.com/doc/2856117?srcId=1-2819006590&pcp=itg" target="_blank"><span style="color: #3778cd; font-size: xx-small;">Gartner: Emerging Technology Analysis: Cloud Access Security Brokers</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/"><span style="color: #3778cd; font-size: xx-small;">http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><span style="color: #3778cd; font-size: xx-small;"><a href="https://www.netskope.com/">https://www.netskope.com</a></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="https://www.elastica.net/" target="_blank">https://www.elastica.net/</a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://blog.bitglass.com/the-definitive-guide-to-cloud-access-security-brokers" target="_blank"><span style="color: #3778cd; font-size: xx-small;">Bitglass: The Definitive Guide to Cloud Access Security Brokers</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://pages.ciphercloud.com/rs/ciphercloud/images/CipherCloud-%20Impact%20Report-%2011%20Dec%202014.pdf" target="_blank"><span style="color: #3778cd; font-size: xx-small;">CipherCloud looks to stay at the head of the cloud security class </span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://pages.ciphercloud.com/The10-MinuteGuidetoCloudEncryptionGateways.html" target="_blank"><span style="color: #3778cd;">Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways</span></a><br /><a href="http://pages.ciphercloud.com/Cloud-Adoption-and-Risk-Report-landing-page.html" target="_blank"><span style="color: #3778cd;">Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends</span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="http://www.networkworld.com/article/2691104/security0/how-the-cloud-is-changing-the-security-game.html" target="_blank"><span style="color: #3778cd; font-size: xx-small;">NetworkWorld: How the cloud is changing the security game </span></a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: xx-small;"><a href="https://www.adallom.com/wp-content/uploads/2014/12/TheCaseForACASB.pdf" target="_blank"><span style="color: #3778cd; font-size: xx-small;">Adallom: The Case For A Cloud Access Security Broker</span></a></span></span><br />
</div>
Threat Modeling a Mobile Application (security-musings, 2016-06-21)
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT0YjHeIZhTf-K02cXKmMD_WW16DgtpnxWQ77BGh0THPW8iy8irTj4Ganb1kiPIKMS4cHQJDevz1_M82aiuRqACxav_rEavfrxI2ENwiDuplA14uO3FKiiWNGsvmnV0-yHA3V2g4eHSkXz/s1600/mobiledevices.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT0YjHeIZhTf-K02cXKmMD_WW16DgtpnxWQ77BGh0THPW8iy8irTj4Ganb1kiPIKMS4cHQJDevz1_M82aiuRqACxav_rEavfrxI2ENwiDuplA14uO3FKiiWNGsvmnV0-yHA3V2g4eHSkXz/s200/mobiledevices.jpg" width="200" /></a><span style="font-family: "trebuchet ms" , sans-serif;"><b>The purpose of this article </b>is to provide security guidance for the development of mobile applications. The following <a href="https://www.owasp.org/index.php/Application_Threat_Modeling" target="_blank">application threat model (ATM)</a> is an example, created to help developers identify the threats a malicious attacker could use to exploit a custom-developed mobile application.<br /><br /><b>This threat model example</b> is based on industry best practices and observations across the mobile application development space, and is not based on any one particular mobile application. The scenario presented here assumes an application in the banking and finance space, but could apply to any industry.<br /><br /><b>From a security and privacy perspective</b>, a mobile application must:</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Prevent unauthorized use of the web service APIs associated with the application</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Prevent unauthorized access to information in, or operational control of, a user’s account</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Prevent a third party from obtaining identification and authentication details</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Reduce the opportunity for, and the incentive of, a malicious user to access confidential information</span></li>
</ul>
<h2>
<span style="font-family: "trebuchet ms", sans-serif;"><span style="font-size: large;">Threat Profile:</span></span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>A "Threat Profile"</b> is the concept of identifying the complete set of security threats that could be used to compromise a given application or system.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="background-color: white; color: #222222; font-size: 16px; line-height: 19.2px;"><br /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>The following Business Criteria</b> and assumptions were used when assessing the threat profile for this example Mobile Application:</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Industry Categorization:</b> Financial Institution</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Organizational Audience:</b> Business Users</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Level of Potential Threat to Audience:</b> Moderate-threat Audience</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Degree of Confidential Data:</b> Moderate</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Likelihood of Exploitation:</b> Low to Moderate</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Delivery Platform:</b> Mobile devices with Secured Sandboxes</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Level of User Interaction:</b> Minimal</span></li>
</ul>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOZErqaN1hEJW-p5g-5VxOewxl6sTD5ryY8-G3cC1_Iew9_mZeLuoZHnehQopR8m2_Kpf16VKgQXOYtcy8iKJNkT12pWI-fmnegRpKi0XU1k7yJ5xpHwiJUo6uXv2USUVYMdPyv0h4C6gZ/s1600/threat-profile.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOZErqaN1hEJW-p5g-5VxOewxl6sTD5ryY8-G3cC1_Iew9_mZeLuoZHnehQopR8m2_Kpf16VKgQXOYtcy8iKJNkT12pWI-fmnegRpKi0XU1k7yJ5xpHwiJUo6uXv2USUVYMdPyv0h4C6gZ/s320/threat-profile.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492" target="_blank">SANS: Threat Profiling</a></td></tr>
</tbody></table>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;">Threat Agents:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>A threat agent</b> categorizes the types of intentional and unintentional users associated with the system. This can include the application's intended roles, but is not restricted to them.</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Stolen Device User:</b> A user who has obtained unauthorized access to the device and aims to get hold of sensitive information, including data held in memory, belonging to the device's owner.</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access to account information to perform unauthorized transactions</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access to account information to perform transactions from a different account</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Attempt to garner information about the bank's overall security structure</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Denial of service attack against back-end systems based on gathered information</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /><b>Owner of the Device:</b> A user who has unwittingly installed a malicious application on their phone, which then gains access to the application's memory on the device.</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Capturing of credentials associated to the account for use by a third party</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /><b>Common WiFi Network User:</b> This agent represents any adversary intentionally or unintentionally sniffing the WiFi network used by a victim. This agent observes all the data transmitted by the victim's device and may re-use it to launch further attacks.</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Capturing of credentials associated to the account for use by a third party</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to perform unauthorized transactions</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIW0h-flP1pso1rgSrrcJHxzWVxE4K4JREqkQtsHueR_OwKiF34I6cnqo9De_TD9cM7vMXkzUxt-xTOK8mA_llvA_AUsCuzZDM1KV2Y7DqxEr8_8VeyY2mn4o8y-fDTKlL0BeQ5KZG3Efs/s1600/Picture1.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIW0h-flP1pso1rgSrrcJHxzWVxE4K4JREqkQtsHueR_OwKiF34I6cnqo9De_TD9cM7vMXkzUxt-xTOK8mA_llvA_AUsCuzZDM1KV2Y7DqxEr8_8VeyY2mn4o8y-fDTKlL0BeQ5KZG3Efs/s400/Picture1.png" width="400" /></span></a></div>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;">Key Scenarios:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><br />The following scenarios or activities have been identified as key to the success of the application's security profile:<br /><br /><b>User Authentication</b> - gaining access to post-sign-on functionality and content in the mobile application.<br /><br /><b>Get Portfolio and Rates, and Execute Trades</b> - the user is presented with the list of transactions associated with specific rates (Wire Payments, Cross-currency Account Transfers). The user can retrieve, view and accept the rate presented for the selected payment, view the Beneficiary Details and the Audit History page of the selected payments, and manage Contacts and make phone calls using the Audit History information.<br /><br /><b>Payment Approvals</b> - the user is presented with the list of payments (Wires, Account Transfers, EFT, Bill Payments) that qualify to be approved or released by that user. The user can view payment details and approve or reject the selected payment, and must be re-authenticated as part of each payment approval operation. The user can view the Audit History page of the selected payments, and manage Contacts and make phone calls using the Audit History information.<br /><br /><b>Accounts Module</b> - the user is presented with the list of accounts they are entitled to. The user can add, delete and reorder Favourite Accounts in the list, and query and view account balances and transaction history.</span><br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;">Mobile Application Architectural Elements:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>The following items are associated</b> with the application architecture specific to mobile devices. This listing is intended to provide additional input and considerations for the overall threat model.</span><br />
<br />
<table align="left" border="1" cellpadding="1" cellspacing="1" style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); width: 100%;" valign="top">
<tbody>
<tr valign="top">
<td><span style="font-size: x-small;"><strong>1. Carrier Elements</strong>
</span><br />
<ol style="margin-left: 40px;">
<li><span style="font-size: x-small;">
Data</span></li>
<li><span style="font-size: x-small;">
SMS</span></li>
</ol>
</td>
<td><span style="font-size: x-small;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">5. </span><span class="font5" style="font-family: "trebuchet ms" , sans-serif;">Device</span></strong>
</span><br />
<ol style="margin-left: 40px;">
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">iOS</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Android</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Blackberry</span></li>
</ol>
</td>
</tr>
<tr valign="top">
<td><strong><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">2. Web Services using RESTful agents over SOAP</span></strong></td>
<td><span style="font-size: x-small;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">6. </span><span class="font5" style="font-family: "trebuchet ms" , sans-serif;">Common applicable hardware components</span></strong>
</span><br />
<ol>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Wireless Interfaces</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">USB Ports</span></li>
</ol>
</td>
</tr>
<tr valign="top">
<td><span style="font-size: x-small;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">3. App Store</span></strong>
</span><br />
<ol style="margin-left: 40px;">
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Apple App Store</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Android Play Store</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Blackberry World </span></li>
</ol>
</td>
<td><span style="font-size: x-small;"><strong>7. Authentication</strong>
</span><br />
<ol>
<li><span style="font-size: x-small;">
Token Based</span></li>
<li><span style="font-size: x-small;">
Certificate Based</span></li>
<li><span style="font-size: x-small;">
Keyboard Based</span></li>
<li><span style="font-size: x-small;">
Touchscreen Based</span></li>
<li><span style="font-size: x-small;">
Biometric Based</span></li>
</ol>
</td>
</tr>
<tr valign="top">
<td><span style="font-size: x-small;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">4. </span><span class="font5" style="font-family: "trebuchet ms" , sans-serif;">Wireless Interfaces</span></strong>
</span><br />
<ol>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">802.11</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Bluetooth</span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">NFC</span></li>
</ol>
</td>
<td></td>
</tr>
</tbody>
</table>
<br />
<div>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Planned Application Security Mechanisms:</span></h2>
</div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Planned application security mechanisms are technologies and threat-management measures included as part of the application architecture and design. The model sets these aside when defining the potential threats to the system, but references them as solutions to the problems identified.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>The following application security mechanisms</b> have been identified as part of application security design: </span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">HTTPS secure transport using TLS 1.2 or above</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Two-phase authentication </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Input and data validation </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Exception handling </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Auditing and logging </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Minimization of operations</span></li>
</ul>
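<span style="font-family: "trebuchet ms" , sans-serif;">To show why these mechanisms must be enforced on the back end rather than in the app (the JSON services can be called directly, bypassing every client-side check), here is an added example of a payment-approval endpoint combining input and data validation, entitlement checks, the per-approval re-authentication required by the Key Scenarios, audit logging and exception handling. It is not the post's own code nor any bank's; the entitlement and payment stores, account numbers, secret and the HMAC-based re-authentication proof are constructed stand-ins.</span>

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample stores standing in for the bank's entitlement,
# pending-payment and step-up-authentication records (hypothetical values).
ENTITLEMENTS = {"user-17": {"CA-1001", "CA-1002"}}
PENDING_PAYMENTS = {
    "PAY-9001": {"from_account": "CA-1001", "amount": "2500.00", "currency": "CAD"},
    "PAY-9002": {"from_account": "CA-7777", "amount": "10.00", "currency": "CAD"},
}
REAUTH_SECRETS = {"user-17": b"constructed-demo-secret"}

ALLOWED_FIELDS = {"payment_id", "decision", "reauth"}
DECISIONS = {"approve", "reject"}
PAYMENT_ID_RE = re.compile(r"^PAY-\d{4,12}$")
MAX_BODY_BYTES = 4096


class ValidationError(Exception):
    """Any request the server refuses; the detail goes to the audit log only."""


@dataclass
class Result:
    ok: bool
    message: str                               # what the caller sees (generic on failure)
    audit: list = field(default_factory=list)  # what the audit log records


def reauth_proof(user_id: str, payment_id: str, decision: str) -> str:
    """Proof the app presents after step-up (re-)authentication.

    Simplified stand-in for a real re-authentication mechanism: an HMAC bound
    to the user, payment and decision, so a proof obtained for one decision
    cannot be replayed for another.
    """
    msg = f"{user_id}|{payment_id}|{decision}".encode()
    return hmac.new(REAUTH_SECRETS[user_id], msg, hashlib.sha256).hexdigest()


def build_request(payment_id, decision, reauth, **extra) -> bytes:
    """Encode a request body as the mobile app (or a direct caller) would send it."""
    return json.dumps({"payment_id": payment_id, "decision": decision,
                       "reauth": reauth, **extra}).encode()


def approve_payment(raw_body: bytes, session_user: str) -> Result:
    """Server-side handling of a payment-approval request for an authenticated session.

    Every check is enforced here regardless of what the client validated.
    """
    audit: list = []
    try:
        # 1. Input validation: size, shape, and no fields beyond the contract.
        if len(raw_body) > MAX_BODY_BYTES:
            raise ValidationError("body too large")
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            raise ValidationError("body must be a JSON object")
        unexpected = set(body) - ALLOWED_FIELDS
        if unexpected:
            raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
        payment_id, decision, proof = (body.get(k) for k in ("payment_id", "decision", "reauth"))
        if not isinstance(payment_id, str) or not PAYMENT_ID_RE.match(payment_id):
            raise ValidationError("malformed payment_id")
        if not isinstance(decision, str) or decision not in DECISIONS:
            raise ValidationError("decision must be approve or reject")
        if not isinstance(proof, str):
            raise ValidationError("missing re-authentication proof")

        # 2. Authorization: the payment must exist and debit an account the session
        #    user is entitled to; amount and currency come from the server record.
        payment = PENDING_PAYMENTS.get(payment_id)
        if payment is None:
            raise ValidationError("unknown payment")
        if payment["from_account"] not in ENTITLEMENTS.get(session_user, set()):
            raise ValidationError("user not entitled to this payment")
        amount = Decimal(payment["amount"])

        # 3. Re-authentication on every approval operation.
        expected = reauth_proof(session_user, payment_id, decision)
        if not hmac.compare_digest(expected, proof):
            raise ValidationError("re-authentication failed")

        # 4. Auditing: record the decision the server actually applied.
        audit.append(f"{session_user} {decision} {payment_id} {amount} {payment['currency']}")
        return Result(True, f"payment {decision} recorded", audit)
    except ValidationError as exc:
        # 5. Exception handling: reason to the audit log, generic message to the caller.
        audit.append(f"{session_user} request refused: {exc}")
        return Result(False, "request refused", audit)
    except (ValueError, TypeError, InvalidOperation, KeyError):
        audit.append(f"{session_user} request refused: malformed input")
        return Result(False, "request refused", audit)


if __name__ == "__main__":
    ok = build_request("PAY-9001", "approve", reauth_proof("user-17", "PAY-9001", "approve"))
    print(approve_payment(ok, "user-17"))
    # A direct caller adding a client-chosen amount is refused before any lookup.
    print(approve_payment(build_request("PAY-9001", "approve", "x", amount="1.00"), "user-17"))
```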
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Trust Boundaries:</span></h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWJow1eJWpepOBKXvcLZo2-u2CnTuqEFORF06-QzdEb8f0lqGNnL2YCzWrD2r-aj2iVrd8tBdSNVTgp438LynXWFOU_RSqN_W-a0MoL0xB7vVm4R8IwRldXOUawXX8a-_n2qI4UsMC8Tp1/s1600/Picture2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWJow1eJWpepOBKXvcLZo2-u2CnTuqEFORF06-QzdEb8f0lqGNnL2YCzWrD2r-aj2iVrd8tBdSNVTgp438LynXWFOU_RSqN_W-a0MoL0xB7vVm4R8IwRldXOUawXX8a-_n2qI4UsMC8Tp1/s400/Picture2.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>An organization and its application</b> define a series of perimeters, each with a different level of security-oriented trust. The following trust boundaries apply to the systems, sub-systems, and identities in this example:</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>App Container Boundary</b> within secured devices, including iPhone and BlackBerry</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Internet Trust Boundary</b>, the connection between the device and the internal banking systems</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>DMZ Trust Boundary</b>, including the perimeter firewall, where core services are located</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><b>Data Center Trust Boundary</b>, in which directly hosted systems and services are located</span></li>
</ul>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Data Flows:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Data flow diagrams help</b> document the flow of information across trust boundaries. Understanding how data is communicated across boundaries helps identify potential issues within communication protocols and mechanisms.<br /><br /><b>The following diagram represents</b> the data flow of the application under investigation:</span><br />
<center>
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAjHoI15UF3MoWsFhi-RBwIKrSA4lMt_PNq4-H4u9NcrSLoCm4YYZj3TjN41Z__Y3mLLY8LNVhE7cqBanXNFdh5-0LIA_S0k2D-cAAn2v970GUA1b8TpZ8fgkLpYMsT3O2cSHer9Pz7345/s1600/Picture3.png" imageanchor="1" style="font-family: "Times New Roman"; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAjHoI15UF3MoWsFhi-RBwIKrSA4lMt_PNq4-H4u9NcrSLoCm4YYZj3TjN41Z__Y3mLLY8LNVhE7cqBanXNFdh5-0LIA_S0k2D-cAAn2v970GUA1b8TpZ8fgkLpYMsT3O2cSHer9Pz7345/s320/Picture3.png" width="320" /></a></span></center>
<br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Entry and Exit Points:</span></h2>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Entry Points</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Entry points</b> define the positions in your application where a user, a cross-component communication or an external application supplies data and calls operations on the back-end systems.</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Mobile Application access to the back-end API through JSON services.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Unintentional direct access to the back-end API through JSON services.</span></li>
</ul>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Exit Points</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Exit points</b> correspond to entry points and define the positions at which data is sent back to the client. Exit points are prioritized to identify where information is transmitted in a trusted manner even though its source is untrusted.</span><br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Potential Attack Tree:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>An attack tree is a hierarchical diagram </b>(or outline) that represents the attacks a malicious individual might perform against the application. This information is based on the development of an attack profile organized around the industry and the types of threats associated with your application and its end users.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Gain authentication information</b> to be used in other applications, systems or services </span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Authentication and access control attacks to determine the applied security measures</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Determine the depth of breach and fraud prevention controls</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access the account to be used on other systems</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;">
<br /><b>Monitoring of transactions </b>to record communication patterns </span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Obtain confidential information about the system</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Gain details on how transactions are processed in the system</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Discovery of weaknesses associated with the back-end system</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;">
<br /><b>General financial fraud </b></span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Perform unauthorized financial transactions to correct associated bank accounts</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Determine clients and the size of transactions for social engineering attempts</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;">
<br /><b>Data Collection by running application</b> in a non-trusted environment (jail-broken) </span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to access the application on a jail-broken device or development platform</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to apply memory forensics to the application at runtime to gain confidential information</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to apply memory forensics to the application to determine run-time details</span></li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;">
<br /><b>Unmanaged JSON attacks</b> over encrypted or unencrypted channels </span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to perform data theft through cross-site references</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Ability to perform a denial of service attack using cross-site references</span></li>
</ul>
<br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Threat Tree:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>A Threat Tree describes</b> the specific threats that can be applied to the application. Information in this section is organized as a threat tree for reference, with specific descriptions of each threat afterwards. Please note that a single threat can be related to one or more common or uncommon vulnerabilities.</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Authentication / Authorization</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Input and Data Validation</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Relying exclusively on client-side validation</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Writing data you did not validate out to a trusted source</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Using input you did not validate to generate SQL queries</span></li>
</ul>
</li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Configuration Management</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Sensitive Data</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Basic Man-in-the-Middle Attack</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Request Forgery</span></li>
</ul>
</li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Session Management / Cryptography</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Parameter Manipulation</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Failing to validate all input parameters</span></li>
</ul>
</li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Exception Management</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Failing to validate all input parameters</span></li>
</ul>
</li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Audit and Logging</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Missing Security Auditing Features</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Unsecured Audit Logs</span></li>
</ul>
</li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Mobile Specific Threats</span>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Method aimed to read the local application memory</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Malware on the device</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Transactions performed from a non-localized location</span></li>
</ul>
</li>
</ul>
<span style="font-family: "trebuchet ms" , sans-serif;">
</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
</span><br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Rating Potential Threats:</span></h2>
</div>
<div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Relying Exclusively on Client Side Validation:</span></h3>
</div>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 100%;">
<tbody>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); white-space: nowrap; width: 25%;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">By relying on client-side validation the system exposes its back-end services to compromised client systems and to tampering with the communication protocol. This issue includes the related threats “Writing data you did not validate out to trusted source” and “Using input you did not validate to generate SQL queries”.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Input and Data Validation</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Capturing of credentials associated to the account for use by third party.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Ability to perform unauthorized transactions.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Denial of service attack against back-end systems</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Attempt to garner information about the bank's overall security structure</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Access to account information to perform unauthorized transactions</span></li>
</ol>
</td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">High</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">A malicious attacker compromises the mobile application by installing it on a jail-broken device, or reviews its data communication through a proxy service. Unintended data (pre- or post-authentication), such as injection payloads or values the client was never meant to set, is then sent through the communication protocol to the back-end server.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Use of SSL with trusted certificates to encrypt communication.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Validation of data at all trust boundaries to manage tampered data.</span></li>
</ol>
</td>
</tr>
</tbody>
</table>
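The countermeasure "validation of data at all trust boundaries" is easiest to see as code. The following is an added example written for this article, not the original author's code or any bank's implementation: a hypothetical transfer endpoint in which the vulnerable handler relies on the mobile app having validated the request and assembles SQL from the raw fields, while the hardened handler re-validates every field once the request crosses the trust boundary, checks account ownership against the authenticated user, and uses parameterised statements. The account-number format, the transfer limit and the two sample accounts are assumptions.

```python
"""Validation at the trust boundary: a hypothetical transfer endpoint for a
mobile banking back end (added example, not the original article's code).

The vulnerable handler assumes the mobile app already validated the request
and builds its SQL by string formatting.  The hardened handler re-validates
every field once the request crosses the trust boundary, checks ownership
against the authenticated user, and uses parameterised statements.
"""
import re
import sqlite3
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")  # assumed account-number format
MAX_TRANSFER = Decimal("10000.00")         # assumed per-transaction limit


class ValidationError(ValueError):
    pass


def make_db():
    """Constructed in-memory ledger with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance_cents INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("10000001", "alice", 50000), ("10000002", "bob", 1000)])
    conn.commit()
    return conn


def balance(conn, account_id):
    return conn.execute("SELECT balance_cents FROM accounts WHERE id = ?",
                        (account_id,)).fetchone()[0]


def transfer_vulnerable(conn, request):
    """Relies exclusively on client-side validation.

    No sign, range or ownership check: a negative amount reverses the
    transfer, and the source account is whatever the client named.  The
    SQL is also assembled from unvalidated input.
    """
    cents = int(float(request["amount"]) * 100)
    src, dst = request["from"], request["to"]
    with conn:
        conn.execute(f"UPDATE accounts SET balance_cents = balance_cents - {cents} "
                     f"WHERE id = '{src}'")
        conn.execute(f"UPDATE accounts SET balance_cents = balance_cents + {cents} "
                     f"WHERE id = '{dst}'")
    return "ok"


def validate_transfer(conn, request, authenticated_user):
    """Re-check every field server-side; never trust flags or values the app computed."""
    src, dst = str(request.get("from", "")), str(request.get("to", ""))
    if not ACCOUNT_RE.match(src) or not ACCOUNT_RE.match(dst) or src == dst:
        raise ValidationError("bad account id")
    try:
        amount = Decimal(str(request.get("amount")))
    except InvalidOperation:
        raise ValidationError("bad amount")
    if not amount.is_finite():
        raise ValidationError("bad amount")
    if amount <= 0 or amount > MAX_TRANSFER or amount != amount.quantize(Decimal("0.01")):
        raise ValidationError("amount out of range")
    row = conn.execute("SELECT owner, balance_cents FROM accounts WHERE id = ?",
                       (src,)).fetchone()
    if row is None or row[0] != authenticated_user:
        raise ValidationError("source account not owned by caller")
    cents = int(amount * 100)
    if row[1] < cents:
        raise ValidationError("insufficient funds")
    return src, dst, cents


def transfer_hardened(conn, request, authenticated_user):
    """Validated transfer using parameterised statements in one transaction."""
    src, dst, cents = validate_transfer(conn, request, authenticated_user)
    with conn:
        conn.execute("UPDATE accounts SET balance_cents = balance_cents - ? "
                     "WHERE id = ? AND owner = ?", (cents, src, authenticated_user))
        conn.execute("UPDATE accounts SET balance_cents = balance_cents + ? WHERE id = ?",
                     (cents, dst))
    return "ok"


def try_transfer(conn, request, authenticated_user):
    """Return None when the hardened transfer succeeds, else the rejection reason."""
    try:
        transfer_hardened(conn, request, authenticated_user)
        return None
    except ValidationError as err:
        return str(err)
```

Run against the sample ledger, the vulnerable handler happily applies a negative amount sent for an account the caller does not own, whereas the hardened handler rejects the same request with "amount out of range" before it ever reaches the database, and rejects a positive amount from a foreign account with "source account not owned by caller".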
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">
Basic Man-In-The-Middle Attack:</span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 100%;">
<tbody>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); white-space: nowrap; width: 25%;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">User is able to monitor the data being communicated from the mobile application to the associated server in order to determine the URL, formats and identity of back-end services for direct access to the service.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Sensitive Data</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Capturing of credentials associated to the account for use by third party.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Attempt to garner information about the bank's overall security structure</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Access to account information to perform unauthorized transactions</span></li>
</ol>
</td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Medium</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Use of data monitoring tools, including Burp Scanner or Wireshark, as proxies to view data being transmitted from the mobile application to the server.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Use of SSL with trusted certificates to encrypt communication.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Validation of data at all trust boundaries to manage tampered data.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Source checking of communication using CSRF-token based concepts</span></li>
</ol>
</td>
</tr>
</tbody>
</table>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">
Request Forgery:</span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 100%;">
<tbody>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); white-space: nowrap; width: 25%;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">An unauthenticated user sends requests over HTTP in an attempt to (1) subvert authentication mechanisms, (2) perform destructive activities against a system, (3) gain information about exception handling mechanisms, or (4) garner information about the system and its transactions.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Sensitive Data</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Capturing of credentials associated to the account for use by third party.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Ability to perform unauthorized transactions.</span></li>
</ol>
</td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Medium</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Use of data monitoring tools, including Burp Scanner or Wireshark, as proxies to view data being transmitted from the mobile application to the server, followed by replaying or modifying the observed requests.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><div>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Use of a secure token (similar to a CSRF token) to acknowledge authorized transactions to the system and to take appropriate measures including alerts and logging when un-authorized transactions are performed. The same mechanism used in a CSRF token can be used in this circumstance.</span></div>
</td>
</tr>
</tbody>
</table>
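The countermeasure above, a secure token "similar to a CSRF token" that acknowledges authorized transactions and triggers alerting and logging when an unauthorized one is attempted, can be built from an HMAC. The block below is an added example, not the article's or any vendor's code: the server issues a token when it shows the user the transaction to confirm, binding the session, the user, the exact transaction and an expiry under a server-side key, with a single-use nonce; a forged, replayed, expired or retargeted request fails verification and is logged. The server key, the token lifetime and the in-process nonce store are assumptions (a deployment would keep the nonce store in a shared database or cache).

```python
"""Transaction tokens in the style of a CSRF token (added example).

The server issues a token when it shows the user the transaction to confirm.
The token is an HMAC over the session, the user, the exact transaction
("intent") and an expiry, plus a single-use nonce.  A forged, replayed,
expired or retargeted request fails verification and is logged as an
unauthorized transaction attempt.
"""
import base64
import binascii
import hashlib
import hmac
import json
import logging
import secrets
import time

log = logging.getLogger("security")
SERVER_KEY = b"constructed-demo-key-replace-per-deployment"  # assumed server-side secret
used_nonces = set()  # assumption: a shared store (database/cache) in a real deployment


def b64encode_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id, user, intent, now=None, ttl=300):
    """Bind a one-time token to this session, user and exact transaction."""
    now = int(time.time()) if now is None else now
    body = {"sid": session_id, "user": user, "intent": intent,
            "exp": now + ttl, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64encode_nopad(payload) + "." + b64encode_nopad(mac)


def reject(reason, session_id, user):
    """Countermeasure from the table: alert and log on unauthorized transactions."""
    log.warning("unauthorized transaction attempt sid=%s user=%s reason=%s",
                session_id, user, reason)
    return False, reason


def verify_token(token, session_id, user, intent, now=None):
    """Return (True, 'ok') only for an untampered, unexpired, unused token
    that matches the session, user and submitted transaction."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = b64decode_nopad(p64), b64decode_nopad(m64)
    except (ValueError, binascii.Error):
        return reject("malformed token", session_id, user)
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return reject("bad signature", session_id, user)
    body = json.loads(payload)
    if body["sid"] != session_id or body["user"] != user:
        return reject("session mismatch", session_id, user)
    if body["exp"] < now:
        return reject("expired", session_id, user)
    if body["intent"] != intent:
        return reject("intent mismatch", session_id, user)
    if body["nonce"] in used_nonces:
        return reject("replayed", session_id, user)
    used_nonces.add(body["nonce"])
    return True, "ok"
```

The signature is checked before anything in the payload is parsed, so a token that has been edited in transit is rejected without the server ever acting on its contents, and every rejection produces a security log entry with the reason.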
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">
Missing Security Audit Features:</span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 100%;">
<tbody>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); white-space: nowrap; width: 25%;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Attacks by an unauthorized user are not properly recorded by the system, reducing the opportunity for breach attempts to be discovered, hindered or prevented. As a security practice, auditing and logging should be applied across all application layers and servers.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Auditing and Logging</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Denial of service attack against back-end systems</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Ability to perform unauthorized transactions</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Anti-forensic measures</span></li>
</ol>
</td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Low</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">This threat does not have a direct attack; it represents an inability to detect and manage the assault in the case of a breach.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Log all security oriented transactions to a “security log file”</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Recognize unusual number of requests to any series of accounts</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Critical transaction attempts are logged for fraud controls</span></li>
</ol>
</td>
</tr>
</tbody>
</table>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">
Unsecured Audit Logs:</span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 100%;">
<tbody>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); white-space: nowrap; width: 25%;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Once a breach has occurred, a malicious attacker will attempt to alter or remove the log files that record their activity. This is a common step for an attacker in a breach to reduce the chance of success for a forensic investigation.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Auditing and Logging</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Denial of service attack against back-end systems</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Ability to perform unauthorized transactions</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Anti-forensic measures</span></li>
</ol>
</td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Low</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td>
<td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Upon a system breach the attacker modifies or deletes the associated log files so that evidence of their activities is removed.</span></td>
</tr>
<tr>
<td style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td>
<td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Audit files are located in a protected directory with access controls</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Modification, viewing and back-up of log files have specific user controls</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">
Use of frequent back-ups for security files to single-direction systems</span></li>
</ol>
</td>
</tr>
</tbody>
</table>
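The two audit-and-logging tables above share one piece of machinery: a security log that records the right events and cannot be quietly edited. The block below is an added example, not the article's or any product's code, covering both tables. It writes security-oriented transactions to an append-only log created owner-only (standing in for "a protected directory with access controls"), chains each record to the SHA-256 of the previous one so that a deleted or edited record breaks the chain (the per-record hash returned by record() is what one would ship to a separate write-once system), and runs a detector for "an unusual number of requests to any series of accounts" over the log. The sample events, the file location and the detection thresholds are constructed assumptions.

```python
"""Security audit log with tamper evidence and simple abuse detection
(added example, not from the original article).

Each record carries the SHA-256 of the previous record, so deleting or
editing any earlier line breaks the chain; the file is created owner-only
(0600) as a stand-in for the "protected directory with access controls"
countermeasure; and detect_account_sweeps() implements "recognise an
unusual number of requests to any series of accounts".
"""
import hashlib
import json
import os
import tempfile
from collections import defaultdict

GENESIS = "0" * 64

# Constructed events: one normal user and one source walking through accounts.
SAMPLE_EVENTS = [
    {"ts": 1000, "event": "login", "src": "10.0.0.5", "user": "alice"},
    {"ts": 1005, "event": "account_lookup", "src": "10.0.0.5", "account": "10000001"},
    {"ts": 1010, "event": "transfer_attempt", "src": "10.0.0.5", "user": "alice", "amount": "25.00"},
] + [
    {"ts": 2000 + 3 * i, "event": "account_lookup", "src": "203.0.113.9", "account": f"1000{i:04d}"}
    for i in range(8)
]


class SecurityLog:
    """Append-only, hash-chained log of security-oriented transactions."""

    def __init__(self, path):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        self.file = os.fdopen(fd, "a")
        self.prev = GENESIS

    def record(self, event):
        line = json.dumps({"prev": self.prev, **event}, sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        self.file.write(line + "\n")
        self.file.flush()
        return self.prev  # ship this hash to a separate write-once store

    def close(self):
        self.file.close()


def verify_chain(path):
    """Return 0 if the chain is intact, else the first record number that breaks it."""
    prev = GENESIS
    with open(path) as fh:
        for number, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if json.loads(line)["prev"] != prev:
                return number
            prev = hashlib.sha256(line.encode()).hexdigest()
    return 0


def detect_account_sweeps(path, max_accounts=5, window=60):
    """Map source -> distinct accounts looked up within any `window` seconds,
    for sources exceeding `max_accounts` (thresholds are assumptions)."""
    by_src = defaultdict(list)
    with open(path) as fh:
        for line in fh:
            rec = json.loads(line)
            if rec.get("event") == "account_lookup":
                by_src[rec["src"]].append((rec["ts"], rec["account"]))
    flagged = {}
    for src, lookups in by_src.items():
        lookups.sort()
        for start, _ in lookups:
            accounts = {a for t, a in lookups if start <= t < start + window}
            if len(accounts) > max_accounts:
                flagged[src] = len(accounts)
                break
    return flagged


def run_demo():
    """Write the sample events, check the chain, run detection, then show
    that removing a record is detected."""
    path = os.path.join(tempfile.mkdtemp(), "security.log")
    slog = SecurityLog(path)
    for event in SAMPLE_EVENTS:
        slog.record(event)
    slog.close()
    result = {"intact": verify_chain(path), "flagged": detect_account_sweeps(path)}
    with open(path) as fh:
        lines = fh.readlines()
    with open(path, "w") as fh:          # simulate an attacker deleting the 4th record
        fh.writelines(lines[:3] + lines[4:])
    result["after_tamper"] = verify_chain(path)
    return result
```

On the constructed events the chain verifies, the source that touched eight distinct accounts in under a minute is flagged while the ordinary user is not, and after one record is removed verify_chain() reports the record number at which the chain no longer matches.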
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both;">
<span style="font-family: "trebuchet ms" , sans-serif; text-align: center;">Method to Read Local Application Memory:</span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 651px;"><tbody>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255); white-space: nowrap; width: 158px;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">In this attack methodology the data targeted is application-specific memory and the method used is memory-based analysis. The attacker steals sensitive data such as passwords, user IDs and account information held in the application's memory by reading the device memory.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Mobile Specific Threats</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td><td style="background-color: #ebebeb; border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access to account information to perform unauthorized transactions </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Attempt to garner information about the bank's overall security structure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Capturing of credentials associated to the account for use by third party</span></li>
</ol>
</td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Medium</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td><td style="background-color: #ebebeb; border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Through development or forensic tools on the device or using a developer workstation, the system and application memory is reviewed while the application is running to determine how information is stored, communicated and its residual nature.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td><td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">General memory management techniques for the individual platform </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Nullifying variables with confidential data as soon as they are used </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Minimal storage of confidential data while in memory </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">The storage of confidential data in memory in an encrypted format</span></li>
</ol>
</td></tr>
</tbody></table>
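The countermeasures "nullifying variables with confidential data as soon as they are used" and "minimal storage of confidential data while in memory" come down to keeping secrets in a buffer the code can overwrite, and overwriting it the moment the secret has served its purpose. The block below is an added example, not the article's code and not a mobile-platform API; it uses Python, where strings and bytes are immutable and therefore cannot be wiped, to show the pattern with a mutable bytearray and a scope guard that wipes on exit even when an exception is raised. The salt and password values are constructed, and the caveat stands that a managed runtime may still hold transient copies, so this reduces the window rather than eliminating it.

```python
"""Limiting the lifetime of secrets in process memory (added example).

Python str and bytes are immutable, so a password held that way stays in
memory until the allocator reuses it.  Keeping the secret in a bytearray
lets the code overwrite it in place as soon as it has been used.  This
mirrors the "nullify variables with confidential data" and "minimal
storage while in memory" countermeasures; the runtime may still keep
transient copies, so the window is reduced, not eliminated.
"""
import hashlib
import hmac


def wipe(buf: bytearray) -> None:
    """Overwrite a secret in place (zeroing, not reallocating)."""
    buf[:] = bytes(len(buf))


def is_wiped(buf: bytearray) -> bool:
    return not any(buf)


class SecretScope:
    """Context manager that wipes a bytearray secret when the block exits,
    including when it exits through an exception."""

    def __init__(self, secret: bytearray):
        self.secret = secret

    def __enter__(self) -> bytearray:
        return self.secret

    def __exit__(self, *exc) -> bool:
        wipe(self.secret)
        return False


def derive_verifier(password: bytearray, salt: bytes, rounds: int = 50_000) -> str:
    """Derive a password verifier and wipe the password as soon as it is used."""
    try:
        # hashlib accepts any bytes-like object, so no immutable copy is made here
        return hashlib.pbkdf2_hmac("sha256", password, salt, rounds).hex()
    finally:
        wipe(password)


def check_password(entered: bytearray, salt: bytes, stored_verifier: str) -> bool:
    """Typical use: the secret lives only inside the with-block; only the
    derived verifier survives for the comparison."""
    with SecretScope(entered) as pw:
        candidate = derive_verifier(pw, salt)
    return hmac.compare_digest(candidate, stored_verifier)
```

The same discipline applies to session tokens, card numbers and decrypted account data: read them into a mutable buffer, use them, wipe them, and never hold them in an immutable string "just in case".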
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="text-align: center;">Malware on the Device</span><span style="text-align: center;">:</span></span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 651px;"><tbody>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255); white-space: nowrap; width: 158px;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Any program or mobile application which performs suspicious or unauthorized activity. It can be an application which copies real-time data from the user's device and transmits it to a server. This type of program executes in parallel with all the processes running in the background and stays alive, performing malicious activity all the time; e.g. an Olympics app which stole text messages and browsing history. On a jail-broken phone this can include access to the application's memory and buffer overflow threats.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Mobile Specific Threats</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td><td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access to account information to perform unauthorized transactions </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Attempt to garner information about the bank's overall security structure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Capturing of credentials associated to the account for use by third party</span></li>
</ol>
</td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Low</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td><td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Often malware is installed on a device unintentionally, the malware itself being a Trojan or worm embedded in a useful application. Once installed, the application slowly consumes and analyzes other applications on the device. Malware is most often found on jail-broken phones on which applications from outside the App Store have been installed. Malware is usually not a targeted attack but an opportunistic one.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td><td style="border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">The use of managed devices with white-listed applications</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Encrypt Data at Rest on the device</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Encrypt Data in Transit </span></li>
</ol>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3 style="clear: both;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="text-align: center;">Transaction Performed from Non-Localized Location</span><span style="text-align: center;">:</span></span></h3>
<table align="left" border="1" cellpadding="1" cellspacing="1" style="width: 651px;"><tbody>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255); white-space: nowrap; width: 158px;"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Description</span></strong></td><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">An unauthorized user attempts to perform a transaction from a distributed location with the goal of applying a fraudulent action. This may include a single financial transaction or multiple ones.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Category</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Mobile Specific Threats</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Threat Target</span></strong></td><td style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Access to account information to perform unauthorized transactions </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Attempt to garner information about the bank's overall security structure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Denial of service attack against back-end systems</span></li>
</ol>
</td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Risk</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">High</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Attack Techniques</span></strong></td><td style="border-color: rgb(255, 255, 255);"><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">An individual using a stolen device, or performing a transaction from a distributed location (uncharacteristic of the user), is able to perform multiple transactions.</span></td></tr>
<tr><td style="background-color: #bbbbbb; border-color: rgb(255, 255, 255);"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Countermeasures</span></strong></td><td style="background-color: #ebebeb; border-color: rgb(255, 255, 255);"><ol>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Use of geo-location to monitor the location of transactions for a user </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">The mapping of geo-location to potential fraudulent locations </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">The validation of transactions when listed geo-locations are not used</span></li>
</ol>
</td></tr>
</tbody></table>
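<div><span style="font-family: "trebuchet ms" , sans-serif;">The three geo-location countermeasures above, worked through as an added example (this is not code from the original post). It keeps a per-user list of usual locations, a list of locations the fraud team has mapped as suspicious, and returns <b>allow</b>, <b>validate</b> (step-up verification) or <b>deny</b> for each transaction. The users, location codes, coordinates and the 1000 km/h travel limit are constructed placeholders; the impossible-travel check goes a step beyond the post's three bullets by also comparing each transaction against the user's previous one.</span></div>

```python
"""Geo-location checks for transactions: an added example, not code from the original post."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed sample data; users, location codes and coordinates are placeholders.
LISTED_LOCATIONS = {            # locations each user has listed as usual
    "alice": {"CA-Toronto", "CA-Ottawa"},
}
FRAUD_LOCATIONS = {"XX-Fraudville"}   # locations the fraud team has mapped as suspicious
COORDS = {                      # approximate lat/lon per location code
    "CA-Toronto": (43.65, -79.38),
    "CA-Ottawa": (45.42, -75.70),
    "FR-Paris": (48.86, 2.35),
    "XX-Fraudville": (0.0, 0.0),
}
MAX_PLAUSIBLE_KMH = 1000.0      # assumption: faster than this between two transactions is implausible


@dataclass(frozen=True)
class Transaction:
    user: str
    location: str
    when: str                   # ISO-8601 timestamp, e.g. "2016-06-13T12:00:00"


def distance_km(a: str, b: str) -> float:
    """Great-circle distance between two location codes (haversine formula)."""
    lat1, lon1 = map(radians, COORDS[a])
    lat2, lon2 = map(radians, COORDS[b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def decide(tx: Transaction, previous: Optional[Transaction] = None) -> str:
    """Return 'deny', 'validate' (step-up verification needed) or 'allow'."""
    if tx.location in FRAUD_LOCATIONS:
        return "deny"                       # mapped fraudulent location
    if previous is not None and previous.user == tx.user:
        elapsed = datetime.fromisoformat(tx.when) - datetime.fromisoformat(previous.when)
        hours = elapsed.total_seconds() / 3600
        # Impossible travel: the distance since the last transaction exceeds
        # what the elapsed time allows at MAX_PLAUSIBLE_KMH.
        if hours >= 0 and distance_km(previous.location, tx.location) > MAX_PLAUSIBLE_KMH * max(hours, 1e-9):
            return "validate"
    if tx.location not in LISTED_LOCATIONS.get(tx.user, set()):
        return "validate"                   # not one of the user's listed locations
    return "allow"


def decide_sequence(txs) -> list:
    """Decide each transaction in order, using the same user's previous one for the travel check."""
    last = {}
    out = []
    for tx in txs:
        out.append(decide(tx, last.get(tx.user)))
        last[tx.user] = tx
    return out


SAMPLE = [                      # constructed transactions, in time order
    Transaction("alice", "CA-Toronto", "2016-06-13T12:00:00"),
    Transaction("alice", "CA-Ottawa", "2016-06-13T17:00:00"),   # 5 h for ~350 km: plausible
    Transaction("alice", "FR-Paris", "2016-06-13T18:00:00"),    # 1 h for ~5,600 km: not plausible
    Transaction("alice", "XX-Fraudville", "2016-06-14T09:00:00"),
    Transaction("bob", "CA-Toronto", "2016-06-14T09:05:00"),    # bob has listed no locations
]

if __name__ == "__main__":
    for tx, verdict in zip(SAMPLE, decide_sequence(SAMPLE)):
        print(f"{tx.user:<6} {tx.location:<14} {tx.when}  -> {verdict}")
```

<div><span style="font-family: "trebuchet ms" , sans-serif;">In a real deployment the "validate" outcome is where the third countermeasure lands: the transaction is held until the user confirms it out of band, rather than being silently allowed because the credentials were correct.</span></div>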
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Threat Risk Rating:</span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Threats are rated in three categories (Low, Medium and High) based on their DREAD rating. The individual elements associated with this rating are as follows:</span><br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><b>Damage potential</b>: How great is the damage if the vulnerability is exploited?</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><b>Reproducibility</b>: How easy is it to reproduce the attack?</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><b>Exploitability</b>: How easy is it to launch an attack?</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><b>Affected users</b>: As a rough percentage, how many users are affected?</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><b>Discoverability</b>: How easy is it to find the vulnerability?</span></li>
</ul>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table border="0" cellpadding="1" cellspacing="1" style="width: 100%;">
<colgroup>
<col></col>
<col></col>
<col></col>
<col></col>
<col></col>
<col></col>
<col></col>
<col></col>
</colgroup>
<tbody>
<tr style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255); text-align: center;">
<td style="width: 40%;"><div style="text-align: left;">
<strong><span style="font-size: x-small;">Threat</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">D</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">R</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">E</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">A</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">D</span></strong></div>
</td>
<td style="width: 75px;"><div style="text-align: center;">
<strong><span style="font-size: x-small;">Total</span></strong></div>
</td>
<td style="width: 71px;"><div style="text-align: right;">
<strong><span style="font-size: x-small;">Rating</span></strong></div>
</td>
</tr>
<tr>
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Basic Man-in-the-Middle Attack</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">11</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Medium</span></div>
</td>
</tr>
<tr style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);">
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Request Forgery</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">11</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Medium</span></div>
</td>
</tr>
<tr>
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Relying exclusively on client-side validation</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">13</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">High</span></div>
</td>
</tr>
<tr style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);">
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Missing Security Audit Function</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">5</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Low</span></div>
</td>
</tr>
<tr>
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Unsecured Audit Log</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">5</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Low</span></div>
</td>
</tr>
<tr style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);">
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Method aimed to read the local memory</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">8</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Medium</span></div>
</td>
</tr>
<tr>
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Malware on the Device</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">5</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Low</span></div>
</td>
</tr>
<tr style="background-color: rgb(235 , 235 , 235); border-color: rgb(255 , 255 , 255);">
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Malicious App</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">5</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">Low</span></div>
</td>
</tr>
<tr>
<td style="background-color: #bbbbbb;"><strong><span style="font-size: x-small;">Transactions from non-localized location</span></strong></td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">3</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">1</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">2</span></div>
</td>
<td><div style="text-align: center;">
<span style="font-size: x-small;">12</span></div>
</td>
<td><div style="text-align: right;">
<span style="font-size: x-small;">High</span></div>
</td>
</tr>
<tr style="background-color: rgb(187 , 187 , 187); border-color: rgb(255 , 255 , 255);">
<td><strong><span style="font-size: x-small;">Threat</span></strong></td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">D</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">R</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">E</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">A</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">D</span></strong></div>
</td>
<td><div style="text-align: center;">
<strong><span style="font-size: x-small;">Total</span></strong></div>
</td>
<td><div style="text-align: right;">
<strong><span style="font-size: x-small;">Rating</span></strong></div>
</td>
</tr>
</tbody>
</table>
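<div><span style="font-family: "trebuchet ms" , sans-serif;">The DREAD scoring behind the table above, as an added example (not code from the original post). Each element is scored 1 to 3 as in the table; the post does not state the band thresholds, so the cut-offs used here (5-7 Low, 8-11 Medium, 12-15 High) are an assumption, chosen because they are consistent with every row of the table. The rows are transcribed from it.</span></div>

```python
"""DREAD scoring helper: an added example, not code from the original post."""
import math
from dataclasses import dataclass

# Each DREAD element is scored 1 (low) to 3 (high), as in the table above.
MIN_SCORE, MAX_SCORE = 1, 3

# Assumption: the post does not state its band thresholds; these are the
# cut-offs consistent with every row of its table (5 -> Low, 8 and 11 -> Medium, 12 and 13 -> High).
LOW_MAX = 7
MEDIUM_MAX = 11


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range scores so a typo cannot silently shift a rating.
        for name, value in vars(self).items():
            if not MIN_SCORE <= value <= MAX_SCORE:
                raise ValueError(f"{name} must be between {MIN_SCORE} and {MAX_SCORE}, got {value}")

    @property
    def total(self) -> int:
        return sum(vars(self).values())

    @property
    def rating(self) -> str:
        if self.total <= LOW_MAX:
            return "Low"
        if self.total <= MEDIUM_MAX:
            return "Medium"
        return "High"


# Rows transcribed from the post's table, in (D, R, E, A, D) order.
THREATS = {
    "Basic Man-in-the-Middle Attack": Dread(2, 3, 3, 1, 2),
    "Request Forgery": Dread(2, 3, 3, 1, 2),
    "Relying exclusively on client-side validation": Dread(3, 3, 3, 1, 3),
    "Missing Security Audit Function": Dread(1, 1, 1, 1, 1),
    "Unsecured Audit Log": Dread(1, 1, 1, 1, 1),
    "Method aimed to read the local memory": Dread(2, 1, 2, 1, 2),
    "Malware on the Device": Dread(1, 1, 1, 1, 1),
    "Malicious App": Dread(1, 1, 1, 1, 1),
    "Transactions from non-localized location": Dread(3, 3, 3, 1, 2),
}


def rate_all(threats=THREATS) -> list:
    """Return (name, total, rating) rows sorted highest risk first, as a triage order."""
    rows = [(name, d.total, d.rating) for name, d in threats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, total, rating in rate_all():
        print(f"{name:<48} {total:>2}  {rating}")
```

<div><span style="font-family: "trebuchet ms" , sans-serif;">Encoding the thresholds once, rather than hand-assigning each row's rating, is what keeps a threat register consistent when scores are revised later; a single changed element re-derives the band.</span></div>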
<br />
<h2>
References:</h2>
<div>
<a href="https://www.owasp.org/index.php/Application_Threat_Modeling" target="_blank">OWASP: Application threat modeling</a></div>
<div>
<a href="https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492" target="_blank">SANS: Creating a Threat Profile for Your Organization</a><br />
<a href="https://blogs.msdn.microsoft.com/threatmodeling/2007/06/19/threat-profile-and-composite-threat/" target="_blank">Microsoft: Threat Profile and Composite Threat</a><br />
<a href="http://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven%20Approach%20whitepaper.pdf" target="_blank">LockheedMartin: A Threat-Driven Approach to Cyber Security</a><br />
<br />
<br /></div>
<h2>Securing the Internet of Things - Developer's Guidance (2016-06-13)</h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: large;"><strong>The "Internet of Things"</strong></span>, or "IoT" as it's affectionately known, has become one of the most prevalent buzzwords of 2016. Almost everything you touch today is somehow associated with it. Everything from smart thermostats, security systems, refrigerators and baby monitors in your home, to fitness bracelets and watches on your wrist, is connected to the Internet now. From clothing that uses coloured LEDs to reflect your mood, to children's educational toys, all have connectivity to "enhance your life experiences".</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>With the race to bring new products</strong> to this evolving market, issues of both Security and Privacy are raised for consumers. At the low end of the spectrum, an attached<a href="https://nakedsecurity.sophos.com/2016/01/27/iot-doorbell-gave-up-wi-fi-passwords-to-anybody-with-a-screwdriver/" target="_blank"> IoT device could expose your WiFi configuration.</a> At the high end of the spectrum, your personal banking and health information could be exposed. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>Depending on who you listen to</strong>, the analysts are saying that there will be between 25 and 30 BILLION Internet-connected devices by the year 2020... <strong>just a short 4 years from now</strong>. <span style="font-size: x-small;">(</span><a href="http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html" target="_blank"><span style="font-size: x-small;">Cisco says 50 Billion!)</span></a></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitv4Kb-tLLCINteiBO7hIG9Ann8_9FvlWr0-uYkmDAPmbjxyefdvQzz3awJdSwDxAZw8BWxj2TzCk4K7dzgAOiNjv5jSn4Qo_XnrJKcAbJHqWHsHPSidvpezkAV2M86ovIIvdZCn1rTS94/s1600/1300x473_HPE_IoT_Chart_02-1024x373.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "trebuchet ms" , sans-serif;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitv4Kb-tLLCINteiBO7hIG9Ann8_9FvlWr0-uYkmDAPmbjxyefdvQzz3awJdSwDxAZw8BWxj2TzCk4K7dzgAOiNjv5jSn4Qo_XnrJKcAbJHqWHsHPSidvpezkAV2M86ovIIvdZCn1rTS94/s400/1300x473_HPE_IoT_Chart_02-1024x373.jpg" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://hpe-enterpriseforward.com/eiu-securing-iot/"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">http://hpe-enterpriseforward.com/eiu-securing-iot/</span></a></td></tr>
</tbody></table>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<strong><span style="color: red; font-family: "trebuchet ms" , sans-serif; font-size: large;">Each one of these devices is a potential </span></strong></div>
<div style="text-align: center;">
<strong><span style="color: red; font-family: "trebuchet ms" , sans-serif; font-size: large;">Security or Privacy liability.</span></strong></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><strong><span style="font-size: large;"></span></strong><br /></span>
<br />
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;"><span style="font-size: small;"><a href="https://www.capgemini-consulting.com/resource-file-access/resource/pdf/securing_the_internet_of_things.pdf" target="_blank"><strong>Management consultant Capgemini</strong></a><strong> </strong></span><span style="font-size: small;"><strong>found</strong>:</span></span></div>
<ul>
<li><div style="text-align: left;">
<span style="font-size: large;"><span style="font-family: "trebuchet ms" , sans-serif; font-size: small;"><b>only 33% of organizations</b> believe their IoT products are “highly resilient” against any future cyber security threats, </span></span></div>
</li>
<li><div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;"><span style="font-size: small;"><b>48% of companies</b> </span><a href="http://searchcio.techtarget.com/photostory/4500253975/Top-Internet-of-Things-privacy-and-security-concerns/1/The-IoT-security-and-privacy-debate"><span style="font-size: small;">focus on securing their IoT products</span></a><span style="font-size: small;"> from the beginning of the product development phase.</span></span></div>
</li>
</ul>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"> <a href="http://hpe-enterpriseforward.com/eiu-securing-iot/" target="_blank"><strong>Hewlett Packard Enterprise Security goes even further:</strong></a></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ9SE5yt_IH3gMSmrXnzfWRSTvdmcE3Kkd-n6VjGJNQlxOdTt4izjVZ6Na4_tDFwFmrJTb6IIeYmJzH99xyszXrxOFqoJCHa6VTf8NBnaB-y0aZencgjNa949uTwoqq4TP_XOZGNVLQRoJ/s1600/1300x510_HPE_IoT_Chart_03-1024x402.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "trebuchet ms" , sans-serif;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ9SE5yt_IH3gMSmrXnzfWRSTvdmcE3Kkd-n6VjGJNQlxOdTt4izjVZ6Na4_tDFwFmrJTb6IIeYmJzH99xyszXrxOFqoJCHa6VTf8NBnaB-y0aZencgjNa949uTwoqq4TP_XOZGNVLQRoJ/s400/1300x510_HPE_IoT_Chart_03-1024x402.jpg" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://hpe-enterpriseforward.com/eiu-securing-iot/"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">http://hpe-enterpriseforward.com/eiu-securing-iot/</span></a></td></tr>
</tbody></table>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: left;">
<h2 style="border-image: none;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijaYOcEEdio7Vv-36mm5ptK40owimZR_JqYY8v0Hsfkinu9idlwr1of0JjgHWl6H_CaYOHdcIH9G3YteTyrqWfXOI6DQ4AY73RV-ljZcNhfazjE0WjQMvyZ5_bUjtoEcn7P3epeqlhe6UV/s1600/barbie.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="color: black; font-family: "trebuchet ms" , sans-serif;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijaYOcEEdio7Vv-36mm5ptK40owimZR_JqYY8v0Hsfkinu9idlwr1of0JjgHWl6H_CaYOHdcIH9G3YteTyrqWfXOI6DQ4AY73RV-ljZcNhfazjE0WjQMvyZ5_bUjtoEcn7P3epeqlhe6UV/s200/barbie.png" width="200" /></span></a><span style="font-family: "trebuchet ms" , sans-serif;">In the past year, we have seen:</span></h2>
<ul style="border-image: none;">
<li><a href="http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Baby Monitors that share their video publicly over the Internet</span></a></li>
<li><a href="http://arstechnica.co.uk/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Police Body Cameras that come preinstalled with Conficker malware</span></a></li>
<li><a href="https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Interactive Barbie Dolls that can be used to spy on children</span></a></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;"><a href="http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html" target="_blank">Smart Thermostat that can be hacked for surveillance in just 15 seconds</a> </span></li>
<li><a href="http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">IoT doorbell can reveal your Wi-Fi key</span></a></li>
<li><div style="border-image: none;">
<a href="https://www.wired.com/2014/04/hospital-equipment-vulnerable/" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">How insanely easy it is to exploit hospital equipment</span></a></div>
</li>
<li><div style="border-image: none;">
<a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">The hack of the Ukraine Power Grid</span></a></div>
</li>
<li><div style="border-image: none;">
<a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/" target="_blank"><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">A Jeep remotely disabled on the highway</span></a></div>
</li>
</ul>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXDpcmjuUZCPgHNucMRiQkHfb8e_WKXWlvMHZmr8jWQbNs20OEOxi0wfNtI3kyaWTuouU1BvD0D5kqQXySAR77K_ukiVAPuoVxNzj07PZRlV7_Hcoc_PLYlr975SrFsJkg7igkH4rLY9FU/s1600/iot-timeline.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "trebuchet ms" , sans-serif;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXDpcmjuUZCPgHNucMRiQkHfb8e_WKXWlvMHZmr8jWQbNs20OEOxi0wfNtI3kyaWTuouU1BvD0D5kqQXySAR77K_ukiVAPuoVxNzj07PZRlV7_Hcoc_PLYlr975SrFsJkg7igkH4rLY9FU/s400/iot-timeline.PNG" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/C11-735871.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">Cisco: IoT Security Timeline</span></a></td></tr>
</tbody></table>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Who are these "Malicious People" and why do they want to wreak havoc with our Inventions?</span></h2>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /><b>IoT devices and systems</b> are typically remote sensors or controls involved in managing a process of some sort. Whether it is collecting weather information for crop management, sensor data for proper maintenance of an automobile, temperature and humidity information for building climate control, or bio-sensor readings for monitoring a patient's health, IoT devices manage a large amount of critical information: information that could potentially be considered Private and/or Confidential in nature. </span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUjOgwRy0iAgGCpLfzRV1hPUsylgtpwj0ts4i0qBswqA7ptvPcQMP_8lC7uoSgPMIpwek-VTsN4PW_ZA2Hq0I06c4Oqj-kRY02d19ERIimOeQkawyqRw9JmHarOY9jb6tXQOjp6kxgSuqB/s1600/IMG_20140427_090932.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "trebuchet ms" , sans-serif;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUjOgwRy0iAgGCpLfzRV1hPUsylgtpwj0ts4i0qBswqA7ptvPcQMP_8lC7uoSgPMIpwek-VTsN4PW_ZA2Hq0I06c4Oqj-kRY02d19ERIimOeQkawyqRw9JmHarOY9jb6tXQOjp6kxgSuqB/s320/IMG_20140427_090932.jpg" width="217" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://arduino-pi.blogspot.ca/2014/04/penguinbot-self-defence-or-how-to-arm.html" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">IoT PenguinBot</span></a></td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>By the remote nature of these devices</b>, they are also typically designed to be "low cost" and "low energy" battery operated systems. Function and performance are the critical design success factors, while Security has not played a significant development role to date. <b><a href="https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable" target="_blank">MOST current IoT devices are readily exploitable through several means. </a></b></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Oh, and did I mention</b> that most IoT devices are connected (and trusted) in some way to logging, monitoring, and analysis tools deep within the corporate infrastructure? Find a kink in this light armour, and you can sail right past the corporate security systems in place.<br /><br /><b>What type of attacker</b> is interested in exploiting IoT devices? We are finding that the IoT Threat Landscape is quite varied. Everyone from cybercriminals to government entities, hacktivists, and even insiders have shown up to the game. It's apparently hard to resist the low hanging fruit of an easily exploitable system, that could lead directly into the corporate infrastructure. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b>From stealing sensitive data</b> by hacking IoT devices, to facilitating denial of service against a third-party entity, there are plenty of reasons and opportunities to exploit a connected Internet of Things device.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /> </span></div>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">
So, as developers, what are we to do? </span></h2>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>How can we ensure</strong> that our products are secure from the beginning? What aids do we have to guide us in creating a more secure, more private consumer product? </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>I'm glad you asked!</strong> There are many initiatives currently underway to define the obstacles and opportunities in creating a secure Internet of Things ecosystem, but there ARE some guidelines that you can follow.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>First, from Cyber Security company</strong> <a href="https://www.iamthecavalry.org/" target="_blank">I am the Cavalry</a>, here is a snippet of sage advice:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="color: blue; font-family: "trebuchet ms" , sans-serif; font-size: large;"><b>Security:</b></span><br />
<br />
<ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;"><b>Secure by Default</b></span></li>
<ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">No default passwords shared between devices, or weak out of the box passwords.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">All passwords should be randomly created using a high quality random password generator.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Advanced features used by a small percentage of users should be turned off by default (VPN, Remote Administration, etc.).</span></li>
</ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;"><b>Secure by Design</b></span></li>
<ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Firmware should be locked down so serial access is not available.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Secure Ethernet (SE) or Trusted Protection Modules (TPM) devices should be used to protect access to the firmware and hardware.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.</span></li>
<li><span style="color: blue;"><span style="font-family: "trebuchet ms" , sans-serif;">NAND or other memory/storage mediums should be protected with epoxy, ball sockets (so the memory cannot be removedand dumped), or other methods to prevent physical attack.</span><span style="font-family: "trebuchet ms" , sans-serif;"> </span></span></li>
</ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;"><b>Self Contained Security</b></span></li>
<ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised, and still maintain protection methods. This can be done with prompts to the user to accept handshakes between devices trying to access other devices on their networks.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Communication between devices should be encrypted to prevent MiTM attacks and sniffing/snooping.</span></li>
</ol>
</ol>
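<div><span style="font-family: "trebuchet ms" , sans-serif;">The "Secure by Default" points above, turned into a provisioning routine as an added example (this is not code from I am the Cavalry or from the original post). Each device gets its own credential from the operating system's CSPRNG instead of a shared factory default, advanced features ship disabled, and an audit function catches a batch that violates either rule. The feature names, the 20-character length and the 80-bit minimum are assumptions for the example.</span></div>

```python
"""Secure-by-default device provisioning: an added example, not from I am the Cavalry or the post."""
import math
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 20          # assumption: 20 chars over 62 symbols is ~119 bits
MIN_BITS = 80                 # assumption: minimum entropy for a generated credential

# Advanced features ship disabled; the user opts in. Feature names are assumed.
DEFAULT_FEATURES = {"vpn": False, "remote_admin": False, "telnet": False, "upnp": False}


@dataclass
class DeviceConfig:
    serial: str
    admin_password: str
    features: dict = field(default_factory=lambda: dict(DEFAULT_FEATURES))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Per-device credential drawn from the OS CSPRNG (secrets), never a shared default."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(serial: str) -> DeviceConfig:
    """Build the out-of-the-box configuration for one device."""
    return DeviceConfig(serial=serial, admin_password=generate_password())


def password_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a password of this length IF it was drawn uniformly from the alphabet.

    This is an upper bound: a human-chosen or factory default such as "admin"
    scores far below MIN_BITS even by this generous measure.
    """
    return len(password) * math.log2(len(alphabet))


def audit(configs: list) -> list:
    """Return a list of secure-by-default violations across a batch of provisioned devices."""
    problems = []
    first_seen = {}             # password -> serial that first used it
    for cfg in configs:
        if cfg.admin_password in first_seen:
            problems.append(f"{cfg.serial}: password shared with {first_seen[cfg.admin_password]}")
        first_seen.setdefault(cfg.admin_password, cfg.serial)
        if password_bits(cfg.admin_password) < MIN_BITS:
            problems.append(f"{cfg.serial}: password below {MIN_BITS} bits")
        enabled = [name for name, on in cfg.features.items() if on]
        if enabled:
            problems.append(f"{cfg.serial}: advanced features enabled by default: {', '.join(enabled)}")
    return problems


if __name__ == "__main__":
    batch = [provision(f"SN-{i:04d}") for i in range(3)]
    for cfg in batch:
        print(cfg.serial, cfg.admin_password, cfg.features)
    print("violations:", audit(batch) or "none")
```

<div><span style="font-family: "trebuchet ms" , sans-serif;">The audit is the part worth wiring into a manufacturing line: a shared credential or a feature left on is a data problem that is easy to test for before the units ship and very hard to fix afterwards.</span></div>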
<div>
<span style="color: blue; font-family: "trebuchet ms" , sans-serif; font-size: large;"><b>Privacy:</b></span></div>
<div>
<ol>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Consumer PII not shared with manufacturers or partners.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Usage data on an individual consumer is never shared with partners or advertisers.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven to not be traceable back to an individual consumer.</span></li>
<li><span style="color: blue; font-family: "trebuchet ms" , sans-serif;">Data collection policy, type of data collected and usage of data is clearly documented on site.</span></li>
</ol>
</div>
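<div><span style="font-family: "trebuchet ms" , sans-serif;">The privacy point about "buckets of users", as an added example (not code from I am the Cavalry or the original post): usage records are aggregated by region and model, the direct device identifier never reaches the output, and any bucket with fewer than <i>k</i> devices is suppressed because a single consumer could be picked out of it. The records, the grouping keys and <i>k</i> = 5 are constructed assumptions.</span></div>

```python
"""Bucketed usage reporting with a minimum-group-size check: an added example, not from the post."""
from collections import defaultdict

K = 5  # assumption: the smallest bucket we are willing to publish

# Constructed per-device usage records; device_id is the direct identifier.
RECORDS = [
    {"device_id": f"dev-{i}", "region": "east", "model": "T100", "daily_uses": 3 + i % 4}
    for i in range(12)
] + [
    {"device_id": f"dev-{100 + i}", "region": "north", "model": "T200", "daily_uses": 10}
    for i in range(2)
]


def aggregate(records, keys=("region", "model"), k=K) -> list:
    """Group records by quasi-identifiers and keep only buckets with at least k devices.

    Small buckets are dropped rather than published with a count, since a
    bucket of two "north/T200" devices identifies both owners' usage. The
    direct identifier is never copied into the report.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[tuple(r[key] for key in keys)].append(r["daily_uses"])
    report = []
    for group, uses in sorted(buckets.items()):
        if len(uses) < k:
            continue                         # suppressed: too few devices to hide an individual
        row = dict(zip(keys, group))
        row["devices"] = len(uses)
        row["avg_daily_uses"] = round(sum(uses) / len(uses), 2)
        report.append(row)
    return report


def is_k_anonymous(report, k=K) -> bool:
    """Check a published report: every bucket must contain at least k devices."""
    return all(row["devices"] >= k for row in report)


if __name__ == "__main__":
    for row in aggregate(RECORDS):
        print(row)
    print("k-anonymous:", is_k_anonymous(aggregate(RECORDS)))
```

<div><span style="font-family: "trebuchet ms" , sans-serif;">Suppressing small buckets is the simplest way to make the "not traceable back to an individual" claim testable; the same check can run as a release gate on every report before it leaves the analytics pipeline.</span></div>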
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>As well, I am the Cavalry has published </b>the </span><span style="font-family: "trebuchet ms" , sans-serif; font-size: small; line-height: 20.8px;"><a href="https://www.iamthecavalry.org/domains/automotive/5star/" style="line-height: 20.8px;" target="_blank">Five Star Automotive Cyber Safety Program</a>, with the purpose of bringing the industry together to standardize on a security framework for connected devices.</span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="line-height: 20.8px;"><br /></span></span>
<br />
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>At the same time</strong>, an organization called <a href="http://owasp.org/" target="_blank">OWASP, or </a><a href="http://owasp.org/" target="_blank">The Open Web Application Security Project</a>, has created a <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project" target="_blank">project specifically around Security for the Internet of Things</a>.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>According to their website:</strong> </span></div>
<blockquote class="tr_bq">
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The OWASP Internet of Things Project provides information on: </span></div>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/IoT_Attack_Surface_Areas" target="_blank"> IoT Attack Surface Areas </a></span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">IoT Vulnerabilities </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Firmware Analysis </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">ICS/SCADA Software Weaknesses </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Community Information </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/IoT_Testing_Guides">IoT Testing Guides</a> </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/IoT_Security_Guidance">IoT Security Guidance</a> </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/Principles_of_IoT_Security">Principles of IoT Security</a> </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/IoT_Framework_Assessment">IoT Framework Assessment</a> </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Developer, Consumer and Manufacturer Guidance </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Design Principles</span></li>
</ul>
</blockquote>
<div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong><br /></strong></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><strong>Of interest in this discussion</strong> is the topic of "IoT Attack Surface Areas". Each one of these boxes identifies specific threat vectors to IoT product development, as well as guidance and recommendations on remediating these concerns early in the development cycle.</span></div>
<div>
</div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"></span><span style="font-family: "trebuchet ms" , sans-serif; text-align: center;"></span></div>
<div style="text-align: center;">
<a href="https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: large;">IoT Attack Surface Areas</span></a></div>
<div style="text-align: center;">
<center>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; text-align: center; width: 503px;">
<colgroup><col style="mso-width-alt: 4278; mso-width-source: userset; width: 88pt;" width="117"></col>
<col style="mso-width-alt: 4827; mso-width-source: userset; width: 99pt;" width="132"></col>
<col span="2" style="mso-width-alt: 4644; mso-width-source: userset; width: 95pt;" width="127"></col>
</colgroup><tbody>
<tr height="64" style="height: 48pt; mso-height-source: userset;">
<td height="64" style="background-color: #2f75b5; border-image: none; border: 0px black; height: 48pt; width: 88pt;" width="117"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Ecosystem Access Control</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 99pt;" width="132"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Device<br />
Memory</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Device Physical<br />
Interfaces</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Device Web<br />
Interface</span></strong></td>
</tr>
<tr height="64" style="height: 48pt; mso-height-source: userset;">
<td height="64" style="background-color: #2f75b5; border-image: none; border: 0px black; height: 48pt; width: 88pt;" width="117"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Device<br />
Firmware</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 99pt;" width="132"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Device Network<br />
Services</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Administrative<br />
Interface</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Local<br />
Data Store</span></strong></td>
</tr>
<tr height="64" style="height: 48pt; mso-height-source: userset;">
<td height="64" style="background-color: #2f75b5; border-image: none; border: 0px black; height: 48pt; width: 88pt;" width="117"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Cloud
Web<br />
Interface</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 99pt;" width="132"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Ecosystem<br />
Communications</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Vendor Backend<br />
APIs</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Third Party<br />
Backend API's</span></strong></td>
</tr>
<tr height="64" style="height: 48pt; mso-height-source: userset;">
<td height="64" style="background-color: #2f75b5; border-image: none; border: 0px black; height: 48pt; width: 88pt;" width="117"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Update<br />
Mechanism</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 99pt;" width="132"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Mobile<br />
Application</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black; width: 95pt;" width="127"><strong><span style="font-family: "trebuchet ms" , sans-serif;">Network<br />
Traffic</span></strong></td>
<td style="background-color: #2f75b5; border-image: none; border: 0px black;"></td>
</tr>
</tbody></table>
</center>
</div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span><span style="font-family: "trebuchet ms" , sans-serif; text-align: center;"> </span><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-large; text-align: center;"><span style="font-family: "helvetica";">IoT Security !=</span><span style="color: #c92606; font-family: "helvetica";"><span style="color: #c92606; font-family: "helvetica";"><span style="color: #c92606; font-family: "helvetica";"> </span></span></span><span style="font-family: "helvetica";"><span style="font-family: "helvetica";">Device Security</span></span></span></div>
</div>
</div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b></b><br /></span>
<br />
<div>
</div>
<div>
<a href="https://www.owasp.org/index.php/IoT_Attack_Surface_Areas" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">The OWASP IoT Attack Surface Areas are as follows:</span></a></div>
<div>
<table border="1" class="wikitable" style="text-align: left;"><tbody>
<tr><th><span style="font-family: "trebuchet ms" , sans-serif;">Attack Surface </span></th><th><span style="font-family: "trebuchet ms" , sans-serif;">Vulnerability </span></th></tr>
<tr><td><b><span style="font-family: "trebuchet ms" , sans-serif;">Ecosystem Access Control</span></b></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Implicit trust between components </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Enrollment security </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Decommissioning system </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Lost access procedures </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Device Memory</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cleartext usernames </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cleartext passwords </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Third-party credentials </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Encryption keys </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Device Physical Interfaces</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Firmware extraction </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> User CLI </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Admin CLI </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Privilege escalation </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Reset to insecure state </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Removal of storage media </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Device Web Interface</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> SQL injection </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site scripting </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site Request Forgery </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Username enumeration </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak passwords </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Account lockout </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Known default credentials </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Device Firmware</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Hardcoded credentials </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Sensitive information disclosure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Sensitive URL disclosure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Encryption keys </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Firmware version display and/or last update date </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Device Network Services</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Information disclosure </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> User CLI </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Administrative CLI </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Injection </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Denial of Service </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Unencrypted Services </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Poorly implemented encryption </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Test/Development Services </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Buffer Overflow </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> UPnP </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Vulnerable UDP Services </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> DoS </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Administrative Interface</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> SQL injection </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site scripting </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site Request Forgery </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Username enumeration </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak passwords </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Account lockout </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Known default credentials </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Security/encryption options </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Logging options </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Two-factor authentication </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Inability to wipe device </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Local Data Storage</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Unencrypted data </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Data encrypted with discovered keys </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Lack of data integrity checks </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Cloud Web Interface</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> SQL injection </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site scripting </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Cross-site Request Forgery </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Username enumeration </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak passwords </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Account lockout </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Known default credentials </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Transport encryption </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Insecure password recovery mechanism </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Two-factor authentication </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Third-party Backend APIs</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Unencrypted PII sent </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Encrypted PII sent </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Device information leaked </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Location leaked </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Update Mechanism</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Update sent without encryption </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Updates not signed </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Update location writable </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Update verification </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Malicious update </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Missing update mechanism </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> No manual update mechanism </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Mobile Application</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Implicitly trusted by device or cloud </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Username enumeration </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Account lockout </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Known default credentials </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak passwords </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Insecure data storage </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Transport encryption </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Insecure password recovery mechanism </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Two-factor authentication </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Vendor Backend APIs</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Inherent trust of cloud or mobile application </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak authentication </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Weak access controls </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Injection attacks </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Ecosystem Communication</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Health checks </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Heartbeats </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Ecosystem commands </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Deprovisioning </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Pushing updates </span></li>
</ul>
</td></tr>
<tr><td><span style="font-family: "trebuchet ms" , sans-serif;"><b>Network Traffic</b> </span></td><td><ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> LAN </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> LAN to Internet </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Short range </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;"> Non-standard </span></li>
</ul>
</td></tr>
</tbody></table>
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><b>As stated earlier,</b> this is starting guidance on what to look for when building out your Internet of Things Security Framework. For further ideas and guidance, please read the references below. </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: large;"><b>Good luck, and happy coding.</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<a href="https://www.icsalabs.com/sites/default/files/2015-11-02_FS16579%20a%20ICSA_Securing_IoT.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif;">Verizon Security whitepaper: Securing the Internet of Things</span></a><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
</div>
<div>
</div>
<div>
</div>
<br />
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">
Resources:</span></h2>
<a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project" style="font-family: "Trebuchet MS", sans-serif; font-size: x-small;" target="_blank">OWASP: Top 10 IoT Security Issues</a><br />
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="https://www.owasp.org/images/8/8e/Infographic-v1.jpg" target="_blank">OWASP Top Ten IoT Security - Infographic</a> </span><br />
<span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="https://www.owasp.org/index.php/IoT_Security_Guidance" target="_blank">OWASP: IoT Security Guidance</a></span><br />
<span style="font-size: xx-small;"><a href="https://www.rsaconference.com/writable/presentations/file_upload/asd-t10-securing-the-internet-of-things-mapping-iot-attack-surface-areas-with-the-owasp-iot-top-10-project.pdf" target="_blank">RSA Conf: Mapping the IoT Attach Surface Areas</a></span><br />
<a href="http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">ARSTechnica: “Internet of Things” security is hilariously broken and getting worse</span></a><br />
<a href="http://arstechnica.co.uk/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">ARSTechnica: Police body cams found pre-installed with notorious Conficker worm</span></a><br />
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="https://www.arm.com/markets/internet-of-things-iot.php" target="_blank">ARM.COM: From Sensor to Server, ARM drives the Internet of Things</a> </span><br />
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="http://www.ti.com/ww/en/internet_of_things/pdf/14-09-17-IoTforCap.pdf" target="_blank">Texas Instruments: Internet of Things - Opportunities and Challenges</a> </span><br />
<a href="https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">DEFCON 23: IoT Attack Surface Mapping</span></a><br />
<a href="http://hpe-enterpriseforward.com/eiu-securing-iot/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">HPE: Securing the IoT </span></a><br />
<a href="https://www.capgemini-consulting.com/resource-file-access/resource/pdf/securing_the_internet_of_things.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">Capgemini: Securing the Internet of Things</span></a><br />
<a href="http://www.theglobeandmail.com/technology/internet-of-things-a-playground-for-hackers/article24953037/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">Globe and Mail: Internet of Things a playground for hackers </span></a><br />
<a href="http://www.theglobeandmail.com/report-on-business/rob-commentary/how-we-can-maintain-privacy-in-the-era-of-the-internet-of-things/article24700062/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">Globe and Mail: The Future is Smart - Why privacy must be baked into the Internet of Things </span></a><br />
<span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="https://www.iamthecavalry.org/" target="_blank">https://www.iamthecavalry.org/</a></span><br />
<a href="https://www.iamthecavalry.org/domains/automotive/5star/" target="_blank"><span style="font-size: xx-small;">IamtheCavalry: Five Star Automotive Cyber Safety Program</span></a><br />
<a href="https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children</span></a><br />
<a href="http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html</span></a><br />
<a href="https://www.exploitee.rs/index.php/Exploiting_Nest_Thermostats"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">https://www.exploitee.rs/index.php/Exploiting_Nest_Thermostats</span></a><br />
<a href="http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/</span></a><br />
<a href="http://www.embedded.com/design/safety-and-security/4440943/2/Security-framework-for-IoT-devices" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">Embedded: Security framework for IoT devices</span></a><br />
<a href="http://www.hldataprotection.com/2015/09/articles/consumer-privacy/nist-releases-draft-framework-on-the-internet-of-things/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">NIST Releases Draft Framework on the Internet of Things </span></a><br />
<a href="https://otalliance.org/system/files/files/resource/documents/iot_trust_frameworkv1.pdf" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">Online Trust Alliance: IoT Trust Framework</span></a><br />
<a href="https://www.wolfssl.com/wolfSSL/Home.html" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">WolfSSL: Embedded SSL Library for Applications, Devices, IoT, and the Cloud</span></a><br />
<a href="http://www.bankingexchange.com/news-feed/item/5770-5-hacks-into-your-internet-of-things-devices" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">http://www.bankingexchange.com/news-feed/item/5770-5-hacks-into-your-internet-of-things-devices</span></a><br />
<a href="https://www.helpnetsecurity.com/2016/05/09/internet-of-fail/" target="_blank"><span style="color: black; font-family: "trebuchet ms" , sans-serif; font-size: xx-small;">https://www.helpnetsecurity.com/2016/05/09/internet-of-fail/</span></a><br />
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><a href="http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/C11-735871.pdf" target="_blank">Cisco: IoT Threat Environment</a></span><br />
<span style="font-size: xx-small;"><a href="https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable" target="_blank">https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable</a></span><br />
<span style="font-size: xx-small;"><a href="http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/" target="_blank">http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/</a></span><br />
<div>
</div>
<div>
</div>
<div>
</div>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
</div>
</div>
</div>
<h2>
CSIRT: Classifying the Severity of a Breach</h2>
<span style="font-size: x-small;"><i>Posted 2016-05-17, Toronto, ON, Canada</i></span><br />
<b>We are all aware</b> of the need and value of <a href="https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846" target="_blank">Classifying our Corporate Data</a>. We all have embedded Information Classification into our <a href="https://www.sans.org/reading-room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company-1564" target="_blank">Security Policy Framework</a>, and many of us have even gone through the exercise of tagging and classifying our data. <i>(Read that last sentence as "<a href="http://www.computerweekly.com/news/4500256309/Lack-of-data-classification-very-costly-to-firms-says-survey" target="_blank">a vast majority of us have either not started or not completed this daunting exercise</a>")</i>.<br />
<br />
<br />
<div style="text-align: center;">
<b>One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach. </b></div>
<br />
<b>I was asked recently</b> to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels for Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.<br />
<b><br /></b>
<b>I was told to constrain</b> my scope to a High, Medium, Low classification model.<br />
<div style="text-align: center;">
<br /></div>
<b>Using their own</b> Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.<br />
<br />
<br />
<div style="text-align: center;">
<i>Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.</i></div>
<br />
<br />
<hr />
<br />
<h2>
Information Security Breach Impact Classification</h2>
<span style="font-family: "calibri"; font-size: 14.6667px;"><b>ABSTRACT: </b></span><br />
<span style="font-family: "calibri"; font-size: 14.6667px;">This document, based upon <company></company>'s Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in communicating your breach, as well as in determining requirements and constraints for acquiring <a href="https://www.dhs.gov/cybersecurity-insurance" target="_blank">CyberSecurity Insurance</a>.</span><br />
<br />
<span style="font-family: "calibri"; font-size: 12pt;"><b>Significance of Breach</b>:</span><br />
<ul style="font-family: Calibri; font-size: 12.0pt; margin-left: .75in;">
<li>High Level Breaches</li>
<li>Medium Level Breaches</li>
<li>Low Level Breaches</li>
</ul>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
<span style="font-size: 11pt;">A </span><span style="font-size: 11pt; font-weight: bold;">High level Breach</span><span style="font-size: 11pt;"> would be considered any breach that exposed PII, PCI, PHI, or </span><span style="font-size: 11pt; font-weight: bold;">Corporate Restricted Information</span><span style="font-size: 11pt;"> pertaining to either </span><span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span><span style="font-size: 11pt;"> or its Partners/Clients/Vendors.</span></div>
<div style="font-family: Cambria; font-size: 8.0pt; margin-left: .75in; margin: 0in;">
<span style="font-weight: bold;">RESTRICTED </span></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<br /></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
The ‘RESTRICTED’ classification is assigned to data that, if
corrupted, disclosed without authority or lost, might result in a critical loss
to <span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span>. </div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<span style="font-style: italic;"><b>Example</b>: </span></div>
<div style="font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
<span style="font-style: italic;">‘RESTRICTED’ information includes, but is not limited to, personally identifiable information (PII), employees’ medical history, credit card information, bank account information, and encryption keys and passwords.</span></div>
<div style="font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
A <span style="font-weight: bold;">Medium level Breach</span> would be considered any breach that exposed <span style="font-weight: bold;">Corporate Confidential Information</span>, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either <span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span><span style="font-size: 11pt;"> or its Partners/Clients/Vendors.</span></div>
<div style="font-family: Cambria; font-size: 8.0pt; margin-left: .75in; margin: 0in;">
<span style="font-weight: bold;">Confidential </span></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<br /></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to <span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span><span style="font-size: 8pt;">.</span></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<span style="font-style: italic;"><b>Example</b>: </span></div>
<div style="font-family: Arial; font-size: 8pt; margin-bottom: 8pt; margin-left: 0.75in; margin-top: 0pt;">
<span style="font-style: italic;">‘CONFIDENTIAL’
information includes confidential business proposals, customer information, HR
information such as employment contracts and compensation, and general
financial data.</span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
A <span style="font-weight: bold;">Low level Breach</span> would be considered any breach that either exposes no data, or only <span style="font-weight: bold;">Corporate Internal Information</span>. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either <span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span><span style="font-size: 11pt;"> or its Partners/Clients/Vendors.</span></div>
<div style="font-family: Cambria; font-size: 8.0pt; margin-left: .75in; margin: 0in;">
<span style="font-weight: bold;">Internal </span></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<br /></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
The ‘INTERNAL’ classification is used to denote information that may be shared within <span style="font-family: 'Times New Roman'; font-size: small;"><company></company></span><span style="font-size: 8pt;"> but is restricted from general release to the public.</span></div>
<div style="font-family: Arial; font-size: 8pt; margin: 0in 0in 0in 0.75in;">
<span style="font-style: italic;"><b>Example</b>: </span></div>
<div style="font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
<span style="font-style: italic;">Examples of ‘INTERNAL’ information include training manuals, procedures, and communications to all employees.</span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-left: .375in; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-bottom: 8pt; margin-left: .375in; margin-top: 0pt;">
<span style="font-weight: bold;">Definitions:</span></div>
<div lang="en-CA" style="color: #222222; font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
<span style="font-weight: bold;">Personally
Identifiable Information</span> (<span style="font-weight: bold;">PII</span>), or
Sensitive Personal Information (SPI), as used in Canadian, US, and European
privacy law and information security, is information that can be used on its
own or with other information to identify, contact, or locate a single person,
or to identify an individual in context.</div>
<div lang="en-CA" style="color: #222222; font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
The <span style="font-weight: bold;">Payment
Card Industry</span> <span style="font-weight: bold;">(PCI)</span> Data Security
Standard (PCI DSS) is a proprietary <span style="font-weight: bold;">information</span>
security standard for organizations that handle branded credit <span style="font-weight: bold;">cards</span> from the major <span style="font-weight: bold;">card</span> schemes including Visa, MasterCard, American Express,
Discover, and JCB.</div>
<br />
<div style="font-family: Arial; font-size: 8.0pt; margin-bottom: 8pt; margin-left: .75in; margin-top: 0pt;">
<span lang="en-CA" style="color: #222222; font-weight: bold;">Protected Health Information</span><span lang="en-CA" style="color: #222222;"> (</span><span lang="en-CA" style="color: #222222; font-weight: bold;">PHI</span><span lang="en-CA" style="color: #222222;">) </span><span lang="en-US">generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.</span></div>
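<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin-left: .375in;">
The model above is easy to apply by hand to one breach, but a CSIRT usually records several affected data sets per incident and wants the rating derived the same way every time. The Python below is an added example written for this article, not code from the original post or from the client's policy: it takes the classification labels of the data an incident exposed and returns the High/Medium/Low rating together with the assets that drove it, so the reason can be quoted in the incident record and the breach communication. The ExposedAsset record shape, the PUBLIC label, and the fail-closed treatment of data carrying no recognised label are assumptions added here; the mapping itself follows the post.
</div>

```python
"""Breach impact triage using the High / Medium / Low model from the post.

Added example, not code from the original post. It encodes the post's rules:
  - Restricted data, PII, PCI or PHI exposed        -> High
  - Confidential data exposed (and nothing above)   -> Medium
  - Internal data or no data exposed                -> Low
The ExposedAsset record shape, the PUBLIC label and the fail-closed handling
of unknown labels are assumptions added here, not part of the post's model.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Tuple


class Severity(IntEnum):
    """Ordered so that max() over the exposed assets yields the worst case."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Classification labels from the post mapped to breach severity. PII, PCI and
# PHI sit with RESTRICTED because the post places all four in the High bucket.
CLASSIFICATION_TO_SEVERITY = {
    "PUBLIC": Severity.LOW,          # assumed label: already public, nothing lost
    "INTERNAL": Severity.LOW,
    "CONFIDENTIAL": Severity.MEDIUM,
    "RESTRICTED": Severity.HIGH,
    "PII": Severity.HIGH,
    "PCI": Severity.HIGH,
    "PHI": Severity.HIGH,
}


@dataclass(frozen=True)
class ExposedAsset:
    """One data set touched by the incident (constructed record shape)."""
    name: str
    classification: str        # label from the Information Classification Policy
    owner: str = "company"     # the company itself or a partner/client/vendor


def classify_breach(assets: Iterable[ExposedAsset],
                    fail_closed: bool = True) -> Tuple[Severity, List[str]]:
    """Rate the whole incident by its worst exposed asset.

    Returns (severity, reasons); reasons lists the assets that drove the
    rating so the incident record and the breach communication can cite them.
    No exposed data is a Low breach, as in the post. A label the policy does
    not define is rated High when fail_closed is True (unclassified data is
    not assumed harmless); with fail_closed=False it raises ValueError instead.
    """
    assets = list(assets)
    if not assets:
        return Severity.LOW, ["no data exposed"]

    severity = Severity.LOW
    reasons: List[str] = []
    for asset in assets:
        label = asset.classification.strip().upper()
        if label in CLASSIFICATION_TO_SEVERITY:
            rating = CLASSIFICATION_TO_SEVERITY[label]
            if rating > Severity.LOW:
                reasons.append(f"{asset.name}: {label} data of {asset.owner}")
        elif fail_closed:
            rating = Severity.HIGH
            reasons.append(f"{asset.name}: unclassified data, rated as RESTRICTED")
        else:
            raise ValueError(
                f"unknown classification {asset.classification!r} on {asset.name}")
        severity = max(severity, rating)
    return severity, reasons


def triage_summary(assets: Iterable[ExposedAsset]) -> str:
    """One-line summary suitable for the first line of an incident ticket."""
    severity, reasons = classify_breach(assets)
    return f"{severity.name} level breach: " + "; ".join(reasons)


# Constructed sample incident: a misconfigured file share exposed three folders.
SAMPLE_INCIDENT = [
    ExposedAsset("shared/training/onboarding-handbook.pdf", "Internal"),
    ExposedAsset("shared/sales/q2-proposal.docx", "Confidential", owner="client"),
    ExposedAsset("shared/hr/benefits-claims.xlsx", "PHI"),
]

if __name__ == "__main__":
    print(triage_summary(SAMPLE_INCIDENT))
```

<div style="font-family: Calibri; font-size: 11.0pt; margin-left: .375in;">
The sample incident rates High because one folder held PHI, even though the other two on their own would only have been Low and Medium; the rating is always the worst single data set, never an average. Labels are normalised to upper case before lookup so that "Confidential" and "CONFIDENTIAL" from different inventories agree, and anything the policy does not name is pushed to High rather than silently ignored, since an unlabelled data set is exactly the one whose contents nobody has checked.
</div>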
<br />
<br />
<br />
<b><span style="font-size: large;">References:</span></b><br />
<br />
<span style="font-size: x-small;"><a href="https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846" target="_blank">SANS: Information Classification - Who, Why and How</a></span><br />
<span style="font-size: x-small;"><a href="http://breach%20communication/" target="_blank">CSO Online: What security leaders need to know about breach communication</a></span><br />
<span style="font-size: x-small;"><a href="http://www.iso27001security.com/ISO27k_Model_policy_on_information_classification.pdf" target="_blank">iso27001security.com: Information Classification Policy template</a></span><br />
<span style="font-size: x-small;"><a href="http://www.cmu.edu/iso/governance/guidelines/data-classification.html" target="_blank">Carnegie Mellon: Guidelines for Data Classification</a></span><br />
<span style="font-size: x-small;"><a href="https://www.first.org/_assets/resources/guides/csirt_case_classification.html" target="_blank">FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)</a></span><br />
<span style="font-size: x-small;"><a href="http://www.sei.cmu.edu/reports/03hb002.pdf" target="_blank">Carnegie Mellon: Handbook for CSIRTs</a></span><br />
<span style="font-size: x-small;"><a href="http://www.databreachtoday.com/blogs/importance-data-classification-p-1153" target="_blank">http://www.databreachtoday.com/blogs/importance-data-classification-p-1153</a></span><br />
<span style="font-size: x-small;"><a href="https://www.giac.org/paper/gsec/3907/introduction-computer-security-incident-response/106281" target="_blank">GIAC: An Introduction to the Computer Security Incident Response Team</a></span><br />
<span style="font-size: x-small;"><a href="https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm?" target="_blank">CERT: CSIRT Frequently Asked Questions (FAQ)</a></span><br />
<span style="font-size: x-small;"><a href="https://iapp.org/media/presentations/14PPS/PPSNY14_Working_PR_Pro_PPT.pdf" target="_blank">IAPP: Communicating a Breach: Best Practices and Examples</a></span><br />
<span style="font-size: x-small;"><a href="http://melissaagnes.com/data-breach-crisis-communication/" target="_blank">Melissa Agnes: Your Guide for Data Breach Crisis Communication</a></span><br />
<span style="font-size: x-small;"><a href="http://www.computerweekly.com/news/4500256309/Lack-of-data-classification-very-costly-to-firms-says-survey" target="_blank">Computer Weekly: Lack of data classification very costly to firms, says survey</a></span><br />
<span style="font-size: x-small;"><a href="https://www.dhs.gov/cybersecurity-insurance" target="_blank">DHS: Cyber Risk Management and Cybersecurity Insurance</a></span><br />
<br />
<h2>
Selling Myself - Michael Ball Consulting Inc.</h2>
<span style="font-size: x-small;">Posted 2016-03-07, updated 2016-11-24</span><br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">As of July 2015, I have been providing Information Security Consulting Services on a contract basis. </span></span></b></div>
<div style="margin: 0cm 0cm 8pt;">
<span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">If interested in hiring me for consulting or a speaking engagement, please contact me at the following:</span></span></div>
<blockquote class="tr_bq">
<strong>Michael Ball Consulting Inc.</strong> <br />
61 Baxter St. Bowmanville Ontario, L1C 5P8 Cell: (647) 458-5064<br />
Email: unix_guru at Hotmail dot com or @unix_guru on Twitter</blockquote>
<div style="margin: 0cm 0cm 8pt;">
<br /></div>
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri"; font-size: large;">Information Security Consulting and
Architecture</span></span></b></div>
<br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Over 25 years Information Security Operations
and Governance in the Finance and Insurance Sectors.</span></span></b></div>
<br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Finance
Sector: </span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo3;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">AGF Mutual Funds</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Jan 2016 – Present),
Acting CISO </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo3;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">CIBC</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Feb 2016), Application Threat/Risk Analysis
–Mobile Money Manager App. </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l0 level1 lfo3;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Dundee Capital Markets</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Oct<span style="mso-spacerun: yes;"> </span>2015), Information Security Maturity Model
(Cobit / ISO 27001 based) </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l0 level1 lfo3;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Dundee Capital Markets</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Nov<span style="mso-spacerun: yes;"> </span>2015), Information Security Architectural gap
analysis and Roadmap </span></div>
</li>
<li style="color: black; font-family: calibri, sans-serif; font-size: 11pt; font-style: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;"><b>HPE/TD</b>, Toronto (Mar 2016) PCI QSA Self Assessment consulting and review</span></li>
</ul>
<br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Health
Sector: </span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l3 level1 lfo4;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">William Osler Health Institute</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Brampton (Aug 2015), Privacy
Impact Assessment for Patient Record Viewing Application.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l3 level1 lfo4;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">William Osler Health Institute</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Brampton (Sept 2015), Information
Security Threat/Risk Analysis for Patient Record Viewing Application.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l3 level1 lfo4;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Trillium Health, </span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Toronto (Mar 2016), SIEM Infrastructure
Migration and Governance Review</span></div>
</li>
</ul>
<br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Transportation
Sector:</span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l4 level1 lfo5;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Air Canada</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Montreal (Nov 2015), Privileged
Password Management Architectural Review (CyberArk).</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l4 level1 lfo5;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Metrolinx</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Feb 2016), Privileged
Password Management Architectural Design (CyberArk). </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><b style="font-size: 11pt;">Teranet</b><span lang="EN-CA" style="font-size: 11pt;">, Toronto (Sept 2016), Active Directory Risk Assessment and roadmap.</span></li>
<li style="font-family: calibri, sans-serif; font-size: 11pt;"><div style="font-size: 11pt; margin-bottom: 8pt; margin-top: 0cm;">
<b style="mso-bidi-font-weight: normal;">Teranet</b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Toronto (Oct 2016), Privileged Password Management Architectural Design (CyberArk). <span style="mso-spacerun: yes;"> </span></span></div>
</li>
<li style="font-family: calibri, sans-serif; font-size: 11pt;"><b style="font-size: 11pt;">Teranet</b><span lang="EN-CA" style="font-size: 11pt;">, Toronto (Nov 2016), Web Application Threat/Risk Analysis.</span></li>
</ul>
<br />
<div style="margin: 0cm 0cm 8pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Industrial
Supply: </span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l2 level1 lfo6;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Wajax</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Mississauga (Sept 2015), Information Security
Maturity Model (Cobit / ISO 27001 based) </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l2 level1 lfo6;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Wajax</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">, Mississauga (Oct 2015), Information Security Threat/Risk
Assessment (ISO 27002 based) </span></div>
</li>
</ul>
<br />
<div style="margin: 0cm 0cm 8pt;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";"> </span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Speaking
Engagements:</span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">CIO Innovation Summit 2016</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Top CISO Concerns 2016</span></li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">SC Congress 2016</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Top 4 CISO concerns</span></li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Sector 2015</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Cloud Security Access Brokers</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">DCD Converged Canada </span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;">(Nov 2015)<span style="mso-spacerun: yes;"> </span>- Cloud Security</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">SC Congress 2015</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Cloud Access Security Brokers</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">SC Congress 2015</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – The Role of the CISO</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">CIO Innovation Summit 2015</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Identifying Corporate IS Risk </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">SC Congress 2014</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Privileged Identity Access </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">CyberArk Customer Event 2014</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Corporate Use Cases</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">CIO Innovation Summit 2014</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Cloud Security </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Symantec Vision 2014</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Enterprise Single Sign-On</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l1 level1 lfo2;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Symantec Vision 2014</span></b><span lang="EN-CA" style="mso-ansi-language: EN-CA;"> – Enterprise Host Based Security</span></div>
</li>
</ul>
<div style="margin: 0cm 0cm 8pt;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";"> </span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 19.9733px;"><span style="font-family: "calibri";">Video:</span></span></b></div>
<ul style="direction: ltr;">
<li style="font-family: calibri, sans-serif; font-size: 11pt;"><div style="font-size: 11pt; margin-bottom: 0pt; margin-top: 0cm;">
<a href="https://www.youtube.com/watch?v=izf1S3ntsZk" target="_blank">ITWorld Canada: Top 4 CISO Concerns for 2016</a></div>
</li>
</ul>
<div style="margin: 0cm 0cm 8pt;">
</div>
<br />
<div style="margin: 0cm 0cm 8pt;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";"> </span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-CA" style="font-size: 14pt; line-height: 107%; mso-ansi-language: EN-CA;"><span style="font-family: "calibri";">Services: </span></span></b></div>
<ul style="direction: ltr; list-style-type: disc;">
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><span lang="EN-CA" style="mso-ansi-language: EN-CA;">Office of the CISO - Consulting/Augmentation</span></li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Privacy
Impact Assessment.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Information
Security Program Threat/Risk Assessment.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
Information Security Governance Maturity Model Assessment.</div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Application
Threat/Risk Assessment.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Network
Vulnerability Assessment.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Cloud
Security Consultation and Architecture. </span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Cloud
Provider Access Review.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">SIEM
Governance Review.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Perimeter
Security Review and Architecture.</span></div>
</li>
<li style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal;"><div style="color: black; font-family: "Calibri",sans-serif; font-size: 11pt; font-style: normal; font-weight: normal; margin-bottom: 8pt; margin-top: 0cm; mso-list: l5 level1 lfo1;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;">Network
Security Zoning Review and Architecture.</span></div>
</li>
</ul>
<br />
<div style="margin: 0cm 0cm 8pt;">
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri"; font-size: large;"><b> Articles:</b></span></span><br />
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";"><br /></span></span>
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><span style="font-family: "calibri";"><a href="http://www.itworldcanada.com/article/how-cisos-can-find-and-secure-rogue-cloud-applications/375632" target="_blank">How CISOs can find and secure rogue cloud applications</a></span></span><br />
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><a href="http://www.itworldcanada.com/article/cyber-attacks-on-financial-sector-three-times-other-industries-report/375553" target="_blank">Cyber attacks on financial sector three times other industries</a></span><br />
<a href="http://www.itworldcanada.com/article/itwcchats-breached-preventing-and-mitigating-data-leaks/152727" target="_blank">#ITWCchats – Breached: Preventing and mitigating data leaks </a><br />
<a href="http://www.itworldcanada.com/article/itwcchats-breached-preventing-and-mitigating-data-leaks/152727" target="_blank">Darktrace: The enterprise immune system</a><br />
<a href="http://www.itworldcanada.com/blog/this-canadian-company-aims-to-turn-virtual-desktop-infrastructure-upside-down/99735" target="_blank">Jentu: This Canadian company aims to turn virtual desktop infrastructure upside down</a><br />
<a href="http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109" target="_blank">BlueLine: This Toronto-based company takes data encryption to new heights</a><br />
<span lang="EN-CA" style="mso-ansi-language: EN-CA;"><a href="http://www.itworldcanada.com/blog/augment-encryption-with-tokenization/97358" target="_blank">Augmenting Encryption with Tokenization</a></span></div>
<a href="http://www.itworldcanada.com/blog/the-demise-of-excess-access-a-eulogy-for-traditional-vpn/96655" target="_blank">The demise of excess access: A eulogy for traditional VPN</a><br />
<a href="http://www.retailpro.com/News/blog/index.php/2014/10/08/specialty-retail-stores-not-safe-from-pos-attacks/" target="_blank">Specialty retail stores not safe from POS attacks</a><br />
<div style="margin: 0cm 0cm 8pt;">
</div>
<br />
<div style="margin: 0cm 0cm 8pt;">
</div>
Toronto's 2015 SecTor Conference. (published 2015-11-12, updated 2015-11-14) <span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0d7g6MPCNOG-dNpDBMNYJQOFij0GnhKWVkZgagJAmq9YKMIZLMWMNmICaUtUHmvcJv0tQntq5e12FyOm6VGTWnM8QzluhOTocbBGt6aiCyQivjU3d9PH2Eh_fGjvxXmOHLmniHHMu5dMq/s1600/sector_logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0d7g6MPCNOG-dNpDBMNYJQOFij0GnhKWVkZgagJAmq9YKMIZLMWMNmICaUtUHmvcJv0tQntq5e12FyOm6VGTWnM8QzluhOTocbBGt6aiCyQivjU3d9PH2Eh_fGjvxXmOHLmniHHMu5dMq/s1600/sector_logo.png" /></a><b>I feel utterly privileged</b> to have attended this year's <a href="http://sector.ca/" target="_blank">SecTor Conference</a> at the Metro Toronto Convention Center a few weeks ago now.</span></span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>For those of you unaware of what Sector is</b>, it is Toronto's pre-eminent Information Security Conference. Anybody and everybody associated with IT Security is here. SecTor is not only an educational event, but a social one as well. It is one of the annual events where Security Professionals congregate from around the province and indeed across the country. </span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>The schedule is hectic</b>, with multiple tracks of discussion panels suited to a variety of current topics. </span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Although the main conference is two days in length, there is a third day just before the conference for those who wish to participate in various Infosec educational courses. </span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>This year's daily Infosec sessions</b> can be found here: <a href="http://www.sector.ca/Program/Sessions" target="_blank">http://www.sector.ca/Program/Sessions</a></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>Over the two days, there were four Keynotes:</b></span></span><br />
<ul>
<li>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="http://www.sector.ca/Program/Sessions/Session-Details/big-data-needs-big-privacy-enter-privacy-by-design" target="_self"><span class="sessionIcon">Big Data Needs Big Privacy ... Enter Privacy by Design</span></a> - Dr. Ann Cavoukian
</span></span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="http://www.sector.ca/Program/Sessions/Session-Details/globalization-of-cybercrime" target="_self"><span class="sessionIcon">Globalization of Cybercrime</span></a> - Jason Brown
</span></span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="http://www.sector.ca/Program/Sessions/Session-Details/it-security-operations-successful-transformation" target="_self"><span class="sessionIcon">IT Security Operations: Successful Transformation</span></a> - Kristin Lovejoy
</span></span></li>
<li>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="http://www.sector.ca/Program/Sessions/Session-Details/maturing-infosec-lessons-from-aviation-on-information-sharing" target="_self"><span class="sessionIcon">Maturing InfoSec: Lessons from Aviation on Information Sharing</span></a> - Trey Ford </span></span></li>
</ul>
<div class="">
</div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>All four of these speakers</b> bring with them a wealth of experience and skill. I was riveted to my seat the entire time. </span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>As for the actual Infosec discussions</b> themselves, they were very wisely organized into a <b>Technology track</b>, a <b>Management track</b>, a <b>Security Fundamentals track</b>, and a <b>Sponsor track</b>. Again, see <a href="http://www.sector.ca/Program/Sessions">http://www.sector.ca/Program/Sessions</a> for a drill down on the actual discussion topics for each. </span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqmqgpX0ViLa_cCADEHUg-pDTaAFTFRY6D0fzujL4S3BBCRweY2BWhn-ohoemCORvnUErlKnojoAD0tjLvjsXWO270UAqzMkyYPt4v0gjPlhTHSkFziudh0yRTYBw5nGXFMdC1xvcJmCuM/s1600/image1-4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqmqgpX0ViLa_cCADEHUg-pDTaAFTFRY6D0fzujL4S3BBCRweY2BWhn-ohoemCORvnUErlKnojoAD0tjLvjsXWO270UAqzMkyYPt4v0gjPlhTHSkFziudh0yRTYBw5nGXFMdC1xvcJmCuM/s320/image1-4.jpg" width="320" /></a><b>I wish I could tell you </b>I saw them all. I *had* planned on jumping between several presentations, but each one I attended had me fully engaged. I can honestly say that SecTor went out of its way to select exceptional topics and speakers for this event.</span></span></div>
<div class="">
</div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>Part of the problem with committing to a track</b> as an attendee is that the <a href="http://www.sector.ca/Program/Training/CSO-Summit" target="_blank">CSO Summit</a> is co-hosted alongside SecTor! The CSO Summit is co-sponsored by <a href="http://kpmg.com/" target="_blank">KPMG</a>, and this year featured discussions by </span><a href="http://www.sector.ca/Program/Speakers/SpeakersDetail/kristin-lovejoy">Kris Lovejoy</a><span style="font-size: small;">, the former Global CISO of IBM, and <a href="http://www.sector.ca/Program/Speakers/SpeakersDetail/tim-rains" target="_blank">Tim Rains</a>, Chief Security Advisor, Microsoft.</span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b>The Expo Hall itself</b> was huge, with a broad cross section of Infosec vendors, from Educational Institutions and Compliance and Governance bodies to Appliance and Software Vendors. <a href="http://securesense.ca/" target="_blank">Securesense</a> and <a href="http://fortinet.com/" target="_blank">Fortinet</a> showed off their "Forti-Express", a state-of-the-art rolling Briefing and Demo center. </span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><b> Two things that grabbed my attention</b> among all of the commotion in the Expo Hall were the "Lockpick Village" and the "Internet of Things Hack Lab".</span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6QjCdeTqXV5bFPUVcmYIzJzl4HWkgj_PPRDTDIvn3vviPOM7Eu6wjxY-AEECqw3DgDrCmS3p_X3XR3NFYKbLqVzWKPMykjNueaIdVkja7PV1ZLntly8ZNoSAmvgvwpkjRnnLCrDAbG6we/s1600/2015-10-20+11.36.18.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6QjCdeTqXV5bFPUVcmYIzJzl4HWkgj_PPRDTDIvn3vviPOM7Eu6wjxY-AEECqw3DgDrCmS3p_X3XR3NFYKbLqVzWKPMykjNueaIdVkja7PV1ZLntly8ZNoSAmvgvwpkjRnnLCrDAbG6we/s200/2015-10-20+11.36.18.jpg" width="200" /></a></span><br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">The Lockpick Village <span style="font-weight: normal;">has been a mainstay of SecTor for the past several years now. It's a free, full-participation workshop in using the standard tools of the trade to learn how to pick physical locks! Attendee times are recorded, with a prize at the end for the quickest time. The people sitting at these seats are among the happiest at the entire event. </span></span></span></h3>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> </span></span></span></h3>
</div>
<div class="">
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">This year <a href="http://tripwire.com/" target="_blank">Tripwire</a> introduced the Internet of Things Hack Lab.</span></span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"> <span style="font-weight: normal;">Employees from Tripwire, as well as one of their previous hackathon winners, were onsite to guide attendees into the world of IoT hacking. They brought samples of common IoT devices with them, and were willing to educate anyone who wanted to sit for a while and get an understanding of the security (or, more specifically, the lack thereof) of the Internet of Things.</span></span></span></h3>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>SecTor was an overall success in my books</b>. They brought the right people to discuss relevant topics, the vendor space was very well represented, and the social quality was outstanding. Thank you SecTor for once again putting on a remarkable event.</span></span></span></h3>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> </span></span></span></h3>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> </span></span></span></h3>
<br />
<br />
</div>
<div class="">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
What is a Security Governance Review, and why do I need one? (published 2015-10-14, updated 2015-10-14)<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtQIhN94OE3T0-BvvOQqiSWtHCNF7FNCzG-LykGLWC9fK16fZOyFNvHvFbRKIkf3D5dH2b0zPrV5NEaWiRdnMteJjgBj3k2VywIrW-PxaUU5TQ1CwcRT-U30SysRdL6bZCYSDTMrgNvWKH/s1600/locked-padlock.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtQIhN94OE3T0-BvvOQqiSWtHCNF7FNCzG-LykGLWC9fK16fZOyFNvHvFbRKIkf3D5dH2b0zPrV5NEaWiRdnMteJjgBj3k2VywIrW-PxaUU5TQ1CwcRT-U30SysRdL6bZCYSDTMrgNvWKH/s200/locked-padlock.jpg" width="134" /></a><b>Regardless of what service or product your company produces</b>, Information is your most critical asset. The organization, management, and protection of that data could make or break your ability to stay operational in today's corporate environment.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Many high-profile organizational failures</b> over the past several years have driven home the requirement to adopt appropriate Information Systems policies, processes, and standards.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Privacy requirements</b>, regulatory compliance, shareholder and customer transparency are all mandating a more mature approach to Information Security.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Your corporate reputation</b> and well-being depend on your ability to manage, organize, and protect your Information Assets.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<hr />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><br /></span></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">This article, and the next few, will try at a high level to explain the various tools we can use to assess and document your roadmap to Information Security Maturity.</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<hr />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrpki9VKd6KnF80Sa2jsuoEAI9f-7Ja4cXW0z7qO4-BMD6hzOUA4E4D4vIpeO-omt3FNYv0pmN26vdCkUkzipXDeNXvgHm7E7RwaVYen40X1AEcwAwxu9eTBu_w81Rvjhud8hScEOPzVqp/s1600/gartner-mm.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrpki9VKd6KnF80Sa2jsuoEAI9f-7Ja4cXW0z7qO4-BMD6hzOUA4E4D4vIpeO-omt3FNYv0pmN26vdCkUkzipXDeNXvgHm7E7RwaVYen40X1AEcwAwxu9eTBu_w81Rvjhud8hScEOPzVqp/s200/gartner-mm.jpeg" width="200" /></a><span style="font-size: small;"><b>Let's start with</b> the definition of an<b> Information Security Governance Maturity Model:</b></span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">An Information Security Governance Maturity Model is a representation of how well your company understands, organizes, manages, and maintains security controls and processes specific to your <a href="https://en.wikipedia.org/wiki/Asset_%28computer_security%29" target="_blank">Corporate Information assets</a>.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>There are a few models to choose from</b>, but the industry-accepted standard is the 6-level <a href="http://www.isaca.org/Journal/archives/2008/Volume-2/Pages/Assessing-IT-Security-Governance-Through-a-Maturity-Model-and-the-Definition-of-a-Governance-Profile1.aspx" target="_blank">COBIT maturity model</a>, which is based on work pioneered at the <a href="http://www.sei.cmu.edu/" target="_blank">Software Engineering Institute at Carnegie Mellon</a>, used to evaluate each of the <a href="http://www.praxiom.com/iso-27002.htm" target="_blank">ISO 27002:2013</a> security control groups. </span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>That said, the </b><b><a href="http://www.iso27001security.com/html/27002.html" target="_blank">ISO 27002:2013</a> security control groups</b>, in and of themselves, are the industry-standard set of controls - based on <a href="http://security-musings.blogspot.ca/2015/10/what-is-security-governance-review-and.html#Domains" target="_blank">18 specific sections</a> - that provide guidance in protecting your corporate assets.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>The COBIT definitions for the 6 levels of maturity are:</b></span> <br />
<blockquote class="tr_bq">
<div>
<span style="font-size: x-small;"><b>0 – Non-existent –</b> Management processes are nonexistent or not applied</span></div>
<ul>
<li><span style="font-size: x-small;">Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.</span></li>
</ul>
<div>
<span style="font-size: x-small;"><b>1 – Initial –</b> Processes are ad hoc and disorganized</span></div>
<ul>
<li><span style="font-size: x-small;">There is evidence that the organization has recognized that the issues exist and need to be addressed. There are, however, no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.</span></li>
</ul>
<div>
<span style="font-size: x-small;"><b>2 – Repeatable –</b> Processes follow a regular pattern</span></div>
<ul>
<li><span style="font-size: x-small;">Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.</span></li>
</ul>
<div>
<span style="font-size: x-small;"><b>3 – Defined –</b> Processes are documented and communicated</span></div>
<ul>
<li><span style="font-size: x-small;">Procedures have been standardized and documented, and communicated through training. However, it is left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.</span></li>
</ul>
<div>
<span style="font-size: x-small;"><b>4 – Managed –</b> Processes are monitored and measured</span></div>
<ul>
<li><span style="font-size: x-small;">It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.</span></li>
</ul>
<div>
<span style="font-size: x-small;"><b>5 – Optimized –</b> Best practices are followed and automated</span></div>
<ul>
<li><span style="font-size: x-small;">Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. Information technology is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.</span></li>
</ul>
</blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>To understand where your company sits</b> with respect to each of the <a href="http://www.iso27001security.com/html/27002.html" target="_blank">ISO 27002:2013</a> security control groups, you would engage a non-biased 3rd party to conduct a<b> <a href="http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-Guidance-for-Information-Security-Managers.aspx" target="_blank">Security Governance Review</a>. </b>This review is an immersive engagement between the Security Assessors and members from across your organization: Human Resources, Privacy, IT Administrators, Network Administrators, Database Administrators, Software Developers, Project and Change Managers, Internal Auditors, and Corporate Executives.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>A Security Governance Review</b> (SGR) provides guidance for Corporate Executives and the Board of Directors in establishing and maintaining an appropriate Information Security programme within your company. </span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>A Security Governance Review</b> provides critical feedback regarding the adequacy of existing controls and safeguards in maintaining your security posture. This feedback can provide guidance in the reduction and/or mitigation of Information Security risks within the company. </span></span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs-jaBHrqcEoAMLARY9Azt1mDkaq7KZyu4TxvFjcDXS6Wx4fRuBAx22U_tI57L0UMIhZY2JMDeC7dkizNfNNIJ9-vgWBsl_1qOlCN-BNSZwEdAiCtY8XD-iG9_ewPZx_hd_MUw9vMkNlXj/s1600/radarmap.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs-jaBHrqcEoAMLARY9Azt1mDkaq7KZyu4TxvFjcDXS6Wx4fRuBAx22U_tI57L0UMIhZY2JMDeC7dkizNfNNIJ9-vgWBsl_1qOlCN-BNSZwEdAiCtY8XD-iG9_ewPZx_hd_MUw9vMkNlXj/s320/radarmap.png" width="320" /></a><span style="font-size: small;"><b>Typically, this report would</b> consist of a high level executive summary of your organization's maturity levels across the ISO security domains, compared to peers in your particular industry. Remediation recommendations and a roadmap to completion would usually be included. Most Security Assessors would also deliver the detailed ISO 27002:2013 working sheets with which the domains have been assessed.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">The <a href="https://en.wikipedia.org/wiki/Radar_chart" target="_blank">Radar Map</a> to the right represents a sample posture map compared to a baseline of your industry.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div class="MsoBodyText" style="margin: 6pt 0cm 9pt;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span lang="EN-US" style="font-size: small;">This chart illustrates, by ISO 27002:2013 control area, the areas in which Acme Widgets Inc. is evaluated to be performing at a level comparable to its industry peers (yellow within the red boundary), and the areas in which Acme Widgets Inc. is evaluated to be performing at a level below its industry peers (yellow outside the red boundary), along with the relative degree of effort required to accomplish improvements (more yellow exposed = more effort).</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>You will want to periodically (annually?) review</b> this maturity model to ensure that you are on track as things change both outside and within your organization. This periodic review will allow you to show metrics regarding your security governance programme growth.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<hr />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">In future posts, we will be discussing the following:</span></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What is a Threat Risk Assessment?</b></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What is a Privacy Impact Assessment?</b></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What is a Vulnerability Assessment?</b></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What is a Penetration Test?</b></span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<hr />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://www.blogger.com/null" name="Domains">
<span style="font-size: large;"><b>Sections of the ISO27002:2013 </b></span></a></span><br />
<blockquote class="tr_bq">
<span style="font-family: "Trebuchet MS",sans-serif;"> 5. Security Policy Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> 6. Corporate Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> 7. Personnel Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> 8. Organizational Asset Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> 9. Information Access Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">10. Cryptography Policy Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">11. Physical Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">12. Operational Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">13. Network Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">14. System Security Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">15. Supplier Relationship Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">16. Security Incident Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">17. Security Continuity Management</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">18. Security Compliance Management</span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.isaca.org/knowledge-center/research/documents/information-security-govenance-for-board-of-directors-and-executive-management_res_eng_0510.pdf" target="_blank">ISACA: Information Security Governance Guidance for Boards of Directors and Executive Management</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://qatar.cmu.edu/media/assets/CPUCIS2010-1.pdf" target="_blank">Comparing different information security standards: COBIT vs. ISO 27001 </a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.isaca.org/Journal/archives/2008/Volume-2/Pages/Assessing-IT-Security-Governance-Through-a-Maturity-Model-and-the-Definition-of-a-Governance-Profile1.aspx" target="_blank">ISACA: Assessing IT Security Governance Through a Maturity Model and the Definition of a Governance Profile</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.praxiom.com/iso-27002.htm" target="_blank">ISO 27002:2013 in plain English.</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.iso27001security.com/html/27002.html" target="_blank">ISO/IEC 27002:2013 Information technology — Security techniques -Code of practice for information security controls</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://en.wikipedia.org/wiki/ISO/IEC_27002" target="_blank">Wikipedia: ISO27002</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.securityprocedure.com/control-objectives-information-and-related-%20technology-cobit" target="_blank">http://www.securityprocedure.com/control-objectives-information-and-related- technology-cobit</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com1Bowmanville, ON L1C 5P8, Canada43.901128 -78.70598899999998843.8982675 -78.71103149999999 43.9039885 -78.700946499999986tag:blogger.com,1999:blog-6954236093826966251.post-70342085077950354292015-09-25T15:02:00.001-04:002015-09-29T10:49:43.595-04:00From Blueline to BlueZone - PCI Tokenization Matures<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQeakXiCIjwSAgvKatmd8yTDf3qEa4EcfYj77BdhHibRjLLGg1hi6ujJ-qsPxGNk_qNr2pZYm2YZOv_b9cpZPjonl8M9uIuw3lIPgA_dWGJKwrG1uJ5YRAxopjrtvKFGci84EmJfmx-3fi/s1600/blueline_logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQeakXiCIjwSAgvKatmd8yTDf3qEa4EcfYj77BdhHibRjLLGg1hi6ujJ-qsPxGNk_qNr2pZYm2YZOv_b9cpZPjonl8M9uIuw3lIPgA_dWGJKwrG1uJ5YRAxopjrtvKFGci84EmJfmx-3fi/s1600/blueline_logo.png" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Last year, I </b><a href="http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109" target="_blank"><b>wrote about</b> a new Canadian company</a> that had entered the Compliance Appliance market space. <a href="http://bluelinex.com/" target="_blank">Blueline Data</a> had developed a <a href="http://www.mastercard.com/gateway/payment-processing/tokenization.html" target="_blank">tokenization gateway</a> that would help you define and isolate your <a href="https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/" target="_blank">PCI compliance scope</a> boundary. 
This isolation was not only for <a href="https://en.wikipedia.org/wiki/Point_of_sale" target="_blank">Point Of Sale</a> and Web Merchant portals (Shopping portal), but for <a href="http://www.bluelinex.com/strategy_voip.htm" target="_blank">Telephony and Unified Communications traffic as well</a>! This was a revolutionary step in this industry. Several other companies had tokenization systems available for structured and/or unstructured data, however no one had a viable solution that would also cover voice and unified communications. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>A lot has gone on in the past year</b>, and I decided to revisit them, to see where their technology has progressed...</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<div>
</div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Read my </b><a href="http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html" target="_blank"><b>Tokenization as a companion to Encryption </b></a></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"> </span><span style="font-size: small;"> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Last year,</b> <a href="http://forrester.com/" target="_blank"><b>Forrester</b></a><b> issued a paper </b>defining the requirements necessary to secure data into the future, and discussing the technologies that will get us there. The Document titled "<a href="https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547" target="_blank">TechRadar™: Data Security, Q2 2014</a>", states clearly that you need to:</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Restrict and strictly enforce access control to data.</b> This includes denying access to unauthorized persons or blocking their attempts to gain access.</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Monitor and identify abnormal patterns of network or user behavior.</b> This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (e.g., improper or excessive use of entitlements such as bulk downloads of sensitive customer information).</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Block exfiltration of sensitive data.</b> These are tools or features of tools that detect, and optionally prevent, violations to policies regarding the use, storage, and transmission of sensitive data.</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Render successful theft of data harmless.</b> Once you’ve identified your most sensitive data, the best way to protect it is to “kill” it.6 “<a href="http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf">Killing” data through encryption, </a>tokenization, and other means renders the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market.</span></span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>The first three </b>have been the bread and butter of the Information Security industry for the past 20 years or so. From firewalls and both signature and heuristics based Intrusion Detection/Prevention, to Data Loss Prevention systems, the industry has been diligently protecting our perimeters.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<br />
<div>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>It's that fourth one</b> that I'm interested in here. "<b>Render successful theft of data harmless</b>." In other words, replace any valuable data such as Payment Card Info, Personal Health Info, Social Insurance Numbers, etc... with a "token" that has no value to would be thieves. These tokens can be made to preserve the format requirements of the original data, so as not to break backend processing, as well as including search/index criteria. </span></span></div>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<br />
<div>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnhmpONKMC1KxXokY8Es5Kkwoamb75yG6B5ZVxXSF9Z1uJBSP6KBy4OMl6HDLKj4IFzpQQ6VRwNVA9lTEcqXCV4cqSGKEC3TGgnN4eJMYudCthK3FJUNGczANXqfOUHEtjdapDtsBPFDVR/s1600/block-trust.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnhmpONKMC1KxXokY8Es5Kkwoamb75yG6B5ZVxXSF9Z1uJBSP6KBy4OMl6HDLKj4IFzpQQ6VRwNVA9lTEcqXCV4cqSGKEC3TGgnN4eJMYudCthK3FJUNGczANXqfOUHEtjdapDtsBPFDVR/s1600/block-trust.jpg" /></a><b>To properly provide security</b> through tokenization, one must be able to implement it not only on the server side for data at rest, but also for data in transit, as well as at the client side, such that the relevant sensitive data never even leaves the client's network.</span></span></div>
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<br />
<div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>What if, there was a service</b>... APIs that could provide tokenization either at the client browser, or as data is passed to cloud apps?</span> </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;">I know that I'm not new to <a href="http://www.cybersource.com/resources/collateral/Resource_Center/whitepapers_and_reports/Reduce_PCI_Scope_Tokenization.pdf" target="_blank">this train-of-thought</a>, but the cost of non-compliance is growing exponentially. </span></div>
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Financial Damage can be insured against... Reputational damage cannot.</b></span></span></div>
</div>
<br /></div>
<div>
</div>
<div>
</div>
<div>
</div>
<hr />
<div>
</div>
<div>
</div>
<span style="font-family: "Trebuchet MS", sans-serif;"><b></b></span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"><span style="font-size: large;"><b>As I said... a lot has gone on in the past year</b>.</span> <span style="font-size: small;">Blueline has matured from just providing <a href="https://www.bluelinex.com/products.html" target="_blank">on-premise gateway appliances</a>, to hosting <a href="https://www.bluezonex.com/" target="_blank">Compliance Services in the cloud</a>. </span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS", sans-serif;"><strong>Blueline is about to introduce</strong> several hosting options. You can still get on-premise control if that is what you desire, but that has been augmented with <a href="https://en.wikipedia.org/wiki/Colocation_centre" target="_blank">co-located</a> gateway services as well as true Cloud based "<strong>Compliance as a Service</strong>" Tokenization/Encryption through APIs. </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Another move that Blueline has made</b>
it to provide "Diskless Tokenization". Typically, tokenization
services keep a very secure database in a <a href="http://www.math.ucla.edu/~jimc/documents/cryptovault.html" target="_blank">cryptographic vault</a>. This
database would include a table of sensitive data to token pairs that
are used to index and manage the tokens. Across the industry,
customers have expressed concern over having this database, even though
it is protected in a vault. Complaints from too much residual risk, to
database latency in very large token pair tables (tens or hundreds of
millions of pairs) have driven out an alternate solution.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Blueline has introduce a diskless solution </b>that creates a "derived" token using a <a href="https://en.wikipedia.org/wiki/One-time_pad" target="_blank">one time pad</a>, without the need for the data/token pairs to be stored. These <i>derived</i> tokens, can be recalculated from some secret value that do not need to be stored in a database. </span><br />
<div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></div>
<br />
<span style="font-size: large;"><b><span style="font-family: "Trebuchet MS", sans-serif;">Blueline has created two new offerings:</span></b></span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9RBGfUuFrOI3rFNlIke68VStO0OIVQ3_gJ4FFe2_8iE7dVsO1lc9zowZ_yBdSd0EeKPy0TZs_ITIMKigbc6_Hxj70XLJlCy-UZjVYj5um6hPVJ6KH3wTDXlH6VUa8xqR-ov56L0TWvoV/s1600/blueline_rack.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9RBGfUuFrOI3rFNlIke68VStO0OIVQ3_gJ4FFe2_8iE7dVsO1lc9zowZ_yBdSd0EeKPy0TZs_ITIMKigbc6_Hxj70XLJlCy-UZjVYj5um6hPVJ6KH3wTDXlH6VUa8xqR-ov56L0TWvoV/s200/blueline_rack.png" width="118" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b><span style="font-size: large;">bluegrid™ </span></b>is a turnkey solution for "Compliance in a Box". It is a standard 19" cabinet, consisting of a series of redundant "</span><b>bluenodes™"</b> that provide the various security, and compliance services required for a self contained Compliance DMZ. It can be installed in your own data center, or hosted externally for you. Applying the <a href="http://security-musings.blogspot.ca/2013/10/host-protection-standards-and-reference.html" target="_blank">"Zero Trust</a>" model, </span><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b><span style="font-size: large;"><span style="font-size: small;">bluegrid™</span></span></b><span style="font-size: large;"> <span style="font-size: small;">encapsulates your sensitive application environment and provides a full security stack to protect that environment, from firewall, IPS, authentication store, tokenization, encryption, logging and storage.</span></span><b><span style="font-size: large;"><span style="font-size: small;"><br /></span></span></b></span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">A standard <b>bluegrid™</b> rack would consist of a mix of the following <b>bluenode™</b> appliances:</span></span><br />
<table><tbody>
<tr><td><b>bluenode tx</b></td><td>Traffic Manager (zero-impact deployment)</td></tr>
<tr><td><b>bluenode dx</b></td><td>Data Gateway (financial network integration)</td></tr>
<tr><td><b>bluenode cx</b></td><td>Cyber Vault (diskless tokenization, encryption)</td></tr>
<tr><td><b>bluenode ix</b></td><td>Identity Manager (device and service access)</td></tr>
<tr><td><b>bluenode ex</b></td><td>Event Manager (logging and event analytics)</td></tr>
<tr><td><b>bluenode sx</b></td><td>Storage Block (low-latency shared storage)</td></tr>
</tbody></table>
<div>
</div>
<span style="font-family: "Trebuchet MS",sans-serif;">
</span>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<div>
</div>
<div>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">bluegrid™ can centralize and limit most of your PCI compliance scope to a single rack in the data center. <span style="font-size: xx-small;">(Point-of-Sale systems excluded)</span> </span></b></span></div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;"><br /></span></b></span></div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAQhxuPXrqDuVdIzRmaZOgYllu5QJb_MugrU7uQBB_1RlZrIlI5Lxi6B-NRByaTcW0rsWlUye4UKh6b8B5_YLyyh6juAUAmvIKiJ3YHTEWgV6Xy4Dz2LRKC0NGU5AvGUttbjUa64dF0jc/s1600/Bluezone+Application+Integration.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAQhxuPXrqDuVdIzRmaZOgYllu5QJb_MugrU7uQBB_1RlZrIlI5Lxi6B-NRByaTcW0rsWlUye4UKh6b8B5_YLyyh6juAUAmvIKiJ3YHTEWgV6Xy4Dz2LRKC0NGU5AvGUttbjUa64dF0jc/s320/Bluezone+Application+Integration.png" width="320" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">bluezone™ </span></b>takes this one step further, providing a Cloud based Security Infrastructure - leveraging APIs to isolate the sensitive data outside of your IT environment and enabling secure financial or other confidential data processing and exposing the following security services: </span></div>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Tokenization</b> - replacement of the original sensitive data with a risk-free replica for secure transmission, processing or storage</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Encryption</b> - military-grade cryptographic protection of digital content</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Key Management</b> - cryptographic key storage and lifecycle control</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Payment Gateway</b> - secure real-time and offline merchant acquirer processing of tokenized e-commerce and m-commerce transactions</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Credit Scoring</b> - secure personal or commercial credit check against a credit bureau, reference agency or central bank</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Address Verification</b> - secure cardholder address validation</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Issuer Reconciliation</b> - transaction batch transfer to issuer bank</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Digital Wallet</b> - secure checkout for merchant commerce sites and mobile applications with the e-wallet payment method</span></li>
</ul>
<div>
</div>
<div>
</div>
<div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">bluezone™ can effectively remove most of your PCI compliance scope from your environment altogether.</span></b></span><span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;"><span style="font-size: xx-small;">(Point-of-Sale systems excluded)</span></span></b></span></div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;"><br /></span></b></span></div>
</div>
<br />
<hr />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b><span style="font-family: "Trebuchet MS", sans-serif;">Forrester TechRadar report on Data Security Q2 2014 clearly shows Tokenization having "Significant Success" in securing sensitive data.</span></b></span></div>
<span style="font-family: Trebuchet MS;"></span><br />
<br />
<div align="LEFT">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggt2yGrZeOuUbJ-ga-A-EVq4zJbSYPo4uWKbNunr1z25e3opcq4F2wfeAKNboBAogTUbZeKtS-21I7x-YcAOJbaJ03kUi8uLd-FeTiQxC6AdZc0o0fDzWM-AmTBMY6oleeMh6K1hgKHDPj/s1600/Screenshot+from+2015-09-23+13%253A34%253A07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggt2yGrZeOuUbJ-ga-A-EVq4zJbSYPo4uWKbNunr1z25e3opcq4F2wfeAKNboBAogTUbZeKtS-21I7x-YcAOJbaJ03kUi8uLd-FeTiQxC6AdZc0o0fDzWM-AmTBMY6oleeMh6K1hgKHDPj/s400/Screenshot+from+2015-09-23+13%253A34%253A07.png" width="393" /></a></div>
<br />
<br />
<br />
<br />
<b><span style="font-size: large;">Resources:</span></b><br />
<br />
<span style="font-size: x-small;"><a href="http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html">http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html</a></span><br />
<span style="font-size: x-small;"><a href="http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109">http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109</a></span><br />
<span style="font-size: x-small;"><a href="https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547">https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547</a></span><br />
<span style="font-size: x-small;"><a href="http://www.mashery.com/blog/tokenization-and-api-gateways-future-mobile-commerce">http://www.mashery.com/blog/tokenization-and-api-gateways-future-mobile-commerce</a></span><br />
<span style="font-size: x-small;"><a href="http://www.mastercard.com/gateway/payment-processing/tokenization.html">http://www.mastercard.com/gateway/payment-processing/tokenization.html</a></span><br />
<span style="font-size: x-small;"><a href="https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/">https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/</a></span><br />
<span style="font-size: x-small;"><a href="http://www.protegrity.com/2012/02/differences-between-vault-based-tokenization-and-vaultless-tokenization/">http://www.protegrity.com/2012/02/differences-between-vault-based-tokenization-and-vaultless-tokenization/</a></span><br />
<span style="font-size: x-small;"><a href="http://www.protegrity.com/wp-content/uploads/2013/04/Protegrity-Vaultless-Tokenization-Fact-Sheet.pdf">http://www.protegrity.com/wp-content/uploads/2013/04/Protegrity-Vaultless-Tokenization-Fact-Sheet.pdf</a></span><br />
<span style="font-size: x-small;"><a href="https://securosis.com/blog/token-vaults-and-token-storage-tradeoffs">https://securosis.com/blog/token-vaults-and-token-storage-tradeoffs</a></span><br />
<span style="font-size: x-small;"><a href="https://en.wikipedia.org/wiki/One-time_pad">https://en.wikipedia.org/wiki/One-time_pad</a></span><br />
<span style="font-size: x-small;"><a href="https://en.wikipedia.org/wiki/Tokenization_(data_security">https://en.wikipedia.org/wiki/Tokenization_(data_security</a>)</span><br />
<span style="font-size: x-small;"><a href="https://www.voltage.com/technology/tokenization-and-key-management/hp-secure-stateless-tokenization/">https://www.voltage.com/technology/tokenization-and-key-management/hp-secure-stateless-tokenization/</a></span><br />
<span style="font-size: x-small;"><a href="http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf">http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf</a></span><br />
<span style="font-size: x-small;"><a href="http://www.bluelinex.com/trends.html" target="_blank">http://www.bluelinex.com/trends.html</a></span><br />
<span style="font-size: x-small;"><a href="http://www.bluelinex.com/resources/blp204_osfi_compliance_sheet.pdf" target="_blank">http://www.bluelinex.com/resources/blp204_osfi_compliance_sheet.pdf </a></span><br />
<span style="font-size: x-small;"><a href="http://www.bluelinex.com/resources/blp204_pci_compliance_sheet.pdf" target="_blank">http://www.bluelinex.com/resources/blp204_pci_compliance_sheet.pdf</a></span><br />
<span style="font-size: x-small;"><a href="http://www.bluelinex.com/resources/blp204_hipaa_compliance_sheet.pdf" target="_blank">http://www.bluelinex.com/resources/blp204_hipaa_compliance_sheet.pdf</a></span><br />
<span style="font-size: x-small;"><a href="http://searchcloudsecurity.techtarget.com/tutorial/PCI-and-cloud-computing-Cloud-computing-compliance-guide" target="_blank">http://searchcloudsecurity.techtarget.com/tutorial/PCI-and-cloud-computing-Cloud-computing-compliance-guide</a></span><br />
<span style="font-size: x-small;"><a href="http://www.crn.com/news/managed-services/300075263/2015s-big-opportunity-for-msps-compliance-as-a-service.htm" target="_blank">http://www.crn.com/news/managed-services/300075263/2015s-big-opportunity-for-msps-compliance-as-a-service.htm </a></span><br />
<span style="font-size: x-small;"><a href="http://www.infoworld.com/article/2622986/risk-management/the-case-for-compliance-as-a-cloud-service.html" target="_blank">http://www.infoworld.com/article/2622986/risk-management/the-case-for-compliance-as-a-cloud-service.html</a></span><br />
<br />
<br />
<br />
<br />
<hr />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Test Driving The Aegis Secure Key 3.0</b></span> (2015-05-08)</span><br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQ7l18Hukfl9wxlHXvz446tcFAVmSDk6Cst6oDy5VKlsP-7F9yqs1jgrmIMOumLtKOAYhTSlZd5VPO-QnrVo6Ag0rCx4zpQetvjXR5W-u67WztaVZNCkiJ2DpUKMcQSaRje340mhojW8d/s1600/IMG_20150508_112148.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQ7l18Hukfl9wxlHXvz446tcFAVmSDk6Cst6oDy5VKlsP-7F9yqs1jgrmIMOumLtKOAYhTSlZd5VPO-QnrVo6Ag0rCx4zpQetvjXR5W-u67WztaVZNCkiJ2DpUKMcQSaRje340mhojW8d/s200/IMG_20150508_112148.jpg" width="200" /></a><span style="font-size: large;"><b>I just received a new item across my desk, and was so excited I had to share!</b></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">The <b><a href="http://www.apricorn.com/aegis-secure-key-3-0.html" target="_blank">Apricorn Aegis Secure Key 3.0</a> </b>is a high capacity hardware encrypted USB 3.0 flash drive with up to 240GB in Storage Capacity. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg34FMnqUc5_Z9uwZGZdqUfeKvXjtLRJlUN8_8tcRdso2JPS86hPLFETfruV1BXv26jTIYfPyQWZsPrqxtU5b5VMuPD8AmY1mAOFrOV9RMXyW3Qe9U4dUZL4uE0ccoO82R9Bv9NfP6AzygS/s1600/IMG_20150508_112200.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg34FMnqUc5_Z9uwZGZdqUfeKvXjtLRJlUN8_8tcRdso2JPS86hPLFETfruV1BXv26jTIYfPyQWZsPrqxtU5b5VMuPD8AmY1mAOFrOV9RMXyW3Qe9U4dUZL4uE0ccoO82R9Bv9NfP6AzygS/s200/IMG_20150508_112200.jpg" width="200" /></a><b>The one I received,</b> an ASK-30GB, is (as the name suggests) the 30GB model. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">The first thing I noticed about this impressive device is the crush-resistant extruded black aluminum case. Rubber seals provide dust and water resistance. The buttons on the front have a high quality tactile feel, and an aluminum cap closes over the keypad against the aforementioned rubber seals. It also has a comfortable weight to it. Not too heavy... </span><br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;">More like "<b><i>This feels like a tool, not a toy</i></b>" heavy.</span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Now, there *is* a very slight learning curve</b> to getting it up and running, as you have to enrol two separate 7- to 16-digit PINs: one Administrator PIN and one User PIN. For a corporate tool this is very much a requirement: if the user loses or forgets their PIN, the administrator can still retrieve the secured contents. Once that is done, daily use only requires your User PIN.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>This is a true hardware encryption (<span style="font-size: x-small;">256-Bit AES XTS Hardware Encryption</span>)</b> based USB media key. What this means is that no specific drivers are required on your Operating System to read or write the encrypted files: unlocking happens on the device itself, and the host only ever sees a plain USB drive. Apricorn is currently awaiting<span style="font-size: small;"> FIPS 140-2 Level 3 certification for the Aegis, expected in Q2 of this year. </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Once unlocked via the keypad</b>, the device shows up as a standard USB media drive. I was able to read/write files easily between <b>Windows 7</b>, my <b>Ubuntu Laptop</b>, my <b>OSX </b>machine, as well as a<b> Raspberry Pi</b>, and an <b>embedded microcontroller</b> board I'm working on. Serious compatibility across the board. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Data transfer was fast</b>. I did not measure it, but it was quicker than many of the "normal" USB 3.0 flash drives I have on hand. The documentation rates it at up to 195MB/s.</span><br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> </span><br />
<b><span style="font-family: "Trebuchet MS",sans-serif;">Specifications according to Apricorn:</span></b><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span><br />
<blockquote class="tr_bq">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIVx34oErP4s-OK-dsUWZYrgZ8JaswlMAqE9tgYHDTWIXQMWozLs7PFLRRcFRQy5l-ePg7YeJB5mZYvSNWf2fU6wS8bdisLuh_7f7ZQG-52uBITqts1V6UfpobTfOHZ8R71A9w2OLeaCd/s1600/IMG_20150508_112214.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIVx34oErP4s-OK-dsUWZYrgZ8JaswlMAqE9tgYHDTWIXQMWozLs7PFLRRcFRQy5l-ePg7YeJB5mZYvSNWf2fU6wS8bdisLuh_7f7ZQG-52uBITqts1V6UfpobTfOHZ8R71A9w2OLeaCd/s200/IMG_20150508_112214.jpg" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• 256-Bit AES XTS Hardware Encryption</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Software-Free Design</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Cross-Platform Compatible</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Embedded Authentication</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• No Authentication Info Shared with Host</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Two Read-Only Modes</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Programmable Brute Force Protection</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Separate Admin and User Modes</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Lock-Override Option</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• Forced Enrollment</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• 3-Year Limited Warranty</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• FIPS 140-2 Level 3 (Pending Q2)</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">• IP-58 Certified: Dust and Water Resistant</span></span></blockquote>
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Having come from</b> using a few other software-based "Secure Flash" keys,<b> this device is a godsend</b>. The software keys typically have to store multiple binaries on an application partition in support of the popular Operating Systems (Windows and OSX are usually included, and increasingly Linux binaries are available). Running the appropriate binary unlocks the remainder of the drive once authenticated. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<b><span style="font-family: "Trebuchet MS",sans-serif;">I highly recommend this </span></b><span style="font-family: "Trebuchet MS",sans-serif;"><b><a href="http://www.apricorn.com/aegis-secure-key-3-0.html" target="_blank">Aegis Secure Key 3.0</a> </b>anywhere you require sensitive data to be securely stored and transferred between machines. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> </span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://content.webcollage.net/apps/cs/mini-site/apricorn/module/apricorn/wcpc/1414625532083?channel-product-id=aegis-secure-key-3-0&enable-reporting=true&showtabs=&suppress-site-prefs=&wc-target=&from-pp=" target="_blank"><img border="0" src="http://www.apricorn.com/media/product_tour/SecureKey_tour.jpg" style="margin-left: auto; margin-right: auto;" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://content.webcollage.net/apps/cs/mini-site/apricorn/module/apricorn/wcpc/1414625532083?channel-product-id=aegis-secure-key-3-0&enable-reporting=true&showtabs=&suppress-site-prefs=&wc-target=&from-pp=" target="_blank">Interactive Product Tour</a></td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
security-musings (Bowmanville, ON, Canada), 2015-04-28: <b>Understanding Cloud Access Security Broker Services</b><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Over the past 30 years</b></span>, we, the IT Security team, have been promoting and building a "<a href="http://en.wikipedia.org/wiki/Defence_in_depth" target="_blank">Defence in Depth</a>" strategy to protect our corporate assets. </span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qtq4UZrkv85Wv_-uxf-58IR9wb1gBlpQfoHMe6rghAS1D8Hq7H9So-feD6hqDAgbEWCvBf-gpjxyYoPvSNo8RnzQ3SZS0PXLzTym_9SRMCoo5LwdESbFBuB7prHzWBHM1ONs2PlMZx-M/s1600/cloud.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qtq4UZrkv85Wv_-uxf-58IR9wb1gBlpQfoHMe6rghAS1D8Hq7H9So-feD6hqDAgbEWCvBf-gpjxyYoPvSNo8RnzQ3SZS0PXLzTym_9SRMCoo5LwdESbFBuB7prHzWBHM1ONs2PlMZx-M/s1600/cloud.jpg" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>This methodology </b>was predicated on the need to assure our employees, customers, and shareholders that we could provide adequate <a href="http://en.wikipedia.org/wiki/Information_security" target="_blank">Confidentiality, Integrity, and Availability</a> <span style="font-size: x-small;">(the CIA Triad)</span> for the sensitive data and intellectual property residing in our physical data centers. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>We have installed Firewalls</b>, Intrusion Prevention, AntiMalware, Data Loss Prevention, Secure Email, VPN, etc... all with the intent of providing a stack of security capabilities to protect data within our corporate network, within our corporate data centers.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Simultaneously</b>, our lines of business are becoming <a href="http://www.allaboutagile.com/what-is-agile-10-key-principles/" target="_blank">more agile</a>, more complex, and more attuned to services available <a href="http://en.wikipedia.org/wiki/Cloud_computing" target="_blank">"in the cloud"</a>. <b><a href="http://en.wikipedia.org/wiki/Cloud_computing" target="_blank">Shadow IT</a> is the new trend.</b> Lines of Business can, and do, spin up new services at an aggressive rate to keep up with their online competition. Our ability to manage them technically, as opposed to by policy, has been almost non-existent.</span><br />
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>We as Security Experts</b> are scrambling to augment our "bricks and mortar" based Defense in Depth strategy with Cloud Services, but the path is not presently clear.</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><b><br />Very recently</b>, a niche market has developed to fill this void. Several vendors identifying themselves as <a href="http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs" target="_blank">Cloud Access Security Brokers (CASBs)</a> have defined a strategy to mitigate this problem. CASBs are either on-premise,
or cloud-based (or both) security policy enforcement points. Placed between your end users and the various cloud service providers, they can inspect traffic, manage and enforce policy, alert on anomalous behavior, and in most cases provide some level of DLP enforcement.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Either leveraging existing</b> <a href="http://security-musings.blogspot.ca/2013/04/comparing-cloud-enterprise-sso.html" target="_blank">Single Sign On providers</a> or corporate <a href="http://en.wikipedia.org/wiki/Active_Directory" target="_blank">Active Directory services</a>, these Cloud Access Security Brokers can identify individuals' access into <a href="http://talkincloud.com/tc100" target="_blank">Cloud Service Providers</a> that are affiliated with the broker. Currently these number in the hundreds if not thousands. For <a href="http://pages.ciphercloud.com/Cloud-Adoption-and-Risk-Report-landing-page.html" target="_blank">"Sanctioned" Cloud Applications</a> (those services your enterprise has procured directly), end user access can be strictly enforced by context:</span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Who you are</b> <span style="font-size: x-small;">(Role based access)</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Where you are coming from</b> <span style="font-size: x-small;">(corporate network, public Internet, wifi, geographic region)</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What device you are using</b> <span style="font-size: x-small;">(Corporate laptop, Home PC, Tablet or phone)</span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>What time of day you're working</b> <span style="font-size: x-small;">(Are you authorised to work during this time?)</span></span></li>
</ul>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijeulst0ggrOJvOGp13TizDavKtriwudYDUdtUeWIGNHOxatMbpuRQ7trDq_Hgt7moASf-oE2o8QKnOSdQimpKcJFSq2o_UA8ucfkvmWRyZL8tU38EhO9g_zxzOV8FtyCYWqIuhi7gVCHx/s1600/locked-padlock.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijeulst0ggrOJvOGp13TizDavKtriwudYDUdtUeWIGNHOxatMbpuRQ7trDq_Hgt7moASf-oE2o8QKnOSdQimpKcJFSq2o_UA8ucfkvmWRyZL8tU38EhO9g_zxzOV8FtyCYWqIuhi7gVCHx/s1600/locked-padlock.jpg" width="134" /></a><span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>This Context Awareness</b> also allows the CASB providers to employ heuristic analysis on Cloud bound traffic, to do some form of anomaly detection to identify malicious or erroneous traffic. This is an area that they are all investing heavily in today.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> </span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Most of the Cloud Access Security Brokers</b> provide granular encryption, but only three provide <a href="http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html" target="_blank">Tokenization</a> of your Corporate Data in the Cloud. This can be as coarse as entire records or documents, or as fine grained as a single field in a form. Adallom has also leveraged the Rights Management functionality of <a href="https://www.adallom.com/wp-content/uploads/2015/02/Check-Point-Brief-File.pdf" target="_blank">Checkpoint's Capsule</a> to secure data in the cloud while allowing trusted collaboration. </span><br />
<br />
<blockquote class="tr_bq">
<span style="font-family: "Trebuchet MS",sans-serif;"><i><span style="color: blue;"><b>For more on Tokenization vs encryption, please see my articles:</b> </span><span style="font-size: x-small;"><span style="color: blue;"><a href="http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html" target="_blank">Tokenization as a companion to Encryption</a> and </span><a href="http://security-musings.blogspot.ca/2014/10/toronto-based-pci-compliance-upstart.html" target="_blank"><span style="color: blue;">Toronto based PCI Compliance upstart Blueline brings holistic solution to Voice-Web-POS</span> </a></span></i></span></blockquote>
<br />
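Field-level tokenization at an on-premise gateway, as an added example that is not code from CipherCloud, Perspecsys or any other vendor on this page: a sensitive field is swapped for a random, format-preserving token before the record is uploaded, and the token-to-value mapping stays in a vault inside the perimeter. The record layout, field names and the in-memory vault are assumptions made for illustration.

```python
"""Field-level tokenization at an on-premise CASB gateway (toy model).

Added example, not code from CipherCloud, Perspecsys or any other vendor on
the page. A record bound for a cloud app has its sensitive field replaced
with a random, format-preserving token before upload; the mapping between
token and value stays in an on-premise vault, so the cloud only ever sees
the substitute. Record layout, field names and the in-memory vault are
all constructed for illustration.
"""
import secrets
import string


class TokenVault:
    """Holds token <-> value mappings on premise. Unlike encryption there is
    no key to protect: a token seen in the cloud cannot be reversed without
    access to this vault."""

    def __init__(self):
        self._to_value = {}   # token -> original value
        self._to_token = {}   # value -> token (same value, same token, so the
                              # cloud app can still match or search on the field)

    @staticmethod
    def _split(value: str):
        # For longer values the last four characters are kept in the clear so
        # "....1234" style display hints in the cloud app still work.
        keep = value[-4:] if len(value) > 8 else ""
        return value[: len(value) - len(keep)], keep

    @staticmethod
    def _random_like(body: str, keep: str) -> str:
        # Format preserving: digits stay digits, letters stay letters, and
        # separators such as ' ' or '-' are kept in place.
        out = []
        for ch in body:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_letters))
            else:
                out.append(ch)
        return "".join(out) + keep

    def tokenize(self, value: str) -> str:
        body, keep = self._split(value)
        if not any(ch.isalnum() for ch in body):
            raise ValueError("value has no alphanumeric characters to replace")
        if value in self._to_token:
            return self._to_token[value]
        token = self._random_like(body, keep)
        # Retry on the (rare) collision with an issued token or with the value.
        while token in self._to_value or token == value:
            token = self._random_like(body, keep)
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # KeyError for anything this vault did not issue.
        return self._to_value[token]


def outbound(vault: TokenVault, record: dict, sensitive: set) -> dict:
    """Gateway on upload: swap sensitive fields before the record leaves."""
    return {k: vault.tokenize(v) if k in sensitive else v for k, v in record.items()}


def inbound(vault: TokenVault, record: dict, sensitive: set) -> dict:
    """Gateway on download: restore originals for users inside the perimeter."""
    return {k: vault.detokenize(v) if k in sensitive else v for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    record = {"name": "Pat Example", "card": "4111 1111 1111 1234", "note": "renewal"}
    to_cloud = outbound(vault, record, {"card"})
    print("cloud sees :", to_cloud)
    print("on-premise :", inbound(vault, to_cloud, {"card"}))
```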
<span style="font-family: "Trebuchet MS",sans-serif;"><b>One of the strengths</b> of some of the Cloud Access Security Brokers is the ability to identify and report on employee access to <a href="http://en.wikipedia.org/wiki/Shadow_IT" target="_blank">"Shadow IT"</a> cloud services. "Shadow IT" describes services that the corporation has not subscribed to as a whole, or has not specifically provisioned for the user in question. These typically include Cloud Storage facilities like Box or Dropbox. Again, if the CASB has an affiliation with the cloud service provider, access can be managed by policy; otherwise it can be flagged and alerted on to your security operations team for manual remediation.</span><br />
<br />
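The context-based access decision for sanctioned applications (who, where, which device, when) together with the Shadow IT handling just described, as an added example that is not code from any CASB vendor on this page: an affiliated app gets an allow or deny decision against its context policy, an unknown service only gets an alert for the security operations team. The roles, apps, policies and sample requests are assumptions made for illustration.

```python
"""Context-aware policy decision for a CASB, as a toy model.

Added example (not code from any CASB vendor on the page). It encodes the
four context signals the article lists for sanctioned apps (who, where,
which device, when) and the Shadow IT case: a service the broker is not
affiliated with gets no policy decision, only an alert for the SOC.
Roles, apps, policies and the sample requests are all constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    role: str        # who you are, e.g. "sales" or "engineering"
    source: str      # where you come from: "corp", "internet" or "wifi"
    country: str     # geographic region of the source address (constructed codes)
    device: str      # "corp_laptop", "home_pc" or "phone"
    hour: int        # local hour of day, 0-23
    app: str         # the cloud service being accessed


@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset
    sources: frozenset
    countries: frozenset
    devices: frozenset
    window: tuple    # (start_hour, end_hour): allowed when start <= hour < end


@dataclass
class Decision:
    action: str                          # "allow", "deny" or "alert"
    reasons: list = field(default_factory=list)


# Sanctioned apps: procured by the enterprise and affiliated with the broker,
# so every access can be evaluated against a full context policy.
SANCTIONED = {
    "crm": AppPolicy(
        roles=frozenset({"sales", "finance"}),
        sources=frozenset({"corp", "internet"}),
        countries=frozenset({"CA", "US"}),
        devices=frozenset({"corp_laptop"}),
        window=(7, 20),
    ),
    "mail": AppPolicy(
        roles=frozenset({"sales", "finance", "engineering"}),
        sources=frozenset({"corp", "internet", "wifi"}),
        countries=frozenset({"CA", "US"}),
        devices=frozenset({"corp_laptop", "phone"}),
        window=(0, 24),
    ),
}

# Services the broker recognises but the enterprise has not subscribed to.
KNOWN_SHADOW = {"dropbox", "box"}


def evaluate(req: Request) -> Decision:
    """Allow or deny a sanctioned app by context; alert on anything else."""
    policy = SANCTIONED.get(req.app)
    if policy is None:
        # No affiliation, so nothing to enforce inside the app: flag it for the
        # security operations team to remediate manually.
        kind = "known shadow IT" if req.app in KNOWN_SHADOW else "unknown service"
        return Decision("alert", [f"{req.user} -> {req.app}: {kind}"])

    reasons = []
    if req.role not in policy.roles:
        reasons.append(f"role {req.role} not permitted")
    if req.source not in policy.sources:
        reasons.append(f"source {req.source} not permitted")
    if req.country not in policy.countries:
        reasons.append(f"region {req.country} not permitted")
    if req.device not in policy.devices:
        reasons.append(f"device {req.device} not permitted")
    start, end = policy.window
    if not start <= req.hour < end:
        reasons.append(f"outside working window {start:02d}:00-{end:02d}:00")
    return Decision("deny" if reasons else "allow", reasons)


if __name__ == "__main__":
    sample = [
        Request("alice", "sales", "corp", "CA", "corp_laptop", 9, "crm"),
        Request("bob", "engineering", "internet", "CA", "home_pc", 9, "crm"),
        Request("carol", "engineering", "wifi", "US", "phone", 3, "dropbox"),
    ]
    for r in sample:
        d = evaluate(r)
        print(f"{r.user:6} {r.app:8} {d.action:5} {'; '.join(d.reasons)}")
```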
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Several of these CASBs </b>provide on-premise inspection and policy gateways to augment your corporate network controls and provide definitive logical access control to the cloud services from within the corporate network. These on-premise gateways complement the cloud based CASB services and provide for a hybrid view of data movement. </span><br />
<br />
<br />
<blockquote class="tr_bq">
<i>Since their emergence in 2012, CASBs have grown in importance and today
are the primary technical means of giving organizations more control
over SaaS security. This technology will become an essential component
of SaaS deployments by 2017.
</i></blockquote>
<blockquote class="tr_bq">
<i> By 2016, 25% of enterprises will secure access to
cloud-based services using a CASB platform, up from less than 1% in
2012, reducing the cost of securing access by 30%.</i></blockquote>
<br />
<blockquote class="tr_bq">
<b>- <a href="https://www.gartner.com/doc/2032015/growing-importance-cloud-access-security" target="_blank">Gartner, The Growing Importance of Cloud Access Security Brokers</a></b></blockquote>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Gartner has defined the four pillars of CASB as:</b></span></span><br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b> <span style="font-size: small;">Visibility, Data Security, Compliance and Threat Prevention.</span></b></span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9FxWq38stYK4gHJMM3wFdXwbkYgOK9nTxzYNLpdlitUB6f02EUztwelaNAVF9_KhvQsFEtZlGe6bAKLYK7gQxCm2gz8KX29kNqa3BTL-i_b9IrkdZO4F7We06_uORtqbowOF3SMJJ5FNe/s1600/CASB.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9FxWq38stYK4gHJMM3wFdXwbkYgOK9nTxzYNLpdlitUB6f02EUztwelaNAVF9_KhvQsFEtZlGe6bAKLYK7gQxCm2gz8KX29kNqa3BTL-i_b9IrkdZO4F7We06_uORtqbowOF3SMJJ5FNe/s1600/CASB.jpg" width="400" /></a></div>
<br />
<h3>
<span style="font-family: "Trebuchet MS",sans-serif;"> As of this time, there are about twelve companies playing in this space. I would like to highlight the leaders at the moment. </span></h3>
<h3>
<span style="font-family: "Trebuchet MS",sans-serif;">(In alphabetical order, and in their own words. <span style="font-size: x-small;">ie: pilfered from their websites.</span>)</span></h3>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><a href="https://www.adallom.com/" target="_blank">Adallom</a></b></span> </span><span style="font-family: "Trebuchet MS",sans-serif;">delivers
an extensible platform to secure and govern cloud applications. In
addition to discovering almost 13,000 cloud services in use, Adallom
offers comprehensive controls for data sharing, data security, DLP,
eDiscovery and access control. The Adallom platform also integrates with
existing on-premises solutions such as SIEMs, MDMs, NACs and DLPs.
Adallom has identified new malware attacks in the wild, including a <a href="http://www.networkworld.com/article/2174314/malware-cybercrime/zeus-malware-botnet-variant-spotted--crawling--salesforce-com.html">Zeus variant attacking Salesforce</a>, and an <a href="http://www.zdnet.com/article/office-365-bug-allows-hackers-to-steal-credentials/">identity token hijacking vulnerability affecting Office 365</a>. <a href="http://www8.hp.com/us/en/hp-news/press-release.html?id=1964113#.VTkSFJOnRBw" target="_blank">On April 21st, Adallom announced an HP partnership</a>
where its platform will be resold on the HP price list, and offered
with the HP Enterprise Security Products and Enterprise Security
Services portfolio. https://www.adallom.com </span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/adallom" target="_blank">https://www.crunchbase.com/organization/adallom</a></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /><span style="font-size: large;"><b><a href="http://www.bitglass.com/" target="_blank">Bitglass</a></b></span>,
</span><span style="font-family: "Trebuchet MS",sans-serif;">the Total Data Protection company, is a Cloud Access Security Broker, founded in 2013, that delivers innovative technologies
that transcend the network perimeter to deliver total data protection
for the enterprise - in the cloud, on mobile devices and anywhere on the
internet. </span><span style="font-family: "Trebuchet MS",sans-serif;">Bitglass delivers the
security, visibility, and control that IT needs to enable mobile and
cloud in the workplace, while respecting user privacy.</span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/bitglass" target="_blank">https://www.crunchbase.com/organization/bitglass </a></span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><a href="http://www.ciphercloud.com/" rel="external" target="_blank">CipherCloud</a></b> </span>is
a cloud security software suite that encrypts data during the upload
process, and decrypts during download. The encryption keys used for this
process remain within your business network; thus, unauthorized users
accessing data in the cloud will only see indecipherable text.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">CipherCloud also comes with built-in malware detection and data loss prevention.
There are specific builds for commonly used cloud applications such as
Salesforce, Office 365, Gmail and Box, as well as a variant that can be
configured to work with any <a href="http://www.hongkiat.com/blog/cloud-ide-developers/" rel="external" target="_blank">cloud-based applications</a> your business uses.</span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/ciphercloud" target="_blank">https://www.crunchbase.com/organization/ciphercloud</a></span></span></span></div>
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="_Tgc"><span style="font-size: large;"><b><a href="http://netskope.com/" target="_blank">Netskope</a></b></span> is a leader in cloud app analytics and policy enforcement. Netskope
aims to eliminate the catch-22 between being agile and being secure and
compliant by providing visibility, enforcing sophisticated policies,
and protecting data in cloud apps. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.netskope.com/" rel="external" target="_blank">Netskope</a> is a service that discovers and monitors
cloud apps and shadow IT used on your network. Netskope monitors users,
sessions, shared and downloaded content as well as the shared content
details, and provides detailed analytics based on this information.</span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/netskope">https://www.crunchbase.com/organization/netskope</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"> </span> </span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSg5FAZdC2IESUdEqMaqbZknpT0y0NP9RwpXVX53FtLYOEk81XzSE-uL4pDPmQiGDbqDp4WniL_4BRuGqOQYNWRN4RSMi4MTPWZdXkjOiE2oQgZC-go063iE2iPLyMsx1StXrnCpTsQo70/s1600/Canada_flag1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSg5FAZdC2IESUdEqMaqbZknpT0y0NP9RwpXVX53FtLYOEk81XzSE-uL4pDPmQiGDbqDp4WniL_4BRuGqOQYNWRN4RSMi4MTPWZdXkjOiE2oQgZC-go063iE2iPLyMsx1StXrnCpTsQo70/s1600/Canada_flag1.png" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><a href="http://www.perspecsys.com/" target="_blank">Perspecsys</a></b></span>' <a href="http://perspecsys.com/perspecsys-cloud-protection-gateway/appprotex-cloud-control-gateway/">AppProtex Cloud Data Protection Platform</a>
provides a flexible cloud data control platform that enables
organizations to identify and monitor cloud usage and then encrypt or
tokenize data that it does not want to put in the cloud “in the clear”. The Platform intercepts sensitive data
while it is still on-premise and replaces it with a random tokenized or
encrypted value, rendering it meaningless should anyone outside of the
company access the data while it is being processed or stored in the
cloud.</span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/perspecsys" target="_blank">https://www.crunchbase.com/organization/perspecsys</a></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;"><a href="http://skyhighnetworks.com/" target="_blank">Skyhigh Networks</a> </span></b>enables organizations to adopt cloud services with appropriate
security, compliance, and governance. Skyhigh supports the entire cloud
adoption lifecycle, providing unparalleled visibility, analytics, and
policy-based control. Specifically,
Skyhigh shines a light on Shadow IT by giving a comprehensive view into
an organization’s use and risk of all cloud services. Skyhigh analyzes
the use of all cloud services to identify anomalous behavior indicative
of security breaches, compromised accounts
or insider threats. Finally, Skyhigh enforces the organization's
policies on the use of over 12,000 cloud services by providing
contextual access control, structured and unstructured data encryption
and tokenization, data loss prevention, and detailed cloud
activity monitoring for forensic and compliance purposes.</span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.crunchbase.com/organization/skyhigh-networks">https://www.crunchbase.com/organization/skyhigh-networks</a></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><a href="http://www.zscalar.com/" target="_blank">Zscaler</a></b></span> is leading two fundamental transformations in the world of IT
security. First—the shift from on-premise hardware appliances and
software to Security as a Service. Second—the transition from point
security solutions to broad unified security and compliance platforms.
Both transformations exactly parallel what has happened in every other
sector of information technology—CRM, ERP, HR, eCommerce, and personal
productivity—all have evolved from on-premises point applications to
comprehensive cloud-based platforms. </span><br />
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://www.crunchbase.com/organization/zscaler" target="_blank">https://www.crunchbase.com/organization/zscaler</a> </span></div>
<br />
<hr />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>While conducting this review of the CASB market</b>, I looked at a number of Security Controls that I would expect a mature Access Broker to provide. I've laid this out in accordance with Gartner's four pillars: </span><br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"> </span><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><span style="font-size: small;">Visibility, Data Security, Compliance and Threat Prevention.</span></b></span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim8P_6WmFf9PI1qXdJjR38Ews4VX10tqUG7t66nbkKcqMQ02I7ia6gWuyr0phzW7TfLJ_QX4kynmOhZG1kAqTmtpC3Gi7QCyYObW2c99NY4clrw_Y6vWTlI23d8F5yQ8ypoxwOSntk-Ef_/s1600/casb4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim8P_6WmFf9PI1qXdJjR38Ews4VX10tqUG7t66nbkKcqMQ02I7ia6gWuyr0phzW7TfLJ_QX4kynmOhZG1kAqTmtpC3Gi7QCyYObW2c99NY4clrw_Y6vWTlI23d8F5yQ8ypoxwOSntk-Ef_/s1600/casb4.jpg" width="473" /></a></div>
<blockquote class="tr_bq">
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><b>If you think I have omitted</b> your favorite Cloud Access Security Broker, or have misrepresented a control above, please have them forward details to me, including their position on each of the items in the above controls list. After validating each, I will gladly amend the list.</span></blockquote>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Although the CASB market space</b> is still in its infancy, the main players have done a good job of defining, and meeting, most of the requirements of an off-premise security service. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">I'm interested to see what happens to this space over the next three years. My money is on convergence of CASB, SSO, and Mobile Security providers.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif; font-size: large;"><b>Also Read: </b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://security-musings.blogspot.ca/2013/01/standing-at-crossroads-employee-use-of.html" target="_blank">Standing at the Crossroads: Employee Use of Cloud Storage. </a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span><br />
<br />
<span style="font-size: large;"><b>References:</b></span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.gartner.com/doc/2032015/growing-importance-cloud-access-security" target="_blank">Gartner: The Growing Importance of Cloud Access Security Brokers</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner" target="_blank">http://www.computerweekly.com/news/2240223323/Cloud-access-brokers-top-security-technology-says-Gartner</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.gartner.com/doc/2856117?srcId=1-2819006590&pcp=itg" target="_blank">Gartner: Emerging Technology Analysis: Cloud Access Security Brokers</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/">http://www.ciphercloud.com/2014/09/30/public-cloud-security-demands-cloud-access-security-broker-casb/</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.netskope.com/">https://www.netskope.com</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://blog.bitglass.com/the-definitive-guide-to-cloud-access-security-brokers" target="_blank">Bitglass: The Definitive Guide to Cloud Access Security Brokers</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://pages.ciphercloud.com/rs/ciphercloud/images/CipherCloud-%20Impact%20Report-%2011%20Dec%202014.pdf" target="_blank">CipherCloud looks to stay at the head of the cloud security class </a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://pages.ciphercloud.com/The10-MinuteGuidetoCloudEncryptionGateways.html" target="_blank">Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways</a><br /><a href="http://pages.ciphercloud.com/Cloud-Adoption-and-Risk-Report-landing-page.html" target="_blank">Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.networkworld.com/article/2691104/security0/how-the-cloud-is-changing-the-security-game.html" target="_blank">NetworkWorld: How the cloud is changing the security game </a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.adallom.com/wp-content/uploads/2014/12/TheCaseForACASB.pdf" target="_blank">Adallom: The Case For A Cloud Access Security Broker</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://learn.adallom.com/rs/adallom/images/Adallom_Cloud_Risk_Report-Nov14.pdf" target="_blank">Adallom: Cloud Risk Report Nov 2014</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.adallom.com/wp-content/uploads/2015/02/Check-Point-Brief-File.pdf" target="_blank">Check Point Capsule and Adallom Integration</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www8.hp.com/us/en/software-solutions/cloud-data-security-governance/" target="_blank">HP - Adallom: Proven Cloud Access Security Protection Platform</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.4-traders.com/news/Adallom--to-Offer-Comprehensive-Cloud-Security-Solution-for-Businesses-With-HP--20227632/" target="_blank">Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.pingidentity.com/content/dam/pic/downloads/resources/Misc/skyhigh_partner_solutions_brief.pdf" target="_blank">PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://managedmethods.com/solutions/role-enterprise-cloud-access-security-broker/" target="_blank">ManagedMethods: Role of Enterprise Cloud Access Security Broker</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://security-musings.blogspot.ca/2013/01/standing-at-crossroads-employee-use-of.html" target="_blank">Standing at the Crossroads: Employee Use of Cloud Storage. </a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.ijarse.com/images/fullpdf/1427897972_32_Research_Paper.pdf" target="_blank">Cloud Computing: Security Threats and Tools</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.scmagazineuk.com/most-cloud-applications-in-use-are-not-sanctioned/article/396549/" target="_blank">SC Magazine: Most cloud applications in use are not sanctioned </a> </span></span><br />
<br />
<h2>What's the difference between a Virtual Machine and a Container?</h2>
<span style="font-size: x-small;">Posted 2015-04-27 (updated 2015-05-08) by security-musings, Bowmanville, ON, Canada</span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPTlFfJAiz43zksvWw_GwRTLHknOtdE6H-4m58YNLfyHfXScWIbsBVrK8TFx_FD5glDatUVMLXrujK__UcLS3fHQOfC-z43UJA-4wPCaZfjihSkVyYZxqIO8rQKZ4LbnOhH2y9VEerS_T7/s1600/vm_vs_container.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPTlFfJAiz43zksvWw_GwRTLHknOtdE6H-4m58YNLfyHfXScWIbsBVrK8TFx_FD5glDatUVMLXrujK__UcLS3fHQOfC-z43UJA-4wPCaZfjihSkVyYZxqIO8rQKZ4LbnOhH2y9VEerS_T7/s1600/vm_vs_container.png" width="173" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><b>With the current trend towards "Containers"</b> as opposed to <b>"Virtual Machines"</b>, I've had a few people asking what the difference was, and where you might use one over the other.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>I hope to keep this brief, but... </b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Both Containers and Virtual Machines</b> have been around for quite some time. Mainframe and Commercial UNIX have had terms like LPAR for Logical Partition (Representing VM) and WPAR for Workload Partition (Representing Containers) for over a decade (Mainframe since 1972!!!). </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>UNIX/Linux have used "chroot" filesystems</b> (otherwise known as "<a href="http://en.wikipedia.org/wiki/Chroot" target="_blank">chroot jail</a>") for years to secure running processes such as a web server or database server. The earliest implementation of "containers" was the 1979 introduction of chroot into <a href="http://cm.bell-labs.com/7thEdMan/v7vol1.pdf" target="_blank">UNIX Version 7</a>.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Currently <b>chroot</b> is a part of just about every major <a href="https://help.ubuntu.com/community/BasicChroot" target="_blank">distribution of Linux</a>. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">________________________________________________________________________________</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>In very high level terms</b>, a Virtual Machine or Hypervisor (such as <a href="http://vmware.com/" target="_blank">VMWare</a>, <a href="http://www.microsoft.com/en-ca/server-cloud/solutions/virtualization.aspx" target="_blank">Hyper-V</a>, <a href="http://www.linux-kvm.org/page/Main_Page" target="_blank">KVM</a>, <a href="http://www.virtualbox.org/" target="_blank">VirtualBox</a>, and <a href="http://www.xenproject.org/" target="_blank">Xen</a>) is designed to emulate an entire physical computer, including the various hardware abstractions required for networking, video, audio, etc... </span><br />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><b><span style="font-family: "Trebuchet MS",sans-serif;">In a word, VMs are FAT! </span></b></span></div>
<div style="text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.accenture.com/us-en/blogs/technology-blog/Lists/Photos/virtual-machines-containers.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="http://www.accenture.com/us-en/blogs/technology-blog/archive/2014/08/26/inspiration-through-elevation-simplified-configuration-management-with-docker.aspx" border="0" src="http://www.accenture.com/us-en/blogs/technology-blog/Lists/Photos/virtual-machines-containers.jpg" height="172" title="Via Accenture" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Via Accenture:</td></tr>
</tbody></table>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>A container on the other hand</b> (<a href="http://www.docker.com/" target="_blank">Docker</a>, <a href="http://www.parallels.com/" target="_blank" title="Parallels">Parallels</a>, <a href="http://en.wikipedia.org/wiki/CoreOS" target="_blank">CoreOS</a>, <a href="https://help.ubuntu.com/community/BasicChroot" target="_blank">chroot</a>, ...) runs on top of an existing kernel, leveraging resources from that kernel, and merely presents a virtual <a href="http://en.wikipedia.org/wiki/User_space" target="_blank">userspace</a> with a separate filesystem, CPU and memory allocation, and protected processes. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Without having to emulate</b> the underlying hardware, you can pack 3-4 times as many containers into the same resource pool as a single Virtual Machine.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>So why would I use Virtual Machines</b>, if Containers are just as good? </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Well, </b>because a Virtual Machine abstracts the <b>ENTIRE</b> hardware platform, there's evidence that it is better suited to defined network segregation. </span><br />
<br />
<blockquote class="tr_bq">
<a href="https://i-msdn.sec.s-msft.com/dynimg/IC36655.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://i-msdn.sec.s-msft.com/dynimg/IC36655.gif" width="164" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><b>You could</b>, for instance, define a Virtual Machine to represent your web application in its entirety, then within that VM, create containers for the<a href="http://en.wikipedia.org/wiki/Multitier_architecture" target="_blank"> web, app, and database tiers</a>. The containers would provide logical segregation between the tiers, and the VM would protect the entire application from other apps in the DMZ.</span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Virtual Machines also allow</b> you to run completely different Operating Systems simultaneously on the same hardware. For instance, on your <a href="http://ubuntu.com/" target="_blank">Ubuntu</a> Laptop, you could use <a href="http://virtualbox.org/" target="_blank">Virtualbox</a>, to simultaneously run <a href="http://windows.microsoft.com/en-ca/windows-8/whats-new" target="_blank">Windows 8.1</a> and <a href="https://www.apple.com/ca/osx" target="_blank">OSX</a>. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Or, on your server</b>, you could simultaneously run <a href="http://www.redhat.com/promo/rhev3/sysreq.html" target="_blank">Redhat Linux</a>, <a href="https://technet.microsoft.com/en-ca/windowsserver/bb414778.aspx" target="_blank">Windows Server 2008</a>, and <a href="https://technet.microsoft.com/en-ca/library/dn303418.aspx" target="_blank">Windows Server 2012</a>. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>A containerized system, </b>as mentioned above, runs all containers off of the same Operating System Kernel.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>And by far the biggest benefit</b> of Containers over Virtual Machines is speed of launch. A Virtual Machine is, for all intents and purposes, a complete computer Operating System. On boot, it has to run through all of the legacy boot processes... </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>A Container launches on an already running kernel</b>. A full containerized application can launch in a fraction of a second (restricted only by I/O) whereas that same app launched within a Hypervisor context could be from tens of seconds to potentially a minute or more depending on boot requirements.</span><br />
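<span style="font-family: "Trebuchet MS",sans-serif;">The difference described above is visible from inside the guest, which is useful when you need to know what kind of boundary actually surrounds a workload you are assessing. The following is an added example, not code from the original post: a VM guest sees emulated hardware, so the CPU exposes a "hypervisor" flag in /proc/cpuinfo, while a container shares the host kernel and instead betrays itself through its cgroup path or a runtime marker file such as /.dockerenv. The sample /proc contents are constructed, and both checks are heuristics, not proof (a VM can mask the flag and a container on cgroup v2 may show a bare "0::/" path, which is why two signals are combined).</span><br />

```python
"""Added example (not from the original post): heuristics that tell a
container from a virtual machine using artifacts visible from inside.

A VM guest sees emulated hardware, so the CPU reports a 'hypervisor' flag
in /proc/cpuinfo.  A container shares the host kernel, so nothing in the
CPU changes; instead its processes live in a container-specific cgroup
and (for Docker) see a /.dockerenv marker file.  Both checks are heuristics:
a privileged container can hide markers and a VM can mask the flag.
"""
import os
import platform

# cgroup path fragments written by common container runtimes (cgroup v1 shows
# them in /proc/1/cgroup; on cgroup v2 the path is often just "0::/", which is
# why the /.dockerenv check is kept as a second signal).
CONTAINER_CGROUP_MARKERS = ("/docker/", "/lxc/", "/kubepods", "/libpod-")


def hypervisor_flag_present(cpuinfo_text: str) -> bool:
    """True if the x86 'hypervisor' CPUID bit is listed in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "hypervisor" in value.split()
    return False


def container_markers_present(cgroup_text: str, dockerenv_exists: bool) -> bool:
    """True if PID 1's cgroup path or the /.dockerenv file points at a container runtime."""
    if dockerenv_exists:
        return True
    return any(marker in cgroup_text for marker in CONTAINER_CGROUP_MARKERS)


def classify(cpuinfo_text: str, cgroup_text: str, dockerenv_exists: bool) -> str:
    """Combine the two signals into a label; a container can itself sit inside a VM."""
    in_container = container_markers_present(cgroup_text, dockerenv_exists)
    in_vm = hypervisor_flag_present(cpuinfo_text)
    if in_container and in_vm:
        return "container inside a virtual machine"
    if in_container:
        return "container sharing the host kernel"
    if in_vm:
        return "virtual machine"
    return "bare metal (or no marker found)"


def classify_local() -> str:
    """Run the heuristics on the machine this script executes on (Linux only)."""
    def read(path: str) -> str:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""
    return classify(read("/proc/cpuinfo"), read("/proc/1/cgroup"),
                    os.path.exists("/.dockerenv"))


# Constructed sample inputs, trimmed to the relevant lines.
SAMPLE_VM_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Constructed CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm hypervisor lahf_lm\n"
)
SAMPLE_HOST_CPUINFO = SAMPLE_VM_CPUINFO.replace(" hypervisor", "")
SAMPLE_DOCKER_CGROUP = (
    "12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "11:memory:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)
SAMPLE_HOST_CGROUP = "0::/init.scope\n"

if __name__ == "__main__":
    print("sample VM guest     :", classify(SAMPLE_VM_CPUINFO, SAMPLE_HOST_CGROUP, False))
    print("sample Docker in VM :", classify(SAMPLE_VM_CPUINFO, SAMPLE_DOCKER_CGROUP, False))
    # Containers share the kernel, so platform.release() inside one matches the host.
    print("this machine        :", classify_local(), "on kernel", platform.release())
```

<span style="font-family: "Trebuchet MS",sans-serif;">Run inside a Docker container on a cloud VM, the local check reports a container inside a virtual machine, and the kernel release it prints is the host's: the container added no kernel of its own, which is exactly why it starts in a fraction of a second and why a kernel flaw on the host is shared by every container on it.</span><br />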
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<br />
<b>Edit: (04/28/2015)</b><br />
<br />
<b><a href="http://bromium.com/" target="_blank">Bromium</a> is a newcomer </b>to the virtualization space, and one to watch carefully. Based on a fork of the Xen hypervisor, Bromium relies heavily on <a href="http://en.wikipedia.org/wiki/X86_virtualization#Intel_Virtualization_Technology_for_x86_.28Intel_VT-x.29" target="_blank">Intel's hardware virtualization</a> for isolation.<br />
<br />
<b>Unlike either of the above</b> Hypervisor or Container approaches, Bromium isolates specific services in Windows, such as launching an application, downloading an email attachment, or clicking a hyperlink in a browser. When these activities are identified, Bromium creates a small task-specific "Microvisor" to encapsulate and segregate only the resources required for that task. <a href="http://en.wikipedia.org/wiki/Mandatory_access_control" title="Mandatory access control">Mandatory Access Control</a> policies ensure protection of the underlying Operating System, as well as any other apps running on the host.<br />
<br />
<b>When </b><a href="http://www.bromium.com/company/press-releases/bromium-vsentry-sets-new-standard-security-effectiveness.html" target="_blank"><b>NSS Labs tested </b>the Bromium architecture</a>, it achieved a perfect score in defeating all malware, as well as manual and scripted attempts at penetration.<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.networkworld.com/article/2911944/virtualization/vmware-just-created-its-first-linux-os-and-its-container-friendly.html" target="_blank">VMware just created its first Linux OS, and it’s container-friendly</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://blog.smartbear.com/web-monitoring/why-containers-instead-of-hypervisors/" target="_blank">Why Containers Instead of Hypervisors?</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.unixmantra.com/2013/04/wpars-vs-lpars.html" target="_blank">WPARs Vs LPARs </a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.ibmsystemsmag.com/aix/administrator/lpar/An-LPAR-Review/" target="_blank">IBM Systems Magazine: An LPAR Review</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Workload_Partitions" target="_blank">Wikipedia: Workload Partitions</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Virtual_machine" target="_blank">Wikipedia: Virtual machine</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Operating-system-level_virtualization" target="_blank">Wikipedia: Operating-system-level virtualization</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Chroot" target="_blank">Wikipedia: Chroot</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.unixwiz.net/techtips/chroot-practices.html" target="_blank">Best Practices for UNIX chroot() Operations </a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://help.ubuntu.com/community/BasicChroot" target="_blank">Ubuntu: Basic chroot</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://cm.bell-labs.com/7thEdMan/v7vol1.pdf" target="_blank">BELL LABS: UNIX (TM) TIME-SHARING SYSTEM: UNIX PROGRAMMER’S MANUAL Version 7</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://linuxcontainers.org/" target="_blank">LinuxContainers.org (LXC) </a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud" target="_blank">Containers—Not Virtual Machines—Are the Future Cloud</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.cybera.ca/news-and-events/tech-radar/contain-your-enthusiasm-part-one-a-history-of-operating-system-containers/" target="_blank">Contain your enthusiasm - Part One: a history of operating system containers</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.docker.com/" target="_blank">Docker</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.accenture.com/us-en/blogs/technology-blog/archive/2014/08/26/inspiration-through-elevation-simplified-configuration-management-with-docker.aspx" target="_blank">Accenture: Inspiration through Elevation: Simplified Configuration Management with Docker </a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://blogs.gartner.com/neil_macdonald/2013/03/16/virtualization-containers-and-other-sandboxing-techniques-should-be-on-your-radar-screen/" target="_blank">Gartner: Virtualization, Containers and Other Sandboxing Techniques Should be on Your Radar Screen</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.bromium.com/company/press-releases/bromium-vsentry-sets-new-standard-security-effectiveness.html" target="_blank">Bromium vSentry Sets New Standard for Security Effectiveness</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.nsslabs.com/reports/threat-isolation-technology-test-report-bromium-vsentry" target="_blank">NSSLABS: Threat Isolation Technology Test Report: Bromium vSentry</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://blogs.bromium.com/2013/03/27/micro-virtualization-for-the-security-architect/" target="_blank">Bromium: Micro-virtualization for the Security Architect</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<h2>Tokenization as a companion to Encryption</h2>
<span style="font-size: x-small;">Posted 2015-03-04 by security-musings, Bowmanville, ON, Canada</span><br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1tZ9pcm3a9WrLB4_tlO71PT4NcqW0W-cvBJywmR2Gegz8oIsHgSfLLQ7Ki1H1t_lFKnaO-NGPwqaTeKOgBAMSwdJHPJU76gjAeQHvHgBDGXSz_H9w-wYl8yCkB22c2loVCWBqYnnoDW7/s1600/block-trust.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1tZ9pcm3a9WrLB4_tlO71PT4NcqW0W-cvBJywmR2Gegz8oIsHgSfLLQ7Ki1H1t_lFKnaO-NGPwqaTeKOgBAMSwdJHPJU76gjAeQHvHgBDGXSz_H9w-wYl8yCkB22c2loVCWBqYnnoDW7/s1600/block-trust.jpg" height="136" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>For the protection of sensitive data, tokenization is every bit as important as data encryption.</b></span></span></div>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;">(This article first ran in <a href="http://www.itworldcanada.com/blog/augment-encryption-with-tokenization/97358" target="_blank">ITworld Canada</a> in October 2014) </span></div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>We are all</b> very familiar with the requirement to encrypt sensitive data at rest as well as in transit. We have many tools that perform these functions for us. Our database systems allow for encryption as granular as a field, or as coarse as a table or the entire database. Network file systems likewise allow for various degrees of encryption. All of our tools for moving, viewing and editing data have the ability to transport data encrypted via SSL/TLS or SCP.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b><a href="http://en.wikipedia.org/wiki/Encryption" target="_blank">Encryption</a>, however</b>, is intended to be reversed. Sensitive data is still resident in the filestore/database, but in an obfuscated form, meant to be decrypted for later use. Backups of your data still contain a version of your original data. Transaction servers working on this data may have copies of sensitive data in memory while processing. Recently we saw in the <a data-mce-href="http://www.itworldcanada.com/post/hackers-likely-stole-40-million-credit-card-data-target" href="http://www.itworldcanada.com/post/hackers-likely-stole-40-million-credit-card-data-target">Target breach</a> that memory-resident data is not secure if the host is compromised. Memory scraping tools are among the payloads commonly delivered in a malware incursion.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>As long as</b> valuable sensitive data such as Personally Identifiable Information (PII) or Payment Card Industry (PCI) data resides in your facility, or is transmitted across your network, there is reason for a malicious threat agent to want to breach your network and obtain that information.</span><br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Additionally</b>, the cost and time involved in regulatory compliance to ensure and attest to the security of that sensitive data can be daunting. For PCI data, there are 12 rigorous <a data-mce-href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">Payment Card Industry Data Security Standard (PCI DSS)</a> requirements that have to be signed off on annually.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">For the rest of this discussion, I'm going to focus on credit card (PCI) data, as it is nearest and dearest to my field of experience, but the process is similar regardless of the type of sensitive data.</span><br />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><strong>Tokenization is not encryption</strong></span></span></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><strong>(Also read my:</strong></span><a href="http://security-musings.blogspot.ca/2014/10/toronto-based-pci-compliance-upstart.html" target="_blank"><strong><span style="color: black;"> </span></strong>Toronto based PCI Compliance upstart brings single solution to Voice-Web-POS</a>)</span></div>
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><strong> </strong></span></span></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://en.wikipedia.org/wiki/Tokenization_%28data_security%29" target="_blank"><b>Tokenization</b></a>
completely removes sensitive data from your network, and replaces it
with a format preserving unique placeholder or "token". You no longer
store an encrypted copy of the original data. You no longer transmit an
encrypted copy of the original data. Transaction servers no longer
keep a copy of the sensitive data in their memory.</span><br />
<br />
<b><span style="font-family: "Trebuchet MS",sans-serif;">With no data to steal, any network breach would prove fruitless.</span></b><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>The token value</b> is randomly generated, but typically designed to retain the original format, i.e. credit card tokens retain the same length as a valid credit card number, and pass the same <a data-mce-href="http://en.wikipedia.org/wiki/Luhn_algorithm" href="http://en.wikipedia.org/wiki/Luhn_algorithm" target="_blank">checksum validation algorithm</a> as an actual credit card number, but cannot be reverse engineered to recover the original credit card number.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Don't
get me wrong</b>, the actual data does get stored somewhere, but typically
in an offsite, purpose-built, highly secure, managed and monitored
vault.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>In the case of PCI compliance</b>, this vault and its associated security mechanisms are the only infrastructure that requires review/attestation. The rest of your network, including the transaction servers, falls outside the scope of review.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Neither
Tokenization nor Encryption</b> is a silver bullet in and of itself, but the
appropriate mix of each will greatly reduce your overall risk exposure,
and potentially keep your name off the next <a data-mce-href="http://www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf" href="http://www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf" target="_blank">Breach Report</a>.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Also Read</b>: <a data-mce-href="http://security-musings.blogspot.ca/2013/02/pci-dss-cloud-computing-guidelines.html" href="http://security-musings.blogspot.ca/2013/02/pci-dss-cloud-computing-guidelines.html" target="_blank">PCI DSS Cloud Computing Guidelines - Overview</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br data-mce-bogus="1" /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>References:</b></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="https://www.pcisecuritystandards.org/security_standards/index.php" href="https://www.pcisecuritystandards.org/security_standards/index.php" target="_blank">https://www.pcisecuritystandards.org/security_standards/index.php</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="http://gateway.elavon.com/documents/Tokenization_Guidelines_White_Paper.pdf" href="http://gateway.elavon.com/documents/Tokenization_Guidelines_White_Paper.pdf" target="_blank">Securosis: Tokenization Guidance: How to reduce PCI compliance costs</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf" href="https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf" target="_blank">PCI Security Standards Council: PCI Data Security Standard (PCI DSS)</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="https://securosis.com/assets/library/reports/TokenizationVsEncryption_V2_FINAL.pdf" href="https://securosis.com/assets/library/reports/TokenizationVsEncryption_V2_FINAL.pdf" target="_blank">Securosis: Tokenization vs. Encryption: Options for Compliance, version 2 </a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="http://cardvault.com/credit-card-tokenization-101/" href="http://cardvault.com/credit-card-tokenization-101/" target="_blank">Cardvault: Credit Card Tokenization 101 – And Why it’s Better than Encryption</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="https://www.brighttalk.com/webcast/5573/48271" href="https://www.brighttalk.com/webcast/5573/48271" target="_blank">3 Core PCI-DSS Tokenization Models- Choosing the right PCI-DSS Strategy</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="http://www.transactionworld.net/articles/2011/september/security.asp" href="http://www.transactionworld.net/articles/2011/september/security.asp" target="_blank">Encryption and Tokenization</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="https://www.firstdata.com/downloads/thought-leadership/fd_encrypt_token_pci_whitepaper.pdf" href="https://www.firstdata.com/downloads/thought-leadership/fd_encrypt_token_pci_whitepaper.pdf" target="_blank">Data
Encryption and Tokenization: An Innovative One-Two Punch to Increase
Data Security and Reduce the Challenges of PCI DSS Compliance </a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="http://www.paymetric.com/wp-content/uploads/Tokenization-Amplified-%C2%AD-XiIntercept.pdf" href="http://www.paymetric.com/wp-content/uploads/Tokenization-Amplified-%C2%AD-XiIntercept.pdf" target="_blank">Paymetric: Tokenization Amplified </a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a data-mce-href="http://www.chasepaymentech.com/documents/tokenization_perspective.pdf" href="http://www.chasepaymentech.com/documents/tokenization_perspective.pdf" target="_blank">Tokenization is About More Than PCI Compliance</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a data-mce-href="http://www.bankinfosecurity.com/tokenization-pci-guidance-a-3986/op-1" href="http://www.bankinfosecurity.com/tokenization-pci-guidance-a-3986/op-1" target="_blank">Tokenization: The PCI Guidance</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://bluelinex.com/" target="_blank">Blueline Tokenization Infrastructure and Tokenization as a Service</a> </span></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com1Bowmanville, ON L1C, Canada43.913042999999988 -78.68961718.391008499999987 -119.998211 69.435077499999991 -37.381023tag:blogger.com,1999:blog-6954236093826966251.post-72117637507730287002015-02-13T14:05:00.001-05:002015-02-19T07:44:02.594-05:00Giving your network a shot in the arm! Darktrace: The Enterprise Immune System.<a href="http://www.uscg.mil/Acquisition/ioc/images/ioc.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://www.uscg.mil/Acquisition/ioc/images/ioc.jpg" height="141" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">I understand that most of you reading this have never worked <span style="font-size: small;">in a</span> <span style="font-size: small;"><a href="http://en.wikipedia.org/wiki/Security_operations_center" target="_blank">Security Operations Center</a></span></span> or SOC for short, but you've all seen them in movies.. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Sterile, brightly lit rooms of computer screens. All showing spreadsheets or charts or static maps of the world. I yawn even thinking of it.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>And yet</b> the men and women working this environment 24/7 are responsible for detecting <a href="http://en.wikipedia.org/wiki/Network_Behavior_Anomaly_Detection" target="_blank">that one little anomaly</a> or sorting out the <b>REAL</b> bad traffic patterns from among the thousands of <a href="http://en.wikipedia.org/wiki/False_positives_and_false_negatives" target="_blank">False Positive</a> bad traffic patterns that show up on their screens hourly.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Little wonder</b> the poor Security Analysts over at Target <a href="http://security-musings.blogspot.ca/2014/06/what-if-target-had-followed-zero-trust.html" target="_blank">missed the evidence in front of them</a>. The sheer enormity and chaos of data that assaults them in the course of their workday is stressful and overwhelming. All the screens look the same, tables and columns, and rows of information about network and security events collected and forwarded by every device on the network. Then hundred or thousands of rules process them to try to find deviations from "<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/how-threats-disguise-their-network-traffic/" target="_blank">normal traffic</a>". Like any network has "<a href="http://www.lovemytool.com/blog/2012/11/what-is-normal-traffic-anyway-by-chris-greer.html" target="_blank">normal traffic</a>". Right...</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>I know.</b> I've worked in or around these systems for the past two decades. I've seen the tools appear, mature, merge, morph, and become "fairly" useable. But the false positives are still rampant, and low and slow "<a href="http://security-musings.blogspot.ca/2014/07/advanced-persistent-threats-killchain.html" target="_blank">Advanced Persistent Threats</a>" are under the radar and typically don't show up here.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>So when an upstart Security Analytics company called me</b> late in 2013 to show me what they've been working on, well... I could care less. Really... They tried hard to influence me with their Pedigree: Harking from the minds<span class="caption"> <a href="https://www.mi5.gov.uk/" target="_blank">ex-MI5</a> Security Intelligence employees, and </span></span><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption">funded by <a href="http://www.autonomy.com/" target="_blank">Autonomy</a> founder Mike Lynch. But all big software stands on the shoulders of giants, right?</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>Then a few months ago</b>, a friend of mine convinced me to come out to a public demo of their system. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b><span class="caption">Five minutes in, I was awestruck. </span></b></span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>So let me take a second</b> to say that the basis of their tools revolves around some very <a href="http://www.zdnet.com/article/darktrace-what-happens-when-bayesian-analysis-is-turned-on-intruders/" target="_blank">propeller head complex math</a> that us mere mortals could never comprehend. They do not rely on rules or signatures or feeds from your network devices. Yes... they DO <a href="http://security-musings.blogspot.ca/2013/07/security-appliances-in-band-or-out-of.html" target="_blank">require network span or tap at critical aggregation points</a> in your network, but they are able to watch, analyze, identify, and correlate your traffic over a period of time, and through machine learning techniques, develop and understanding of "normal traffic" within several contexts. </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>Darktrace touts themselves</b> to be your "<a href="https://www.digital.je/media/Public_Files/Darktrace_Enterprise%20Immune%20System_whitepaper_digital-2.pdf" target="_blank">Enterprise Immune System</a>", in that like the human body's immune system, which has an understanding of "self" or what belongs or is normal versus contaminants like bacteria or viruses. After a period of mapping your environment's traffic patterns: Source/Destination/Port/Protocol/Time of day/Day of year/etc... Darktrace will use it's learning algorithms to alert on traffic patterns that are NOT normal, and therefore should be looked at.<b> It learns what "normal" or "self" is for each device on your network. </b> The difference here is the heuristic learning. Not rules, made be people who think they know the system. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>All very impressive... BUT...</b> that's not really what caught my eye. Sorry Darktrace guys, but<b> </b>the person or people you can never let leave your company<b> </b>are the ones who wrote that <b>AWESOMELY FUTURISTIC HUMAN INTERFACE!!! Oh My God! </b></span></span><br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"> (pause here to collect my breath)</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.darktrace.com/img/visualiser.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.darktrace.com/img/visualiser.jpg" height="225" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiljEpjYGvQ3zAH7Ff3NXd7Y708qunuPg-2prmSa8xkXDTkVQLhaCsAE1Xj-CPKadL4C4i2JPc1DaCXmLNWbDVJHIUpbMvL7fth5Com8FC9_5fKedbhFvN924Tv_cZlMgt19crCUkXflyWt/s1600/Minority-report-UI.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiljEpjYGvQ3zAH7Ff3NXd7Y708qunuPg-2prmSa8xkXDTkVQLhaCsAE1Xj-CPKadL4C4i2JPc1DaCXmLNWbDVJHIUpbMvL7fth5Com8FC9_5fKedbhFvN924Tv_cZlMgt19crCUkXflyWt/s1600/Minority-report-UI.jpg" height="200" width="320" /></a></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>Remember up top </b>where I said how sterile and drab and monotonous staring a<span style="font-size: small;">t a </span>gazillion screens full of spreadsheets was? Well... now picture having the tools from <a href="http://en.wikipedia.org/wiki/Minority_Report_%28film%29" target="_blank">Minority Report</a>! Yeah, you know the ones! </span></span><br />
<br />
<br />
<br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>The screen in front of me</b> started off with a wireframe globe. Little pins of light would show up, intensify, dim... whatever.. I've seen this before. But... Our presenter took the mouse, spun the globe a few degrees, and zoomed in "just like in the movies". </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b> I got the feeling at first that this was canned video footage</b>. But then the presenter selected one of those intensifying lights. Zoomed in, and as he zoomed, images of network devices started showing up. Lines between them glowing as well, in various intensities and colors. They then portrayed a communication session initiated from a desktop to a webserver. a faint white line... Then immediately more light from that webserver back to another device that turned out to be an associated database server... AND more illuminated lines back to the network storage array... That one transaction, a web page request I would imagine, allowed me to visualize <b>*VISUALIZE*</b> connectivity to the various sub components of the web applications infrastructure. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><b>Before anyone had a chance to ask</b> about those red glowing devices and lines, the presenter clicked one and detailed how <b>THIS</b> was not typical traffic from that particular device at this time of day, nor from the area of the network being connected. <a href="http://en.wikipedia.org/wiki/Network_Behavior_Anomaly_Detection" target="_blank">Anomalous behavior</a>. <b>VISIBLE in real time</b>. </span></span><br />
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><span style="font-size: large;">On a 3D rotatable glowing thingamabobber of a Awesome Graphical User Interface.</span> </span></span></div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSRmpZIDvvsG-dC02NgZ6GRtlQmPzCct9tEmDZ90XuaDPpZ-6U87fmCGzPLALFou452Kb9EtImUgP-nl5eNGH5-Mpbb0EvumkY62_PYLhXbtUBu8FJJrkpD9xJoVGVTXNwucm2GZ3kzBN/s1600/Darktrace+interface+-+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSRmpZIDvvsG-dC02NgZ6GRtlQmPzCct9tEmDZ90XuaDPpZ-6U87fmCGzPLALFou452Kb9EtImUgP-nl5eNGH5-Mpbb0EvumkY62_PYLhXbtUBu8FJJrkpD9xJoVGVTXNwucm2GZ3kzBN/s1600/Darktrace+interface+-+1.png" height="179" width="320" /></a></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span></div>
<div style="text-align: center;">
<b><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption">If you want your Security Operations Center personnel to be engaged, alert, </span></span></b></div>
<div style="text-align: center;">
<b><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><span style="font-size: large;">and notice the anomalies... </span></span></span></b></div>
<div style="text-align: center;">
<b><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption">let them play with <a href="http://www.darktrace.com/" target="_blank"><span style="font-size: small;">Darktrace</span></a> just for a few days. I guarantee you'll leave it in. </span></span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg7sa54eRbh8R1XRhwXS_AdUYTJJhNvpclNQotq-_RY8NmlMS3S4mhSv-87e1aHeAF9h87lG1erVkOfLVMltyI-g6e9pMx4fDctMbgCthWp1UzsUodH3mSG6IblR_5PH0n5QcjUdeISe0M/s1600/darktrace-image4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg7sa54eRbh8R1XRhwXS_AdUYTJJhNvpclNQotq-_RY8NmlMS3S4mhSv-87e1aHeAF9h87lG1erVkOfLVMltyI-g6e9pMx4fDctMbgCthWp1UzsUodH3mSG6IblR_5PH0n5QcjUdeISe0M/s1600/darktrace-image4.jpg" height="193" width="320" /></a></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://ytimg.googleusercontent.com/vi/oqyKH5wOlS0/0.jpg" frameborder="0" height="266" src="http://www.youtube.com/embed/oqyKH5wOlS0?feature=player_embedded" width="320"></iframe></div>
<br />
<div style="text-align: center;">
<b><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption">Darktrace Corporate Overview. </span></span></span></b></div>
<br />
<b><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption">References:</span></span></span></b><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.darktrace.com/" target="_blank">www.darktrace.com</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.darktrace.com/technology/enterprise-immune-system/" target="_blank">Darktrace: Enterprise Immune System</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.darktrace.com/technology/recursive-bayesian-estimation/" target="_blank">Darktrace: Recursive Bayesian Estimation</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.prnewswire.com/news-releases/darktrace-ceo-joins-prime-minister-david-cameron-on-official-cyber-security-visit-to-washington-dc-288803871.html" target="_blank">Darktrace CEO Joins Prime Minister David Cameron on Official Cyber Security Visit to Washington D.C. </a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.intelligenceonline.com/corporate-intelligence/2015/01/14/former-mi5-chief-advises-darktrace,108056695-ART" target="_blank">Former MI5 chief advises Darktrace</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.independent.co.uk/news/business/news/gchq-defence-chief-to-head-cyber-security-startup-darktrace-9098180.html" target="_blank">GCHQ Defence chief to head cyber security start-up Darktrace </a> </span></span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.zdnet.com/article/darktrace-what-happens-when-bayesian-analysis-is-turned-on-intruders/" target="_blank">ZDNet: Darktrace: What happens when Bayesian analysis is turned on intruders</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><br /></span></span></span>
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://deloitte.wsj.com/cio/2013/05/29/cyber-security-the-immune-system-of-enterprise-it/" target="_blank">Deloitte: The ‘Immune System’ of Enterprise IT?</a></span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/how-threats-disguise-their-network-traffic/" target="_blank">How Threats Disguise Their Network Traffic</a> </span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-network-detection-evasion-methods.pdf" target="_blank">TrendMicro: Network Detection Evasion Methods</a></span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><a href="http://www.lovemytool.com/blog/2012/11/what-is-normal-traffic-anyway-by-chris-greer.html" target="_blank">What is “Normal Traffic” Anyway? (by Chris Greer)</a> </span></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><span style="font-size: x-small;"><a href="https://www.mi5.gov.uk/" target="_blank">MI5: UK Security Intelligence</a></span></span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span class="caption"><span style="font-size: x-small;"><a href="http://www.cyber-securityexchange.com/AgendaDay.aspx?tp_day=45468" target="_blank">Cyber Security Exchange Conference with Darktrace</a> </span></span></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com0Bowmanville, ON L1C, Canada43.913042999999988 -78.68961718.391008499999987 -119.998211 69.435077499999991 -37.381023tag:blogger.com,1999:blog-6954236093826966251.post-81928510932254821512014-11-20T15:38:00.000-05:002014-11-21T07:34:12.830-05:00Jentu: Canadian Company aims to turn VDI upside down<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://web.citrix.com/go/citrix-resources/mwidgets/social/citrix-logo-250x250.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://web.citrix.com/go/citrix-resources/mwidgets/social/citrix-logo-250x250.png" height="200" width="200" /></a><span style="font-size: large;">For the past decade and a half</span>, <a href="http://www.citrix.com/" target="_blank">Citrix</a> and then <a href="http://www.vmware.com/" target="_blank">VMWare</a> have promised to deliver <a href="http://en.wikipedia.org/wiki/Virtual_desktop" target="_blank">Virtual Desktop</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">seamlessly and efficiently to the corporate user... Maintenance and patching could be done on images on the server side, and when a user logged in, they would receive the updates. Beautiful!</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> Citrix first called it <a href="http://en.wikipedia.org/wiki/Citrix_WinFrame" target="_blank">WinFrame</a>, then <a href="http://windowsitpro.com/systems-management/citrix-metaframe-presentation-server-30" target="_blank">Metaframe Presentation Server</a>, then finally <a href="http://www.citrix.com/products/xenapp/overview.html" target="_blank">XenApp</a>. Any which way, it is Server Based Computing, and they had the market share in virtualized desktops and application streaming for the better part of the late 90s through mid 2000s. They used a proprietary protocol called <a href="http://en.wikipedia.org/wiki/Independent_Computing_Architecture" target="_blank">ICA or Independent Computing Architecture</a> to deliver applications or complete desktops to an end user.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">This "<a href="http://en.wikipedia.org/wiki/Thin_client" target="_blank">thin computing</a>" as it was called could be delivered to a smart terminal or any of the existing Desktop Platforms of the time, whether it be Windows, MAC OSX, or UNIX/Linux. It was going to greatly reduce the cost of the desktop through reductions in hardware requirements and maintenance.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.vmware.com/files/images/vmrc/VMware_logo_gry_RGB_300dpi.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://www.vmware.com/files/images/vmrc/VMware_logo_gry_RGB_300dpi.jpg" height="70" width="200" /></a></span></div>
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://vmware.com/" target="_blank">VMware</a> was working on a very robust <a href="http://en.wikipedia.org/wiki/Virtualization" target="_blank">Server Virtualization</a> at the same time, and did not bring a <a href="http://en.wikipedia.org/wiki/Desktop_virtualization" target="_blank">Desktop Virtualization</a> product to market until significantly later than Citrix. Their first product was called <a href="http://www.vmware.com/pdf/vdm20_intro.pdf" target="_blank">VMWare VDM (Virtual Desktop Manager)</a>. This was later branded VMWare View, then recently <a href="http://searchvirtualdesktop.techtarget.com/news/2240178359/VMware-folds-View-into-Horizon-Suite-eliminates-low-end-VDI-pricing" target="_blank">VMWare Horizon View</a>.</span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Years later, Microsoft also joined the game with <a href="http://www.microsoft.com/en-ca/windows/enterprise/products-and-technologies/virtualization/operating-system/default.aspx" target="_blank">Microsoft Virtualization Desktop Infrastructure.</a></span><br />
<br />
<br />
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Citrix positioned itself on a mantra it called MAPS: </b></span></span></div>
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b><u>M</u>anagement, <u>A</u>ccess, <u>P</u>erformance, and <u>S</u>ecurity.</b></span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Through centralizing the desktop images and applications, <b>Management </b>became infinitely easier. You didn't have to install, patch, or maintain Operating Systems or Applications on a myriad of desktops. You managed them locally on the server, and an end user would get the update when they logged back in. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Access</b> meant that just about every desktop platform used at the time had the ability to render Citrix presentations. As long as they had adequate video capabilities, a keyboard, mouse, and network connectivity, it was likely that they could run Citrix ICA. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Performance</b> was achieved for many applications that required constant backed or file share access. Two-tiered applications where the desktop application connected to a database or file share on the back end could be placed close to that back end and latency was practically removed. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Security</b> was achieved through several artifacts of the technology. Firstly, your data never left the data center. Merely a video representation of it in the form of an ICA session was made available to your monitor. Secondly patching was done on the image files on the server, and were inherently available the next time the user logged in. Antivirus could be done from the backend, scanning all of the running guest images simultaneously. Updates would be immediate, and complete. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"> <span style="font-size: large;"><b>So how come uptake is now less than stellar?</b></span></span></div>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>Today, there is little delta in cost</b> between a Smart Terminal and a low end Intel/AMD based PC. Without the cost incentive, adoption has slowed. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>Network's have become exponentially faster</b>. Today's network environment has removed most of the latency issues chronically plaguing legacy applications.</span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>Another entire tier of infrastructure is required</b> to satisfy a typical VDI solution. High end multi-core server clusters with hundreds of Gigabytes of memory are required to host these remote sessions. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>Offline is not an option</b>. In a typical VDI infrastructure, when your network saturates or becomes disconnected... your entire farm is unavailable. All workstations cease to work.</span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><b>And most importantly, today's applications are Media Rich</b>. High end graphics and audio processors are the norm on the average desktop purchased, but the Server Based Computing model still fails to deliver on the performance requirements in this area. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> </span></span></span></h2>
<h2 class="definition-subtitle" style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><span style="font-weight: normal;">So? What's this Upside Down VDI thing you started with?</span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> In 2006, <a href="http://www.networkworld.com/article/2302270/infrastructure-management/citrix-acquires-ardence-for-pc--server-provisioning.html" target="_blank">Citrix acquired a company/technology called</a> <a href="http://www.brianmadden.com/blogs/brianmadden/archive/2006/03/22/using-ardence-disk-streaming-with-citrix-servers.aspx" target="_blank">Ardence.</a> Ardence basically stood up generic workstation boot images and user profile drives, and provisioned them through PXE boot to your workstations. You got the benefits of secure patching and antivirus every time you booted, and if there were hiccups in the network, you were still operational. AND!!! The image ran locally on your Desktop hardware. No huge backend server infrastructure other than the provisioning box, and all the media performance you could manage locally! </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;">Citrix has since rebranded this as <a href="http://support.citrix.com/proddocs/topic/provisioning-60/pvs-product-wrapper.html" target="_blank">Citrix Provisioning Services</a> and focused it more on provision virtual images for its core line of business, the XenApp services as opposed to physical workstations. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"> </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><span style="font-size: large;">Now, if you follow VDI or Citrix in general, the name <b><a href="http://brianmadden.com/" target="_blank">Brian Madden</a> </b>is etched into your very optic nerves. He is the defacto guru of anything resembling Virtualized Desktop.</span></span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-weight: normal;"><span style="font-size: large;"> </span></span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-weight: normal;"><span style="font-size: small;"><b>In early October, he issued the following article</b>: </span></span><span style="font-size: x-small;"><span style="font-size: small;"><a href="http://www.brianmadden.com/blogs/brianmadden/archive/2014/10/06/remember-how-ardence-was-awesome-before-citrix-screwed-it-up-you-need-to-know-about-jentu-disk-streaming-to-physical-desktops.aspx" target="_blank">Brian
Madden: Remember how Ardence was awesome before Citrix screwed it up?
You need to know about Jentu: Disk streaming to physical desktops </a></span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="font-size: small;"> </span></span></span></h2>
<h2 class="definition-subtitle" style="text-align: center;">
<a href="http://jentu-networks.com/wp-content/uploads/2014/05/jentuORANGE-300x159.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://jentu-networks.com/wp-content/uploads/2014/05/jentuORANGE-300x159.png" height="105" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: large;"><a href="http://jentu-networks.com/" target="_blank">Jentu</a> is a Canadian Company, out of Toronto Ontario. </span></span></span></span></h2>
<h2 class="definition-subtitle">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrF67TnBiQ9i01C1ics3HFvQaj4YaSXAJqBUdfwfJ736g4HmK9p6h-tS0QuA4DRPlfTb-yMenY_jR79W0C2Pj4IaFCcG53pj2kPLObXb5OV9-zgP86q2vaM8ElFJ3YSpatuY5wPvUT-Y7W/s1600/jentu-1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrF67TnBiQ9i01C1ics3HFvQaj4YaSXAJqBUdfwfJ736g4HmK9p6h-tS0QuA4DRPlfTb-yMenY_jR79W0C2Pj4IaFCcG53pj2kPLObXb5OV9-zgP86q2vaM8ElFJ3YSpatuY5wPvUT-Y7W/s1600/jentu-1.jpg" height="169" width="320" /></a><span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b> </b></span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b> </b></span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Even though the company name is relatively new</b>, Jentu has been around in one form or another for over a decade. Jentu introduced their Diskless Workstation provisioning architecture several years ago as a means to support multiple workstations at their remote customer sites. Rather than remotely accessing and managing individual workstations on a remote network, they came up with a scheme that would manage Virtual Disk images on a file server. These images would be maintained for patching and antimalware. Typical office applications would be applied to the image and maintained as well. User profiles and data, as well as host hardware profiles would be stored on a separate volume on the network. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>When a user rebooted their physical workstation</b>, a <a href="http://en.wikipedia.org/wiki/Preboot_Execution_Environment" target="_blank">PXE boot</a> (network boot) would connect the workstation (based on MAC address) to the correct boot image, and stream that image via secured iSCSI to the workstation. User logon would then pull down their personal profile for desktop, etc via group policy in Active Directory. </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>From that point on</b>, the user is running live on their own physical workstation with all the benefits of the hardware on their desk. </span></span></span></h2>
<h2 class="definition-subtitle">
<hr />
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Remember that MAPS acronym from Citrix? </b> </span></span></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"> </span></span></span><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><b><u>M</u>anagement, <u>A</u>ccess, <u>P</u>erformance, and <u>S</u>ecurity.</b></span></span></h2>
<div class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Jentu is batting 4 for 4 on this. Management is still centralized. Access to images is local to the provisioning server. Performance is determined by the individual desktop hardware used, and the network connectivity provisioned. Security is ensured through encrypted iSCSCI, as well as security and patch management of centralized images. </span> </span></span></span></div>
<h2 class="definition-subtitle" style="text-align: center;">
<span style="background-color: white;"><b><span style="font-size: large; font-weight: normal;"><span style="font-family: "Trebuchet MS",sans-serif;"><span style="color: blue;">If you haven't heard of <a href="http://jentu-networks.com/" target="_blank"><b>Jentu</b></a>, I suggest you go check them out now. You'll definitely be hearing more of them in the future.</span></span></span></b></span></h2>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><span style="background-color: white;"><span style="color: blue;"> </span></span></span></span></span></h2>
<h2 class="definition-subtitle">
<a href="http://jentu-networks.com/" target="_blank"><span style="font-size: large;"><span style="font-weight: normal;"><span style="font-family: "Trebuchet MS",sans-serif;">From the Jentu site: </span></span></span></a></h2>
<h2 class="definition-subtitle">
</h2>
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<blockquote class="tr_bq">
<div style="text-align: center;">
<b><span style="font-weight: normal;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Jentu is a server-controlled
diskless computing platform that enables an organization to manage their
desktop infrastructure through the cloud, while keeping all processing
at the local endpoint</b>.</span></span></b></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;">Without a hard drive at the workstation,
a user simply reboots to have their system restored to a clean and
pristine operating system. The removal of hard drives reduces the number
of costly on-site service failures. Task automation increases
administrator efficiency, while the intuitive Jentu Control Panel allows
a single administrator to manage hundreds of locations, dramatically
reducing annual management costs. Jentu does not suffer bottlenecks
associated with traditional VDI as it utilizes an adaptive cache which
learns how your workstations are using the OS and keeps frequently
accessed bits in memory.</span></div>
</blockquote>
</div>
</div>
<h2 class="definition-subtitle">
<span style="font-weight: normal;"><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"> </span></span></span></h2>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Resources:</b></span></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://brianmadden.com/" target="_blank">Brianmadden.com </a><b><br /></b></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.amazon.com/The-VDI-Delusion-Virtualization-Enterprise-ebook/dp/B007MWG378" target="_blank">The VDI Delusion: Why Desktop Virtualization Failed to Live Up to the Hype, and What the Future Enterprise Desktop will Really Look Like</a></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.discoposse.com/index.php/2014/01/02/why-it-is-always-and-never-the-year-of-vdi-but-network-virtualization-is-here-to-stay/" target="_blank">Why it is always, and never, the year of VDI, but network virtualization is here to stay</a></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://searchvirtualdesktop.techtarget.com/news/2240178359/VMware-folds-View-into-Horizon-Suite-eliminates-low-end-VDI-pricing" target="_blank">VMware folds View into Horizon Suite, eliminates low-end VDI pricing</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://searchvirtualdesktop.techtarget.com/news/2240150659/VMwares-Wanova-acquisition-extends-VDI-to-physical-desktops" target="_blank">VMware's Wanova acquisition extends VDI to physical desktops</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://blogs.vmware.com/cto/vmware-welcomes-wanova-to-the-euc-family/" target="_blank">VMware Welcomes Wanova to the EUC Family</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://searchvirtualdesktop.techtarget.com/definition/Persistent-desktop" target="_blank">What is Persistent Desktop?</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://en.community.dell.com/techcenter/virtualization/vworkspace/b/vworkspace-blog/archive/2010/07/12/who-says-thin-client-failed" target="_blank">Dell: Who says thin client failed?</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.brianmadden.com/blogs/citrix_presentation_server_45_advanced_technical_design_guide/pages/a-decade-of-server-based-computing-how-we-got-from-winframe-to-the-virtual-streamed-vdi-xenapp-world-of-today.aspx" target="_blank">Brian Madden: A decade of server-based computing: how we got from WinFrame to the virtual, streamed, VDI, XenApp world of today</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.citrix.com/content/dam/citrix/en_us/documents/partner-documents/white-paper-desktop-virtualization-with-citrix.pdf" target="_blank">Fujitsu: Desktop Virtualization with Citrix</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Desktop_virtualization" target="_blank">Wikipedia: Desktop Virtualization</a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://searchvirtualdesktop.techtarget.com/feature/When-to-use-Local-VDI-vs-offline-VDI" target="_blank">Brian Madden: When to use local VDI vs. offline VDI </a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.intervalzero.com/newsevents/test-news-and-event/" target="_blank">Ardence: IntervalZero Acquires Ardence Embedded Software Business From Citrix </a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.brianmadden.com/blogs/brianmadden/archive/2006/03/22/using-ardence-disk-streaming-with-citrix-servers.aspx" target="_blank">Brian Madden: Using Ardence Disk Streaming with Citrix Servers </a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.brianmadden.com/blogs/brianmadden/archive/2009/10/19/double-take-s-flex-product-is-like-citrix-provisioning-server-without-citrix.aspx" target="_blank">Brian Madden: Double-Take’s Flex product is like Citrix Provisioning Server without Citrix </a> </span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"> <span style="font-size: small;"><a href="http://www.brianmadden.com/blogs/brianmadden/archive/2014/10/06/remember-how-ardence-was-awesome-before-citrix-screwed-it-up-you-need-to-know-about-jentu-disk-streaming-to-physical-desktops.aspx" target="_blank">Brian Madden: Remember how Ardence was awesome before Citrix screwed it up? You need to know about Jentu: Disk streaming to physical desktops </a></span></span></span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com2tag:blogger.com,1999:blog-6954236093826966251.post-62123423371939070372014-11-16T19:50:00.000-05:002014-11-16T19:53:17.978-05:00CyberArk Privileged Identity Vault - Enterprise Case Study<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="direction: ltr; line-height: 90%; margin-bottom: 0pt; margin-left: 0in; margin-top: 2.16pt; text-align: left; text-indent: 0in; unicode-bidi: embed; vertical-align: baseline;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://cyberark.com/" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" target="_blank"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi41ECh9T0buy26Gbv0gYrl0Jsc1awujm23RGFAvmbrFBNLqH8L_RqKbcmwp9QfQMi-NHvuI_kQAUKxkOUsf58JRaHDp-MZUZewuLM480qPIGGNlIHZ83TP2b8NqYTX4oQIxxnykE3gF6ge/s1600/cyberark.jpg" /></a><a href="http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/" target="_blank"><span style="font-size: small;"><b>Cyber-Ark Enterprise Password Vault (EPV)</b></span></a><b><span style="font-size: small;"><span style="color: black;"> </span></span></b></span><br />
<br />
<span style="font-size: small;"><b><span style="font-size: small;"><span style="color: black;"> </span></span></b><span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="color: black;"> </span></b></span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="color: black;">Cyber-Ark EPV </span></b><span style="color: black;">is a suite of applications to securely manage passwords and other related sensitive objects. While it typically is used to store and manage privileged account passwords, it has the capability to manage any type of sensitive information including such as database connection strings.</span></span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: small;"><span style="color: black;">Features include:</span></span></b></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: x-small;"><span style="color: black;">Granular password object access
controls</span></span></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="color: black;">Ability to manage passwords
automatically as per a predefined policy (i.e. change password every 90 days,
verify password every 30 days, etc.) for many platforms</span></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="color: black;">One-time passwords possible</span></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="color: black;">Dual control authentication possible </span></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="color: black;">API spanning all common
languages/development environments to integrate with custom applications
facilitating secure storage and retrieval of sensitive application specific
credentials and other information (i.e. private keys, database connection
strings, etc.)</span></span></span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.ithound.com/abstract/privileged-password-security-cyber-ark-enterprise-password-vault-280" target="_blank"><span style="color: black;">Seven layers of security/access control for vault objects</span></a></span></span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span>
<span style="font-size: small;"><br /><span style="font-size: large;"><span style="color: black; font-weight: bold;">Privileged Password Management </span></span></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="direction: ltr; line-height: 90%; margin-bottom: 0pt; margin-left: 0in; margin-top: 2.4pt; text-align: left; text-indent: 0in; unicode-bidi: embed; vertical-align: baseline;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: small;"><span style="color: black;">What
is a privileged account?</span></span></b></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Privileged accounts are a required part of any software whether it is an operating system, database or application.</span> Most hardware appliances also require <span style="font-size: small;">privileged accounts</span> for administration.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Similar to the <a href="http://en.wikipedia.org/wiki/Superuser" target="_blank">UNIX's root and Windows' administrator accounts</a>, privileged system accounts are required for systems to function and are frequently used by system administrators to do their jobs, granting special system privileges that average users don't need, and that even administrators need only from time to time when making major changes.</span><br /><br /><span style="font-size: small;">However, <b>these privileged accounts have no accountability</b>, as they typically do not belong to any individual user and are commonly shared by many administrative staff.</span></span><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">Alternatively, many organizations bestow excessive privileges onto the accounts of those conducting administrative tasks</span>. </span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<div style="direction: ltr; line-height: 90%; margin-bottom: 0pt; margin-left: 0in; margin-top: 2.4pt; text-align: left; text-indent: 0in; unicode-bidi: embed; vertical-align: baseline;">
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: small;"><span style="color: black;">So
why care about privileged accounts?</span></span></b></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">These accounts have elevated access rights, meaning that those with access can circumvent the internal controls of the target system.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">Once these controls are bypassed, users can breach confidential information, change transactions and delete or alter audit data.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span></blockquote>
<b><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"> </span></span></b><br />
<div style="text-align: center;">
<b><span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">Privileged Account security is at the top of compliance and auditor’s concerns.</span></span></b></div>
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><span style="color: black; font-weight: bold;">The Problem with Privileged Passwords</span></span></span>
<br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">The most common type of hacker breaks into target systems using default
lists of Privileged User accounts and can easily crack weak passwords.</span></span></li>
<span style="font-size: small;">
</span></ul>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">Compliance audit regulations (such as Sarbanes Oxley and PCI )
require organizations to periodically monitor and prove who has accessed shared accounts, what was done, and whether passwords are managed
according to policy</span></span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif; font-size: small;">
</span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">With hundreds or more servers and network devices, manually updating and reporting on Privileged Passwords
can be extremely time-consuming, in particular, defining individual user access to a shared account, and when the access
occurred</span></span></li>
</ul>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">Most enterprises consist of a multitude of
disparate IS platforms (Windows, UNIX, Mainframe, AS/400, Databases,
etc…). Each of these platforms pose unique
challenges in managing privileged access</span></span></li>
</ul>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">Too many people have access to
passwords for “generic” privileged access accounts (Administrator, DBA, ROOT).</span></span></li>
</ul>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">Too many people have more access to
privileged resources on their own account than is required by their role. Access tends to accumulate over the course of a user's employment.</span></span></li>
</ul>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">Most companies have not done a great job in
the past in cleaning up user accounts that had privileged access.</span></span></li>
</ul>
<ul><span style="font-size: small;">
</span>
<li><span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><span style="color: black;">System or service accounts have
been created with significant privileged access, but for technical reasons have
not followed password compliance standards.</span></span></li>
</ul>
<br />
<br />
<hr />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><span style="color: black;"><span style="font-size: small;"><b><span style="font-size: large;">Case Study:</span> Large Global Enterprise with multiple outsourced data centers.</b></span></span></span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="color: black; font-size: small;"> <b>Outsourcing your data center administration</b> has particular challenges when it comes to privileged access management. In this case, a third part organization has access to the very <a href="https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf" target="_blank">keys of your critical information assets</a>. Typically outsource arrangements allow for pools of administrators in off-shore locations, with a high rate of turn over. Yet we bestow privileges onto their accounts, or give them unfettered access to group accounts that have excessive privileges and little or no monitoring and auditing capabilities.</span><span style="font-size: small;"> </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9Jvd9RRJ9XXKXrX-w-VoHyrTJ-Nh5dCl7dlly9E7N0TnopCR6PaNJjJIzJSiMHY6DxGRZ6VpWiCNhrMWv55Cmpic11QvFKMgcuIC8AvOPg3CKdG9aYEAoSm-wE2rhEYjGrFtAikdmIrj/s1600/Cyber-Ark+Architecture-+Basic+PSM.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9Jvd9RRJ9XXKXrX-w-VoHyrTJ-Nh5dCl7dlly9E7N0TnopCR6PaNJjJIzJSiMHY6DxGRZ6VpWiCNhrMWv55Cmpic11QvFKMgcuIC8AvOPg3CKdG9aYEAoSm-wE2rhEYjGrFtAikdmIrj/s1600/Cyber-Ark+Architecture-+Basic+PSM.jpg" height="256" width="320" /></a><span style="font-size: small;"><b>In this case study</b>, an organization has implemented Cyber-Ark Enterprise Password Vault redundantly between two data centers.<br /><br /><b>This implementation will allow</b> the various Business Units to Securely control access to their Privileged System Accounts. This would include "infrastructure service accounts" like ROOT, Administrator, SYS, and DBA, as well as Business Unit and Application specific account that required privilege for the purposes of administration.<br /><br /> </span></span><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://books.google.ca/books?id=UlktBAAAQBAJ&pg=PA245&lpg=PA245&dq=firecall+id&source=bl&ots=PJyct7iccv&sig=J7jVfGzQBtAS-Dby--TgKK59LFs&hl=en&sa=X&ei=5eZoVO-sLIf8yQT_gYHABQ&ved=0CEEQ6AEwBTgK#v=onepage&q=firecall%20id&f=false" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifX14kOWF5VrSBFx_qigdkFWu0cJTqH-b8ZXx_EOdqJyNM2LNm2lJwnZLQQ4hH76bYWkGxuEd1EjjHI9lMlOJnrt78ZQFe2nXC4Hpkf_HAlEP7cuI91HfCCSX6HR5RQjf2_l1BzPeYknkB/s1600/firecall-process.jpg" height="240" width="400" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS",sans-serif;"> "Security Policies and Implementation Issues" By Robert Johnson</span></td></tr>
</tbody></table>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">The new privileged access follows a Best Practice “<b>Firecall Process</b>”</span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Any employee (local or off-shore) with an "Administrator" role in a particular environment would not have these privileges added to their own user account. Nor would they have access to the password of a shared privileged account. </span></span><br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>By virtue of their role</b>, the employee would be granted access to the <a href="http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/" target="_blank">Enterprise Password Vault</a>, to check out a privileged account for the purpose of administration. </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>The easiest way to implement this</b>, is to show them a password for the target system upon checkout, and allow them to cut and paste it into a remote access session, resetting the password immediately upon use. Better yet, hide the password, but log them directly into the target system via remote access proxy. Again, a one time use password would reset to restrict un-approved use.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Various workflow options</b> can be applied to this process, including but not limited to two-factor authentication (requiring a token as well as your user credentials) or dual authentication (requiring your manager or delegate to approve your access). The Password vault can also integrate into most change/incident management systems, and can require that an appropriate change ticket be in place in order to grant access, and to outline the time frame and target system of access. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /><b>All passwords in the vault are secured</b> with industry standard strong encryption, and replicated to the opposite data center.<br /><br /><b>There is no single point of failure</b>, and should “both” vaults become unavailable, there is provision for an “out of band” password recovery. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Within each vault</b>, there is the concept of "<b>safes</b>". A safe is basically a collection of privileged ids with a common association. Maybe a Business Unit would have all of their privileged ids from various applications within one safe, or a particular third party provider might have all of it's </span></span><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">privileged ids within one safe. </span></span><br />
<div style="direction: ltr; line-height: 90%; margin-bottom: 0pt; margin-left: 0.25in; margin-top: 2.16pt; text-align: left; text-indent: -0.25in; unicode-bidi: embed; vertical-align: baseline;">
<span style="font-family: "Trebuchet MS",sans-serif;"></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">
</span></span><br />
<div style="direction: ltr; line-height: 90%; margin-bottom: 0pt; margin-left: 0.25in; margin-top: 2.16pt; text-align: center; text-indent: -0.25in; unicode-bidi: embed; vertical-align: baseline;">
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></div>
<div style="text-align: center;">
<div style="text-align: center;">
<b><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;">This infrastructure can potentially remove privileged access from thousands of end user and service accounts.</span></span></b></div>
<span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;"></span></span></div>
<br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">
<span style="font-size: small;"><b><span style="font-size: large;">In fact</span>, the company was able to remove a couple hundred individual third party user accounts</b> that had direct Windows Domain Admin access, and replaced them with a small pool of Domain Admin accounts in the vault. Another pool was created for UNIX root accounts. By virtue of their role, the Administrators could check out access to perform their duties, but the request was logged and sent to SEIM. The treat landscape was greatly diminished by this one action. </span></span><br />
<br />
<b><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">They went on to enroll Business unit applications into safes, and saw a significant reduction in the number of unmanaged privileged accounts being reviewed annually.</span></span></b><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span><br />
<br />
<br />
<ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM-xpJzjQdKUv6f76rvHdTz0oSK8K8VTtonR1Uyzh4bGIqyf87EIJ_XXyJ5kyXsf2KzwiiKfCGGG324TIVtU2SGUWYkoxXPSYgRmhPNYJnBiPZ4TjyLEowlgChYyzosPHxxH4W8SajUkta/s1600/Cyber-Ark+Architecture-Jump+Servers.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM-xpJzjQdKUv6f76rvHdTz0oSK8K8VTtonR1Uyzh4bGIqyf87EIJ_XXyJ5kyXsf2KzwiiKfCGGG324TIVtU2SGUWYkoxXPSYgRmhPNYJnBiPZ4TjyLEowlgChYyzosPHxxH4W8SajUkta/s320/Cyber-Ark+Architecture-Jump+Servers.jpg" width="320" /></a></span></ul>
<span style="font-size: large;"><b><span style="font-family: "Trebuchet MS",sans-serif;">Future Extensions:</span></b></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>By adding <a href="http://www.cyberark.com/products/privileged-account-security-solution/privileged-session-manager/" target="_blank">Privileged Session Manager</a></b>, the company will be able to enforce policies around the actual content of a privileged access session. Individual commands or processes can be whitelisted/blacklisted by role, and any activity deemed anomalous can be flagged and sent to a manager/audit for review and/or attestation. </span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><b>Entire administrative sessions</b> to a target system can be recorded - both for secure remote desktop in the case of windows, or SSH in the case of UNIX or network appliances. These sessions can later be played back, annotated, and approved by managers or audit.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">for more detail on this </span><span style="font-size: small;"><b><a href="http://www.cyberark.com/products/privileged-account-security-solution/privileged-session-manager/" target="_blank">Privileged Session Manager</a></b></span> please see my blog </span></div>
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><a href="http://security-musings.blogspot.ca/2014/11/risk-reduction-through-jump-servers.html" target="_blank">Risk reduction through Jump Servers </a></span></span></div>
<div style="text-align: center;">
<br /></div>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><span style="color: black; font-weight: bold;">Supported
Managed Devices:</span></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="color: black; font-weight: bold;">
</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;"> <b>Operating Systems</b><br /> Windows, Linux/UNIX, OS390, AS400<br /><br /> <b> Windows Applications</b><br /> Service accounts, Scheduled Tasks, IIS Application Pools<br /><br /> <b>Databases</b><br /> Oracle, MSSQL, DB2,Informix, Sybase, sny ODBC compliant<br /><br /> <b> Security Appliances</b><br /> CheckPoint, Nokia, Juniper, Cisco, Blue Coat,Fortinet<br /><br /> <b> Network Devices</b><br /> Cisco, Juniper, F5, Alactel, Quintum,<br /><br /> <b>Applications –</b><br /> SAP, WebSphere, WebLogic, JBOSS, Oracle ERP<br /><br /> <b>Directories</b><br /> Microsoft, Sun, Novell<br /><br /> <b>Remote Control and/Monitoring</b><br /> IBM, HP iLO, Sun, Digi<br /><br /> <b>Generic Interfaces </b>– any SSH/Telnet device, Windows registry</span></span><br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-size: x-small;"><a href="http://security-musings.blogspot.ca/2013/01/privileged-identity-management-make.html" target="_blank"><span style="font-family: "Trebuchet MS",sans-serif;">Privileged Identity Management - Make those with the most access, accountable for their activities! </span></a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://security-musings.blogspot.ca/2014/11/risk-reduction-through-jump-servers.html" target="_blank">Security Musings: Risk reduction through Jump Servers </a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.cyberark.com/resource/isolation-control-monitoring-next-generation-jump-servers/">http://www.cyberark.com/resource/isolation-control-monitoring-next-generation-jump-servers/</a>
<a href="http://en.wikipedia.org/wiki/Privileged_Identity_Management" target="_blank">http://en.wikipedia.org/wiki/Privileged_Identity_Management</a> </span><br />
<span style="font-size: x-small;"><a href="http://www.cyberark.com/esg-validating-privileged-account-security-while-validating-cyberark" target="_blank"><span style="font-family: "Trebuchet MS",sans-serif;">ESG: Validating Privileged Account Security While Validating CyberArk</span></a></span><br />
<span style="font-size: x-small;"><a href="http://lp.cyberark.com/rs/cyberarksoftware/images/br-privileged-account-security-solution-9-26-13-en.pdf" target="_blank"><span style="font-family: "Trebuchet MS",sans-serif;">http://lp.cyberark.com/rs/cyberarksoftware/images/br-privileged-account-security-solution-9-26-13-en.pdf </span></a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com0tag:blogger.com,1999:blog-6954236093826966251.post-65296026305764971872014-11-08T16:03:00.001-05:002014-11-08T18:59:31.139-05:00Risk reduction through Jump Servers<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujA_i6TWE4RN4_OAfBBRhGtJZU5493KWviKf-aj18VxFtxeC0a8ewrpemdjwq2Q4QYI1_KxjYb9iQUwHzoX8MrOxUtIm11flP92FGjCHN4gfwlbLG2MGur3TiOQrVWr37i2yQ41iYrWd4/s1600/jump+servers.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujA_i6TWE4RN4_OAfBBRhGtJZU5493KWviKf-aj18VxFtxeC0a8ewrpemdjwq2Q4QYI1_KxjYb9iQUwHzoX8MrOxUtIm11flP92FGjCHN4gfwlbLG2MGur3TiOQrVWr37i2yQ41iYrWd4/s1600/jump+servers.jpg" height="137" width="320" /></a></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">A common practice </span>in today's data centers is to allow Systems Administrators Remote Desktop <a href="http://en.wikipedia.org/wiki/Remote_Desktop_Protocol" target="_blank">(RDP)</a> or Secure Shell <a href="http://en.wikipedia.org/wiki/SSH" target="_blank">(SSH)</a> access to the servers they are administrating, directly from their desktops. Regardless of where they are located!</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Although <a href="http://How Do Threat Actors Move Deeper Into Your Network?" target="_blank">restricting Lateral access</a> between servers is quite easily achieved through <a href="http://blogs.technet.com/b/pfesweplat/archive/2014/10/17/prevent-lateral-movement-using-local-accounts-with-the-new-groups.aspx" target="_blank">group policy</a> on Windows, or source <a href="http://en.wikipedia.org/wiki/Whitelist" target="_blank">whitelisting</a> <a href="http://searchenterprisedesktop.techtarget.com/feature/Local-firewalls" target="_blank">local firewall</a> rules for both <a href="http://en.wikipedia.org/wiki/Windows_Firewall" target="_blank">Windows</a> and <a href="http://en.wikipedia.org/wiki/Iptables" target="_blank">UNIX/Linux</a>, these are not enabled by default. Typically, even with <a href="http://en.wikipedia.org/wiki/Network_segmentation" target="_blank">network segmentation</a> and <a href="http://en.wikipedia.org/wiki/Access_control_list" target="_blank">access control lists</a>, is is possible to jump from server to server unhindered, by simply having access to the appropriate credentials. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div data-angle="0" data-canvas-width="580.7816666666668" data-font-name="g_font_8" style="font-size: 18.3333px; left: 366.667px; position: absolute; top: 622.904px; transform-origin: 0% 0% 0px; transform: rotate(0deg) scale(0.999682, 1);">
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Both the <a href="http://www.itworldcanada.com/post/hacking-of-hvac-supplier-led-to-target-breach-report" target="_blank">Target Breach</a>, and the <a href="http://www.itworld.com/article/2844505/home-depot-says-attackers-stole-a-vendors-credentials-to-break-in.html" target="_blank">Home Depot Breach</a></b> were initiated by a compromised business partner with access to internal resources. Those accounts were used to assess the network topology and browse the corporate directories to find more privileged accounts. Once inside, these credentials could be used to log onto servers within the environment in search of information or more credentials to abuse. The attacker could, over time, hop from server to server essentially unnoticed.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">(Also read: <a href="http://security-musings.blogspot.ca/2014/06/what-if-target-had-followed-zero-trust.html" target="_blank">What if Target had followed a Zero Trust model?</a>)</span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Restricting Lateral Access within your Network</b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikzfMJ8yRTe2KCahwQRrStPMgWHWv8fxvGPWxKHL3ygIvr_1XxItmrH0aw3O8495UL6-xRcXrPCUCTH1_H5gLmME_XI2ZKW4RDlRezr6hn-kNzsQlJ1iEo12x2BwES4HnY4RPHFUU7g4xI/s1600/jump+servers-2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikzfMJ8yRTe2KCahwQRrStPMgWHWv8fxvGPWxKHL3ygIvr_1XxItmrH0aw3O8495UL6-xRcXrPCUCTH1_H5gLmME_XI2ZKW4RDlRezr6hn-kNzsQlJ1iEo12x2BwES4HnY4RPHFUU7g4xI/s1600/jump+servers-2.jpg" height="157" width="320" /></a>The concept of a "<a href="http://en.wikipedia.org/wiki/Jump_server" target="_blank">jump</a>" server has been around for decades, but is rarely in use or enforced. One popular use of <a href="http://www.techrepublic.com/blog/data-center/jump-boxes-vs-firewalls/" target="_blank">jump servers</a> is to restrict access into a <a href="http://en.wikipedia.org/wiki/DMZ_%28computing%29" target="_blank">DMZ</a>. This allows administrative control of servers in the DMZ to be regulated and audited as per compliance rules.</span><br />
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">In <a href="http://technet.microsoft.com/" target="_blank">Microsoft Technet's</a> "<span style="font-weight: normal;"><span style="font-size: small;"><a href="http://technet.microsoft.com/en-us/library/dn487449.aspx" target="_blank">Implementing Secure Administrative Hosts</a>", they state: </span></span></span><br />
<blockquote class="tr_bq">
<span style="background-color: #f3f3f3;">Secure administrative hosts are workstations or servers that have
been configured specifically for the purposes of creating secure
platforms from which privileged accounts can perform administrative
tasks in Active Directory or on domain controllers, domain-joined
systems, and applications running on domain-joined systems. In this
case, “privileged accounts” refers not only to accounts that are members
of the most privileged groups in Active Directory, but to any accounts
that have been delegated rights and permissions that allow
administrative tasks to be performed.</span><br />
....... <br />
<br />
<span style="background-color: #f3f3f3;">Although the “most privileged” accounts and groups should
accordingly be the most stringently protected, this does not eliminate
the need to protect any accounts and groups to which privileges above
those of standard user accounts have been granted.</span><br />
<span style="background-color: #f3f3f3;"><br /></span>
<span style="background-color: #f3f3f3;">A secure administrative host can be a dedicated workstation
that is used only for administrative tasks, a member server that runs
the <a href="http://technet.microsoft.com/en-us/library/cc731150.aspx" target="_blank">Remote Desktop Gateway</a> server role and to which IT users connect to
perform administration of destination hosts, or a server that runs the
Hyper-V® role and provides a unique virtual machine for each IT user to
use for their administrative tasks. In many environments, combinations
of all three approaches may be implemented. </span></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="color: red;"><span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">So...</span></b> restrict access to servers, specifically for anyone with privileges above a basic user. </span><br /><span style="font-family: "Trebuchet MS",sans-serif;">I can't argue with that at all... </span></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPeMmj-gbFkG56_vxPhCDeVL0G17zxF1jyayauIJL28VdCo-4FBbrVdcaxzxCc44vCFJe3COjMErp_u71O0mIjIu9qqv0cv3WApEfDpmt4-MzkD60FouZWZUHJR7ByLecUNauSiXoMyxpS/s1600/cyberark.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPeMmj-gbFkG56_vxPhCDeVL0G17zxF1jyayauIJL28VdCo-4FBbrVdcaxzxCc44vCFJe3COjMErp_u71O0mIjIu9qqv0cv3WApEfDpmt4-MzkD60FouZWZUHJR7ByLecUNauSiXoMyxpS/s1600/cyberark.jpg" height="129" width="200" /></a><b><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span></b>
<b><span style="font-family: "Trebuchet MS",sans-serif;">Enter <a href="http://www.cyberark.com/" target="_blank">CyberArk's</a> <a href="http://www.cyberark.com/are-you-ready-take-next-jump-secure-your-it-environment-next-gen-jump-servers/" target="_blank">Next Generation Jump Server</a>: </span></b><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">More than just a jump server from which to initiate RDP or SSH sessions, CyberArk has added <a href="http://www.cyberark.com/resource/privileged-session-manager-data-sheet/" target="_blank">Privileged Session Management</a> to <a href="http://www.cyberark.com/solutions/audit-compliance/monitor-record-privileged-activity/" target="_blank">monitor and record all access</a> through the jump server. The tightly integrated SSH proxy is context aware, and can be configured to look for anomalous behavior. Not only can you control <b>"who" has access to "what"</b> through the jump server, but you can alert on suspicious or anomalous activity within those sessions. Both secure RDP to Windows servers, as well as SSH to UNIX/Linux/Network appliances are managed via Privileged Session Manager on the jump server. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">The jump server can now be used to isolate your server environment from your workstation endpoints, and provide real-time visibility into administrative access. Without adding agents to the servers being administered, you can use workflows to augment authentication and authorization, and monitor access at a granular level, recording all activities for future playback and potential audit attestation.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Integrate this service with their <a href="http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/" target="_blank">Enterprise Password Vault</a>, and you have significantly reduced privilege escalation from your threat landscape.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Rogue or Malicious Administrator </b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">Many companies, small and large alike, allow almost unrestricted access to the data center servers for administrator, both from within the local network, and over VPN. The excuse being that this is required in case of a emergency.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">This excessive access allows anyone authenticated, malicious or otherwise, to jump laterally from server to server. The<a href="http://security-musings.blogspot.ca/2014/06/what-if-target-had-followed-zero-trust.html" target="_blank"> Target Breach,</a> in particular is known to have accommodated it's attackers by allowing a credentialed account in the Business Partner network to access servers in the core data center, and ultimately get on to the <a href="http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf" target="_blank">Point-of-Sale systems</a>. Restricting this lateral access by enforcing the use of jump servers would not totally remove the Rogue Administrator threat, however all access through the server would be monitored and recorded. <b>Any administrative commands/requests/activities that were deemed anomalous by predefined security policies could be blocked and/or alerted on.</b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Malware Mitigation</b></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_3sWnDMC0bN79hyphenhyphenTlXYvY3nZJAz6UDj7Dx1Ek8SY5GpK0-8YoPqbJz5ZEGAXq3xaSVQ3jIuESICh8ViZktrORYl5ZiH2l_LYOOz7SFBXL1kiKnndQdtpG-DXTNuFtHChcVCloL8CPgZkS/s1600/jump+servers-malware.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_3sWnDMC0bN79hyphenhyphenTlXYvY3nZJAz6UDj7Dx1Ek8SY5GpK0-8YoPqbJz5ZEGAXq3xaSVQ3jIuESICh8ViZktrORYl5ZiH2l_LYOOz7SFBXL1kiKnndQdtpG-DXTNuFtHChcVCloL8CPgZkS/s1600/jump+servers-malware.jpg" height="163" width="320" /></a><span style="font-family: "Trebuchet MS",sans-serif;">By allowing lateral access between servers, an infected server could act to propagate malicious code to its peers. Most <a href="http://securityaffairs.co/wordpress/22818/cyber-crime/2013-advanced-threat-report.html" target="_blank">Advanced Persistent Threats</a> rely on the ability to see peer servers laterally and scan them for exploitable opportunities. With jump servers in place, and lateral access removed through policy, malicious actors and malware alike will not be able to propagate without going through the jump server and being seen/alerted/blocked.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Pass the Hash</b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">One of the techniques typical of a APT is the “<a href="http://www.cyberark.com/press/cyberark-launches-enhanced-cyberark-dna-detect-pass-hash-vulnerabilities/" target="_blank">Pass the Hash</a>” attack, where the invader captures account logon credentials in the form of a cached password "<a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" target="_blank">hash</a>" on one machine and then use them to authenticate to another machine. <a href="http://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283" target="_blank">This little known exposure</a> has been around for a <a href="http://www.microsoft.com/security/sir/strategy/default.aspx#!password_hashes" target="_blank">couple decades</a>, but has become an industry favorite among cyber criminals. By enforcing all server remote administration through the jump servers, this method of subversion is eliminated.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Don't be the next headline.</b> Choosing either CyberArk's suite of Privileged Access and Session Management tools or another Remote Access Gateway product will significantly reduce your threat landscape and allow you to sleep more easily. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.cyberark.com/are-you-ready-take-next-jump-secure-your-it-environment-next-gen-jump-servers/" target="_blank">CyberArk: Are You Ready to Take the Next Jump? Secure your IT Environment with Next Gen Jump Servers</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.infosecurity-magazine.com/news/privileged-accounts-at-root-of/" target="_blank">Privileged Accounts at Root of Most Data Breaches</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Pass_the_hash" target="_blank">http://en.wikipedia.org/wiki/Pass_the_hash</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283" target="_blank">SANS: Pass-the-hash attacks: Tools and Mitigation</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.microsoft.com/security/sir/strategy/default.aspx#!password_hashes" target="_blank">Microsoft: Defending Against Pass-the-Hash Attacks</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.cyberark.com/press/cyberark-launches-enhanced-cyberark-dna-detect-pass-hash-vulnerabilities/" target="_blank">CyberArk Launches Enhanced “CyberArk DNA” to Detect Pass-the-Hash Vulnerabilities</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://cryptome.org/2014/01/nsa-pass-hash.pdf" target="_blank">NSA: Reducing the Effectiveness of Pass-the-Hash</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.cyber-security-blog.com/2013/09/Worlds-Top-Cyber-Security-Risk-Active-Directory-Privilege-Escalation.html" target="_blank">The World's #1 Cyber Security Risk - Active Directory Privilege Escalation</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.itworldcanada.com/post/early-lessons-from-the-target-breach" target="_blank">IT World Canada: Early lessons from the Target breach </a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.itworldcanada.com/post/hacking-of-hvac-supplier-led-to-target-breach-report" target="_blank">IT World Canada: Hacking of HVAC supplier led to Target breach: Report </a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.itworld.com/article/2844505/home-depot-says-attackers-stole-a-vendors-credentials-to-break-in.html" target="_blank">IT World: Home Depot says attackers stole a vendor's credentials to break in</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://blogs.cisco.com/security/putting-a-damper-on-lateral-movement-due-to-cyber-intrusion" target="_blank">Cisco: Putting a Damper on ‘Lateral Movement’ due to Cyber-Intrusion </a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf" target="_blank">Trend Micro: How Do Threat Actors Move Deeper Into Your Network?</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://blogs.technet.com/b/pfesweplat/archive/2014/10/17/prevent-lateral-movement-using-local-accounts-with-the-new-groups.aspx" target="_blank">Prevent Lateral Movement With Local Accounts (Windows)</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.respectnetwork.com/lateral-movement-no-patch-for-privilege-escalation/" target="_blank">Lateral Movement: No Patch for Privilege Escalation</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/vpro-pci-dss-retail-paper.pdf" target="_blank">Intel: Achieving PCI DSS compliance when managing retail devices with Intel® vPro™ technology</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.techrepublic.com/blog/data-center/jump-boxes-vs-firewalls/" target="_blank">Techrepublic: Jump boxes vs. firewalls</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://technet.microsoft.com/en-us/library/dn487449.aspx" target="_blank">Microsoft: Implementing Secure Administrative Hosts</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://lp.cyberark.com/rs/cyberarksoftware/images/ds-privileged-session-manager-03-14-14-en.pdf" target="_blank">CyberArk: Privileged Session Manager</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://www.itworldcanada.com/archive/Documents/whitepaper/Trend_Micro_10StepActionPlan_PRINT.pdf" target="_blank">ITWorld Canada: The 10 Step Action Plan - Building Your Custom Defense Against Targeted Attacks and Advanced Persistent Threats</a></span><span style="font-size: x-small;">
</span><span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com0tag:blogger.com,1999:blog-6954236093826966251.post-87553347880592380152014-10-29T18:18:00.001-04:002014-10-29T18:18:23.071-04:00Eliminate HTTP Man-In-The-Middle attacks with HSTS<span style="font-family: "Trebuchet MS",sans-serif;">The most prolific Internet Protocol (ok, maybe aside from mail) is <a href="http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol" target="_blank">HTTP</a>, or common Web traffic, between end user <a href="http://en.wikipedia.org/wiki/Web_browser" target="_blank">browsers</a> and <a href="http://en.wikipedia.org/wiki/Web_server" target="_blank">web servers</a>. However, it is also one of the most insecure. Setting up a </span><span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" target="_blank" title="Man-in-the-middle attack">man-in-the-middle attack</a>
has been <a href="http://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-simple-man-middle-attack-0147291/" target="_blank">proven quite trivial</a>, and leaves both the end user and the web service vulnerable to attack.</span><span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.owasp.org/images/2/21/Main_the_middle.JPG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="177" src="https://www.owasp.org/images/2/21/Main_the_middle.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From OWASP.ORG</td></tr>
</tbody></table>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">What this means in layman's terms, is that an attacker could set up a computer system in such a way that they <a href="http://blog.kaspersky.com/man-in-the-middle-attack/" target="_blank">pretend to be the website</a> you are hoping to visit. Everything *looks* legitimate, and they pass your traffic back and forth to the real site, keeping copies of everything, including sensitive information. They could potentially even alter information on your behalf. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><a href="http://en.wikipedia.org/wiki/HTTP_Secure" target="_blank"><span style="font-size: large;">HTTPS</span>,</a> was born out of the need to secure Web transactions. Basically it wraps standard HTTP traffic in an <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" target="_blank">SSL/TLS</a> tunnel, thus <span style="background-color: white; color: #252525; line-height: 22.3999996185303px;">preventing </span><a href="http://en.wikipedia.org/wiki/Eavesdropping" style="background: none rgb(255, 255, 255); color: #0b0080; line-height: 22.3999996185303px; text-decoration: none;" title="Eavesdropping">eavesdropping</a><span style="background-color: white; color: #252525; line-height: 22.3999996185303px;"> and </span><a class="mw-redirect" href="http://en.wikipedia.org/wiki/Tamper-evident" style="background: none rgb(255, 255, 255); color: #0b0080; line-height: 22.3999996185303px; text-decoration: none;" title="Tamper-evident">tampering</a><span style="background-color: white; color: #252525; line-height: 22.3999996185303px;">.</span></span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">The problem is that most web servers will initially establish a plain HTTP session, and only if secure communications are required (i.e. banking, medical, personal information, etc.) will the web server redirect your browser to the HTTPS version. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">But even here, a cunning hacker could set up an SSL proxy using a "<a href="https://www.globalsign.com/ssl-information-center/dangers-of-self-signed-certificates.html" target="_blank">self-signed SSL certificate</a>" and pretend to be the official site. You would connect to the HTTP version, the attacker would redirect you to THEIR SSL service, and then connect you through to the official site. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtEpsEalMNBRu0GaJRtZWQ8GjdfKiAHE1Im1JbOgERSXEx1BxC8L2jyKacUFJPM9tZ70vN-5BTxAAXYT2fpYaGdbCuU-hoMISA32K08oqOLrC-xGr4x1hAzDtIJXqt-ck89G6kWy5VzQO9/s1600/self-signed-warning.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtEpsEalMNBRu0GaJRtZWQ8GjdfKiAHE1Im1JbOgERSXEx1BxC8L2jyKacUFJPM9tZ70vN-5BTxAAXYT2fpYaGdbCuU-hoMISA32K08oqOLrC-xGr4x1hAzDtIJXqt-ck89G6kWy5VzQO9/s1600/self-signed-warning.jpg" height="133" width="320" /></a><span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: large;">Many of you are now screaming at me:</span></span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><span style="font-size: large;"></span><a href="https://support.google.com/chrome/answer/98884?hl=en" target="_blank">"<b>Modern browsers WARN the user that they do not trust Self Signed Certificates"</b></a> </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br />
</span><br />
<span style="color: red; font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="color: red; font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="color: red; font-family: Trebuchet MS, sans-serif;">The sad news is that most people ignore these warnings, do not read them fully and click through to accept the certificate.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank"><span style="font-size: large;">HSTS: HTTP Strict-Transport-Security</span></a> was developed to remediate this issue. A web server sends a header to the user's browser that FORCES an HTTPS secure connection the next and subsequent times the user visits that site. Even if the user types HTTP:// and the site name, they are taken straight to the HTTPS variant. ALSO, if the certificate is self-signed, revoked, or expired, <a href="https://www.owasp.org/index.php/HTTP_Strict_Transport_Security" target="_blank">HSTS</a> requires the browser to terminate the connection rather than offer a click-through warning. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">A web server configured for HSTS supplies a <b>Strict-Transport-Security</b> header over an HTTPS connection to the browser. Current browsers understand this header and keep it for the period it specifies. When the site is revisited, the browser itself rewrites the request to HTTPS before it is ever sent over the network, so there is no plain HTTP step left for an attacker to intercept. Also, if the certificate is untrusted, a connection WILL NOT be established.</span><br />
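<span style="font-family: Trebuchet MS, sans-serif;">To make the browser-side behaviour concrete, here is an added example (not code from the original post) that models what a browser does with the header according to RFC 6797: parsing the directives, keeping the host for <b>max-age</b> seconds, rewriting <b>http://</b> requests to <b>https://</b> before they leave the machine, and refusing, rather than warning about, a bad certificate for a known host. The hostnames and the clock are constructed for the demonstration.</span><br />

```python
"""Browser-side HSTS policy handling, written as an added illustration of the
behaviour described above (RFC 6797). Hostnames and values are constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time; the entry is ignored once this passes
    include_subdomains: bool   # policy also covers every subdomain of the host


def parse_hsts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}, or
    None when the header is invalid (no max-age, a non-numeric max-age, or a
    repeated directive), all of which RFC 6797 section 6.1 says to reject.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown to us and ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


class HstsStore:
    """The browser's list of 'known HSTS hosts'."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._entries: Dict[str, HstsEntry] = {}

    def process_response(self, scheme: str, host: str, header: Optional[str]) -> bool:
        """Learn (or forget) a policy from a response. Returns True if the store changed.

        Section 8.1: the header is only honoured when it arrived over HTTPS with no
        certificate errors. A header seen on plain HTTP is ignored, because an
        on-path attacker could otherwise inject or strip it.
        """
        if scheme != "https" or header is None:
            return False
        parsed = parse_hsts_header(header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:           # max-age=0 means "forget this host"
            return self._entries.pop(host, None) is not None
        self._entries[host] = HstsEntry(self._now() + parsed["max_age"], parsed["include_subdomains"])
        return True

    def is_known(self, host: str) -> bool:
        """Exact match, or a parent domain whose policy carries includeSubDomains."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Section 8.3: upgrade http:// to https:// before the request is sent."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # an explicit port 80 becomes 443 (the https default); other ports are kept
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def on_certificate_error(self, host: str) -> str:
        """Section 8.4: for a known HSTS host a certificate error is fatal with no
        click-through; for any other host the browser may show a warning page."""
        return "terminate" if self.is_known(host) else "warn"


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("https", "bank.example", "max-age=31536000; includeSubDomains")
    print(store.rewrite_url("http://www.bank.example/login"))   # https://www.bank.example/login
    print(store.on_certificate_error("bank.example"))           # terminate
```

<span style="font-family: Trebuchet MS, sans-serif;">Note the first check in <b>process_response</b>: the header is deliberately ignored over plain HTTP. The policy can therefore only be learned on a connection that was already authenticated, which is why the very first visit to a site (before any header has been seen) remains the window the <b>preload</b> lists exist to close.</span><br />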
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">This HSTS Policy helps protect web traffic against </span><a href="https://en.wikipedia.org/wiki/Eavesdropping" style="font-family: 'Trebuchet MS', sans-serif;" title="Eavesdropping">eavesdropping</a><span style="font-family: 'Trebuchet MS', sans-serif;"> and most </span><a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" style="font-family: 'Trebuchet MS', sans-serif;" title="Man-in-the-middle attack">man-in-the-middle attacks</a>. <br />
<br />
<br />
<span style="font-size: large;">I highly recommend that you adopt <b>HSTS</b> for both your External as well as your Internal web servers to further reduce your threat landscape.</span><br />
<b><span style="font-size: large;"><br /></span></b>
<span style="font-family: Trebuchet MS, sans-serif;"><br />
<br />
<br />
<span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://tools.ietf.org/html/rfc6797" target="_blank">IETF: RFC6797 - HTTP Strict Transport Security (HSTS)</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://linux-audit.com/configure-hsts-http-strict-transport-security-apache-nginx/" target="_blank">Configure HSTS (HTTP Strict Transport Security) for Apache/Nginx</a></span><br />
<span style="font-size: x-small;"><a href="https://www.owasp.org/index.php/HTTP_Strict_Transport_Security" target="_blank">https://www.owasp.org/index.php/HTTP_Strict_Transport_Security</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="https://www.owasp.org/index.php/Man-in-the-middle_attack" target="_blank">https://www.owasp.org/index.php/Man-in-the-middle_attack</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" target="_blank">http://en.wikipedia.org/wiki/Man-in-the-middle_attack</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;"><a href="http://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-simple-man-middle-attack-0147291/" target="_blank">Hack Like a Pro: How to Conduct a Simple Man-in-the-Middle Attack</a></span><br />
<span style="font-size: x-small;"><a href="https://www.us-cert.gov/ncas/tips/ST05-010" target="_blank">US CERT: Understanding Web Site Certificates</a></span><br />
<a href="http://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w" target="_blank"><span style="font-size: x-small;">How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?</span></a><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<h2>CyberArk positioned to lead Industry in SSH key management practice</h2>
<span style="font-size: x-small;">Published 2014-10-22T19:13:00.000-04:00, updated 2014-10-22T19:15:04.829-04:00</span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhpqyd4yeUOI5fI0gPet9qH4e-llS6J7KgpdfoPcLRDxE_A1PdpvkELW65DjmUqvXYjFiJ5hWCP4ktV43-Yj6jQQoaPSATs1ay9Hk5FmmeoQmVyvnVKwSkqSk-g2HruQdNHAiZMTSdg4J/s1600/cyberark.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhpqyd4yeUOI5fI0gPet9qH4e-llS6J7KgpdfoPcLRDxE_A1PdpvkELW65DjmUqvXYjFiJ5hWCP4ktV43-Yj6jQQoaPSATs1ay9Hk5FmmeoQmVyvnVKwSkqSk-g2HruQdNHAiZMTSdg4J/s1600/cyberark.jpg" height="129" width="200" /></a><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"> <a href="http://cyberark.com/" target="_blank">CyberArk</a>,</span> best known for its <a href="http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/" target="_blank">Privileged Password Vault</a> and its <a href="http://www.cyberark.com/press/cyberark-announces-closing-initial-public-offering-including-full-exercise-underwriters-option-purchase-additional-shares/" target="_blank">recent IPO success</a> story, has just announced a new product set. At the 2014 CyberArk Customer Event held in Boston this week, they <a href="http://www.cyberark.com/blog/ssh-keys-powerful-unprotected-privileged-credentials/" target="_blank">announced their new SSH key manager</a>. <span style="font-size: x-small;">(October 21st 2014)</span></span><br />
<br />
<br />
<br />
<blockquote class="tr_bq">
<b><span style="font-family: "Trebuchet MS",sans-serif;">"The CyberArk SSH Key Manager is designed to securely store, rotate and
control access to SSH keys to prevent unauthorized access to privileged
accounts."</span></b></blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;">Extending their already successful Enterprise Vault Infrastructure, CyberArk protects SSH keys with the highest level of security and granular control. Keys in the vault are encrypted, and managed in a fashion not unlike their <a href="http://www.cyberark.com/products/privileged-account-security-solution/" target="_blank">Password Management Infrastructure</a>. Integrating SSH keys into this platform creates a one-stop-shop for Privileged Access Management on both Windows and UNIX/Linux platforms.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">In January of 2013, <a href="http://en.wikipedia.org/wiki/CyberArk" target="_blank">CyberArk</a> added <a href="http://www.cyberark.com/press/cyberark-launches-new-solution-securing-auditing-privileged-accounts-unix-based-systems/" target="_blank">Privileged Session Management</a> for UNIX and Linux systems to their growing arsenal of Privileged Management tools. This led me to blog about the requirement to </span><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://security-musings.blogspot.ca/2013/02/treat-your-key-pairs-like-passwords.html" target="_blank">Treat Your Key Pairs Like Passwords!</a> It looks like they were listening...</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Up until this week, there was only <a href="http://ssh.com/" target="_blank">SSH.COM</a>, with their <a href="http://www.ssh.com/products/universal-ssh-key-manager" target="_blank">Universal SSH Key Manager</a>, and <a href="http://venafi.com/" target="_blank">Venafi</a>, with their <a href="https://www.venafi.com/products/trust-authority/ssh-ta/" target="_blank">Trust Authority SSH</a> manager. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> With the announcement of CyberArk's </span><span style="font-family: "Trebuchet MS",sans-serif;"> <a href="http://www.cyberark.com/blog/ssh-keys-powerful-unprotected-privileged-credentials/" target="_blank">new SSH key manager</a>, we now have an Enterprise <b>holistic approach</b> to <a href="http://en.wikipedia.org/wiki/Privileged_Identity_Management" target="_blank">Privileged User Account Management</a> across the network.</span><br />
<br />
<br />
<b><span style="font-size: large;"><span style="font-family: "Trebuchet MS",sans-serif;">References:</span></span></b><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.cyberark.com/products/privileged-account-security-solution/ssh-key-manager/" target="_blank">CyberArk: SSH Key Manager</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://security-musings.blogspot.ca/2013/02/treat-your-key-pairs-like-passwords.html" target="_blank">Infosec Musings: Treat Your Key Pairs Like Passwords! </a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://security-musings.blogspot.ca/2013/01/privileged-identity-management-make.html">http://security-musings.blogspot.ca/2013/01/privileged-identity-management-make.html</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.cyberark.com/resource/isolation-control-monitoring-next-generation-jump-servers/">http://www.cyberark.com/resource/isolation-control-monitoring-next-generation-jump-servers/</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://en.wikipedia.org/wiki/Privileged_Identity_Management">http://en.wikipedia.org/wiki/Privileged_Identity_Management</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.cyberark.com/esg-validating-privileged-account-security-while-validating-cyberark">http://www.cyberark.com/esg-validating-privileged-account-security-while-validating-cyberark</a></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://pages.ssh.com/2013-idc-white-paper.html" target="_blank">IDC: A Gaping Hole in Your Identity and Access Management Strategy: Secure Shell Access Controls</a> </span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.networkworld.com/article/2164048/tech-primers/ssh-key-mismanagement-and-how-to-solve-it.html" target="_blank">Networkworld: SSH key mismanagement and how to solve it</a> </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-size: x-small;">Location: Boston, MA, USA</span><br />
<h2>Know Your Threat Landscape - Standardized Security Threat Information (STIX &amp; TAXII)</h2>
<span style="font-size: x-small;">Published 2014-10-18T20:35:00.001-04:00, updated 2014-11-17T14:40:04.824-05:00</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">Over the years, many <a href="http://en.wikipedia.org/wiki/Managed_security_service" target="_blank">managed security service providers</a> have been publishing variants of an external Threat Analysis in one form or another. Annual, Quarterly, Weekly, Daily, and live feeds are regular deliverables now from anyone who is anyone in the Security Industry.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<b><span style="font-family: "Trebuchet MS",sans-serif;">Great news, right? Well... sort of...</span></b><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">The fact is that each of these service providers had their own proprietary naming conventions and threat report formats. This made it difficult for the consumer of these reports and feeds to tell which information was redundant and which was really important. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Recently, however, many of these providers have banded together with the encouragement of the <a href="http://www.dhs.gov/" target="_blank">U.S. Department of Homeland Security (DHS)</a> and <a href="http://mitre.org/" target="_blank">Mitre Corporation</a>. A community has formed, intent on standardizing not only the language used to represent structured cyber threat information - <b><a href="http://stix.mitre.org/" target="_blank">Structured Threat Information Expression (STIX™)</a></b> - but the transport mechanism used to distribute this cyber threat information as well, called <b><a href="http://taxii.mitre.org/" target="_blank">Trusted Automated Exchange of Indicator Information (TAXII™)</a></b>.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">By standardizing on the language and delivery of cyber threat information, clear and expeditious remediation can be put in place without wasting time wading through multiple vendor notifications. </span><br />
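<span style="font-family: "Trebuchet MS",sans-serif;">As an added example (not code from the original post or from MITRE), the script below shows what "standardizing on the language" buys the consumer: two constructed vendor feeds, each with its own naming and file format, are normalized into STIX Indicator objects, the duplicate indicator is recognized and merged, and the result is applied to a few constructed proxy log lines. The post refers to STIX as hosted at MITRE (the 1.x XML generation); this example uses the current OASIS STIX 2.1 JSON form. VendorA, VendorB, the feeds, the log lines and the fixed timestamps are all constructed.</span><br />

```python
"""Normalizing two proprietary threat feeds into STIX 2.1 indicators and applying them.
Added illustration: the feeds, vendor names, timestamps and log lines are constructed."""
import csv
import io
import json
import re
import uuid
from typing import Dict, List, Tuple

# Constructed vendor feeds describing the SAME campaign in two proprietary formats.
VENDOR_A_CSV = """type,value,threat_name,first_seen
ip,198.51.100.23,BadBot,2014-10-01
domain,malware.example,BadBot,2014-10-02
"""
VENDOR_B_JSON = """[
  {"ioc": "198.51.100.23", "kind": "IPv4", "family": "BAD-BOT", "seen": "2014-10-03"},
  {"ioc": "c2.example",    "kind": "FQDN", "family": "BAD-BOT", "seen": "2014-10-03"}
]"""

# Constructed proxy log lines to run the merged indicators against.
SAMPLE_LOG_LINES = [
    "2014-10-22T10:00:01Z src=10.0.0.5 dst=203.0.113.9 host=intranet.example action=allow",
    "2014-10-22T10:00:02Z src=10.0.0.7 dst=198.51.100.23 host=- action=allow",
    "2014-10-22T10:00:03Z src=10.0.0.7 dst=203.0.113.44 host=www.example action=allow",
    "2014-10-22T10:00:04Z src=10.0.0.9 dst=203.0.113.50 host=c2.example action=allow",
]

# Each vendor's type names, mapped onto the STIX Cyber-observable type used in the pattern.
OBSERVABLE_TYPES = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name", "fqdn": "domain-name"}
CREATED = "2014-10-22T00:00:00.000Z"   # fixed so the run is reproducible; a real tool uses the current time


def stix_pattern(obj_type: str, value: str) -> str:
    """The simplest STIX pattern: one comparison on one observable property."""
    return f"[{obj_type}:value = '{value}']"


def _read_vendor_a() -> List[Tuple[str, str, str, str]]:
    """(vendor, pattern, threat name, first seen) rows from the CSV feed."""
    rows = []
    for row in csv.DictReader(io.StringIO(VENDOR_A_CSV)):
        obj_type = OBSERVABLE_TYPES[row["type"].lower()]
        rows.append(("VendorA", stix_pattern(obj_type, row["value"]), row["threat_name"], row["first_seen"]))
    return rows


def _read_vendor_b() -> List[Tuple[str, str, str, str]]:
    """Same tuple shape from the JSON feed, so the merge step does not care who sent it."""
    rows = []
    for item in json.loads(VENDOR_B_JSON):
        obj_type = OBSERVABLE_TYPES[item["kind"].lower()]
        rows.append(("VendorB", stix_pattern(obj_type, item["ioc"]), item["family"], item["seen"]))
    return rows


def normalize_feeds() -> List[dict]:
    """Merge both feeds into STIX 2.1 Indicator objects, one per distinct pattern."""
    merged: Dict[str, dict] = {}
    for vendor, pattern, name, seen in _read_vendor_a() + _read_vendor_b():
        valid_from = f"{seen}T00:00:00.000Z"
        source = f"{vendor} as '{name}'"
        if pattern in merged:                       # redundant report: merge, don't duplicate
            ind = merged[pattern]
            ind["valid_from"] = min(ind["valid_from"], valid_from)   # earliest sighting wins
            ind["description"] += f"; {source}"
            continue
        merged[pattern] = {
            "type": "indicator",
            "spec_version": "2.1",
            # uuid5 on the pattern keeps ids stable across runs for this demo; STIX
            # recommends random UUIDv4 ids for SDOs, so a real tool would keep an id table.
            "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
            "created": CREATED,
            "modified": CREATED,
            "name": name,
            "description": "Reported by " + source,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": valid_from,
        }
    return list(merged.values())


def build_bundle(indicators: List[dict]) -> dict:
    """Wrap the objects in a STIX Bundle, the container used to exchange STIX content."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": indicators}


_SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value = '([^']+)'\]$")


def match_logs(bundle: dict, lines: List[str]) -> List[Tuple[int, str]]:
    """Apply the single-comparison indicators to log lines; returns (line index, indicator id).
    Only the equality form above is understood here; a real engine parses the full
    STIX patterning grammar."""
    wanted = []
    for obj in bundle["objects"]:
        m = _SIMPLE_PATTERN.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            wanted.append((m.group(2), obj["id"]))
    hits = []
    for i, line in enumerate(lines):
        tokens = set(re.split(r"[\s=]+", line))     # key=value tokens of the constructed format
        for value, ind_id in wanted:
            if value in tokens:
                hits.append((i, ind_id))
    return hits


if __name__ == "__main__":
    bundle = build_bundle(normalize_feeds())
    print(json.dumps(bundle, indent=2))
    for line_no, ind_id in match_logs(bundle, SAMPLE_LOG_LINES):
        print(f"line {line_no} matched {ind_id}")
```

<span style="font-family: "Trebuchet MS",sans-serif;">Three indicators come out of four vendor rows: the IP that both vendors reported (under two different threat names) becomes one object whose description records both sources and whose <b>valid_from</b> is the earliest sighting. That is exactly the "what is redundant and what is really important" question the post raises, answered mechanically instead of by reading two reports.</span><br />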
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>Links to the various Managed Security Service Providers' Threat Intelligence.</b></span></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www-03.ibm.com/security/xforce/" target="_blank">IBM has X-Force</a> </span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">IBM X-Force security professionals monitor and analyze security issues
from a variety of sources, including its database of more than <b>76,000
computer security vulnerabilities</b>, its global web crawler and its
international spam collectors.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.symantec.com/deepsight-products" target="_blank">Symantec has DeepSight</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">Symantec has established some of the most comprehensive sources of
Internet threat data in the world through the Symantec™ Global
Intelligence Network, which is made up of approximately <b>69 million
attack sensors</b> which record thousands of events per second. </span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://www.checkpoint.com/product/threatcloud/" target="_blank">CheckPoint has Threatcloud</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">ThreatCloud, the first collaborative security infrastructure to fight
cybercrime. ThreatCloud dynamically reinforces Check Point Threat
Prevention Software Blades with real-time threat intelligence derived
from Check Point research, global sensors data, industry feeds and
specialized intelligence feeds from the ThreatCloud IntelliStore.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://www.paloaltonetworks.com/products/technologies/wildfire.html" target="_blank">Palo Alto has WildFire</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">WildFire offers a completely new approach to Cybersecurity, through native integration with Palo Alto Networks <a href="https://www.paloaltonetworks.com/products/platforms.html">Enterprise Security Platform</a>,
the service brings advanced threat detection and prevention to every
security platform deployed throughout the network, automatically sharing
protections with all WildFire subscribers in about 15 minutes.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.mcafee.com/ca/threat-center/technology/global-threat-intelligence-technology.aspx" target="_blank">McAfee has GTI (Global Threat Intelligence)</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">McAfee Global Threat Intelligence (GTI) notices the anomalous behavior
and predictively adjusts the website’s reputation so McAfee web security
products can block access and protect customers. Then McAfee GTI looks
out across its broad network of sensors and connects the dots between
the website and associated malware, email messages, IP addresses, and
other associations, adjusting the reputation of each related entity.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.radware.com/Partners/TechnologyPartners/Lancope/" target="_blank">Radware has Lancope StealthWatch</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">Lancope Inc. is a leading provider of network visibility and security
intelligence to defend enterprises against today’s top threats. By
collecting and analyzing NetFlow, IPFIX and other types of flow data,
Lancope’s StealthWatch® System helps organizations quickly detect a wide
range of attacks from APTs and DDoS to zero-day malware and insider
threats. </span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf" target="_blank">F5 has IP Intelligence</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">F5® IP Intelligence incorporates external, intelligent services to enhance automated<br />application delivery with better IP intelligence and stronger, context-based security. By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into the F5 BIG-IP® platform, adding context to policy decisions. IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic. </span></li>
</ul>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.sourcefire.com/solutions/research" target="_blank">Cisco-Sourcefire has Talos</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">The Cisco Talos Security Intelligence and Research Group (Talos) is a
group of elite cyber security experts whose threat intelligence detects,
analyzes and protects against both known and emerging threats by
aggregating and analyzing Cisco’s unrivaled telemetry data of billions
of web requests and emails, millions of malware samples, open source
data sets and millions of network intrusions. More than just a
traditional response organization, Talos is a proactive member of your
security ecosystem, working around the clock to proactively discover,
assess, and respond to the latest trends in hacking activities,
intrusion attempts, malware and vulnerabilities with new rules,
signatures, file analysis and security tools to better protect your
organization.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.trendmicro.com/us/security-intelligence/" target="_blank">Trend Micro - Security Intelligence</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">With Trend Micro at your side, you can safely navigate the changing
cyber security landscape. We defend tens of millions of customers around
the clock through a worldwide network of 1000+ threat researchers and
support engineers committed to 24x7 threat surveillance and analysis,
attack prevention and remediation, and educational tools to help you
secure your data against cyber crime in this ever-changing digital
world.</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://media.kaspersky.com/en/business-security/kaspersky-threat-data-feeds-whitepaper.pdf" target="_blank">Kaspersky Labs -Threat Intelligence</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;">Kaspersky Lab’s Security Intelligence Services constantly monitor the
threat landscape, identifying emerging dangers and taking steps to
defend and eradicate. Combining our world-leading knowledge of malware
and cybercrime with a detailed understanding of our clients’ operations,
we create bespoke reports that provide actionable intelligence for an
enterprise’s specific needs. Our intelligence services range from
subscriptions to our global network insights, monthly threat analysis
specific to your organisation, through to bespoke training and education
programmes.
</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<a href="http://www8.hp.com/ca/en/software-solutions/software.html?compURI=1342819#.VEMGZhbTlUg" target="_blank"><span style="font-family: "Trebuchet MS",sans-serif;">Arcsight has Reputation Security Monitor</span></a><br />
<ul>
<li>Actively enforce and manage reputation-based security policies to help
focus on those threats with most risk. By using frequently scheduled
updates of reputation data, vetted by a global cadre of experts, HP
RepSM detects communication with sites known to have bad
reputations-preventing exfiltration of intellectual property and
reducing business risk. In addition, you can proactively monitor and
protect the reputation of your own enterprise by making sure company and
partner web sites and assets are not found on the bad reputation list.</li>
</ul>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx" target="_blank">Microsoft is soon announcing Interflow</a></span><br />
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"> The new <a href="http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx" target="new">Interflow</a>
platform, based on Microsoft's Azure cloud service, is geared for
incident responders and security researchers. "We needed a better and
more automated way to exchange information with incident responders.
That's how we started on a path developing this platform," says Jerry
Bryant, lead senior security strategist with Microsoft Trustworthy
Computing. "This allows for automated knowledge exchange."</span></li>
</ul>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b>Note: </b> Apologies if I've missed your favorite Internet Threat Analysis feed or report. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">Add a quick comment below, and I'll update this list if appropriate.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://stix.mitre.org/" target="_blank">https://stix.mitre.org</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://taxii.mitre.org/" target="_blank">https://taxii.mitre.org</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.networkworld.com/article/2225414/cisco-subnet/the-international-security-community-should-embrace-the-stix-and-taxii-standards.html" target="_blank">NetworkWorld: The International Security Community Should Embrace the STIX and TAXII Standards</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.networkworld.com/article/2360226/network-security/symantec-rolls-out-threat-intelligence-sharing-with-cisco-check-point-palo-alto.html" target="_blank">Networkworld: Symantec rolls out threat-intelligence sharing with Cisco, Check Point, Palo Alto Networks</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity" target="_blank">US-CERT: Information Sharing Specifications for Cybersecurity</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www-03.ibm.com/security/xforce/" target="_blank">IBM X-Force Threat Intelligence</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://resources.infosecinstitute.com/reinventing-threat-intelligence/" target="_blank">Infosec Institute: Reinventing Threat Intelligence</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.esg-global.com/blogs/large-organizations-needs-open-security-intelligence-standards-and-technologies/" target="_blank">Large Organizations Need Open Security Intelligence Standards and Technologies</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="https://files.sans.org/summit/cyberdefense2014/PDFs/Developing%20Cyber%20Threat%20Intelligence%20-%20deBeaupre.pdf" target="_blank">SANS.org: Developing Cyber Threat Intelligence...</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.brightcloud.com/pdf/CyberEdge-2014-CDR.pdf" target="_blank">BrightCloud: 2014 CYBERTHREAT DEFENSE REPORT</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><a href="http://www.networkworld.com/article/2453932/cisco-subnet/threat-intelligence-lifecycle-maturation-in-the-enterprise-market.html" target="_blank">Threat intelligence lifecycle maturation in the enterprise market</a> </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-size: x-small;">Location: Bowmanville, ON L1C, Canada</span><br />
<h2>Toronto based PCI Compliance upstart brings single solution to Voice-Web-POS</h2>
<span style="font-size: x-small;">Published 2014-10-10T15:00:00.004-04:00, updated 2014-10-10T15:00:52.840-04:00</span><br />
<span style="font-family: "Trebuchet MS",sans-serif; font-size: large;">As published in <a href="http://itworldcanada.com/" target="_blank">ITWorldCanada.com</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;">(<a href="http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109" target="_blank">http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109</a>)</span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">The standard Information Security mantra is to <a href="http://security-musings.blogspot.ca/2013/02/manage-security-where-data-resides.html" target="_blank"><b>Protect Sensitive Data Where It Resides</b></a>, but I posit that with the number of <a href="http://www.itworldcanada.com/article/pointing-the-blame-for-data-breaches/97853" target="_blank">Security Breaches</a> being publicized these days, we should quickly move to <a href="http://www.cybersource.com/resources/collateral/Resource_Center/whitepapers_and_reports/Reduce_PCI_Scope_Tokenization.pdf" target="_blank"><b>Remove Sensitive Data Where Not Required</b></a>.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">I know that I'm not new to <a href="http://www.cybersource.com/resources/collateral/Resource_Center/whitepapers_and_reports/Reduce_PCI_Scope_Tokenization.pdf" target="_blank">this train-of-thought</a>, but the cost of non-compliance is growing exponentially. <b>Financial Damage can be insured against... Reputational damage cannot.</b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">In a <a href="http://www.itworldcanada.com/blog/augment-encryption-with-tokenization/97358" target="_blank">previous article</a>, I spoke about the need for complementing industry standard <a href="http://en.wikipedia.org/wiki/Encryption" target="_blank">Encryption</a> with a process called <a href="http://en.wikipedia.org/wiki/Tokenization_%28data_security%29" target="_blank">Tokenization</a>.
While encryption is intended to hide the actual data in a manner that is reversible, tokenization replaces the sensitive data with a tag or
token, preserving only the format or schema of the data.</span><br />
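<span style="font-family: "Trebuchet MS",sans-serif;">To make that distinction concrete, here is an added example (written for this page; not code from the original article nor from any vendor's product) of a vault-based, format-preserving tokenizer in Python. The token keeps the length, the all-digit alphabet and the last four digits of the constructed sample card numbers, but it is random rather than derived from the PAN, so it can only be reversed by asking the vault, and the vault refuses any caller that is not the hypothetical "payment-processor" role.</span><br />

```python
import secrets
import string

# Constructed sample card numbers (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: True when `pan` carries a valid card-number checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault-based tokenizer: the real PAN lives only in this
    object's tables (in practice, in the provider's hardened vault); the
    systems that call tokenize() keep nothing but the token."""

    def __init__(self) -> None:
        self._pan_to_token: dict = {}
        self._token_to_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input does not look like a card number")
        if pan in self._pan_to_token:        # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Format preserved: same length, digits only, last four kept in the
            # clear so receipts and customer service still work.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice: reject tokens that would pass Luhn, so a leaked token
            # can never equal or be mistaken for a live card number; reject reuse.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only a privileged caller (here: the payment-processor integration)
        may turn a token back into the PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def process_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's order system stores: token and last four only.
    No field in the returned record contains the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    for sample in SAMPLE_PANS:
        print(sample, "->", process_order(vault, sample, 42.00))
```

<span style="font-family: "Trebuchet MS",sans-serif;">Run it and each order record prints with a token and last four only; a copy of the order database yields tokens that fail the Luhn check and map to nothing without the vault, which is the whole point of taking the card data out of the environment.</span><br />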
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">The <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf" target="_blank">Payment Card Industry</a> has clearly stated that any piece of infrastructure that is accessible by network to those systems that either process or store PCI (Credit Card) Data are<b> "in scope" </b>for PCI compliance. <b>This means that the scope an an annual compliance audit could essentially include every device on your network.... </b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b><br /></b></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKXcAMh8h6s8qC8FjnAtvmfbpDLpOoBydXn-j9X4NiXZY13rr5rkKJRVcTJQD71aFGB37MF0cooRXu94Zk4zcsW0iVd2f0zRLI_lbek5Ylb2Tkz8uHQOxI4UasI-Bak2ahBTKa2KUvd1El/s1600/pci_scope_no_tokenization.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKXcAMh8h6s8qC8FjnAtvmfbpDLpOoBydXn-j9X4NiXZY13rr5rkKJRVcTJQD71aFGB37MF0cooRXu94Zk4zcsW0iVd2f0zRLI_lbek5Ylb2Tkz8uHQOxI4UasI-Bak2ahBTKa2KUvd1El/s1600/pci_scope_no_tokenization.jpg" height="165" width="400" /></a></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Many software companies have taken on portions of the tokenization challenge. Originally, they provided API's and libraries for developers to embed tokenization into applications, or bootstrap tokenization onto existing applications. These did little though to reduce the scope of your PCI compliance, and in many cases raised the complexity of the environment.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">Next came the tokenization broker appliances, which were housed in your data center to communicate with your Point Of Sale and payment processing systems. Although this reduces scope and complexity of your PCI environment, it still leaves a large amount of your environment "in scope" for PCI, and the "crown jewels" were still onsite, albeit in a very robust data vault.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9mRXXElDRzFtMNysyDO6T0oWEnXYucl852-P7Y-CNb5T9p6tV-YXXTxj2SLN-t9r_mjNptUlKnwx1_Bv7L4gLrqCuRYcm_0q8zdSX8eHcXdy1uiILV9JnKATHE0lsMzZY2FBacMRlTB1I/s1600/pci_scope_local_tokenization.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9mRXXElDRzFtMNysyDO6T0oWEnXYucl852-P7Y-CNb5T9p6tV-YXXTxj2SLN-t9r_mjNptUlKnwx1_Bv7L4gLrqCuRYcm_0q8zdSX8eHcXdy1uiILV9JnKATHE0lsMzZY2FBacMRlTB1I/s1600/pci_scope_local_tokenization.jpg" height="183" width="400" /></a></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;">With a tokenization solution outsourced via a SaaS model, sensitive data such as credit card numbers are not stored in your system. There is nothing to obtain during a breach. Full stop. Let
someone else take on the burden of PCI compliance. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSXZJ2bdTUqHJoTT7qqgN_ewW1achY6FYTiinZvWO8WFwrT9ebYQofEXV6SczC7RfIm-3t6uJe3-9UVO2d3BXNGf8R4korbRO7L2I_ReS4JRvEzwM8qFaEp802f697YX7VPRg2SC1pW93U/s1600/pci_scope_saas_tokenization.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSXZJ2bdTUqHJoTT7qqgN_ewW1achY6FYTiinZvWO8WFwrT9ebYQofEXV6SczC7RfIm-3t6uJe3-9UVO2d3BXNGf8R4korbRO7L2I_ReS4JRvEzwM8qFaEp802f697YX7VPRg2SC1pW93U/s1600/pci_scope_saas_tokenization.jpg" height="202" width="400" /></a></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">Toronto's own <a href="http://www.bluelinex.com/" target="_blank">Blueline Data</a></span> has taken on the challenge, by creating a novel tokenization gateway solution that not only covers your Web and Point Of Sale transaction systems, but your <a href="http://bluelinex.com/strategy_voip.html" target="_blank">Telephony and Unified Communications Infrastructure</a> as well. In fact, you can define any type of digital data sequence to be protected for <b>SOX / HIPAA / OSFI </b> or any other regulatory requirement and tokenize it as well. They call their strategy "<b>Assurance through Deterrence</b>". By removing the sensitive data from your environment, they deter would-be attackers from investing in Advanced Persistent Attacks to breach your environment. </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7de6l2gE3NC1td7OwI4ieZVbLXLlSgsliZcU_jzfhOEIxrdLox-s7wtT2GhyqM7n02DdAfaHf0h4bSaAxzN_21ZB6lOZpOckgyWFzCUp6oTgnKplHFMPRpIPGxlj5OMr63KJ76pcyXZ6R/s1600/pci_scope_UC_tokenization.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7de6l2gE3NC1td7OwI4ieZVbLXLlSgsliZcU_jzfhOEIxrdLox-s7wtT2GhyqM7n02DdAfaHf0h4bSaAxzN_21ZB6lOZpOckgyWFzCUp6oTgnKplHFMPRpIPGxlj5OMr63KJ76pcyXZ6R/s1600/pci_scope_UC_tokenization.jpg" height="227" width="400" /></a></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">The PCI-DSS covers 6 areas of protection with 12 Specific Requirements. Blueline's unique offering <a href="http://bluelinex.com/resources/blp204_pci_compliance_sheet.pdf" target="_blank">covers 7 of these requirements, across 5 areas!</a></span></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS",sans-serif;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dzHTE2iCdQwJqWGI-WWwNh7_yMBjVCOEbPdRh77NcXQ50YhUkpu-lZTbjfGG_-d7QXe8L3TECwkNpa88nuNUg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">The Blueline environment itself, subject to PCI audit, complies with the DSS 3.0 requirements. It offers a unique and low-risk approach to protect your IT assets, such as financial records, intellectual property, employee details and data entrusted to you by customers or third parties. The combined benefit is the highest security and the lowest cost.</span></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Their approach to format preserving and <a href="http://www.bluelinex.com/resources/blc204_solution_dt.pdf" target="_blank"><b>diskless tokenization</b></a> at the perimeter, essentially creates a <a href="http://bluelinex.com/resources/bls204_model_summary.pdf" target="_blank"><b>Zero Vector of Attack™</b></a> computing environment, which is easy to operate but not feasible to exploit.</span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>I believe</b> that their forward thinking initiative of providing tokenization services to non-traditional channels of data flow sets them aside from the competitors in this market. I'm anxious to watch this company flourish amid the weekly disclosures of Sensitive Data Breaches.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">From the <a href="http://www.bluelinex.com/" target="_blank">Blueline Data</a> Website:</span></b></span><br />
<blockquote class="tr_bq">
<span style="font-family: "Trebuchet MS",sans-serif; font-size: small;"><b>Blueline Data Products and Services</b></span></blockquote>
<blockquote>
<ul>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Strategic Assessment – </b>a review with your team to determine what Blueline Solutions would be most impactful with your business requirements and technology investments</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Solution Services</b> <b>–</b> compliance delivery guidance and market insight (call center, financial services, healthcare, retail, etc.)</span><span style="font-family: "Trebuchet MS",sans-serif;"> </span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Voice Gateway - </b>encompasses security encryption around voice channels that send and receive sensitive data, to eliminate fraud by capturing, masking and encrypting confidential signaling information on the path. The encrypted sensitive datagrams are securely rendered to allow fully protected processing, eliminating the possibility of a call to get compromised.</span></li>
<li><b><span style="font-family: "Trebuchet MS",sans-serif;">Retail Gateway </span></b><span style="font-family: "Trebuchet MS",sans-serif;"><b>- </b>offers integration with any point-of-sale (POS) device in a secure and compliant manner, and allows point-to-point encryption of client's personal information from any payment media. This applies to any transaction or function where a client is required to use a payment terminal for credit or debit card processing expected to integrate with the backend data repository. There is no need for manual card data entry for proof of identity, payment guarantee or other purposes.</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Data Gateway -</b> provides organizations with a single access point-of-presence to transaction services, such as secure banking and financial networks, mobile application payment delivery, or secure web bill presentment. It allows you centrally and uniformly govern all traffic of financial interest, whether it is exchanged between your partner organizations or with your clientele involved in the transaction flow. Sensitive data transfer is fully protected to meet the highest security and privacy standards.</span></li>
<li><span style="font-family: "Trebuchet MS",sans-serif;"><b>Data Vault - </b>presents a conversion engine that takes any sensitive data element – whether it is SSN or SIN number, driver's license, credit or debit card, or patient record – and encrypts such information in a format-preserving manner. The data is tokenized and optionally stored in a secure "digital vault" that you can access as you need, provided that sufficient privileges are presented. It fully removes sensitive payment and personal information from your computing systems and digital media.</span></li>
</ul>
</blockquote>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: large;">References:</span></b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf" target="_blank">PCI Security Standards: Information Supplement: PCI DSS Tokenization Guidelines</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.sans.org/reading-room/whitepapers/bestprac/ways-reduce-pci-dss-audit-scope-tokenizing-cardholder-data-33194" target="_blank">SANS: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://bluelinex.com/resources/blp204_pci_compliance_sheet.pdf">http://bluelinex.com/resources/blp204_pci_compliance_sheet.pdf</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.bluelinex.com/resources/blc204_solution_dt.pdf" target="_blank">Blueline Services: Data Tokenization</a> </span> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://securosis.com/assets/library/reports/Securosis_Understanding_Tokenization_V.1_.0_.pdf" target="_blank">Securosis: Understanding and Selecting a Tokenization Solution</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.shift4.com/pdf/s4-wp0806_tokenization-in-depth.pdf" target="_blank">Shift4: A detailed look at tokenization and it's Advantages over Encryption</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://tokenex.com/outsourcingtokenization/" target="_blank">TokenEX: Outsourcing Tokenization vs. On-Premise Data Security</a> </span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.mashery.com/api-gateway/tokenization">http://www.mashery.com/api-gateway/tokenization</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.bankinfosecurity.com/whitepapers/using-pci-dss-criteria-for-pii-protection-w-947" target="_blank">http://www.bankinfosecurity.com/whitepapers/using-pci-dss-criteria-for-pii-protection-w-947</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf" target="_blank">Payment Card Industry (PCI) Data Security Standard</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.protegrity.com/wp-content/uploads/2011/04/Protegrity-Tokenization-Whitepaper-3_2011.pdf" target="_blank">Protegrity Tokenization Securing Sensitive Data for PCI, HIPAA and Other Data Security Initiatives</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.protegrity.com/2011/08/protegrity-tokenization/" target="_blank">Protegrity: Vaultless Tokenization</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.protegrity.com/2013/04/protegrity-data-tokenization/" target="_blank">Protegrity: Vaultless Tokenization Fact Sheet.</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://www.cybersource.com/resources/collateral/Resource_Center/whitepapers_and_reports/Reduce_PCI_Scope_Tokenization.pdf" target="_blank">Cybersource: Reducing PCI Compliance Scope: Take the Data Out</a></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://info.intel.com/rs/intel/images/Tokenization-Buyers-Guide.pdf" target="_blank">Intel: PCI DSS Tokenization Buyer’s Guide</a> </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>security-musingshttp://www.blogger.com/profile/08314220993941772374noreply@blogger.com0tag:blogger.com,1999:blog-6954236093826966251.post-65312010949663508782014-10-04T11:25:00.001-04:002014-10-04T11:25:24.416-04:00The Demise of Excess Access - A eulogy for traditional VPN<span style="font-family: "Trebuchet MS",sans-serif; font-size: x-small;">(as published in <a href="http://itworldcanada.ca/" target="_blank">Itworldcanada.ca</a>) </span><br />
<a href="http://www.itworldcanada.com/blog/the-demise-of-excess-access-a-eulogy-for-traditional-vpn/96655" target="_blank"><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;"><span style="font-size: x-small;">http://www.itworldcanada.com/blog/the-demise-of-excess-access-a-eulogy-for-traditional-vpn/96655</span></span></span></span></a><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;"><span style="font-size: x-small;"> </span></span></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;">Once upon a time</span>, in a world where mobile meant "laptop" or "remote home PC", Corporate network connectivity came in two flavours: 1) <a href="http://en.wikipedia.org/wiki/Modem" target="_blank">Dial-up modem</a>, with it's clunky protocols and achingly slow speeds, and 2) <a href="http://en.wikipedia.org/wiki/Vpn_client" target="_blank">Corporate VPN client</a> over Internet. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;">Internet VPN</span> seemed like a godsend in comparison to Dial-up. Basically it's purpose was to provide a secure network connection between your remote PC/Laptop (the entire device) and your Corporate network. Whether old-school <a href="http://en.wikipedia.org/wiki/Ipsec" target="_blank">IPSec</a> or the more recent <a href="http://searchsecurity.techtarget.com/definition/SSL-VPN" target="_blank">SSL encapulation</a>, the transport was secured. Username/password, and optionally a <a href="http://en.wikipedia.org/wiki/One-time_password" target="_blank">One Time password</a> or <a href="http://en.wikipedia.org/wiki/Security_token" target="_blank">Security Token</a> would be used to provide <a href="http://en.wikipedia.org/wiki/Two_Factor_Authentication" target="_blank">Two Factor Authentication</a> (2fa). </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>Seems secure? Right?</b> I mean, authentication and transport security are covered.. what else is there?</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/ravpnpag.html" target="_blank"><span style="font-size: large;">Dynamic Access Policies</span></a> were then created to define a set of rules, similar to firewall rules, that describe what applications (port/protocol) on the remote users PC could talk to what servers/services in the data center. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: small;">In general, this worked fine if there were less than a hundred employees in the company, you had no third party users, no application was ever upgraded, and nobody changed roles.</span></b></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">In practice, policies are defined loosely to allow for<a href="http://windowsitpro.com/blog/your-biggest-security-threats-are-convenience-and-ignorance" target="_blank"> Convenience rather than Security</a>. Realistically, large numbers of PC's have unfettered access to the corporate network, as if they were sitting at their desk. (We'll get into THAT issue in a future blog.) </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Well then we started worrying about Viruses, worms, trojans... basically Malware residing on the remote PC. What stops them from propagating into the corporate network? How do we know the end user has applied all the appropriate patches, and is running the most current <a href="http://en.wikipedia.org/wiki/AntiMalware" target="_blank">AntiMalware</a> (And that it's signatures are up to date!)?</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://searchnetworking.techtarget.com/definition/network-access-control" target="_blank"><span style="font-size: large;">Network Access Control</span></a> was added to the VPN client to assess the endpoint (laptop or PC) and determine it's "<a href="http://en.wikipedia.org/wiki/Network_Admission_Control#Posture_assessment" target="_blank">security posture</a>" based on patch status and running AntiMalware applications.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">But this wasn't enough to satisfy the Audit or Risk departments, so you had to install <a href="http://en.wikipedia.org/wiki/Intrusion_prevention_system" target="_blank">Intrusion prevention appliances</a> and <a href="http://en.wikipedia.org/wiki/Fireeye" target="_blank">network anti-malware</a> inside the network to remediate anything that was missed on the endpoint... </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">AND... we still have all those remote endpoints, with pretty much open access to our entire corporate network...</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;"></span></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><span style="font-size: large;">In the meantime</span>...</span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">As a result of the explosion of Tablets and smart phones, alternate solutions arose for many of the very services we require daily as part of our VPN dependency. An entire industry arose to service <a href="http://en.wikipedia.org/wiki/BYOD" target="_blank">BYOD</a> or <a href="http://www.itworldcanada.com/sponsored/embracing-byod-with-mobile-device-management" target="_blank">Bring Your Own Device</a>. Tablets and Smart phones are <a href="http://en.wikipedia.org/wiki/Mobile_device_management" target="_blank">managed through various means</a>, but typically now applications running on those devices are segregated or "<a href="http://en.wikipedia.org/wiki/Mobile_application_management" target="_blank">sandboxed</a>" from one another to reduce the risk of eavesdropping and data capture.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"> </span></span><br />
<br />
<b><span style="font-family: "Trebuchet MS",sans-serif; font-size: large;">The Future of Enterprise Remote Connectivity:</span></b><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Today, there is absolutely NO REASON to use VPN for your Corporate Email service. All enterprise grade email clients utilize strong local authentication, integrate with industry standard Single Sign On, and use strong transport encryption. Whether you are an <a href="http://en.wikipedia.org/wiki/Microsoft_Exchange_Server" target="_blank">Exchange</a>/<a href="http://en.wikipedia.org/wiki/Microsoft_outlook" target="_blank">Outlook</a> or <a href="http://en.wikipedia.org/wiki/IBM_Domino" target="_blank">Domino/Notes</a> user, for this use case, VPN is merely a hindrance to productivity, and a complexity that costs your company both in Capex and Opex.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Similarly, there is absolutely NO REASON to use VPN for your Corporate VOIP or Instant messaging. These services also integrate cleanly into <a href="http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations" target="_blank">Enterprise Single Sign On</a>, and provide for secured, encrypted transport.</span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">If you NEED, and I stress <b>NEED</b>, a corporate desktop, then there are many highly secure NON VPN solutions available, such as Microsoft's </span><span style="font-size: small;"><a href="http://technet.microsoft.com/en-us/library/cc731150.aspx" target="_blank">Remote Desktop Gateway</a>, <a href="http://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-access-gateway/Citrix_Access_Gateway_VPX.pdf" target="_blank">Citrix Access Gateway</a>, or VDI via <a href="http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-security.pdf" target="_blank">VMWare's Horizon View</a>. Some <a href="http://en.wikipedia.org/wiki/Legacy_system" target="_blank">Legacy Applications</a> may still require this model for a few years to come. </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<b><span style="font-family: "Trebuchet MS",sans-serif; font-size: large;"></span></b><br />
<b><span style="font-family: "Trebuchet MS",sans-serif; font-size: large;"></span></b>
<b><span style="font-family: "Trebuchet MS",sans-serif; font-size: large;"> </span></b><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-family: "Trebuchet MS",sans-serif;">Are you using Cloud Services through VPN?</span></b><span style="font-size: small;"><b> </b>If you are using VPN to get to your corporate Cloud applications like <a href="http://salesforce.com/" target="_blank">SalesForce</a>, <a href="http://www.sap.com/pc/tech/cloud.html" target="_blank">SAP</a>, <a href="http://concur.com/" target="_blank">Concur</a>,<a href="http://servicenow.com/" target="_blank">ServiceNow</a>, <a href="http://office.microsoft.com/en-ca/business/what-is-office-365-for-business-FX102997580.aspx" target="_blank">Microsoft Office 365</a>, or <a href="http://www.oracle.com/us/products/applications/taleo/overview/index.html" target="_blank">Taleo</a>, you are simply adding an extra network loop to an already secured connection. These services already use </span></span><span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations" target="_blank">Enterprise Single Sign On</a>, and provide for secured, encrypted transport.</span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">Containerization technologies </span>like <a href="http://www.bromium.com/" target="_blank">Bromium</a> will transform application development for the laptop environment, and allow Laptops to join the realm of Managed Devices in a Mobile Device Strategy. Soon your Enterprise Mobile Application Management suite will package and manage apps for Windows and OSX as well as iOS, Blackberry and Android. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><a href="http://en.wikipedia.org/wiki/Write_once,_run_anywhere" target="_blank">Write Once, Run Anywhere</a></span> has been a mantra used by vendors such as Oracle for well over a decade. It is finally approaching a maturity level that will see it in action everywhere. Most large applications today are being developed using frameworks that abstract the presentation layer, and allow the designers to write various "front ends" specific to the device, while the rest of the application is identical across platforms.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><br /></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;">So aren't you just</span> replacing one remote access solution with several niche appliances?</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">In a quick answer, sort of... Service specific appliances, such as SIP gateways provide a much more robust and secure means on managing this specific traffic, and many companies already have them in place for internal branch to branch connectivity.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">I'm not suggesting that the future of remote connectivity is free and unfettered access to your Corporate Network. Quite the opposite in fact. I'm suggesting that 2/3 of what employees access today via traditional VPN, already has BETTER and MORE SECURE means of connectivity through their native infrastructure, and that the remaining 1/3 is on track to be replaced with technologies that will allow the remote applications to be secured on any device from phone to tablet to laptop.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><b>In today's world of high profile <a href="http://www.itworldcanada.com/post/early-lessons-from-the-target-breach" target="_blank">Data Breaches</a>, <a href="http://www.itworldcanada.com/article/global-elderwood-attacks-in-2014-suggest-deeper-threat/93363" target="_blank">Zero Day Attacks</a>, and <a href="http://www.itworldcanada.com/article/microsoft-issues-five-bulletins-on-windows-flaws/18099" target="_blank">Significant Operating System vulnerabilities</a>, we cannot allow the Excess Access that traditional VPN affords.</b></span><br />
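<span style="font-family: "Trebuchet MS",sans-serif;">To make "excess access" measurable rather than rhetorical, here is an added example (not code from the original post) that audits a full-tunnel VPN profile against the services a role actually needs. The pushed routes and the service inventory are constructed sample data; the "native alternative" column is where you record the service-specific gateway (SIP gateway, RD Gateway, ActiveSync, and so on) that could replace the tunnel for that service. The script reports how many addresses the tunnel exposes versus how many are needed, and what minimal routes would remain if only the services without a native gateway still went through a tunnel.</span><br />

```python
"""Quantify the 'excess access' a traditional full-tunnel VPN grants.

Added example, not part of the original post. The routes and the
service inventory are constructed for illustration; substitute the
routes your VPN concentrator really pushes and the endpoints each
role really needs.
"""
import ipaddress

# Constructed sample: routes a traditional VPN profile pushes to every client.
VPN_ROUTES = ["10.0.0.0/8", "172.16.0.0/12"]

# Constructed sample: the only endpoints this role needs, with the native,
# service-specific gateway (if any) that could serve them without a tunnel.
NEEDED_SERVICES = [
    # (service name, CIDR it lives on, native alternative or None)
    ("Exchange mail", "10.1.10.25/32", "ActiveSync / Outlook Anywhere"),
    ("Desk phone (SIP)", "10.1.20.0/24", "SIP gateway / SBC"),
    ("Remote desktop", "10.2.5.0/24", "Remote Desktop Gateway"),
    ("Legacy HR app", "10.3.7.40/32", None),  # nothing native yet
]


def total_addresses(networks):
    """Sum of host addresses covered by a list of ip_network objects."""
    return sum(n.num_addresses for n in networks)


def excess_access(vpn_routes, needed):
    """Compare what the tunnel exposes with what the role needs.

    Returns (needed_reachable, excess, leftover):
      needed_reachable - addresses reachable that a required service uses
      excess           - addresses reachable that no required service uses
      leftover         - service names with no native gateway alternative
    """
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    # Collapse overlapping service networks so nothing is double-counted.
    needed_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr) for _, cidr, _ in needed))
    reachable = total_addresses(routes)
    needed_reachable = sum(
        n.num_addresses for n in needed_nets
        if any(n.subnet_of(r) for r in routes))
    leftover = [name for name, _, alt in needed if alt is None]
    return needed_reachable, reachable - needed_reachable, leftover


def minimal_routes(needed):
    """Routes a narrowed tunnel would still need: only services with no
    native gateway, collapsed to the smallest set of prefixes."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr) for _, cidr, alt in needed if alt is None)
    return [str(n) for n in nets]


if __name__ == "__main__":
    used, excess, leftover = excess_access(VPN_ROUTES, NEEDED_SERVICES)
    print(f"Addresses reachable but unused by this role: {excess:,}")
    print(f"Addresses actually needed:                  {used:,}")
    print(f"Services with no native gateway yet:        {leftover}")
    print(f"Routes a narrowed tunnel would still push:  {minimal_routes(NEEDED_SERVICES)}")
```

<span style="font-family: "Trebuchet MS",sans-serif;">With the sample data the full tunnel exposes roughly 17.8 million addresses to reach 514 that are needed, and once the mail, SIP and RDP traffic move to their native gateways the residual tunnel shrinks to a single /32 for the legacy application. Pointing the script at a real split-tunnel or full-tunnel profile gives you the same figure for your own environment.</span><br />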
<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: large;"><b>References:</b></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.windowsecurity.com/articles-tutorials/firewalls_and_VPN/Death-VPN.html" target="_blank">WindowsSecurity.com: Death of VPN</a></span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.dome9.com/blog/vpn-clients-are-dead-in-the-cloud" target="_blank">VPN Clients are Dead in the Cloud</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.egnyte.com/blog/2014/01/the-evolution-and-death-of-the-vpn/" target="_blank">The Evolution …. and Death of the VPN</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://andrewjprokop.wordpress.com/2014/02/18/the-death-of-the-vpn/" target="_blank">The Death of the VPN</a> </span></span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://technet.microsoft.com/en-us/library/cc731150.aspx" target="_blank">Microsoft Technet: Overview of Remote Desktop Gateway</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://www.apperian.com/app-wrapping-is-a-form-of-containerization/" target="_blank">App Wrapping is A Form of Containerization</a> </span></span><br />
<span style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://blogs.forrester.com/tyler_shields/14-05-15-containerization_vs_app_wrapping_the_tale_of_the_tape" target="_blank">Forrester: Containerization Vs. App Wrapping - The Tale Of The Tape</a> </span></span><br />