Search This Blog

Monday, 13 June 2016

Securing the Internet of Things - Developer's Guidance

The "Internet of Things" or "IoT" as it's affectionately known, has become one of the most prevalent buzzwords of 2016.  Almost everything you touch today is somehow associated with it. Everything from smart thermostats, security systems, refrigerators and baby monitors in your home, to fitness bracelets and watches on your wrist, are connected to the Internet now.  From clothing that use coloured LEDs to reflect your mood, to children's educational toys, all have connectivity to "enhance your life experiences".
With the race to bring new products to this evolving market, issues of both Security and Privacy are raised for consumers. At the low end of the spectrum, an attached IoT device could expose your WiFi configuration.  On the high end of the spectrum, your personal banking, and health information could be exposed. 


Depending on who you listen to, the analysts are saying that there will be between 25-30 BILLION Internet connected devices by the year 2020... just a short 4 years from now. (Cisco says 50 Billion!)

 
http://hpe-enterpriseforward.com/eiu-securing-iot/
Each one of these devices is a potential
Security or Privacy liability.
  • only 33% of organizations believe their IoT products are “highly resilient” against any future cyber security threats,
  • 48% of companies focus on securing their IoT products from the beginning of the product development phase.


http://hpe-enterpriseforward.com/eiu-securing-iot/


In the past year, we have seen:


Cisco: IoT Security Timeline

Who are these "Malicious People" and why do they want to wreak havoc with our Inventions?


IoT devices and systems are typically remote sensors or controls involved in managing a process of some sort. Whether it be collecting weather information for crop management, to sensor data for proper maintenance of an automobile, temperature and humidity information for building climate control, or bio sensors for monitoring a patients health, IoT devices manage a large amount of critical information.  Critical information that could potentially be considered Private and/or Confidential in nature. 

IoT PenguinBot
By the remote nature of these devices, they are also typically designed to be "low cost" and "low energy" battery operated systems.  Function and performance are the critical design success factors, while Security has not played a significant development role to date.  MOST current IoT devices are readily exploitable through several means. 

Oh, and did I mention that most IoT devices are connected (and trusted) in some way to logging, monitoring, and analysis tools deep within the corporate infrastructure?  Find a kink in this light armour, and you can sail right past the corporate security systems in place.

What type of attacker is interested in exploiting IoT devices?  We are finding that the IoT Threat Landscape is quite varied.  Everyone from cybercriminals to government entities, hacktivists, and even insiders have shown up to the game. It's apparently hard to resist the low hanging fruit of an easily exploitable system, that could lead directly into the corporate infrastructure.  
From stealing sensitive data by hacking IoT devices, to facilitating denial of service against a third-party entity, there are plenty of reasons and opportunities to exploit a connected Internet of Things device.


 

So, as developers, what are we to do? 

How can we ensure that our products are secure from the beginning?  What aids do we have to guide us in creating a more secure, more private consumer product?


I'm glad you asked!  There are many initiatives currently to define the obstacles and opportunities to creating a secure Internet of Things ecosystem, but there ARE some guideline that you can follow.
First, from Cyber Security company I am the Cavalry, here is a snippet of sage advice:

 Security:

  1. Secure by Default
    1. No default passwords shared between devices, or weak out of the box passwords.
    2. All passwords should be randomly created using a high quality random password generator.
    3. Advanced features used by small percentage of users should be turned off by default(VPN,Remote Administration, etc...)
  2. Secure by Design
    1. Firmware should be locked down so serial access is not available.
    2. Secure Ethernet (SE) or Trusted Protection Modules (TPM) devices should be used to protect access to the firmware and hardware.
    3. All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
    4. NAND or other memory/storage mediums should be protected with epoxy, ball sockets (so the memory cannot be removedand dumped), or other methods to prevent physical attack. 
  3. Self Contained Security
    1. The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised, and still maintain protection methods. This can be done with prompts to the user to accept handshakes between devices trying to access other devices on their networks.
    2. Communication between devices should be encrypted to prevent MiTM attacks and sniffing/snooping.
Privacy:
  1. Consumer PII not shared with manufacturers or partners.
  2. Usage data on individual consumer is never shared with partners or advertisers.
  3. Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven to no be traceable back to an individual consumer.
  4. Data collection policy, type of data collected and usage of data is clearly documented on site.



As well, I am the Cavalry has published the Five Star Automotive Cyber Safety Program, with the purpose of bringing the industry together to standardize on a security framework for connected devices.

According to their website:  
The OWASP Internet of Things Project provides information on:

Of interest in this discussion is the topic of "IoT Attack Surface Areas". Each one of these boxes identifies specific threat vectors to IoT product development, as well as guidance and recommendations on remediating these concerns early in the development cycle.


Ecosystem Access Control Device
Memory		 Device Physical
Interfaces		 Device Web
Interface
Device
Firmware		 Device Network
Services		 Administrative
Interface		 Local
Data Store
Cloud Web
Interface		 Ecosystem
Communications		 Vendor Backend
APIs		 Third Party
Backend API's
Update
Mechanism		 Mobile
Application		 Network
Traffic


 IoT Security != Device Security
Attack Surface Vulnerability
Ecosystem Access Control
  • Implicit trust between components
  • Enrollment security
  • Decommissioning system
  • Lost access procedures
Device Memory
  • Cleartext usernames
  • Cleartext passwords
  • Third-party credentials
  • Encryption keys
Device Physical Interfaces
  • Firmware extraction
  • User CLI
  • Admin CLI
  • Privilege escalation
  • Reset to insecure state
  • Removal of storage media
Device Web Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
Device Firmware
  • Hardcoded credentials
  • Sensitive information disclosure
  • Sensitive URL disclosure
  • Encryption keys
  • Firmware version display and/or last update date
Device Network Services
  • Information disclosure
  • User CLI
  • Administrative CLI
  • Injection
  • Denial of Service
  • Unencrypted Services
  • Poorly implemented encryption
  • Test/Development Services
  • Buffer Overflow
  • UPnP
  • Vulnerable UDP Services
  • DoS
Administrative Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
  • Security/encryption options
  • Logging options
  • Two-factor authentication
  • Inability to wipe device
Local Data Storage
  • Unencrypted data
  • Data encrypted with discovered keys
  • Lack of data integrity checks
Cloud Web Interface
  • SQL injection
  • Cross-site scripting
  • Cross-site Request Forgery
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known default credentials
  • Transport encryption
  • Insecure password recovery mechanism
  • Two-factor authentication
Third-party Backend APIs
  • Unencrypted PII sent
  • Encrypted PII sent
  • Device information leaked
  • Location leaked
Update Mechanism
  • Update sent without encryption
  • Updates not signed
  • Update location writable
  • Update verification
  • Malicious update
  • Missing update mechanism
  • No manual update mechanism
Mobile Application
  • Implicitly trusted by device or cloud
  • Username enumeration
  • Account lockout
  • Known default credentials
  • Weak passwords
  • Insecure data storage
  • Transport encryption
  • Insecure password recovery mechanism
  • Two-factor authentication
Vendor Backend APIs
  • Inherent trust of cloud or mobile application
  • Weak authentication
  • Weak access controls
  • Injection attacks
Ecosystem Communication
  • Health checks
  • Heartbeats
  • Ecosystem commands
  • Deprovisioning
  • Pushing updates
Network Traffic
  • LAN
  • LAN to Internet
  • Short range
  • Non-standard



As stated earlier, this is starting guidance on what to look for when building out your Internet of Things Security Framework.  For further ideas and guidance, please read the references below. 

Good luck, and happy coding.




Resources:

OWASP: Top 10 IoT Security Issues
OWASP Top Ten IoT Security - Infographic
OWASP: IoT Security Guidance
RSA Conf: Mapping the IoT Attach Surface Areas
ARSTechnica: “Internet of Things” security is hilariously broken and getting worse
ARSTechnica: Police body cams found pre-installed with notorious Conficker worm
ARM.COM: From Sensor to Server, ARM drives the Internet of Things 
Texas Instruments: Internet of Things - Opportunities and Challenges 
DEFCON 23: IoT Attack Surface Mapping
HPE: Securing the IoT
Capgemini: Securing the Internet of Things
Globe and Mail: Internet of Things a playground for hackers
Globe and Mail: The Future is Smart - Why privacy must be baked into the Internet of Things
https://www.iamthecavalry.org/
IamtheCavalry: Five Star Automotive Cyber Safety Program
https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html
https://www.exploitee.rs/index.php/Exploiting_Nest_Thermostats
http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/
Embedded: Security framework for IoT devices
NIST Releases Draft Framework on the Internet of Things
Online Trust Alliance: IoT Trust Framework
WolfSSL: Embedded SSL Library for Applications, Devices, IoT, and the Cloud
http://www.bankingexchange.com/news-feed/item/5770-5-hacks-into-your-internet-of-things-devices
https://www.helpnetsecurity.com/2016/05/09/internet-of-fail/
Cisco: IoT Threat Environment
https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/



Posted by at No comments:
Labels: , , , , , ,
Location: Toronto, ON, Canada

Tuesday, 17 May 2016

CSIRT: Classifying the Severity of a Breach


We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data.  (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").


One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.  

I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.

I was told to constrain my scope to a High, Medium, Low classification model.

Using their own Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.


Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.



Information Security Breach Impact Classification

ABSTRACT: 
This document, based upon  's Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in Communicating your Breach, as well as in determining requirements and constraints for acquiring CyberSecurity Insurance. 

Significance of Breach: - High Level Breaches
                                          - Medium Level Breaches
                                          - Low Level Breaches

A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or it’s Partners/Clients/Vendors
RESTRICTED  

The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .
Example:
‘RESTRICTED’ information includes but is not limited to personal identifiable information (PII), employees’ medical history, Credit Card information, Bank account information, and encryption keys and passwords.

A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either   or it’s Partners/Clients/Vendors
Confidential  

The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to  .
Example:
‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.

A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either  or it’s Partners/Clients/Vendors. 
Internal 

The ‘INTERNAL’ classification is used to denote information that may be shared within   but is restricted from general release to the public.
Example:
‘Examples include training manuals, procedures and communications to all employees.

Definitions:
Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Protected Health Information (PII), generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.



References:

 SANS: Information Classification - Who, Why and How
CSO Online: What security leaders need to know about breach communication
iso27001security.com:Information Classification Policy template
Carnegie Mellon: Guidelines for Data Classification
FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)
Carnegie Mellon: Handbook for CSIRTs.
http://www.databreachtoday.com/blogs/importance-data-classification-p-1153
GIAC: An Introduction to the Computer Security Incident Response Team
CERT: CSIRT Frequently Asked Questions (FAQ)
IAPP: Communicating a Breach: Best Practices and Examples
Your Guide for Data Breach Crisis Communication
Computer Weekly: Lack of data classification very costly to firms, says survey
DHS: Cyber Risk Management and Cybersecurity Insurance
Posted by at No comments:
Labels: , , ,

Monday, 7 March 2016

Selling Myself - Michael Ball Consulting Inc.


As of July 2015, I have been providing Information Security Consulting Services on a contract Basis. 
If interested in hiring me for consulting or a speaking engagement, please contact me at the following:
Michael Ball Consulting Inc. 
61 Baxter St. Bowmanville Ontario, L1C 5P8 Cell: (647) 458-5064
Email: unix_guru at Hotmail dot com or @unix_guru on Twitter

Information Security Consulting and Architecture

Over 25 years Information Security Operations and Governance in the Finance and Insurance Sectors.

Finance Sector:
  • AGF Mutual Funds, Toronto (Jan 2016 – Present), Acting CISO
  • CIBC, Toronto (Feb 2016), Application Threat/Risk Analysis –Mobile Money Manager App.
  • Dundee Capital Markets, Toronto (Oct  2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Dundee Capital Markets, Toronto (Nov  2015), Information Security Architectural gap analysis and Roadmap
  • HPE/TD, Toronto (Mar 2016) PCI QSA Self Assessment consulting and review

Health Sector:
  • William Osler Health Institute, Brampton (Aug 2015), Privacy Impact Assessment for Patient Record Viewing Application.
  • William Osler Health Institute, Brampton (Sept 2015), Information Security Threat/Risk Analysis for Patient Record Viewing Application.
  • Trillium Health, Toronto (Mar 2016), SIEM Infrastructure Migration and Governance Review

Transportation Sector:
  • Air Canada, Montreal (Nov 2015), Privileged Password Management Architectural Review (CyberArk).
  • Metrolinx, Toronto (Feb 2016), Privileged Password Management Architectural Design (CyberArk). 
  • Teranet, Toronto (Sept 2016), Active Directory Risk Assessment and roadmap.
  • Teranet, Toronto (Oct 2016), Privileged Password Management Architectural Design (CyberArk).  
  • Teranet, Toronto (Nov 2016), Web Application Threat/Risk Analysis.

Industrial Supply:
  • Wajax, Mississauga (Sept 2015), Information Security Maturity Model (Cobit / ISO 27001 based)
  • Wajax, Mississauga (Oct 2015), Information Security Threat/Risk Assessment (ISO 27002 based)

 Speaking Engagements:
  • CIO Innovation Summit 2016 – Top CISO Concerns 2016
  • SC Congress 2016 – Top 4 CISO concerns
  • Sector  2015 – Cloud Security Access Brokers
  • DCD Converged Canada (Nov 2015)  - Cloud Security
  • SC Congress 2015 – Cloud Access Security Brokers
  • SC Congress 2015 – The Role of the CISO
  • CIO Innovation Summit 2015 – Identifying Corporate IS Risk
  • SC Congress 2014 – Privileged Identity Access
  • CyberArk Customer Event 2014 – Corporate Use Cases
  • CIO Innovation Summit 2014 – Cloud Security
  • Symantec Vision 2014 – Enterprise Single Sign-On
  • Symantec Vision 2014 – Enterprise Host Based Security
 Video:

 Services:
  • Office of the CISO - Consulting/Augmentation
  • Privacy Impact Assessment.
  • Information Security Program Threat/Risk Assessment.
  • Information Security Governance Maturity Model Assessment.
  • Application Threat/Risk Assessment.
  • Network Vulnerability Assessment.
  • Cloud Security Consultation and Architecture.
  • Cloud Provider Access Review.
  • SIEM Governance Review.
  • Perimeter Security Review and Architecture.
  • Network Security Zoning Review and Architecture.

The demise of excess access: A eulogy for traditional VPN
Specialty retail stores not safe from POS attacks

Posted by at No comments:
Labels: , , , , , , , , ,

Thursday, 12 November 2015

Toronto's 2015 SecTor Conference.

I feel utterly privileged to have attended this years SecTor Conference at the Metro Toronto Convention Center a few weeks ago now.

For those of you unaware of what Sector is, it is Toronto's pre-eminent Information Security Conference.  Anybody and everybody associated with IT Security is here. SecTor is not only an educational event, but a social one as well.  It is one of the annual events where Security Professionals congregate from around the province and indeed across the country. 


The schedule is hectic, with multiple tracks of discussion panels suited to a variety of current topics. 
Although the main conference is two days in length, there is a third day just before the conference for those who wish to participate in various Infosec educational courses. 
This years daily Infosec sessions can be found here: http://www.sector.ca/Program/Sessions

 Over the two days, there were four Keynotes:
All four of these speakers bring with them a wealth of experience and skill.  I was riveted to my seat the entire time.  

As for the actual Infosec discussions themselves, they were very wisely organized into a Technology track, a Management track, a Security Fundamentals track, and a Sponsor track.  Again, see http://www.sector.ca/Program/Sessions  for a drill down on the actual discussion topics for each. 

I wish I could tell you I saw them all, I *had* planned on jumping between several presentations, but each one I attended had me fully engaged. I can honestly say that SecTor went out of it's way to select exceptional topics and speakers for this event.
Part of the problem with committing to a track as an attendee is that the CSO Summit is co-hosted alongside SecTor!  The CSO Summit is co-sponsored by KPMG, and this year featured discussions by Kris Lovejoy, the former Global CISO if IBM, and Tim Rains, Chief Security Advisor, Microsoft.


The Expo Hall itself was huge, with a broad cross section of Infosec vendors from Educational Institutions, Compliance and Governance bodies, to Appliance and Software Vendors.  Securesense and  Fortinet showed off their "Forti-Express" a state-of-the-art rolling Briefing and Demo center. 

 Two things that grabbed my attention among all of the commotion in the Expo Hall were the "Lockpick Village" and the "Internet of Things Hack Lab".


The Lockpick Village has been a mainstay of SecTor for the past several years now. It's a free, full participation, workshop in using the standard tools of the trade to learn how to pick physical locks! Attendee times are recorded, with a prise at the end for the quickest time. The people sitting at these seats are among the happiest at the entire event. 

 

This year Tripwire introduced the Internet of Things Hack Lab. Employees from Tripwire, as well as one of their previous hackathon winners were onsite to  guide attendees into the world of IoT hacking. They brought samples of common IoT devices with them, and were willing to educate anyone who wanted to sit for a while and get an understanding of the security (or specifically lack thereof) of the Internet of Things.

SecTor was an overall success in my books.  They brought the right people to discuss relevant topics, the vendor space was very well represented, and the social quality was outstanding.  Thank you SecTor for once again putting on a remarkable event.

 

 




Posted by at No comments:
Labels: , , , ,
Location: Bowmanville, ON L1C 5P8, Canada

Wednesday, 14 October 2015

What is a Security Governance Review, and why do I need one?

Regardless of what service or product your company produces, Information is your most critical asset. The organization, management, and protection of that data could make or break your ability to stay operational in today's corporate environment.

 Many high-profile organizational failures over the past several years have driven home the requirement to adopt appropriate Information Systems policies, processes, and standards.

 Privacy requirements, regulatory compliance, shareholder and customer transparency are all mandating a more mature approach to Information Security.

 Your corporate reputation and well being depend on your ability to manage, organize, and protect your Information Assets.




This article, and the next few, will try at a high level to explain the various tools we can use to assess and document your roadmap to Information Security Maturity.


Let's start with the definition of an Information Security Governance Maturity Model:
An Information Security Governance Maturity Model is a representation of how well your company understands, organizes, manages, and maintains security controls and processes specific to your Corporate Information assets.

 There are a few models to chose from, but the Industry accepted standard is the 6-level COBIT maturity model, which is based on work pioneered at the Software Engineering Institute at Carnegie Mellon, to evaluate each of the ISO 27002:2013 security control groups.   

 That said, the ISO 27002:2013 security control groups, in and of themselves are the Industry Standard set of controls - based on 18 specific sections - that provide guidance in protecting your corporate assets.

 The COBIT definitions for the 6 levels of maturity are:

0 – Non-existent – Management processes are nonexistent or not applied

  • Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.

1 – Initial – Processes are ad hoc and disorganized

  • There is evidence that the organization has recognized that the issues exist and need to be addressed. There are, however, no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.

2 – Repeatable – Processes follow a regular pattern
  • Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 – Defined – Processes are documented and communicated
  • Procedures have been standardized and documented, and communicated through training. However, it is left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 – Managed – Processes are monitored and measured
  • It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 – Optimized – Best practices are followed and automated
  • Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. Information technology is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

 To understand where your company sits with respect to each of the ISO 27002:2013 security control groups, you would engage a non-biased 3rd party to conduct a Security Governance Review. This review would be an immersive engagement between the Security Assessors and various members of your organization. Everyone from Human Resources, Privacy, IT administrators, Network Administrators, Database Administrators, Software Developers, Project and Change Managers, Internal Auditors, and Corporate Executive.
A Security Governance Review  (SGR) provides guidance for Corporate Executives and Board of Directors in establishing and maintaining an appropriate Information Security programme within your company.

A Security Governance Review provides critical feedback regarding the adequacy of existing controls and safeguards in maintaining your security posture.  This feedback can provide guidance in the reduction and/or mitigation of Information Security risks within the company.

Typically, this report would consist of a high level executive summary of your organization's maturity levelsacross the ISO security domains, compared to peers in your particular industry.  Remediation recommendations and a roadmap to completion would usually be included.  Most Security assessors would also deliver the detailed ISO27002:2013 working sheets with which the domains have been assessed.

 The Radar Map to the right represents a sample posture map compared to a baseline of your industry.

This chart illustrates, by ISO 27002:2013 control area, the areas which Acme Widgets Inc. is performing at a evaluated level to its industry peers (yellow within the red boundary), and the areas which Acme Widgets Inc. is evaluated to be performing at a level below its industry peers (yellow outside the red boundary), as along with the relative degree of effort required to accomplish improvements (more yellow exposed = more effort).
You will want to periodically (annually?) review this maturity model to ensure that you are on track as things change both outside and within your organization. This periodic review will allow you to show metrics regarding your security governance programme growth.



In future posts, we will be discussing the following:
  • What is a Threat Risk Assessment?
  • What is a Privacy Impact Assessment?
  • What is a Vulnerability Assessment?
  • What is a Penetration Test?



Sections of the ISO27002:2013 
 5. Security Policy Management
 6. Corporate Security Management
 7. Personnel Security Management
 8. Organizational Asset Management
 9. Information Access Management
10. Cryptography Policy Management
11. Physical Security Management
12. Operational Security Management
13. Network Security Management
14. System Security Management
15. Supplier Relationship Management
16. Security Incident Management
17. Security Continuity Management
18. Security Compliance Management
References:
ISACA: Information Security Governance Guidance for Boards of Directors and Executive Management
Comparing different information security standards: COBIT vs. ISO 27001  
ISACA: Assessing IT Security Governance Through a Maturity Model and the Definition of a Governance Profile 
ISO 27002:2013 in plain English.
ISO/IEC 27002:2013 Information technology — Security techniques -Code of practice for information security controls 
Wikipedia: ISO27002 
http://www.securityprocedure.com/control-objectives-information-and-related- technology-cobit 

Posted by at 1 comment:
Labels: , , , ,
Location: Bowmanville, ON L1C 5P8, Canada

Friday, 25 September 2015

From Blueline to BlueZone - PCI Tokenization Matures

Last year, I wrote about a new Canadian company that had entered the Compliance Appliance market space.  Blueline Data had developed a tokenization gateway that would help you define and isolate your PCI compliance scope boundary.  This isolation was not only for Point Of Sale and Web Merchant portals (Shopping portal), but for Telephony and Unified Communications traffic as well!  This was a revolutionary step in this industry. Several other companies had tokenization systems available for structured and/or unstructured data, however no one had a viable solution that would also cover voice and unified communications. 


A lot has gone on in the past year, and I decided to revisit them, to see where their technology has progressed...

 

Last year, Forrester issued a paper defining the requirements necessary to secure data into the future, and discussing the technologies that will get us there. The Document titled "TechRadar™: Data Security, Q2 2014", states clearly that you need to:
  • Restrict and strictly enforce access control to data. This includes denying access to unauthorized persons or blocking their attempts to gain access.
  • Monitor and identify abnormal patterns of network or user behavior. This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (e.g., improper or excessive use of entitlements such as bulk downloads of sensitive customer information).
  • Block exfiltration of sensitive data. These are tools or features of tools that detect, and optionally prevent, violations to policies regarding the use, storage, and transmission of sensitive data.
  • Render successful theft of data harmless. Once you’ve identified your most sensitive data, the best way to protect it is to “kill” it.6 “Killing” data through encryption, tokenization, and other means renders the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market.
The first three have been the bread and butter of the Information Security industry for the past 20 years or so.  From firewalls and both signature and heuristics based Intrusion Detection/Prevention, to Data Loss Prevention systems, the industry has been diligently protecting our perimeters.


It's that fourth one that I'm interested in here.  "Render successful theft of data harmless."  In other words, replace any valuable data such as Payment Card Info, Personal Health Info, Social Insurance Numbers, etc... with a "token" that has no value to would be thieves. These tokens can be made to preserve the format requirements of the original data, so as not to break backend processing, as well as including search/index criteria. 
To properly provide security through tokenization, one must be able to implement it not only on the server side for data at rest, but also for data in transit, as well as at the client side, such that the relevant sensitive data never even leaves the client's network.
What if, there was a service... APIs that could provide tokenization either at the client browser, or as data is passed to cloud apps?



I know that I'm not new to this train-of-thought, but the cost of non-compliance is growing exponentially. 
Financial Damage can be insured against... Reputational damage cannot.


As I said... a lot has gone on in the past year.  Blueline has matured from just providing on-premise gateway appliances, to hosting Compliance Services in the cloud.  

Blueline is about to introduce several hosting options.  You can still get on-premise control if that is what you desire, but that has been augmented with  co-located gateway services as well as true Cloud based "Compliance as a Service"  Tokenization/Encryption through APIs. 

Another move that Blueline has made it to provide "Diskless Tokenization".  Typically, tokenization services keep a very secure database in a cryptographic vault.  This database would include a table of  sensitive data to token pairs that are used to index and manage the tokens.  Across the industry,  customers have expressed concern over having this database, even though it is protected in a vault.  Complaints from too much residual risk, to database latency in very large token pair tables (tens or hundreds of millions of pairs) have driven out an alternate solution.

Blueline has introduce a diskless solution that creates a "derived" token using a one time pad, without the need for the data/token pairs to be stored. These derived tokens, can be recalculated from some secret value that do not need to be stored in a database.


Blueline has created two new offerings:

bluegrid™ is a turnkey solution for  "Compliance in a Box".  It is a standard 19" cabinet, consisting of a series of redundant "bluenodes™" that provide the various security, and compliance services required for a self contained Compliance DMZ. It can be installed in your own data center, or hosted externally for you.  Applying the "Zero Trust" model, bluegrid™ encapsulates your sensitive application environment and provides a full security stack to protect that environment, from firewall, IPS, authentication store, tokenization, encryption, logging and storage.


A standard bluegrid™ rack would consist of a mix of the following bluenode™ appliances:

bluenode tx - Traffic Manager (zero-impact deployment)
bluenode dx - Data Gateway (financial network integration)
bluenode cx - Cyber Vault (diskless tokenization, encryption)
bluenode ix - Identity Manager (device and service access)
bluenode ex - Event Manager (logging and event analytics)
bluenode sx - Storage Block (low-latency shared storage)


bluegrid™ can centralize and limit most of your PCI compliance scope to a single rack in the data center. (Point-of-Sale systems excluded)


bluezone™ takes this one step further, providing a Cloud based Security Infrastructure - leveraging APIs to isolate the sensitive data outside of your IT environment and enabling secure financial or other confidential data processing and exposing the following security services: 
  • Tokenization–replacement of the original sensitive data with a risk-free replica for secure transmission, processing or storage
  • Encryption–military-grade cryptographic protection of digital content
  • Key Management–cryptographic key storage and lifecycle control
  • Payment Gateway–secure real-time and offline merchant acquirer processing of tokenized e-commerce and m-commerce transactions
  • Credit Scoring–secure personal or commercial credit check against a credit bureau, reference agency or central bank
  • Address Verification–secure cardholder address validation
  • Issuer Reconciliation–transaction batch transfer to issuer bank
  • Digital Wallet–secure checkout for merchant commerce sites and mobile applications with the e-wallet payment method
bluezone™ can effectively remove most of your PCI compliance scope from your environment altogether.(Point-of-Sale systems excluded)



Forrester TechRadar report on Data Security Q2 2014 clearly shows Tokenization having "Significant Success" in securing sensitive data.






Resources:

http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html
http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109
https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547
http://www.mashery.com/blog/tokenization-and-api-gateways-future-mobile-commerce
http://www.mastercard.com/gateway/payment-processing/tokenization.html
https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/
http://www.protegrity.com/2012/02/differences-between-vault-based-tokenization-and-vaultless-tokenization/
http://www.protegrity.com/wp-content/uploads/2013/04/Protegrity-Vaultless-Tokenization-Fact-Sheet.pdf
https://securosis.com/blog/token-vaults-and-token-storage-tradeoffs
https://en.wikipedia.org/wiki/One-time_pad
https://en.wikipedia.org/wiki/Tokenization_(data_security)
https://www.voltage.com/technology/tokenization-and-key-management/hp-secure-stateless-tokenization/
http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf
http://www.bluelinex.com/trends.html
http://www.bluelinex.com/resources/blp204_osfi_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_pci_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_hipaa_compliance_sheet.pdf
http://searchcloudsecurity.techtarget.com/tutorial/PCI-and-cloud-computing-Cloud-computing-compliance-guide
http://www.crn.com/news/managed-services/300075263/2015s-big-opportunity-for-msps-compliance-as-a-service.htm
http://www.infoworld.com/article/2622986/risk-management/the-case-for-compliance-as-a-cloud-service.html




Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)