Security for a Faster World
Issue 2, 2012

In this issue:
[SEE] How the Cloud and Mobile Ruined Your Security Plan
[UNDERSTAND] Understanding the Connection Between Security and Compliance
[ACT] The Essential Steps to Comprehensive Security

SEE
Cloud Risks

Cloud-based consumer services, such as those that offer email or data storage, can pose a serious risk to your company's security because these services allow employees to store data, including confidential information, outside of your network, beyond the reach of your security measures. These clouds are aimed at the consumer market, and thus rarely offer enterprise-grade security. For this reason, many enterprises ban employee use of services like Dropbox and Gmail from devices connected to their networks. These bans can be enforced by blocking the domains and IP ranges of the services concerned at the corporate firewall. Next-generation firewalls like HP TippingPoint's can also ban some services by identifying their traffic signatures.

Cloud services aimed at enterprises, such as those offering sales force automation and customer relationship management applications, are usually built with corporate security in mind and pose less of a security risk. But to get the benefits of cloud computing while minimizing security risk, many companies choose to run enterprise applications in their own private cloud using virtualization and cloud offerings from vendors like VMware. Securing a private cloud environment requires a comprehensive security suite like HP's Enterprise Security, which combines its ArcSight, Fortify and TippingPoint security products with VMware's cloud infrastructure. This type of unified approach provides comprehensive protection, context and visibility for securing cloud environments. In particular, HP TippingPoint's Secure Virtualization Framework (SVF) is designed specifically to provide threat protection in virtualized environments. It extends HP TippingPoint's proven physical data center processes, methodologies, tools and knowledge, and it leverages its industry-leading Next Generation IPS, threat research capabilities, breadth of protection, ease of use and automation to secure private cloud operations.

Back to Contents
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
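The Cloud Risks section above describes two controls for a ban on consumer cloud services: blocking their domains and blocking their IP ranges. The following is an added example, not code from the magazine or from HP, that applies both rules to web-proxy log lines to find requests the firewall should have stopped. The log format, the client addresses and the blocked address range (TEST-NET-3) are constructed for the example; only the domain names of the banned services named in the text are real, and a real policy would load the providers' current address ranges.

```python
"""Added example (not from the magazine or from HP): enforcing a ban on consumer
cloud services by matching web-proxy log lines against blocked domains and
IP ranges. Log format, client addresses and the blocked range are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed policy. A blocked domain matches itself and every subdomain.
BLOCKED_DOMAINS = {"dropbox.com", "gmail.com"}
# Placeholder range (TEST-NET-3) standing in for a service's published
# address space; a real deployment would load the provider's current ranges.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def domain_is_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one. Suffix matching
    is done on whole labels, so 'www.dropbox.com' matches while the
    look-alike 'notdropbox.com' does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_is_blocked(addr: str) -> bool:
    """True if addr falls inside any blocked range; non-addresses never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_RANGES)


def check_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one constructed log line of the form
    '<timestamp> <client_ip> <requested_host> <resolved_dest_ip>' and return
    (client_ip, requested_host, reason) when the request should have been
    blocked, or None when it is allowed. The domain rule is checked first;
    the IP-range rule catches clients that skip DNS and connect to an
    address directly, which is why the text calls for both controls."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line; a real deployment would count these
    _timestamp, client_ip, host, dest_ip = parts
    if domain_is_blocked(host):
        return (client_ip, host, "blocked-domain")
    if ip_is_blocked(dest_ip):
        return (client_ip, host, "blocked-ip-range")
    return None


# Constructed sample proxy log: an allowed enterprise host, a subdomain hit,
# a look-alike that must not match, a direct-IP bypass and a second domain hit.
SAMPLE_LOG = """\
2012-06-01T09:00:01 10.1.2.3 crm.example.com 192.0.2.10
2012-06-01T09:00:07 10.1.2.3 www.dropbox.com 192.0.2.20
2012-06-01T09:01:15 10.1.2.4 notdropbox.com 192.0.2.30
2012-06-01T09:02:42 10.1.2.5 203.0.113.7 203.0.113.7
2012-06-01T09:03:10 10.1.2.6 mail.gmail.com 192.0.2.40
"""


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return every violation found in the log, in log order."""
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client_ip, host, reason in audit(SAMPLE_LOG):
        print(f"{client_ip} -> {host}: {reason}")
```

The label-wise suffix match matters in practice: a naive `host.endswith("dropbox.com")` would also block the unrelated look-alike domain, and a naive substring match would miss nothing but block far too much. The direct-IP line shows why a domain blocklist alone is insufficient, since a client that already knows the address never issues a DNS query for it.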
Mobile Risks

The new risks that mobile devices introduce into your business fall under two broad categories: device risks and application risks.

Device Risks

To get an idea of what device risk means, consider an employee who uses a smartphone, whether it's her own or one issued by the corporate IT department, to access her corporate email account and store confidential documents. If the employee's device is lost or stolen, all the data it contains could be compromised. Likewise, if the employee uses an app provided by a cloud-based storage service to access a file over an unsecured Wi-Fi network that's being monitored by a malicious hacker, that file (and potentially all the others stored in that cloud storage account) could be accessed by the hacker. And what if an app, or an email downloaded to the device, contains a virus? Few mobile device users bother with anti-virus solutions, so when the user walks in through the door of your offices with that device and connects to the corporate network, he could easily be introducing malware onto your network.

Application Risks

There's an additional problem posed by mobile apps themselves. Malicious apps may have the ability to access sensitive data, such as contact information or emails stored on the mobile device, and to send this information to a third party. In theory, this type of unexpected behavior should not be possible on Apple's iOS-based devices, since every app is vetted before being made available in the App Store. However, in practice this vetting may be no more than cursory. Apps made for other mobile operating systems, such as Android, undergo no such vetting procedure. That means a user could easily and unwittingly install a rogue app that poses as a game but is designed to steal data, such as corporate email and attachments, from devices.

But there's another type of app risk. Any apps, whether downloaded from third-party sources or developed in-house, that allow your staff or customers to access your backend systems can contain vulnerabilities that could be exploited by hackers to compromise your security. Commonly seen mobile vulnerabilities include:

Insecure data storage
Insufficient transport layer protection
Weak server-side controls
Client-side injection
Poor authorization and authentication
Broken cryptography

A sensible solution is to require employees to download apps to their devices from a single, trusted source, your own corporate app store, if they want to be able to use the devices on your network. A corporate app store can include publicly available apps, which would normally be downloaded from sites such as Apple's iTunes store or Google Play, as well as corporate apps developed in-house. Only applications that have been vetted by your own security staff are then offered in this app store. An effective way to carry out this vetting procedure is to use a security solution like HP's Fortify Software Security Center. This is a suite of tightly integrated solutions for detecting, fixing and preventing security vulnerabilities in applications. Fortify Software Security Center helps detect vulnerabilities in existing applications, whether developed in-house or supplied by an external developer, using security testing that identifies vulnerabilities throughout the application lifecycle with static, dynamic and integrated application testing. It also supports secure application development by automating the management, tracking, remediation and governance of enterprise software risk. In addition, Fortify Software Security Center can be used to help ensure that every single line of code your in-house developers write for iOS or Android applications, whether for staff or customer use, is secure.

In Summary

Mobile devices and cloud services fundamentally change the way your enterprise network and the data stored on it need to be protected. Securing the perimeter is no longer sufficient. You must take specific steps like the ones outlined above to mitigate the new risks they introduce. At the same time, you can't ignore the traditional risks. It's still necessary to ensure that your network perimeter is protected by a firewall, an intrusion prevention system, and a security information and event management (SIEM) solution like HP's ArcSight for collecting, analyzing and assessing security events as they occur. Using a combination of ArcSight, TippingPoint and Fortify, it is possible to focus on fundamental security concepts when addressing the new security challenges of cloud and mobile. The solid fundamentals covered by HP's security suite can help ensure an acceptable level of risk is maintained across your organization.
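Two items on the list of commonly seen mobile vulnerabilities in the Application Risks section above, weak server-side controls and poor authorization, usually show up together: the backend that a mobile app talks to verifies that the caller is logged in, but then trusts whatever account identifier the app sends. The following is an added example, not code from the magazine or from HP, showing such a document-fetch endpoint in its vulnerable form beside a hardened one, with a check of the kind an application security test would run against it. The session tokens, accounts and documents are constructed, and the handler names are hypothetical.

```python
"""Added example (not from the magazine or from HP): a backend endpoint that
a mobile app calls to fetch a document, written twice. The vulnerable version
authenticates the caller but reads the document's owner from the request, so
any logged-in user can read any account's documents by changing that field.
The hardened version takes the account from the server-side session and
checks ownership. All sessions, accounts and documents are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed server-side state: session tokens issued at login, and each
# account's documents.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
DOCUMENTS: Dict[str, Dict[str, str]] = {
    "alice": {"q3-forecast.xlsx": "alice's confidential forecast"},
    "bob": {"expenses.pdf": "bob's expense report"},
}


class AuthError(Exception):
    """The caller presented no valid session."""


class Forbidden(Exception):
    """The caller is authenticated but may not see the requested resource."""


@dataclass
class Request:
    token: str                                            # bearer token sent by the app
    params: Dict[str, str] = field(default_factory=dict)  # client-supplied parameters


def authenticate(req: Request) -> str:
    """Map the session token to a user. This answers 'who is calling', not
    'what is the caller allowed to see'."""
    user = SESSIONS.get(req.token)
    if user is None:
        raise AuthError("invalid or expired session")
    return user


def fetch_document_vulnerable(req: Request) -> str:
    """Authentication only (hypothetical vulnerable handler): the owner of the
    document comes from the request, so ownership is never checked."""
    authenticate(req)
    owner = req.params["account"]
    return DOCUMENTS[owner][req.params["name"]]


def fetch_document_hardened(req: Request) -> str:
    """Authentication plus authorization (hypothetical hardened handler): the
    account is the session's user, and a client-supplied 'account' that
    disagrees is refused. A missing document gets the same response as a
    foreign one, so the endpoint does not reveal which names exist elsewhere."""
    user = authenticate(req)
    if req.params.get("account", user) != user:
        raise Forbidden("access denied")
    doc = DOCUMENTS[user].get(req.params["name"])
    if doc is None:
        raise Forbidden("access denied")
    return doc


def cross_account_read(handler: Callable[[Request], str]) -> Optional[str]:
    """Security-test check: Bob, holding a valid session, asks for Alice's
    document. Returns the content if the handler leaks it and None if the
    handler refuses."""
    req = Request("tok-bob", {"account": "alice", "name": "q3-forecast.xlsx"})
    try:
        return handler(req)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_read(fetch_document_vulnerable))
    print("hardened handler leaks:  ", cross_account_read(fetch_document_hardened))
```

The point for a vetting process like the one the text describes is that static or dynamic testing of the app alone would not catch this: the app may behave perfectly, and the defect lives entirely in the server's missing ownership check, which is why the backend has to be in scope for the same review.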
Back to Contents
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
UNDERSTAND
advancements and greater penalties for breaches, says Naveen Hegde, Senior Market Analyst, IDC Asia/Pacific in Bangalore, India. "Organizations need to realize that having a policy or being compliant is not enough to make an organization secure. It just means that they are following certain best practices, trying to be one step ahead of those who seek to attack them."

"Compliance usually does not encompass all that is needed to be considered secure," says Chris Hadnagy, author of Social Engineering: The Art of Human Hacking and Chief Human Hacker for the social engineering penetration testing and training firm, Social-Engineer.com. "Although it is a good start it is not the reality of the matter when it comes to security."

There are several factors that limit the effectiveness of security regulations. Regulations tend to be backward, rather than forward, looking. Just as generals are known to fight the last war, regulations are often passed to deal with a problem that no longer exists. For example, in the United States, the Sarbanes-Oxley Act of 2002 was passed in response to the October 2001 collapse of the energy firm Enron Corp. The law was designed to improve the control over and transparency of public corporations' finances, but because compliance costs can run into the millions of dollars for a single corporation, some corporations went private to avoid having to comply, and new, small companies would list on the London rather than the New York stock exchange. In addition to the high costs of compliance, a major part of the problem was that executives faced jail time if errors were later found in the financial statements.

"Sometimes regulations are strong enough that complying with them gives you all the security you need," says security technologist and author Bruce Schneier, Chief Security Technology Officer of BT. "And sometimes regulations are severe enough that the risk of non-compliance is greater than whatever risk the regulation is supposed to mitigate."

In addition, regulatory and standards processes are slow. It can take years for a law or standard to be promulgated, debated, modified, passed and enforced. New security threats appear on a daily basis, too fast for regulations and standards to keep up, and hackers rapidly respond to new security measures with new attack techniques. Schneier cites the example of two-factor authentication, which not long ago was touted as a solution to identity theft. "The argument was that if stealing passwords was no longer a useful attack tool, then identity theft would stop," he says. "Of course this didn't happen. Instead, the rise of two-factor authentication simply forced the criminals to change their attack tactics. So now, instead of passive eavesdropping and offline password guessing attacks, we're seeing more man-in-the-middle and Trojan attacks."

Then there are the related matters of specificity and applicability. No two organizations have exactly the same IT systems or business needs. Since regulations need to take a one-size-fits-all approach, they end up either too strict, limiting the ability of companies to innovate, or too broad, providing limited guidance.
HP also has a comprehensive portfolio of products to eliminate the threats that are found. HP Fortify Software Security Center tests software to identify the weak points and then tracks their resolution. HP TippingPoint Next Generation Intrusion Protection Systems provide up-to-the-minute protection against the latest threats. They can block attacks by geographical source or destination at the application layer, rather than by port or protocol. The HP ArcSight Security Intelligence platform collects, analyzes and assesses security events so that both outside and inside attacks can be rapidly identified, prioritized and addressed. With such tools, together with knowledgeable staff, compliance becomes a baseline not to fall below rather than an upper bound to reach. The organization will have the flexibility and agility to rapidly respond to changing business needs while maintaining and improving security.

"Many organizations are just worried about meeting the growing number of regulations governing the security of data," says IDC's Hegde. "But they fail to realize that this is not a one-time effort, but a continuous cycle. It is important to keep security up-to-date and risk assessment exercises ongoing, from time to time, to avoid security lapse."
ACT
percent of cyber attacks were criminally motivated, 42 percent had an activist motivation (such as the DDoS attacks against major U.S. banking websites), 3 percent were espionage and 1 percent were cyber warfare. While no type of entity was exempt from attack, governmental, industry and financial institutions were prime targets. SQL Injection and DDoS were the most common techniques used that month, followed by defacement, targeted attack, DNS hijack and password cracking. But to be secure, one needs to look much broader. Other techniques he lists include: account hijacking, Java vulnerability, Shamoon Malware, social engineering, Advanced Persistent Threat (APT) attacks, key loggers, Man-in-The-Browser (MiTB) trojans, Remote Access Trojans (RAT), WordPress vulnerability, spam, Trojans, Spear Phishing, application vulnerabilities, DNS poisoning and XSS.
Of course, simply guarding against the latest attacks is not going to protect you from what comes next. "To take an obvious physical analogy," says Schneier, "if you spend all your time studying the mechanics of door locks, you will be taken by surprise when a burglar kicks the door down." If there is a way to attack, it will be found and used. And, as the list above shows, it is not enough to have tools in place to detect and block malware or attacks. Your weakest link is still your personnel.

"There is no easier way to get into the network or building or the account than social engineering," says Chris Hadnagy, author of Social Engineering: The Art of Human Hacking and Chief Human Hacker for the social engineering penetration testing and training firm, Social-Engineer.com. "And it works. Hackers used social engineering in almost every attack we read about last year."

Hadnagy runs the Capture the Flag (CTF) social engineering contest at the annual Def Con hackers' conference. At Def Con 20, held in Las Vegas in September 2012, 20 participants were given 20 minutes each to contact major companies such as FedEx, AT&T, Shell and Wal-Mart to obtain information. Since this was a game, not a criminal operation, the participants did not try to obtain information such as bank accounts or passwords, but they did manage to find out data concerning disk encryption, website blocking, antivirus software, browser versions, mail client versions and OS service packs. The final reports detailing the results of this and earlier CTF contests can be found on the Social-Engineer.org website and make interesting reading.

"Whereas virus scanners and IDS systems can fix some problems, they cannot combat social engineering attacks," says Hadnagy. "It is a true blend of security services that will make the difference and create an atmosphere of security."
the task easier for its clients, HP has been assembling, through development and acquisition, a comprehensive set of security tools that work together as an integrated whole. In 2010, HP acquired network security firm TippingPoint, adding TippingPoint's intrusion prevention systems software to the HP portfolio. Headquartered in Austin, Texas, DVLabs (Digital Vaccine Laboratories), which joined HP as part of the TippingPoint acquisition, is a premier security research organization ensuring customers receive preemptive protection for vulnerabilities, including zero-day issues. But networks aren't the only part of the IT enterprise requiring protection, so that same year HP also acquired Fortify Software. The HP Fortify Software Security Center is a suite of integrated solutions for detecting, preventing and fixing application security vulnerabilities. These tools cover the entire software lifecycle, beginning with ongoing testing and remediation tracking during the development process. Then, for a high-level, business-centric view of IT risk management, there is HP EnterpriseView, which conducts automated security audits, generates weighted vulnerability assessments and presents the Chief Information Security Officer with a real-time graphical and report-based identification of risks. EnterpriseView maps the risk data to the business services, providing a common framework that makes sense to both the security experts and business executives. Then it is a matter of prioritizing the risks and, one by one, shutting down the vulnerabilities.

"In today's digital economies, you are under great pressure to innovate, and innovation on any technology also innovates the threats," says Richard Zaluski, President and CEO of the Center for Strategic Cyberspace and Security Science (CSCSS) in London. "Some are known, some are unknown and may lie dormant, but they are there. Employing a comprehensive security strategy won't make those threats go away, but it will lower the risk and make it easier to respond when they come out of their dormancy."