
Security for a Faster World

In this issue:

How the Cloud and Mobile Ruined Your Security Plan
Understanding the Connection Between Security and Compliance
The Essential Steps to Comprehensive Security

Issue 2, 2012

Contents

Contributors: Drew Robb and Paul Rubens.

[SEE] How the Cloud and Mobile Ruined Your Security Plan
[UNDERSTAND] Understanding the Connection Between Security and Compliance
[ACT] The Essential Steps to Comprehensive Security


How the Cloud and Mobile Ruined Your Security Plan


By Paul Rubens
Enterprise IT security was once largely a matter of securing the perimeter of your enterprise infrastructure and maintaining tight control over what went in or out, but that kind of approach to security is simply no longer effective. That's because it was never designed to cope with today's plethora of tablets, smartphones and other mobile devices, or with the increasing number of applications that are running in the cloud. Bring your own device (BYOD) initiatives and the consumerization of business tools mean that your organization's employees can now browse the Internet, access cloud-based services, download and store information, and carry out business wherever they are, and none of these activities is protected by traditional perimeter defenses.

SEE

Cloud Risks
Cloud-based consumer services, such as those that offer email or data storage, can pose a serious risk to your company's security because these services allow employees to store data, including confidential information, outside of your network, beyond the reach of your security measures. These clouds are aimed at the consumer market, and thus rarely offer enterprise-grade security. For this reason, many enterprises ban employee use of services like Dropbox and Gmail from devices connected to their networks. These bans can be enforced by blocking the domains and IP ranges of the services concerned at the corporate firewall. Next-generation firewalls like HP TippingPoint's can also ban some services by identifying their traffic signatures. Cloud services aimed at enterprises, such as those offering sales force automation and customer relationship management applications, are usually built with corporate security in mind and pose less of a security risk. But to get the benefits of cloud computing while minimizing security risk, many companies choose to run enterprise applications in their own private cloud, using virtualization and cloud offerings from vendors like VMware. Securing a private cloud environment requires a comprehensive security suite like HP's Enterprise Security, which combines its ArcSight, Fortify and TippingPoint security products with VMware's cloud infrastructure. This type of unified approach provides comprehensive protection, context and visibility for securing cloud environments. In particular, HP TippingPoint's Secure Virtualization Framework (SVF) is designed specifically to provide threat protection in virtualized environments. It extends HP TippingPoint's proven physical data center processes, methodologies, tools and knowledge, and it leverages its industry-leading Next Generation IPS, threat research capabilities, breadth of protection, ease of use and automation to secure private cloud operations.

Mobile Risks
The new risks that mobile devices introduce into your business fall under two broad categories: device risks and application risks.

Device risks stem from the fact that corporate or employee-owned mobile devices are a new class of powerful computer, over which the organization has far less control compared to desktop machines or corporate-controlled laptops.

Application risks result from your employees installing and running apps (over which you may also have little or no control) on their mobile devices, but which may interact with corporate data stored on the devices or with your corporate applications. There are also application risks if you develop your own mobile apps for employees or customers, as security flaws may lead to these apps compromising your network and corporate or customer data.

Device Risks
To get an idea of what device risk means, consider an employee who uses a smartphone, whether it's her own or one issued by the corporate IT department, to access her corporate email account and store confidential documents. If the employee's device is lost or stolen, all the data it contains could be compromised. Likewise, if the employee uses an app provided by a cloud-based storage service to access a file over an unsecured Wi-Fi network that's being monitored by a malicious hacker, that file (and potentially all the others stored in that cloud storage account) could be accessed by the hacker. And what if an app, or an email downloaded to the device, contains a virus? Few mobile device users bother with anti-virus solutions, so when the user walks in through the door of your offices with that device and connects to the corporate network, he could easily be introducing malware on to your network.

Application Risks
There's an additional problem posed by mobile apps themselves. Malicious apps may have the ability to access sensitive data, such as contact information or emails stored on the mobile device, and to send this information to a third party. In theory, this type of unexpected behavior should not be possible on Apple's iOS-based devices, since every app is vetted before being made available in the App Store. However, in practice this vetting may be no more than cursory. Apps made for other mobile operating systems, such as Android, undergo no such vetting procedure. That means a user could easily and unwittingly install a rogue app that poses as a game but is designed to steal data, such as corporate email and attachments, from the device. But there's another type of app risk. Any apps, whether downloaded from third-party sources or developed in-house, that allow your staff or customers to access your backend systems can contain vulnerabilities that could be exploited by hackers to compromise your security. Commonly seen mobile vulnerabilities include:

Insecure data storage
Insufficient transport layer protection
Weak server side controls
Client side injection
Poor authorization and authentication
Broken cryptography

A sensible solution is to require employees to download apps to their devices from a single, trusted source, your own corporate app store, if they want to be able to use the devices on your network. A corporate app store can include publicly available apps, which would normally be downloaded from sites such as Apple's iTunes store or Google Play, as well as corporate apps developed in-house. Only applications that have been vetted by your own security staff are then offered in this app store. An effective way to carry out this vetting procedure is to use a security solution like HP's Fortify Software Security Center. This is a suite of tightly integrated solutions for detecting, fixing and preventing security vulnerabilities in applications. Fortify Software Security Center helps detect vulnerabilities in existing applications, whether developed in-house or supplied by an external developer, using security testing that identifies vulnerabilities throughout the application lifecycle with static, dynamic and integrated application testing. It also supports secure application development by automating the management, tracking, remediation and governance of enterprise software risk. In addition, Fortify Software Security Center can be used to help ensure that every single line of code your in-house developers write for iOS or Android applications, whether for staff or customer use, is secure.

In Summary
Mobile devices and cloud services fundamentally change the way your enterprise network and the data stored on it need to be protected. Securing the perimeter is no longer sufficient. You must take specific steps like the ones outlined above to mitigate the new risks they introduce. At the same time, you can't ignore the traditional risks. It's still necessary to ensure that your network perimeter is protected by a firewall, an intrusion prevention system, and a security information and event management (SIEM) solution like HP's ArcSight for collecting, analyzing and assessing security events as they occur. Using a combination of ArcSight, TippingPoint and Fortify, it is possible to focus on fundamental security concepts when addressing the new security challenges of cloud and mobile. The solid fundamentals covered by HP's security suite can help ensure an acceptable level of risk is maintained across your organization.

Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.


UNDERSTAND

Understanding the Connection Between Security and Compliance


By Drew Robb
IT operates under an ever-expanding array of laws regulating its conduct. In the United States, corporations need to comply with Sarbanes-Oxley, government agencies with the Federal Information Security Management Act (FISMA), financial firms with Gramm-Leach-Bliley, colleges with the Family Educational Rights and Privacy Act (FERPA), healthcare providers with the Health Insurance Portability and Accountability Act (HIPAA) and publicly accessible websites with the Americans with Disabilities Act (ADA). It's a worldwide concern. The U.K. has its Data Protection Act 1998, Argentina its Personal Data Protection Act, Australia its Privacy Act, Japan its Act on the Protection of Personal Information and the EU its Data Protection Directive. India has its IT Security Act and Singapore a Computer Misuse Act. Then there are all the security standards issued by organizations such as the National Institute of Standards and Technology (NIST) and the ISO 27000 series of information security standards. Failing to comply with a security law can result in financial penalties or even jail time, and such regulations should be followed. However, just as someone complying with the laws governing driving speed can still get in a serious accident, so can a company in compliance with security regulations still suffer a security breach. Compliance does not equal security.

"Many Asian countries seek to enact new laws or amendments which supplement the Personal Data Privacy with specific focus on technological advancements and greater penalties for breaches," says Naveen Hegde, Senior Market Analyst, IDC Asia/Pacific in Bangalore, India. "Organizations need to realize that having a policy or being compliant is not enough to make an organization secure. It just means that they are following certain best practices, trying to be one step ahead of those who seek to attack them."

The Shortcomings of Regulation


Theoretically, following regulations and guidelines should provide a good method for achieving a secure computing environment. But theory is not practice, and using compliance as the security standard is destined for failure.


"Compliance usually does not encompass all that is needed to be considered secure," says Chris Hadnagy, author of Social Engineering: The Art of Human Hacking and Chief Human Hacker for the social engineering penetration testing and training firm Social-Engineer.com. "Although it is a good start, it is not the reality of the matter when it comes to security."

There are several factors that limit the effectiveness of security regulations. Regulations tend to be backward, rather than forward, looking. Just as generals are known to fight the last war, regulations are often passed to deal with a problem that no longer exists. For example, in the United States, the Sarbanes-Oxley Act of 2002 was passed in response to the October 2001 collapse of the energy firm Enron Corp. The law was designed to improve the control over and transparency of public corporations' finances, but because compliance costs can run into the millions of dollars for a single corporation, some corporations went private to avoid having to comply, and new, small companies would list on the London rather than the New York stock exchange. In addition to the high costs of compliance, a major part of the problem was that executives faced jail time if errors were later found in the financial statements.

"Sometimes regulations are strong enough that complying with them gives you all the security you need," says security technologist and author Bruce Schneier, Chief Security Technology Officer of BT. "And sometimes regulations are severe enough that the risk of non-compliance is greater than whatever risk the regulation is supposed to mitigate."

In addition, regulatory and standards processes are slow. It can take years for a law or standard to be promulgated, debated, modified, passed and enforced. New security threats appear on a daily basis, too fast for regulations and standards to keep up, and hackers rapidly respond to new security measures with new attack techniques. Schneier cites the example of two-factor authentication, which not long ago was touted as a solution to identity theft. "The argument was that if stealing passwords was no longer a useful attack tool, then identity theft would stop," he says. "Of course this didn't happen. Instead, the rise of two-factor authentication simply forced the criminals to change their attack tactics. So now, instead of passive eavesdropping and offline password guessing attacks, we're seeing more man-in-the-middle and Trojan attacks."

Then there are the related matters of specificity and applicability. No two organizations have the exact same IT systems or business needs. Since regulations need to take a one-size-fits-all approach, they end up either too strict, limiting the ability of companies to innovate, or too broad, providing limited guidance.

Security for a Faster World

Moving Beyond Compliance


Given its shortcomings, compliance must be viewed in its proper role: as a jumping-off point, not a final destination. By all means, start with an assessment of what is needed to achieve compliance. The security standards often provide a good security framework, and failure to comply itself poses a threat to the company. "The effect of non-compliance is only seen when these are breached and will cost organizations both financial and reputation damage," says Kevin Bailey, London-based Research Director, European Security Software, for IDC. "It's a bit like an insurance policy that you hope will never need to be enforced." But then, within the framework provided by regulations and standards, one can start to establish the full systems and processes needed to fully secure the IT systems. This starts with analyzing the business processes, the infrastructure that supports them and the potential risk vectors. A good way to do this is by using tools like HP EnterpriseView, which audits the IT systems' security controls, provides real-time reporting of those risks and how they relate to the business processes, and provides weighted vulnerability assessments so that the items that pose the greatest threat to the company can be addressed first.

HP also has a comprehensive portfolio of products to eliminate the threats that are found. HP Fortify Software Security Center tests software to identify the weak points and then tracks their resolution. HP TippingPoint Next Generation Intrusion Prevention Systems provide up-to-the-minute protection against the latest threats. They can block attacks by geographical source or destination and at the application layer, rather than by port or protocol. The HP ArcSight Security Intelligence platform collects, analyzes and assesses security events so that both outside and inside attacks can be rapidly identified, prioritized and addressed. With such tools, together with knowledgeable staff, compliance becomes a baseline not to fall below rather than an upper bound to reach. The organization will have the flexibility and agility to rapidly respond to changing business needs while maintaining and improving security. "Many organizations are just worried about meeting the growing number of regulations governing the security of data," says IDC's Hegde. "But they fail to realize that this is not a one-time effort, but a continuous cycle. It is important to keep security up-to-date and risk assessment exercises ongoing, from time to time, to avoid security lapses."


ACT

The Essential Steps to Comprehensive Security


By Drew Robb
The first antivirus software and firewalls (or at least their predecessors, packet filters) were written in the 1980s and still comprise an essential part of any security strategy. Since that time, however, we've seen the rise of Windows, OS X and Linux; portable storage, laptops, smartphones and tablets; telecommuters, the Internet and WLANs. As the complexity of computing systems has grown, so has the number and variety of potential attack vectors. The number of attack points wouldn't matter so much if the value of the data and systems hadn't also grown during that time. IT forms the brains and nervous system of business enterprises; the business falls into a coma without them. As such, one needs to take a comprehensive approach to security, looking at the full impact of attacks. "Security is fundamentally about people, and people have the ability to learn and to think creatively," says security technologist and author Bruce Schneier, Chief Security Technology Officer of BT. "The attacker is thinking about your system as a whole: what the weak spots are, what's the most profitable avenue of attack, and so on. If you're not thinking that way as well, you are at a profound disadvantage."

Identifying Attack Vectors

Designing an effective security strategy requires one to think like an attacker. This starts with determining what the organization's key assets requiring protection are, what the motivations of the attackers are and what the potential attack routes are. These will vary from one organization to the next. Italian network security expert Paolo Passeri (hackmageddon.com) says that in September 2012, 55 percent of cyber attacks were criminally motivated, 42 percent had an activist motivation (such as the DDoS attacks against major U.S. banking websites), 3 percent were espionage and 1 percent were cyber warfare. While no type of entity was exempt from attack, governmental, industry and financial institutions were prime targets. SQL injection and DDoS were the most common techniques used that month, followed by defacement, targeted attack, DNS hijack and password cracking. But to be secure, one needs to look much broader. Other techniques he lists include: account hijacking, Java vulnerabilities, Shamoon malware, social engineering, Advanced Persistent Threat (APT) attacks, key loggers, Man-in-the-Browser (MiTB) trojans, Remote Access Trojans (RAT), WordPress vulnerabilities, spam, Trojans, spear phishing, application vulnerabilities, DNS poisoning and XSS.


Of course, simply guarding against the latest attacks is not going to protect you from what comes next. "To take an obvious physical analogy," says Schneier, "if you spend all your time studying the mechanics of door locks, you will be taken by surprise when a burglar kicks the door down. If there is a way to attack, it will be found and used." And, as the list above shows, it is not enough to have tools in place to detect and block malware or attacks. Your weakest link is still your personnel. "There is no easier way to get into the network or building or the account than social engineering," says Chris Hadnagy, author of Social Engineering: The Art of Human Hacking and Chief Human Hacker for the social engineering penetration testing and training firm Social-Engineer.com. "And it works. Hackers used social engineering in almost every attack we read about last year." Hadnagy runs the Capture the Flag (CTF) social engineering contest at the annual Def Con hackers' conference. At Def Con 20, held in Las Vegas in September 2012, 20 participants were given 20 minutes each to contact major companies such as FedEx, AT&T, Shell and Wal-Mart to obtain information. Since this was a game, not a criminal operation, the participants did not try to obtain information such as bank accounts or passwords, but they did manage to find out data concerning disk encryption, website blocking, antivirus software, browser versions, mail client versions and OS service packs. The final reports detailing the results of this and earlier CTF contests can be found on the Social-Engineer.org website and make interesting reading. "Whereas virus scanners and IDS systems can fix some problems, they cannot combat social engineering attacks," says Hadnagy. "It is a true blend of security services that will make the difference and create an atmosphere of security."

Designing a Comprehensive Security Strategy


To maintain security, it is not enough to adopt a few point solutions. It requires a comprehensive look at the entire IT infrastructure, careful evaluation of threats and an effective strategy to bolster any weak points. "The complexity of malware and advanced persistent attacks (APTs) has increased over the past two to three years, where hacktivists and cybercriminals have extended their focus externally and internally of target organizations," says Kevin Bailey, London-based Research Director, European Security Software, for IDC. "Organizations need to have fully integrated security solutions installed, so that malware detection at the endpoint can be contextualized in case of possible breaches in other elements of the infrastructure, such as Web, network or mobile devices." Although an initial security evaluation may turn up risks that need to be plugged immediately, Bailey says that the initial plan will then have to evolve from departmental or functional security silos into an integrated approach to security that addresses both current and future potential threats. "Once in place, these should be regularly reviewed and audited to minimize possible policy and data breaches," he says.

Now, it can be quite a task to select, assemble and integrate all the necessary security components. To make the task easier for its clients, HP has been assembling, through development and acquisition, a comprehensive set of security tools that work together as an integrated whole. In 2010, HP acquired network security firm TippingPoint, adding TippingPoint's intrusion prevention systems software to the HP portfolio. Headquartered in Austin, Texas, DVLabs (Digital Vaccine Laboratories), which joined HP as part of the TippingPoint acquisition, is a premier security research organization ensuring customers receive preemptive protection for vulnerabilities, including zero-day issues. But networks aren't the only part of the IT enterprise requiring protection, so that same year HP also acquired Fortify Software. The HP Fortify Software Security Center is a suite of integrated solutions for detecting, preventing and fixing application security vulnerabilities. These tools cover the entire software lifecycle, beginning with ongoing testing and remediation tracking during the development process. Then, for a high-level, business-centric view of IT risk management, there is HP EnterpriseView, which conducts automated security audits, generates weighted vulnerability assessments and presents the Chief Information Security Officer with a real-time graphical and report-based identification of risks. EnterpriseView maps the risk data to the business services, providing a common framework that makes sense to both the security experts and business executives. Then it is a matter of prioritizing the risks and, one by one, shutting down the vulnerabilities.

"In today's digital economies, you are under great pressure to innovate, and innovation on any technology also innovates the threats," says Richard Zaluski, President and CEO of the Center for Strategic Cyberspace and Security Science (CSCSS) in London. "Some are known, some are unknown and may lie dormant, but they are there." Employing a comprehensive security strategy won't make those threats go away, but it will lower the risk and make it easier to respond when they come out of their dormancy.
