January 21st, 2010 by peter.bassill

Andrew W Morse, Founder, Digital Tsunami “Communications Evolution” recently asked the question; “With the increased complexity of polymorphic malware and the increased use of social platforms, do you have concerns for increased network intrusion via ever-increasing corporate cloud computing?” on Linkedin. It gave a fair amount to think about so I thought I would share my opinions with you all.

What a great question, thank you for asking it. Ok, do you have more or less security by renting a 1U server from a server farm in a datacenter? Do you have more or less security when rather than rent that server from a server farm you physically house it in your datacenter? There are a number of players out there in the market that would have you beleive that a server in the “cloud” is vulnerable to attack but the truth is that any server with a connection to a public facing network is going to be attacked at some point in time.

From my point of view, the biggest security concern is one I am not hearing about much and that is the disk. Say you rent a cloud server with 100gig and you then use this for some data processing and once you have finished, you close down your server and remove it from the system. That disk is still there.

In my opinion, it would be possible to rent a single cloud server and get this up and running. Once done, add a few cloud disks to it and run standard forensics recovery tools over the disks you have provisioned from the pool. What are the odds of successfully recovering someone’s information? During my research on this, 80% of disks I provisions I successfully recovered a previsous tenants data from.

Still worried about network intrusion? Have your admins build and secure your cloud servers properly and maintain a good patching program alongside good security practises for access control.

Worried about a disk recovery attack? Encyrpt your data in the cloud and then carry out a DoD standard 7 pass wipe of your data areas prior to deprovisioning your server.

January 13th, 2010 by peter.bassill

Disclaimer: All views expressed in this posting are mine and mine alone and do not represent those of my employers.

I recently heard the excellent phrase “Fear the Auditor more than the Attacker” (check out the podcast as csoonline.com) and it led me to some thinking. Do we really fear the auditor more than the attacker?

In an age where regulation and compliance rule almost everything we do in Information Security, have we lost sight of what our job really is? Surely we are here to protect the brand and the image of the businesses we work for, ensuring the continual cycle of business without interruption. Listening to the podcast, there was a lot of things I agreed with and a fair amount I disagreed with.

Today, it was sited, we have reached a completely unacceptable and unsustainable level of cost and complexity which is driven mainly from the frequency of constant and turbulent change within environments. There are five main drivers for change;

• threat evolution in the attacker space
• compliance & regulatory markets
• technology changes
• economic changes
• business needs

What interested me here is the order in which the speaker listed the drivers for change were listed. While I agree with the drivers, many organisations would almost reverse the list to;

• compliance & regulatory markets
• economic changes
• threat evolution in the attacker space
• business needs
• technology changes

While I would see the list as

• threat evolution in the attacker space
• business needs
• economic changes
• technology changes
• compliance & regulatory markets

While I agree that in many organisations, the main stay for change should be to keep up with the threat evolution from the attacker space, more and more time and valuable budget is being spent on ensuring tick box compliance is maintained, observing that the level required is the minimum for compliance. Again, I see compliance as the foundation level for good security, not a ceiling. Compliance is something to be used as a baseline, something to be surpassed, exceeded.  Compliance and regulation is a party to supporting the need for change, but it is not the reason for change. Change should occur to make the business better, to re-enforce the businesses underlying operation and to ensure it remains safe.

Last year, it was suggested, Information Security had around 4% of the IT budget while now being more around 13%. This is something I would rather take with some more context. Is it that the budget for Information Security has indeed increased or is it (more likely) that the budget for Information Security has remained the same while the overall IT budget had decreased? More and more I am seeing businesses sweat thier assets more aggressivley, looking for ways to use what already exists in a more productive way rather than bringing in new technologies to achieve what could be done with assets already in place. It was suggested that this change in budgeting has led to a view of “if it is mandated I will spend it, if its not I wont”. This then leads to an abandonment of the more logical risk led approach and the adoption of bad risk management.

So who is watching the attackers? Within the PCI-DSS standard, there is a requirement for centralised log management and daily log reviews. Many organisations, quite rightly, use automated tools such as Splunk or RSA Envision to carry out these daily log review functions, but who is looking at the output? In the ideal world, a human but in the real world are these outputs there purely for the auditor? After all, the auditor is a known known, something we know how to handle. The attacker is the known unknown, we know we know very little about them and that makes it harder to secure budget for mitigation. Would you be able to get budget to fix something you know is going to happen and can prove it? Or do you work in an organisation so dynamic and leading in its security that it allows budget to fix something you know is going to happen on day but can not prove it will happen anytime soon?

The podcast gave me a lot of things to think about and two of the best quotes I have heard to date:

Fear the Auditor more than the Attacker!

Security is reactionary, what we are up against is dynamic!

January 12th, 2010 by peter.bassill

Having spent some time during the evening creating a script to map the attackers from the logs within Splunk, the end result was a moderate success.

Combining some perl and GeoIP.dat

 Making a bit more use of this, suppose I had a list of countries who were not supposed to be accessing my systems. Having an image such as the one below makes log analysis a lot easier.

January 11th, 2010 by peter.bassill

Having just migrated my current Nessus server up to the latest thread on 4.2.0, I must say I am impressed. A very neat and slick web front end making it a much more user friendly solution.

January 10th, 2010 by peter.bassill

Often, within the corporate role of an Information Security Officer, you will come across auditors who really know what they are talking about. Recently, I had the joy to experiance one of those rare moments when I crossed swords with a technical financial auditor. Over a couple of excellent coffees, we discussed PCI compliance in the cloud.

There has been a lot of hype over the whole use of the “cloud” buzzword, but in this case, “cloud” was being used to describe a server that is not on your premises that you are able to access the terminal remotely via IP.

The basis of the server must be security robust. This we agreed on. Where we disagreed was the level of security robustness required and the practicality of level of the security.

Looking at the foundation build, we both agreed on the OpenBSD model of building a server. Only build what you actually require. For example, you need a web server then make sure that is the only service compiled.  Another area we agreed on was the need to remove all non required binaries. With the intial build in mind, my thoughts lead to encryption. Should you encrypt the disk, the swap space, and the memory? While the auditor thought that it was overkill and I agree that there would be a performance impact, when you dont physically possess the machine is it prudent?

When we talked about terminal access, we both agreed that two factor authentication to the terminal was essential as was reducing the number of terminal sessions available to two and it was only natural that we then looked at the process of user management. Linking the cloud server to a centrally management user management system such as Active Directory has many advantages and allows easy management of articles such as password lifecycles.

In all, we agreed that encryption is good, two factor authentication against an offboard user management system is a definate and off system logging is essential. The server footprint should be as small as possible and internal integrity monitoring, firewalling, malware/rootkit checking are very important.

Now, to build the server…