Infosec Island Latest Articles

Crowd Funding Website Breached! Access to Development Server To Blame
Thu, 08 Oct 2015 10:26:00 -0500

‘Yesterday I learned that there was unauthorized access to a Patreon database containing user information.’ - Jack Conte, CEO Patreon

Patreon, the crowd funding website, suffered a breach late last month. The cause was an unguarded development server, which was left online. According to Patreon’s CEO, Jack Conte, the development server was accessed by a third party, and customer contact information was stolen.

Unfortunately for Patreon and its customers, the development server housed a snapshotted version of one of Patreon’s main databases, which stored the leaked customer information.

To the best of Conte’s knowledge, no passwords were leaked:

We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.

Development servers may not seem like an attack vector. However, the Las Vegas Sands Corp suffered a catastrophic breach in 2014; Iranian hackers broke into the network using an unguarded development server.

Breaches like these are indicative of a larger issue facing security organizations -- vulnerabilities in third-party cloud services that are used by departments outside of IT to stand up corporate digital assets. According to studies, 30% of IT spending occurs outside the IT department.

The root of the problem is that most enterprises espouse a ‘siloed mentality’. Inter-departmental cooperation is largely nonexistent and often discouraged. The meetup point for IT used to be the data center, but that is no longer the case.

Security has a real problem. It's increasingly left in the dark until an incident occurs. This trend is proliferating across enterprises of all sizes. Moving forward, CISOs will increasingly be forced to address security incidents occurring outside their perimeter.

Conventional wisdom would suggest that more stringent policy and enforcement of internal IT practices would prevent these problems. However, it just isn’t that simple any longer.

These developments have led to the rise of digital footprint security, an approach designed to lower an organization’s exposure to external threats that reside outside the firewall.

Copyright 2010 Respective Author at Infosec Island
How Well Do You Really Know Your Network?
Tue, 06 Oct 2015 15:50:00 -0500

So you think you know your enterprise IT infrastructure pretty well. Really? Are you sure about that?

Time for a pop quiz. Don’t worry, there are only three questions, but with multiple parts to each question:

1) How many devices do you have on your agency and enterprise networks?

a. Can you name them with IP address, basic function and applications running?

b. How many devices connect via wireless access points?

c. What do you do when you discover an unknown or unauthorized connection or app running?

d. Who reports when operational systems go down? How? To whom?

2) Do you have an accurate network diagram showing all infrastructure connectivity?

a. What systems or functions are permitted to communicate with other systems by policy?

b. Where is your policy? Do you train employees to follow policies and procedures?

c. Is your policy enforced? How?

d. How do you authorize and manage exceptions to policy?

3) How do you know when someone (or something) gains unauthorized access to data?

a. What data is most sensitive and how is it protected?

b. How do you manage identities and provision system access across disparate networks?

c. Who is looking at the logs, monitoring traffic and managing security alarms?

d. What processes and procedures explain how to declare that a security incident has occurred that needs to be investigated? Who owns these functions (name a person or two)?

e. Can you account for 100 percent of the network traffic? If not, how do you resolve the traffic not accounted for?

All done. So how did you do?

If you answered all these questions successfully, you can take the rest of the day off.

Yep. You can go home right now – but only if you have complete, correct answers for all of these questions for the entire enterprise and not just your small piece of your department’s network.

Oh, and you need your management team as well as external and internal auditors to agree and sign-off that everything is in good shape and consistently updated perfectly.

Dreaded Risk Assessments, E-Discovery and Enterprisewide Audits of IT

The truth is that no large public- or private-sector enterprise can answer these questions accurately 100 percent of the time for every one of their networks, systems, people, processes and all data. The questions may even seem like an unfair anchor around the necks of CxOs nationwide, and just going through the questions may bring back negative memories.

If these questions look familiar, that's not surprising. I basically summarized key audit questions along with the typical opening checklist to enterprise-wide risk assessments that CIOs and CISOs see in traditional “As Is, To Be, Gap Analysis” sessions every few years.

In my experience, your team is above average if you can answer more than 80 percent of these questions accurately. The Deloitte-NASCIO Cybersecurity Study published last year identified major gaps in knowledge about network and security protections in place with many government leaders feeling uncomfortable in offering specific numbers.

Another difficulty to overcome is that hardware, firmware and application software is changing constantly in large complex networks that are evolving. Answers are given for a moment in time, but gaining a true picture of all the moving parts is very difficult – even for the best technology teams with years of experience.

Exceptional network management requires a robust ITIL framework that is working well, along with pros who really understand their strengths and weaknesses in each core discipline. For example, you need database experts, network experts, system administration experts, security experts, great project managers, programmers who test code well, secure applications, and tools from competing vendors that all work together as a united team.

In addition, the security implications are huge. If you don’t know “what is normal” how can you possibly identify dangerous hackers, unauthorized applications or concerning behaviors of insiders? How can your team restore systems or get data back to “normal” after system or network outages like the big halt experienced on Wall Street earlier this year?

The challenge is immense, especially when you consider that a hacker only needs to be right once.

Three Red Flags to Watch Out For

There are some recent warning signs that raise additional red flags. Sadly, these challenges are raising the network management stakes even higher in mid-2015, whereas the items discussed up to this point can be traced back decades. Nevertheless, it is true that these items have always been with us – especially in hot tech markets with skills shortages.

1) The staff turnover problem is getting worse among technology staff. While every organization needs fresh blood and young talent, the number of veteran technology professionals changing jobs, leaving companies and governments, or retiring right now is a major concern. In this hot security job market, many experts are looking for greener pastures. Also, baby boomers are seeking second careers and taking their years of experience with them.

TIP: Make sure that cross-training occurs and clear roles and responsibilities are documented – along with clear policies and operational procedures.

2) Shadow IT is growing along with rogue cloud computing usage that the tech team knows little about and may be out of control.

TIP: Solutions to this issue include increasing visibility with a cloud access security broker (CASB).

3) Excellent vendor and contract management skills are lacking in government. Government CxOs who face extreme challenges in these infrastructure areas often like to bring in private-sector partners as an "easy fix." Of course, there’s nothing wrong with the expert from out of town coming in to help or using contractors.

But while partnering with external solution providers can certainly help, remember that accountability and responsibility for results and outcomes always live with the data owners and CxO involved.

Simply put: You can outsource the function but not the responsibility.

Final Thoughts

While all of this may seem rather depressing, there certainly is hope for the future.

Recent breaches, and the international emphasis on critical infrastructure protection, are helping raise awareness of the importance of technology infrastructure improvements. Many organizations are currently building “next-generation” networks with new projects that are well funded.

There are numerous frameworks, checklists and solution providers to help. The recent OPM breaches in the federal government are causing new thinking and a higher priority to these essential network architecture topics.

What’s my main point? Don’t waste any opportunity to reinvent your network or infrastructure when you get the chance.

In the meantime, get to know your network a little better – right now.

Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, author and CSO of Security Mentor, a pioneer of innovative security awareness training that drives real behavior change by combining engaging, highly interactive training with content-rich lessons that convey critical security information.

Note: An earlier version of this article was published on Government Technology.

NSA Cyber Chief to Keynote 2015 ICS Cyber Security Conference in Atlanta
Tue, 06 Oct 2015 08:57:31 -0500

SecurityWeek is proud to announce that Philip D. Quade, Chief of the NSA Cyber Task Force and Special Assistant to the Director National Security Agency for Cyber, will deliver a keynote address at the 2015 ICS Cyber Security Conference, taking place Oct. 26-29 in Atlanta, Georgia.

On the morning of Oct. 27, Mr. Quade will deliver a keynote address titled “Protecting the Infrastructures on Which We Depend”.

Philip Quade - NSA

As industrial control systems start looking more like IT systems, and as our everyday environment starts looking more like ICS architectures, Mr. Quade will explain why stakeholders need to re-evaluate their strategies for ensuring that ICS continues to reliably underpin the missions and services on which we depend. With the ICS 'attack surface' growing substantially, Mr. Quade will address the roles each of us might take to leverage each other's unique insights and capabilities.

Now in its 13th year, SecurityWeek’s ICS Cyber Security Conference is the foremost and longest-running cyber security-focused event series for the industrial control systems sectors. The conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

Immediately prior to his current role at the National Security Agency, Mr. Quade served as the Chief Operating Officer of the Information Assurance Directorate at NSA, managing day-to-day operations, strategy, planning, integration, and relationships in cybersecurity and related disciplines. He also served external to NSA as head of the Information Operations Technology Center’s Advanced Technology Group, as a Professional Staffer at the US Senate, and at the Office of the Director of National Intelligence for a cross-discipline intelligence effort. Previous assignments at NSA include serving as a computer scientist, cryptanalyst, computer & network security evaluator, and a variety of policy, program management, and resource jobs.

Registration is $1895 ($1695 Gov/Mil) and includes a full day of workshops and training and a total of four days of content. Registration and additional information are available online.

Since 2002, the ICS Cyber Security Conference has gathered ICS cyber security stakeholders across various industries and attracts operations and control engineers, IT, government, vendors and academics. The conference will address the myriad cyber threats facing operators of ICS around the world, with topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

2015 Sponsors Include: Lockheed Martin, Symantec, Waterfall Security, Bedrock Automation, Honeywell, NexDefense, ThreatStream, Intel Security, Cybereason, Cisco, Veracity, Darktrace, Peach Fuzzer, Check Point Software Technologies, and FireEye.

SecurityWeek has also formed a strategic alliance with the Industrial Control System Information Sharing and Analysis Center for the 2015 conference.

The Necessity of Cloud Delivered Integrated Security Platforms
Mon, 28 Sep 2015 13:02:24 -0500

Webcast: The Necessity of Cloud Delivered Integrated Security Platforms - Register Now

Live - Sept. 30 at 1:00PM ET

A May 2015 commissioned study conducted by Forrester Consulting on behalf of Zscaler highlighted that CISOs face three key challenges in their quest to keep their employees safe in the current threat landscape:

• A plethora of legacy point solutions and appliances in their environment
• Significant volumes of security alerts being triggered without any analysis or effective response mechanisms
• Security data being generated across multiple vendor technologies, increasing costs and exacerbating the overall problem

Forrester Consulting conducted an assessment of both integrated security platforms, as well as cloud computing/software-as-a-service (SaaS)-based delivery models. This in-depth evaluation targeted 130 US IT security or strategy decision makers. The results were astonishing.

Join SecurityWeek and Zscaler for a compelling webcast full of key insights and findings from this research, including:

• 98% of decision makers acknowledge that integrated platforms deliver better security
• Reductions in complexity and costs are the primary benefits of cloud security
• 82% of decision makers require advanced security functionality now

Register Now

A Sharing Economy for Security
Fri, 25 Sep 2015 07:50:15 -0500

Hackers trade information to make their attacks more effective. If organizations want to beat back the bad guys, they must also learn to share.

The security industry is falling short. While companies are spending more and more money on security solutions, many of these solutions aren’t doing the job. Gartner reports global spending on security rose to $71 billion in 2014, an increase of 7.9 percent over 2013. Yet PwC says security incidents over that same period surged 48 percent—and that’s just the incidents that were detected.

Why the disconnect? Because the current security model is broken. Companies are trying to protect themselves by building higher walls and wider moats. They’re trying to plug an always-shifting range of entry points. It is reactionary and always a step behind.

Worse, they’re trying to go it alone. They don’t collaborate with other organizations. That would defy security’s foundational rule: secrecy. Security people are hardwired not to share information, not to show their hand, not to reveal potential security holes. They fear that if they admit to any weakness it will be used against them, either by competitors or by the government, because they’ve fallen short of some security compliance requirement.

This is the wrong approach to security in today’s changing cybersecurity landscape. Companies now need to protect themselves not only with walls but also with intelligence. They need to work together and share information to protect the community, not just a single enterprise.

Why are the bad guys so successful? In part because they trade information with each other. They’ve built a hacker economy, in which intelligence about vulnerabilities is constantly passed around. Cybercriminal communities share techniques and tools and join forces to conduct attacks. They maintain an underground marketplace where they buy and sell information.

We need to deploy this strategy on our side. We need to collaborate and share intelligence to beat back the bad guys. We need to open up about the indicators of compromise we are noticing to alert communities who may be experiencing them too. Is anyone else dealing with this or that anomaly? Is it a legitimate threat?

Responsive, effective security is a process of discerning the real risks in a sea of data, so learning the context around a particular threat—its velocity and breadth of penetration—is vital to defending against it. But this requires intelligence sharing among organizations. Who else is under assault and what do they know about the nature of the attack? Armed with that information, organizations can better defend themselves. And when you’re attacked, you can help others defend themselves by sharing your experience. Before long, every company in your community is protecting itself and each other better.

The good news is that this is starting to happen. Take health insurer Anthem, for example. After it was ruthlessly ransacked by hackers, Anthem began to share its indicators of compromise with other healthcare organizations, enabling them to take steps to proactively block a similar attack. This has improved security throughout the healthcare field.

But this sort of intelligence sharing is not yet happening on a broad scale because the mindset of collaboration has not been fully embraced. Most companies are not sharing what they learn, even though they know they should. A new study by Enterprise Strategy Group found that, while 94 percent of respondents see the value of sharing threat intelligence, only 37 percent of respondents’ organizations regularly share internally driven threat intelligence with other organizations or industry groups.

So what’s holding them back? Organizations want to be sure they can share threat intelligence in a manner that is secure, anonymous, non-attributed and standards-based; to avoid risk of opening themselves up to backlash or losing their company’s crown jewels.

Fortunately, the technology exists today. There are now standards-based mechanisms in place to share threat intelligence anonymously, without fear of attribution and without fear of tripping some compliance alarm somewhere.

With the advance of data analytics and cloud computing, companies have the power to process massive amounts of data within their perimeters and share findings anonymously. They can learn the context and relevance around security threats. They can glean threat actor data to identify who is related to what attack patterns, and the geographical source of attacks. They can conduct search and indicator tagging, and analyze and score incidents for prioritization. And they can go to trusted venues and platforms to anonymously and securely share their threat intelligence.

The onus here is on the C-suite to take advantage of these new technologies and platforms. C-level executives need to lead the way to better security by sharing what their companies know. They cannot plead ignorance.

More than 80 percent of directors say security breaches are discussed at nearly every board meeting, according to the ESG study. A PwC survey of more than 1,300 CEOs earlier this year found that 87 percent of them are “concerned” about cyberattacks, while nearly half go so far as to say they’re “extremely concerned.”

So it’s time to do something about it. This is not the time to cling to old models of security, building walls, hunkering down and keeping secrets. Leaders need to lead. They need to share their knowledge with each other and work together as a community against the cyberthugs. Then everyone will benefit from better security.

About the Author: Anne Bonaparte is the president and chief executive officer of BrightPoint Security. Known for leading security companies through high-growth stages to become businesses that endure, Anne has also served as the CEO of Solidcore Systems, Tablus, and MailFrontier, and vice president of international at VeriSign. Anne holds an MBA from Harvard University and a BS in industrial engineering from Stanford University.

Related: Learn About Threat Sharing at the 2015 ICS Cyber Security Conference

Can CTF Players Replace Professional Penetration Testers?
Wed, 23 Sep 2015 07:10:00 -0500

I have been asked by several friends who are CISOs within different organizations if Capture the Flag (CTF) experience makes any difference in how I evaluate incoming CVs for internal IT security auditor or similar positions. This complicated question is also one that I ask myself each time I consider incoming CVs for new penetration tester vacancies that we have.

According to ISACA’s State of Cybersecurity: Implications for 2015 report, 72.33% of respondents said that the biggest skill gap in today’s security professionals is ability to understand the business. Another interesting fact from the survey is that the majority of respondents found that less than 25% of applicants were qualified for a cybersecurity position. These numbers highlight a very serious gap between people looking for an infosec job and modern businesses. A similar gap also exists between CTF contests and professional penetration testing.

Unlike when I was a student, today one can easily find a great variety of CTF events of all sorts and types, from the easiest tasks to complicated reverse engineering and crypto challenges. However, many CTFs are organized by security enthusiasts, and their main audience is students or newbies who want to try their offensive security skills in the wild without breaking the law. Even at famous CTF events, usually organized in parallel with various conferences, many CTF players are students or have just started their first infosec job. Sadly, quite often prominent teams of young but talented players fail to participate in a CTF due to the high price of travel and the events being held in venues they simply cannot afford. This is why online CTFs have become more and more popular. Many security companies of different sizes organize or sponsor CTFs in order to attract media attention and recruit the most prominent players. Let’s try to understand what impact CTF experience may have on one’s habits, technical skills and cybersecurity career.

During weekends, I like reading CTF write-ups from time to time, especially those that cover web security challenges. However, I remember very few of them covered real business case scenarios that professional penetration testers face every day. I obviously omit sophisticated crypto challenges, car hacking, phreaking, ATM hacking and non-security challenges that CTF organizers set up to bring some fun to the event. But even the remaining part is still pretty far from daily reality. So, what is the practical difference between CTF and penetration testing, and what impact can it have on a business?

The first issue with the majority of CTFs is that they focus on a single result (the flag), rather than on a process of comprehensive, consecutive security testing. I saw many cases when a penetration test conducted by CTF players consisted of exploiting one single vulnerability to facilitate exploitation of all others. The resulting report contained quite irrelevant information, such as a demonstration of web application source code and databases obtained via a brute-forced FTP password or an arbitrary file upload vulnerability. At the same time, simple SQL injection vulnerabilities in web services were not even mentioned in the report, as the penetration testers considered that ‘capturing the flag’ by getting all confidential information from the server was enough to impress the customer. In reality, very few customers are ready to pay for such a service, as it has very low (if any) value from the business’ point of view.

The second concern is that very few CTFs offer technical infrastructure similar to a real business environment. CTF is about hacking a deliberately insecure system intentionally left vulnerable, while a penetration test is about testing a complicated system that a team of cybersecurity professionals tries to keep secure. The way of thinking during a CTF and a penetration test is totally different. Being in a ‘pentest mode’ you will hardly solve even the easiest CTF challenge and vice-versa: during a CTF you usually look for direct or indirect hints as to the logic of the task’s creator, while during a penetration test you need to entirely understand the business’ logic and global cybersecurity vision, and the strategy of your customer.

The next problem one may face is the security tester’s responsibility when selecting attack methodologies and techniques. What would happen during a CTF if you suddenly or deliberately crashed the system, making others unable to test it? In the worst case, your team would lose some scoring points. During a penetration test, such imprudence may cost your customer millions of dollars. A similar problem also exists in some car racing games that provoke imprudent driving in reality.

Scope of testing is also very important: at High-Tech Bridge, for almost every penetration test we have some special business requirements in terms of scope and perimeter of testing. A penetration test is process oriented, while a CTF is mainly result oriented. Customers are usually aware that, for various business and operational reasons, some components of their IT infrastructure are vulnerable, and they are not ready to pay to have that fact reported on paper. Instead, they hire us to test the resistance of the secure part of their infrastructure, while patching or migrating the vulnerable ones. For a penetration test, it is very important to clearly define what to test and how to test, otherwise you will likely just irritate your customer. I saw several cases when professional CTF players were not able to control their behavior during a penetration test, as they were used to having ‘no limits’, taking the entire process as a game. Despite the “got root” results they had, their customers were about to sue them for attacking the wrong systems.

Yan Borboën, Partner at PwC Switzerland, MSc, CISA, CRISC, shared his opinion about the subject: “With the increasing number of attacks in the world, companies need to recruit well trained people. CTF is an extraordinary game field for people to train and to demonstrate their motivation.

At PwC, we sponsor security competitions such as the Swiss Cyber Storm Security challenge because it is clearly an opportunity to identify and recruit talent. However, technical capabilities are only one aspect of a penetration test; they will provide assurance against common everyday attacks, but they do not provide assurance against more sophisticated and persistent attacks.

To provide real value to our client, we would rather recommend intelligence led security testing (e.g. CREST STAR), which incorporates threat intelligence and penetration testing to replicate accurately a full scenario of a targeted attack against an entire organisation including people, processes and technologies.”

Therefore, when hiring a new team player, I would definitely prefer an experienced penetration tester to a CTF champion. However, all other things being equal, CTF experience may definitely be a good added value. CTF helps to develop and to perfect stand-alone technical skills and exploitation techniques. A CTF player can also bring some useful insights to your team and a vision from a different angle that others will probably not have.

Nevertheless, we should always keep in mind that CTF is a game, while penetration testing is a business. Don’t confuse the two.

About the Author: Ilia Kolochenko is CEO & President at High-Tech Bridge and Chief Architect of ImmuniWeb. He has a university degree with honors in Mathematics and Computer Science from Geneva, his city of origin. Ilia Kolochenko started his career as a penetration tester; he also was a security expert and team leader working for various financial institutions and large companies in Switzerland and abroad. His military service in artillery troops took place in Frauenfeld, Switzerland. At the end of 2007 he founded High-Tech Bridge, aiming to deliver efficient and effective penetration testing to companies of all sizes. In 2010 Ilia Kolochenko created a concept of hybrid security assessment of web applications, called ImmuniWeb, that was globally launched in 2014. Being a web application security expert and chief architect of ImmuniWeb, he is personally involved in ImmuniWeb’s daily operations, implementing new features and functions.

3 out of 4 Consumers Will Leave your Websites Because of Security Concerns
Tue, 22 Sep 2015 22:29:38 -0500

As part of the ongoing battle for eyeballs, marketing departments implement tracking technologies that encroach on customer privacy, while digital assets are cobbled together from third-party technology to accelerate time-to-market.

There are hundreds of companies providing website testing, engagement tracking, social tracking, content creation, etc. Most of them are startups that rely on Amazon Web Services (AWS) for IT, or have outsourced the creation of some, if not all, of their production code. These companies invest heavily in engineering, marketing and sales – and know little about security.

For instance, hundreds of leading online brands use a social engagement tracking service called Gigya, which suffered a breach in 2014 that gave hackers access to their DNS. Instantly, thousands of sites connecting to Gigya, including and, were temporarily under control of the Syrian Electronic Army (SEA).

The downstream effect of these types of breaches, which can impact tens, hundreds, or even thousands of web properties, can be devastating from both a reputational and liability standpoint if they result in monetary fraud or leaked personal information.

According to a recent Ponemon report, almost 69% of consumers have left a website because of security concerns.

In fact, two-thirds of the time, consumers blamed security when they had a poor experience on a brand’s website. Specifically, 67 percent said they lose trust in a site when pages load slowly, and 3 out of 4 worry about security when site performance is sluggish.

The bottom line for website operators is clear: consumers measure a brand’s online presence based on the performance and safety they experience, even though third-party providers like Gigya may be the source of the problems that affect consumers.

While responsibility for protecting corporate digital assets falls squarely on the shoulders of IT security teams, their control and administration falls in a grey area. Marketing generates digital assets, but is not responsible for the security behind campaigns, lead gen, tracking, etc.

The challenge for IT security is ensuring that digital assets including websites and apps, even those that use third party services, are safe for consumers to visit and download. This is a new and more difficult mission, and one that greatly impacts the bottom line of any business.

Cross Posted With Permission from RiskIQ

Red Hat Warns of Ceph Website Breach
Sat, 19 Sep 2015 10:39:03 -0500

Red Hat warned users on Thursday that it detected an intrusion on two websites related to Ceph, the company’s open source distributed storage platform.

According to the open source giant, which acquired Ceph developer Inktank in April 2014, the breach affects the websites and offers downloads for Ceph community versions, while provided releases of the Red Hat Ceph product for Ubuntu and CentOS.

The company has pointed out that the affected websites are hosted on a server outside of the Red Hat infrastructure. The investigation is ongoing, but so far there is no evidence that the code and binaries offered on the impacted websites have been compromised.

On the other hand, Red Hat says it cannot fully rule out the possibility that the files available for download at some point in the past had been altered. The company also believes the signing keys for Inktank and can no longer be trusted. As a result, the Ceph signing key has been replaced, and the Red Hat Ceph Storage products have been re-signed with standard Red Hat release keys.

“This intrusion did not affect other Ceph sites such as (which contained some Ceph downloads) or (which mirrors various source repositories), and is not known to have affected any other Ceph community infrastructure. There is no evidence that build systems or the Ceph github source repository were compromised,” reads a security notice posted on the Ceph website.

Customers of Red Hat Ceph Storage versions for CentOS and Ubuntu have been advised to download the newly signed product versions. Customers of Red Hat Ceph Storage for RHEL and other Red Hat products are not affected by the incident.

The and websites have been rebuilt and all the content hosted on them has been verified. Red Hat customers have been notified that the host has been retired following the breach.

Red Hat noted that while the compromised system did not store customer data, it did hold usernames and password hashes used by customers for authenticating downloads.

The 2015 ICS Cyber Security Conference
Fri, 18 Sep 2015 10:11:00 -0500

The 2015 ICS Cyber Security Conference will be October 26-29 at the Georgia Tech Hotel and Conference Center in Atlanta ( ). This will be the 15th in a series that began in 2002. Because the Conference focuses on timely ICS cyber security issues, the agenda is now being finalized.

The Conference will have some new twists, but will also stay true to its roots - ICS cyber security and what makes ICS cyber security different. Specifically, there will be:

  • Keynote by Philip D. Quade, Chief of the NSA Cyber Task Force and Special Assistant to the Director of the National Security Agency.
  • Discussions by control system engineers of actual field experience (people talk about information sharing – this is it)
  • A session devoted to safety (reliability and safety are THE reasons to care about ICS cyber security),
  • A breakdown of the 700+ ACTUAL ICS cyber incidents to date (yes it is real)
  • Why vendors should include ICS cyber security in new plants or plant upgrades (security is not automatically included yet)
  • Full day of training and workshops (included)
  • Live Attack Demonstration of Cyberattacks on a Utility from A Hacker’s Perspective
  • Many more technical sessions and actionable information that can be leveraged to better protect your organization

As the longest-running cyber security-focused conference for the industrial control systems sector, the event will cater to the energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations. Produced by SecurityWeek, the conference will address topics covering ICSs, including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

Registration is available online at:

I hope to see you in Atlanta!

Joe Weiss

FS-ISAC to Share Threat Intelligence With Federal Reserve Banks
Wed, 16 Sep 2015 19:16:17 -0500

The Financial Services Information Sharing and Analysis Center (FS-ISAC) today announced an arrangement with the Federal Reserve Banks to provide direct access to FS-ISAC security threat information to over 10,000 of their financial institution customers.

Under the terms of the agreement, FS-ISAC will allow the Federal Reserve Banks to provide their customers with access to the Weekly Risk Summary report, designed for community institutions and delivering timely and actionable information on significant security threats to board and C-level personnel. The report provides a high-level summary of threats, identifies the risk to community institutions and suggests actions that these organizations can take to remediate the risks.

“Over the past 18 months, FS-ISAC has made a substantial investment in staff, programs and services designed specifically for community institutions. Some of these include our Community Institution Council, Payments Risk Council, Broker Dealer Council, risk reports, crisis playbooks, simulation exercises, workshops and of course the platforms and processes to enable member to member information sharing,” said Bill Nelson, president and CEO, FS-ISAC. “This arrangement with the Federal Reserve Banks broadens the reach of FS-ISAC and will enable thousands of community and regional institutions to experience how valuable the latest information sharing tools can be.”

About FS-ISAC

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a non-profit corporation that was established in 1999 and is funded by its member firms. The FS-ISAC is a member-driven organization whose mission is to help assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector’s ability to provide services critical to the orderly function of the global economy. The FS-ISAC shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with and among other key sectors and government agencies.


BYOx: Developing and Deploying Effective Strategies to Safeguard Data
Wed, 16 Sep 2015 17:00:00 -0500

The pace and scale of cyber security threats continues to accelerate, endangering the integrity and reputation of today’s most trusted organizations. It’s clear that attackers have become more organized, attacks are more refined, and threats are more dangerous than ever before. In addition, brand reputation and the trust dynamic that exists amongst suppliers, customers and partners have become targets for cybercriminals and hacktivists.

According to the Ponemon Institute’s 2014 Cost of Data Breach Study: United States, the average cost for each lost or stolen record containing sensitive and confidential information increased from $188 to $201. Overall, the total average cost paid by organizations has also grown to $5.9 million, up from $5.4 million. In addition to the rise in cost, the Ponemon Institute found that companies are losing more customers following a data breach.

In today’s global, connected society, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, organizations need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact both business reputation and shareholder value.

Today’s Mobile Landscape

The surge in personal mobile devices being used in the workplace – Bring Your Own Device (BYOD) and Bring Your Own Everything (BYOx) – has been widely documented. Gartner predicts that by 2016, two-thirds of the mobile workforce will own a smartphone and 40 percent of the workforce will be mobile. Furthermore, the variety of connected devices (tablets, phablets, wearables, etc…), usage contexts, mobile applications and cloud computing services add even more complexity.

As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

BYOx initiatives present considerable challenges, as does the widespread adoption of social media. Today’s Chief Information Security Officer (CISO) must embrace these technologies or risk being sidelined by those more agile. While safeguarding your organization’s data is of paramount importance, empowering employees to use their own devices, applications and cloud-based storage safely and flexibly is essential to better workplace productivity, competitiveness, as well as keeping workforce morale and talent retention high. 

Cyber Insecurity

PwC recently highlighted a number of cyber security issues that should be of concern moving forward in today’s connected society. One that I’d like to highlight involves business partners and a lack of process for evaluating third party providers before the launch of business operations.

In today’s global business environment, it’s essential that organizations address third-party security. The lack of understanding of where data is flowing, plus the fact it can be accessed from BYOx devices across the supply chain, is a major issue for organizations of all sizes. At the Information Security Forum (ISF), we’ve underscored three key reasons organizations may find they are vulnerable due to information sharing across their supply chain:

  1. Lack of awareness of the sensitive information being shared in contracts
  2. Too many contracts to assess individually
  3. Lack of visibility and controls as information is shared in the supply chain

Some organizations focus on the first reason, and assess the information risk for each contract. This approach does not address the second issue, as it is not scalable for organizations with thousands of contracts. The third vulnerability, the most challenging and urgent for many businesses, is even more complex to address. Organizations typically have no relationship with their suppliers’ suppliers, so the risk increases as visibility and influence decrease upstream.

As the PwC study suggests, even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your organization, especially with the growing mobility aspect of business operations. A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components. This method should be information-driven (not supplier-centric) so it is scalable and repeatable across the enterprise.

Managing BYOx Risks

Clearly, an information-centric approach to managing risk is essential; devices that have not been issued by the company are too numerous, varied, and vulnerable to be effectively managed. Focusing on protecting information and meeting compliance requirements will keep your BYOx program usable and scalable.

Businesses need to determine their requirements and understand the risks associated with connecting employees’ devices to the organization’s infrastructure and allowing personal applications and cloud storage to co-exist with corporate data. This information risk assessment approach for the management of mobile solutions should be regularly updated, as hardware and software change.

Organizations should also determine and communicate the intended and acceptable use of privately owned devices, specify which devices and operating systems are supported, and when new ones will be added. Staff must be assigned to manage the technical infrastructure and provide support to employees.

Finally, organizations need to shift from promoting awareness of the BYOx problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

Our members recognize that knowledge on its own is no longer enough. Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture.

Responsibility and Regulation

We’ve touched upon a number of areas concerning BYOD and BYOx policies which we have traditionally covered, but let’s shift for a moment to some of the areas that are changing.

As anyone who watches the news can tell you, the number of data breaches continues to grow along with the volume of compromised records. These breaches are becoming far more expensive for organizations of all sizes. Moving forward, costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Angry customers will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs.

Lastly, the resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers.

EU Data Protection Regulation

In a response to these global BYOx trends, we’re seeing far more focus from a regulatory standpoint on management, storage and protection of data. This emphasizes the need to understand where your data is at any single point in time.

The forthcoming EU Regulation aims to establish the same data protection levels for all EU residents and clarify blurred lines of responsibility. It will have a strong focus on how organizations handle personal data. Organizations face several challenges in preparing for the reform, including a lack of awareness among major internal stakeholders. To be brutally honest, many organizations are simply not prepared for the Regulation.

The final draft of the Regulation is still being discussed, but it is expected to be ratified early next year. Once approved, organizations will have a two-year transition period to adapt to the new rules. To build and maintain popular support for this reform, the EU has emphasized the following benefits to individuals:

  • A Right to be Forgotten
  • Easier Access to Data
  • Allowing Residents to Decide How Their Data is Used
  • The Right for Residents to Know When Their Data Has Been Hacked
  • Data Protection First, Not an Afterthought

These benefits will create numerous compliance requirements, from which few organizations will completely escape. However, organizations will benefit from the EU-wide consistency introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be international benefits as countries in other regions are devoting more attention to data protection. The Regulation has the potential to serve as a robust, scalable and exportable regime that could become a global benchmark.

Organizations must consider the steps they should take to prepare in advance. The resources that may be needed, including time, people, policy and governance structures, will take time to agree and fund. There are actions that can help organizations quickly get up to speed which will be beneficial regardless of any last minute amendments.

The Regulation will impose new safeguards for data handling and the resource requirements for doing this will increase along with the sanctions and fines for noncompliance. Knowing how data are handled is an essential part of risk management.

Organizations can begin by asking these questions:

  • What data are collected on EU residents?
  • Where does it come from?
  • What is it being used for?
  • Where and how is it stored?
  • Who is responsible for it and who has access to it?
  • How much of the data held are still needed?
  • Is it being passed on to any third parties?  

Finding the answers to these questions will reveal a great deal about how an organization uses data and the extent to which it permeates its business.

Safeguarding Your Data

With an increase in the number of consumer devices, as well as an increase in the amount of data being moved across multiple borders, organizations need to be on their toes in terms of safeguarding sensitive data. Since BYOx devices will be the choice of most users moving forward, organizations need to wise up and fix some of the issues that have been there for quite some time now by investing the appropriate time and resources in managing this core critical business component.

It goes without saying that business leaders recognize the enormous benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do in this day and age is ensure they have standard security measures in place.

The ISF has designed its tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an “out of the box” approach to address a wide range of challenges – whether they are strategic, compliance-driven, or process-related. For example, the ISF recently released Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes with each of its six phases detailing the steps and key activities required to achieve the phase objectives while also identifying the key information risk factors and outputs.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

Additionally, the ISF has introduced a practical approach for creating key performance indicators (KPIs) and key risk indicators (KRIs) that support informed decision-making. This offers businesses of all sizes the assurance that the CISO and the information security function are responding proactively to the priorities and other needs of the business.

The ISF approach encourages CISOs to forge a path to having the right conversations with the right people. It has been designed to be applied at all levels of an organization, and consists of four phases:

  1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPIs and KRIs
  2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
  3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
  4. Learn and improve by engaging to develop learning and improvement plans

This approach will provide a way for CISOs to succeed by engaging with audiences to identify common interests, determine relevant data, generate reliable insights and create impact supported by the right KPIs and KRIs. This, in turn, supports informed decision-making.

The Time is Now

Time is critical and businesses need to formulate a response to the growing trend of mobile devices in the workplace with a sense of urgency. Focusing on the organization’s information as a guiding principle for considering risk as part of a BYOx program can bring a great deal of clarity to decision-making as it facilitates the definition of device-agnostic solutions which could be re-used for other BYOx deployments. This approach must be tempered against the willingness of executives to increase their risk appetite to enable BYOx.

An information-centric perspective is key to managing BYOx risk, keeping the focus where it should be rather than on the technical details. The proliferation of new devices and applications means that organizing a BYOx risk management plan around a single technical solution can be restrictive. A focus on information is more likely to result in an agile and adaptable program.

In closing, there are a few risk-based requirements that I want to leave you with:

  • Highlight the issues associated with storing and processing private information on mobile and virtual devices
  • Provide clarity about which privacy rules apply, and specifically how they are affected by cross border movement of data and the multi-tier nature of the service providers
  • Include a high level examination of the different legal requirements of different jurisdictions
  • Identify the roles and responsibilities that apply for sensitive information
  • Define an approach for managing private data accessed on mobile devices and in the cloud
  • Help organizations understand how to respond to regulators and data subjects

Organizations can’t afford to stand still and allow mobile device adoption to run its own course as it will create new attack vectors and potential vulnerabilities in corporate networks.  They need to stay one step ahead on the latest trends, mobile devices and related security risks. By putting in place the right working practices, usage policies and management tools, organizations of all sizes can benefit from the advantages that these devices can bring to the workplace while minimizing exposure to potential security risks.

Beware of the Imitations
Wed, 16 Sep 2015 07:52:10 -0500

There have been reports of compromised Cisco IOS files being run in the wild. There have also been warnings about reverse-engineered IOS images being detected.

The article seems to point at an attempt to remove functions that the NSA uses, but it does not identify the actors involved in the replacement software. This would be comparable to an Apple iOS jailbreak: one would never know what functions are replaced, or who is monitoring or has access to the replaced images or files.

I would never recommend going away from the original vendor to another without knowing where the software came from or who is controlling it.  It would be hard to find out and technicians, feeling insecure about the original watched features, may feel less monitored if they use another that is available.

The darker side of this is that cyber actors are finding vulnerabilities that let them remotely inject different code. This would give them a wide range of actions and access, leaving the equipment and the networks it sits in compromised.

Network Security Engineers should always feel compelled to be able to upgrade to the latest Cisco IOS for the devices they manage.  It is sometimes a difficult and nerve-racking process but allows them to remove known flaws. Smartnet is required to be purchased for an organization to be able to access the latest images for their devices.

An organization could forgo this ongoing service and use other means to grab available images from Internet sources. Technicians beware! A look-alike filename could be used for malicious images and leave your network wide open.

Images obtained properly from Cisco come with an MD5 string that validates the identified file. This string can be used to confirm the download is intact, and it can also be used to verify an image already on a device.

There doesn’t seem to be a widespread infection acknowledged or seen but it is recommended that the images be obtained from a valid source and for organizations to involve their technicians in a manual process of checking the validity.

Large organizations that use a management system like CiscoWorks can group like devices and run a script to verify that the proper images are loaded and in use. It may also be possible to run a telnet script.

The important thing to know is that properly vendor-obtained Cisco IOS images should be used, secured (if available) and verified until this function is built into future IOS versions at startup. It would be best to check validity, alert staff, and have an FTP server update the image automatically when an improper image is detected.
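A script of the kind the article describes, added here as an example rather than taken from the article or from Cisco: it streams each image named in a known-good manifest through MD5 (the digest the article mentions) and SHA-512, compares the result with the published values, and reports every mismatch or missing file so staff can be alerted. The manifest digests and image contents are constructed test vectors (the standard digests of the bytes "abc"), not checksums of any real IOS image; the warning about MD5-only manifests reflects the general weakness of MD5 and assumes the vendor may publish a stronger digest alongside it.

```python
import hashlib
import os
import tempfile

# Known-good digests keyed by image filename, in the form a vendor download page
# publishes them. CONSTRUCTED: these are the standard test-vector digests of the
# three bytes b"abc", not checksums of any real Cisco IOS image.
MANIFEST = {
    "router-image.bin": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                  "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
    },
}


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return its MD5 and SHA-512 hex digests."""
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha512.update(chunk)
    return {"md5": md5.hexdigest(), "sha512": sha512.hexdigest()}


def verify_image(path, expected):
    """Compare one image with the published digests.

    Returns {"ok": bool, "mismatches": [...], "warnings": [...]}; ok is True
    only when every published digest matches the file on disk.
    """
    actual = file_digests(path)
    mismatches, warnings = [], []
    for algo, want in expected.items():
        if algo not in actual:
            mismatches.append(f"{algo}: algorithm not supported by this checker")
        elif actual[algo].lower() != want.lower():
            mismatches.append(f"{algo} mismatch: expected {want}, got {actual[algo]}")
    if set(expected) == {"md5"}:
        # MD5 collisions are practical; a matching MD5 alone is a weaker assurance.
        warnings.append("only an MD5 digest was published; prefer a SHA-2 digest when the vendor offers one")
    return {"ok": not mismatches, "mismatches": mismatches, "warnings": warnings}


def verify_directory(image_dir, manifest):
    """Check every image named in the manifest; a missing file is a failure, not a skip."""
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            report[name] = {"ok": False, "mismatches": ["file missing"], "warnings": []}
        else:
            report[name] = verify_image(path, expected)
    return report


def demo():
    """Write a genuine and a tampered copy of the constructed image and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as good_dir, tempfile.TemporaryDirectory() as bad_dir:
        good_path = os.path.join(good_dir, "router-image.bin")
        with open(good_path, "wb") as fh:
            fh.write(b"abc")                      # matches MANIFEST
        with open(os.path.join(bad_dir, "router-image.bin"), "wb") as fh:
            fh.write(b"abd")                      # one byte changed, same filename
        results["good"] = verify_directory(good_dir, MANIFEST)["router-image.bin"]
        results["tampered"] = verify_directory(bad_dir, MANIFEST)["router-image.bin"]
        results["md5_only"] = verify_image(good_path, {"md5": MANIFEST["router-image.bin"]["md5"]})
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "OK" if result["ok"] else "FAIL", result["mismatches"], result["warnings"])
```

The same functions apply to an image pulled back from a device over SCP or TFTP: copy it to the management host, run verify_image against the manifest entry for the version the device is supposed to run, and treat any mismatch as the trigger for the alerting and re-imaging step the paragraph above recommends.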

Similar Threats, Different Responses: Report
Tue, 15 Sep 2015 11:28:41 -0500

Large and Medium Companies Face Similar Cyber Threats: Report

Both large and medium size businesses face many of the same security threats—but often respond to them differently, a recent study conducted by Bitdefender and market research agency Millward Brown in the United States reveals.

According to the study, large and medium businesses are focused on security breaches, and review potential breach activity often. When it comes to large business managers, 46.1 percent of them review these activities every three months, but only 39.4 percent of medium businesses managers do the same.   

One of the attacks that these companies have experienced most recently is password cracking, with 24.7 percent of respondents revealing that they were targeted by such attacks in the past six months or less. These attacks tend to affect medium businesses the most: 26.8 percent of their CIOs confirmed this, while only 20.6 percent of large business CIOs claimed the same.

Businesses are also targeted by man-in-the-middle attacks at a high rate, with 21.2 percent of medium businesses revealing that they have experienced such attacks in the past six months or less. Only 11.8 percent of large businesses have reported similar attacks recently, the study showed.

When it comes to the protection measures employed by large and medium businesses, 30.7 percent of them rely on firewall technologies (29.8 percent of medium businesses and 32.4 percent of large businesses), while 26.7 percent of them use anti-malware solutions (24.2 percent of medium businesses, compared to 31.4 percent of large companies).  

The study also shows that both medium and large businesses try to improve their effectiveness in preventing malware breaches (47.3 percent of CIOs) and are looking to minimize the impact attacks have on system performance and user productivity (37.3 percent of respondents).

When it comes to timely customer support, 37.2 percent of large companies are interested in such activities, compared to only 23.2 percent of medium businesses, the study also revealed.  

“We’ve intuitively known that medium business tend to be more lax with security practices, as their immediate goals are to focus on growth and business development, rather than allocating large budgets for security,” said Liviu Arsene, Senior E-Threat Analyst at Bitdefender. “However, this makes them likely targets for cyber-attacks, as they usually work with large companies and attackers can leverage this to penetrate security defenses of larger companies that have granted medium businesses access to some parts of their infrastructure or data.”

Wireless Security 101
Wed, 09 Sep 2015 06:16:37 -0500

I read a recent article about an intrusion into a star’s home wireless network, which reflects the importance of home wireless security.

Not everyone is technology savvy, and many push to get something to function versus securing it to the extent that it should be. Even though the latest wireless routers will use the more up-to-date security configurations, there are older setups that may not be adequate.

WEP, WPA or WPA2 can be used on most routers. A WEP password can be obtained in short time.  Never use WEP if all devices can negotiate a more secure method.  WPA and WPA2 have both personal and enterprise configurations. Enterprise is the most secure but requires a certificate to be used.

A simple password may be easier to use when setting up your endpoint or to give out to visitors, but this means that a cyber surveyor would find it more accessible when trying to grab access to your network. It is important to create a complex password for both the wireless network and the administration of the device.

A few tricks for implementing initial protection would be to create an internal, HTTPS-only administrative connection. It is preferred to use a LAN-only administrative connection. Always browse through the configurations when setting the access point’s security. This allows familiarization with the settings and the ability to use the full functionality.

More recent routers have a Guest access partition.  The Guest network can give access to HTTP and HTTPS protocols without having direct access to the local network.  This doesn’t mean the security should be open or have simple security criteria.

Most modern routers have MAC address filtering and this is highly recommended.  It requires a little more effort but controls the devices that can connect to the network from the administrative port.  Potential intruders will not be able to connect even if the password is determined.  Some recommend not broadcasting the network but it can be picked up from an AP scanner anyway.

IP routers can use IPv4 or v6 addressing. I disable the v6 function, but if v6 addressing is used, the v6 firewall should be specified. AT&T U-verse routers have a highly configurable firewall and can augment security by not allowing different routes between the LAN and WAN ports.

Make sure you enable logging and back up the configuration if possible. Maintain a record of the device MACs that are connecting, and let someone know if you suspect someone of jacking your router for nefarious purposes. Do your best to keep your wireless router’s firmware up to date to address any security vulnerabilities.
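The record of connecting MACs that the last paragraph recommends, as an added Python example that is not part of the original post: it parses a dnsmasq-style DHCP lease file (the format many home and OpenWrt routers write: expiry, MAC, IP, hostname, client-id), normalises MAC addresses written in the different styles people use, and lists every device holding a lease that is not on a household allowlist. The lease lines and the allowlist are constructed for the example.

```python
import re

# CONSTRUCTED dnsmasq-style lease file, as written by many home and OpenWrt
# routers: <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>.
SAMPLE_LEASES = """\
1441800000 aa:bb:cc:dd:ee:01 192.168.1.10 living-room-tv 01:aa:bb:cc:dd:ee:01
1441801234 aa:bb:cc:dd:ee:02 192.168.1.11 alices-laptop *
1441802222 aa:bb:cc:dd:ee:03 192.168.1.12 * *
this line is malformed and is skipped
"""

# Household allowlist, deliberately written in the mixed notations people use.
ALLOWLIST = {"AA-BB-CC-DD-EE-01", "aabb.ccdd.ee02"}


def normalize_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff or bare hex; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Return (leases, skipped): one dict per well-formed line; malformed lines are
    reported rather than guessed at."""
    leases, skipped = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            if line.strip():
                skipped.append(line)
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            skipped.append(line)
            continue
        leases.append({
            "expires": int(fields[0]) if fields[0].isdigit() else None,
            "mac": mac,
            "ip": fields[2],
            "hostname": fields[3] if fields[3] != "*" else "(no hostname)",
        })
    return leases, skipped


def find_unknown_devices(leases, allowlist):
    """Devices holding a lease whose MAC is not on the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    return [lease for lease in leases if lease["mac"] not in allowed]


if __name__ == "__main__":
    leases, skipped = parse_leases(SAMPLE_LEASES)
    for dev in find_unknown_devices(leases, ALLOWLIST):
        print(f"unknown device: {dev['mac']} {dev['ip']} {dev['hostname']}")
    for line in skipped:
        print("skipped:", line)
```

Because a MAC address is chosen by the client and can be copied from an allowed device, a device that has done so will not appear in this list; treat it as an inventory and alerting aid that complements the router's MAC filter, password and logging rather than as a control that stands on its own.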

Webcast: Segmentation Beyond VLANs, Subnets, and Zones
Tue, 01 Sep 2015 10:31:39 -0500

Live Webcast: Wednesday, Sept. 2nd, 2015 at 1:00 pm ET

You already know the power of application segmentation to deliver data center and cloud security—now you can take segmentation to the next level. Nano-segmentation is finally a reality.

In 15 minutes, we’ll show you how nano-segmentation delivers the most granular, adaptive security across your data centers and public clouds.

Join Illumio and SecurityWeek for this interactive webcast to find out how to:

- Reduce your data center and cloud attack surface by 99%

- Quarantine compromised servers in seconds

- Achieve compliance in hours

Can't Make the Live Event? Register now and we'll email you a link to watch on demand.

A Guide to AWS Security
Thu, 20 Aug 2015 09:30:17 -0500

If you’re looking to migrate your business applications to a public cloud, the chances are that you’ve looked into Amazon Web Services. With its higher capacity and wide range of cloud services, AWS has become the most popular choice for businesses looking for the scalability and cost-effective storage that cloud computing offers.

Security in AWS is based on a shared responsibility model: Amazon provides and secures the infrastructure, and you are responsible for securing what you run on it.  This gives you greater control over your traffic and data, and encourages you to be proactive. However, before you go ahead and migrate your applications to AWS, here are some tips on how to manage and enforce security for maximum protection across your AWS and on-premises environments.

Understanding security groups

Amazon offers a virtual firewall facility for filtering the traffic that crosses your cloud network segment; but the way that AWS firewalls are managed differs slightly from the approach used by traditional firewalls.  The central component of AWS firewalls is the ‘security group’, which is essentially what other firewall vendors would call a policy, i.e. a collection of rules.  However, there are key differences between security groups and traditional firewall policies that need to be understood.

First, in AWS, there is no ‘action’ in the rule stating whether the traffic is allowed or dropped.  This is because all rules in AWS are positive and always allow the specified traffic, unlike traditional firewall rules; traffic that no rule allows is simply dropped.

Second, AWS rules let you specify the traffic source or the traffic destination, but not both in the same rule. For inbound rules, there is a source that states where the traffic comes from, but no destination telling it where to go.  For outbound rules it is the other way around: you can specify the destination but not the source. The reason for this is that the AWS security group always sets the unspecified side (source or destination, as the case may be) as the instance to which the security group is applied.

AWS is flexible in how it allows you to apply these rules. Single security groups can be applied to multiple instances, in the same way that you can apply a traditional security policy to multiple firewalls.  AWS also allows you to do the reverse: apply multiple security groups to a single instance, meaning that the instance inherits the rules from all the security groups that are associated with it.  This is one of the unique features of the Amazon offering, allowing you to create security groups for specific functions or operating systems, and then mix and match them to suit your business’ needs.

Managing outbound traffic

AWS does manage outbound traffic, but there are some differences in how it does this compared to conventional approaches that you need to be aware of.  With AWS, the user is not automatically guided through the settings for outbound traffic during the initial setup process.  The default setting is that all outbound traffic is allowed, in contrast to the default setting for inbound traffic which denies all traffic until rules are created.

Clearly, this is an insecure setting which can leave your organisation vulnerable to data loss, so it’s advisable to create rules that allow only specific outbound traffic, and protect data that is truly critical.  Because the AWS setup wizard doesn’t automatically take you through the outbound settings, you will need to create these rules manually and apply them.
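The following is an added example, not code from the article or from AlgoSec, that models the security-group semantics described in the two sections above: allow-only rules, inbound rules that name only a source and outbound rules only a destination, an instance inheriting the union of every attached group's rules, and a check for groups still carrying the default allow-all egress rule. The group data is constructed inline in the dictionary shape that boto3's `describe_security_groups()` returns, so nothing here talks to AWS.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: a web-tier group with a tightened egress rule and an
# admin group left at the AWS default egress ("all traffic to 0.0.0.0/0").
SAMPLE_GROUPS = {
    "sg-web": {
        "IpPermissions": [  # inbound: only a source is named
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [  # outbound: only a destination is named
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
    "sg-admin": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
        "IpPermissionsEgress": [  # default egress rule AWS creates
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
}


def _rule_matches(rule, proto, port, peer):
    """Every rule is an allow; it matches on protocol, port range and peer CIDR."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    return any(ip_address(peer) in ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def is_allowed(groups, attached, direction, proto, port, peer):
    """Effective decision for an instance: it inherits every rule from every
    attached group, so one matching rule in any group allows the traffic and
    the absence of a match drops it. `peer` is the source for inbound traffic
    and the destination for outbound traffic; the instance is the other side."""
    key = "IpPermissions" if direction == "inbound" else "IpPermissionsEgress"
    return any(_rule_matches(rule, proto, port, peer)
               for sg in attached for rule in groups[sg][key])


def open_egress_groups(groups):
    """Audit helper: group IDs whose egress still allows all traffic anywhere."""
    return [sg_id for sg_id, sg in groups.items()
            if any(rule["IpProtocol"] == "-1"
                   and any(r["CidrIp"] == "0.0.0.0/0" for r in rule["IpRanges"])
                   for rule in sg["IpPermissionsEgress"])]
```

Attaching `sg-admin` alongside `sg-web` silently reopens outbound traffic for the instance, which is exactly the inheritance effect worth auditing for before going to production.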

Auditing and compliance

Once you start using AWS in production, you need to remember that these applications are now subject to regulatory compliance and internal audits. Amazon does offer a couple of built-in features that help with this: Amazon CloudWatch, which acts as a health monitor and log server for your instances, and Amazon CloudTrail, which records and audits your API calls. However, if you are running a hybrid data centre environment, you will require additional compliance and auditing tools.

Depending on which industry you’re in and what type of data you handle, your business will be subject to different regulations – for example, if you process credit card information, you will be subject to PCI. So if you want to use your AWS cloud platform for this sensitive data, then you will need the right third-party security management products in place to provide you with the same reporting facilities that you would get with a conventional firewall.

The most important thing you need from a third-party solution is visibility of the policies from all security groups and of your whole hybrid estate, together with the same analysis and auditing capabilities as an on-site infrastructure, to give you a holistic view and management of your security environment.

Ultimately, it is your responsibility to secure everything that you put onto an AWS environment.  Considering these points and following the steps I’ve outlined will help to ensure that you protect your data and comply with regulatory requirements when migrating to AWS.

About the Author: Professor Avishai Wool is CTO of security policy management provider AlgoSec.
