Security Bytes

May 30, 2012  3:10 PM

Patriot Act cloud study debunks idea that location can protect cloud data from government

Marcia Savage Marcia Savage Profile: Marcia Savage

A bane for U.S.-based cloud providers for several months now has been the assumption among cloud customers and service providers outside the U.S. – especially in Europe – that the Patriot Act gives the U.S. more access to cloud data than other governments. The idea, then, is that it’s safer to store your data with a cloud provider in a location free from such governmental access. A recent study debunked this Patriot Act cloud notion by showing that, in fact, other governments have just as much access as the U.S. for national security or law enforcement reasons.

The study, published by the global law firm Hogan Lovells (.pdf), looked at the laws of ten countries, including the U.S., France, Germany, Canada and Japan, and found each one vested authority in the government to require a cloud service provider to disclose customer data. The study showed that even countries with strict privacy laws have anti-terrorism laws that allow for expedited government access to cloud data.

“On the fundamental question of governmental access to data in the cloud, we conclude …that it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities,” wrote Christopher Wolf, co-director of Hogan Lovells’ privacy and information practice, and Winston Maxwell, a partner in the firm’s Paris office.

In a blog post, Dave Asprey, vice president of cloud security at Trend Micro, said the research “proves a bigger point; that your data will be disclosed with or without your permission, and with or without your knowledge, if you’re in one of the 10 countries covered.”

The only solution to this problem, he added, is encryption. But how encryption keys are handled is critical; encryption keys need to be on a policy-based management server at another cloud provider or under your own control, Asprey wrote. Now, Trend Micro has a vested interest here since it provides encryption key management, but it’s a point worth noting for organizations concerned about protecting cloud data not just from governments, but from cybercriminals.

For another examination of the Patriot Act’s impact on cloud computing, check out the article by contributor Francoise Gilbert. She looks at the rules for the federal government to access data and how they undercut concerns about the Patriot Act and cloud providers based in the U.S.

May 24, 2012  1:24 PM

Lookingglass’ ScoutVision adds visibility in managing partner security risks

Robert Westervelt Robert Westervelt Profile: Robert Westervelt

For years, the mantra of the security industry has been to get enterprises to look internally for weaknesses and activity that can raise a red flag to a malware-infected machine or an employee with malicious intentions. But how do you know how secure your partners and clients are?

It’s not difficult to see the security risks posed by a contractor taking care of payroll, a managed services provider, or the string of businesses that make up the supply chain. A breach at any of those businesses could have a serious impact your company’s security. An enterprise CISO or IT director has little control over the security of their partner networks. Managing business partner security risks has been left to putting in protections in service-level agreements. From a technology perspective, enterprises can review the logs to look for suspicious behavior if partners are given access to company resources.

Derek Gabbard and his team at Lookingglass Cyber Solutions aim to change all that. The company’s technology, which is being used by a variety of government and financial organizations, can map out the networks of partners and clients and apply a layer of threat intelligence data to determine if there are any potential compromises. The technology provides companies with third-party risk management capabilities.

Called ScoutVision, the technology can get information about a company’s business partner networks once the partner’s IP address range is fed into it. It bases its threat analysis on security vendor intelligence feeds licensed by Lookingglass, honeypots and other proprietary threat intelligence data.Lookingglass monitors communication in cybercriminal networks. It ties intelligence on botnets and malware attacks to trace a threat back to a network that has been penetrated.

The company boasts that nearly 40 separate distinct sources of threat intelligence data are used in the analysis. It looks at dark IP space and passive DNS data globally. The service can provide all the threat intelligence data it has about the entire network and describe, for example, if it has 20 to 30 bad hosts, Gabbard said. For example, if any Microsoft IP addresses have been communicating directly with a darknet, the company can characterize the nature of the communication to determine the nature of the threat.

Gabbard was CTO of network traffic analysis firm Soteria Network Technologies, a firm that appears to be synonymous with Lookingglass. Soteria has had a number of contracts with the Department of Homeland Security. He served as senior member of the technical staff at Carnegie Mellon University’s CERT Coordination Center. Gabbard told me that up until now companies have been focusing internally with little regard to the security of their partner systems.

I can’t find a company that is taking Lookingglass’ approach. SIEM systems such as HP Arcsight, and network appliances like RSA Netwitness or Solera Networks, don’t provide external network visibility in the same context, Gabbard said. The technology could eventually be integrated with a network appliance, he said. As CEO of Lookingglass, Gabbard is looking to extend ScoutVision to a broader set of customers.

So what does a company do with the threat data provided by Lookingglass?

Gabbard said he believes the information gleaned by the service can be actionable. The first commercial customers consisted of pilot projects conducted in 2010. So far the service has resulted in mainly reporting and phone calls to third parties. Some early adopters create reports and inform their partners of the potential security issues. Depending on their relationship, they’ll say “hey, your network’s messed up,” he said. “Clean it up or we’ll have to restrict access.”

The firm is gaining interest. In January, the fledgling company received $5 million in funding from Alsop Louie Partners, a firm that includes Gilman Louie, the founder and former CEO of In-Q-Tel – the investment arm of the Central Intelligence Agency. It will be interesting to watch if other security vendors attempt to take a similar approach with existing security appliances. The potential exists to apply the technology to companies with an extensive supply chain.

May 24, 2012  12:27 PM

A bold view on prioritizing computer security laws

Jane Wright Jane Wright Profile: Jane Wright

Ethical hackers hired by an organization to assess its vulnerabilities must always be careful to not “cross the line” and get themselves into trouble with the law. With all the computer security laws in the U.S., it can be a challenge for ethical hackers to ensure they are obeying all the laws.

But according to David Snead, an attorney in Washington D.C. who frequently represents IT security providers and consultants, it is possible to focus on just a handful of laws to avoid lawsuits and stay out of jail.

During a session at the Source Conference in Boston last month, Snead listed the overwhelming number of laws related to IT security in the U.S. But ethical hackers can focus on just three laws that are most likely to lead to litigation, according to Snead:

Computer Fraud and Abuse Act (CFAA), which makes it illegal to access a computer or network without proper authorization.
• Wiretap Act, which can be applied to packet sniffing.
• Stored Communications Act (SCA), which can be applied to any email that was meant to be confidential.

Similarly, each state has different laws, and few organizations have the time or resources to ensure they are compliant in all 50 states. Snead recommended ethical hackers and security consultant assist their client organizations by ensuring they are compliant in just three states, at least initially. The three states should be:

• The organization’s own headquarter state;
• The state where most of the organization’s employees work;
• The state where most of the organization’s customers live or work.

In some cases, these three scenarios may point to just one or two states, making the consultant’s job that much easier.

In my view, Snead was bold to make these recommendations. Many lawyers, when asked which IT security laws their clients should obey, would probably say, “All of them.” But Snead’s advice comes from a real-world perspective, and it’s this kind of realistic advice that’s greatly appreciated by security practitioners — especially the many independent penetration testers out there — who are often grappling with their budgets.

Still, security pros must understand the risks of following this advice. As Snead explained, triaging the laws this way will avert most legal problems. But the pen tester’s client organization could still get tripped up by a lesser-known law if a creative prosecutor convinces the court it applies to the organization’s security practices.

May 23, 2012  1:49 PM

Officials name FedRAMP cloud security assessors

Robert Westervelt Robert Westervelt Profile: Robert Westervelt

It’s anyone’s guess how the FedRAMP cloud security initiative will pan out, but the pieces are coming together. Last week, the U.S. General Services Administration released an initial list of approved third-party assessment organizations (3PAOs).

Launched by the Obama administration in December, the Federal Risk and Authorization Management Program (FedRAMP) aims to set a standard approach for assessing the security of cloud services. The goal is to cut the cost and time spent on agency cloud assessments and authorizations.

3PAOs will assess cloud service providers’ security controls to validate they meet FedRAMP requirements. Their assessments will be reviewed by the FedRAMP Joint Authorization Board, which can grant provisional authorizations that federal agencies can use.

Here’s the list of accredited 3PAOs: COACT, Department of Transportation Enterprise Service Center, Dynamics Research Corp., J.D. Biggs and Associates, Knowledge Consulting Group, Logyx,  Lunarline, SRA International and Veris Group.

If you’re wondering how these companies became 3PAOs, they had to submit an application demonstrating technical competence in assessing security of cloud-based systems, according to the GSA. They also had to meet ISO/IEC 17020:1998 requirements for companies performing assessments.

When I wrote about FedRAMP earlier this year, the program drew praise, criticism and cautious optimism. Will it get bogged down in bureaucracy? Will it become simply another paper-pushing compliance exercise? Will it help advance cloud security standards for the private sector? Hard to say how long it will take until we know those answers, but at least FedRAMP appears to be on schedule.  With the release of the 3PAOs, the program moves closer its target of becoming operational next month.

I’m planning to speak with one of the 3PAOs tomorrow; hopefully I’ll have some additional information from that interview about the 3PAO process and FedRAMP in general. If I do, I’ll post it on

May 17, 2012  1:02 PM

Division of CISO responsibilities may prevent burnout

Jane Wright Jane Wright Profile: Jane Wright

Chief information security officers have a lot on their plate. Between data protection, malware detection, compliance regulations, social media security, mobile device management (MDM) and many more areas that fall into the realm of the security team, the chief information security officer (CISO) is obliged to wear many hats each day.

A recent survey by IBM highlighted this multitude of CISO responsibilities. In the report, Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer assessment(.pdf), IBM said the ideal CISO must “assume a business leadership position and dispel the idea that information security is a technology support function. Their purview must encompass education and cultural change, not just security technology and processes. Leaders will need to reorient their security organizations around proactive risk management rather than crisis response and compliance. And the management of information security must migrate from discrete and fragmented initiatives to an integrated, systemic approach.” 

That’s a tall order, and trying to accomplish it all could lead to CISO burnout. It’s not so much that there’s too much to do (although there is). The real problem causing CISOs to reach for the Pepto Bismol is there are too many conflicting demands coming at them from different angles.

But changes to the CISO role may be on the way, according to Jon Olstik, a security analyst at research firm Enterprise Strategy Group. Olstik believes the CISO function will naturally and of necessity divide into two roles: CSO and CISTO.

The chief security officer (CSO) will focus on the intersection of risk and business. The CSO will deal with compliance and legal issues, and be the person who goes before the board of directors to explain the expected return on a $1 million security investment.

The chief information security technology office (CISTO) will focus on IT security architecture and infrastructure. The CISTO will handle security controls, including monitoring and reporting the company’s defenses.

Olstik sums it up like this: CSOs create cybersecurity policies; CISTOs enforce them.

Allocating responsibilities in this way will probably be greatly appreciated by today’s overburdened CISOs. Training programs could focus on the two different career paths, and security professionals could aspire in the direction that best suits their personalities and skills. 


May 16, 2012  9:27 PM

Peter Kuper: VCs renewing their love affair with security companies

Michael Mimoso Profile: maxsteel

Information security spending is thought to be recession proof, but does it have the legs to outrun the current downturn? In-Q-Tel partner Peter Kuper thinks so, but there are still some rough times ahead.

Kuper, who has handled some high-profile IPOs in the security market, told Information Security Decisions 2012 attendees this week in New York City to stop spending on technology that doesn’t work. Investments in legacy security standbys (hello AV, firewalls et. al.) need to be tempered. Maybe Kuper has a vested interest in his remarks, but he’s also right. Signature-based defenses don’t work anymore. Kuper said it; analysts tell you the same thing and so do research firms. The Verizon Data Breach Investigations Report is probably the most sobering barometer of the ineffectiveness of today’s security technology: 96% of the attacks behind the breaches Verizon investigated were not complicated attacks; 97% could have been prevented with rudimentary controls; 92% of incidents were discovered by a third party, and only after months of constant infection.

Checkbox security ran by PCI and other mandates is heavily to blame here as well. Security managers are using compliance as a life preserver and to beg for budget. Budgets, meanwhile, are largely flat to slightly up, yet companies are nearly 100% owned.

“Where is the ROI there?” Kuper asked. “You’re asking for increased budget, yet three-quarters of you get your butt handed to you in minutes or less. How is that a good ROI for a CFO? Try explaining that to someone that doesn’t understand security.”

Couple that with some weak economic indicators that foreshadow another downturn-despite the market being back to pre-recession 2007 levels-and you’ve got a rocky road ahead friends.

Looking for a silver lining? OK. Venture capital firms are looking at security companies, and acquisitions are still happening in security, which are indications of innovation and some areas of strength. SIM vendors were the last market segment in play with Q1 Labs (IBM), Nitro Security (McAfee), LogLogic (Tibco) and ArcSight (HP) getting scooped up by larger vendors. Palo Alto, meanwhile, is going public soon, Kuper said, after booking $200 million last summer alone. Qualys is also perpetually in the IPO conversation. Sourcefire has been public since 2007, and after a rocky start, is trading 113% higher than last year.

“VCs were not investing much in security for a long while,” Kuper said. “But security is looking good again. I know a lot of VCs and they’re starting to call back. VCs are making money in security investing in innovative technology. It’s a good sign VCs are investing. Innovation cycles are up and a lot of good companies are getting funding.”

May 16, 2012  2:52 PM

Cloud security issues: Provider transparency, data-centric security

Marcia Savage Marcia Savage Profile: Marcia Savage

At an event last week in San Francisco that covered a variety of cloud security issues, infosec expert Kevin Walker told attendees to be aggressive with cloud service providers and hold them accountable when it comes to security.

“The key for us practitioners is to go into this with eyes wide open,” said Walker, who has held senior security positions at Symantec and Cisco, among other global firms. He spoke at the Cloud Security Symposium, which was sponsored by Trend Micro.

The traditional focus on building fortresses with firewalls and IPSes won’t translate to the cloud, he said.  Cloud provider requirements include increased transparency about their operations and how they detect rogue tenants, and information security pros need to be aggressive in making sure providers meet security requirements, he said.

That’s certainly easier said than done, especially when business units are going around IT and signing up on Amazon. It’s a hard to press for security when you don’t even know what cloud services your company is using.

In many cases, lines of business aren’t waiting for IT when they need something – they simply use their credit card to buy cloud services, said JJ DiGeronimo, senior accelerate practice manager and cloud strategist at VMware. “IT departments have true competition from outside service providers,” she told attendees.

“People are used to securing a box, but now we’re moving to securing the data,” she said. “Data is going to sit everywhere and you’ll have to manage it regardless of where it sits.”

Data-centric security has been an ongoing theme in the industry for several years as corporate network boundaries crumble as employees increasingly become more mobile. Enterprise adoption of cloud computing is becoming yet another driver.

“If you can’t control the systems anymore. … That’s the only way to do it [security] — to protect the data,” Trend Micro CTO Raimund Genes told me in an interview.

Trend Micro naturally has a vested interest in this trend – the company sells encryption products including a key management service for cloud and virtual environments – but it does make sense given that enterprise data is increasingly flowing to cloud environments and becoming harder to track. Maybe the rise of cloud computing will help push data-centric security into the mainstream.

In the meantime, if you’re looking for ways to track down unauthorized use of cloud services by your developers or sales executives, we published tips in this article.

May 10, 2012  1:01 PM

Going after the middlemen in the fight against financial cybercrime

Jane Wright Jane Wright Profile: Jane Wright

In the world of financial cybercrime, there are three primary groups of fraudsters at work. First up are the developers who write the applications to grab credit card and bank account data. In the middle are the “carders” who sell the ill-gotten data to, if you will, end users. The final group consists of these users or buyers who pay for the hot data and use it to make purchases or move funds to their own accounts.

Those fighting the battles have to make tough decisions about where to focus their resources. Should they go after the developers, the carders or the end users of the stolen financial data? The answer is surely a multi-pronged approach, with different tactics aimed at flushing out and stopping each group of criminals.

Law enforcement officials recently trained their sights on the middle group. In Operation Wreaking hAVoC, the FBI worked with the Serious Organized Crime Agency (SOCA) in the U.K. and authorities in other countries to shut down 36 carder sites. (The word hAVoC reflects the Automated Vending Carts, or AVCs, which are websites used by carders to sell financial information.)

SOCA said the successful operation will reduce international financial crime by ₤500 million (or more than $800 million) in the coming years. A SOCA representative told me they came to this figure by considering the average cost of the damage that could be incurred from each piece of stolen financial data. Credit card numbers with CVV codes have a damage value of up to $500 in the U.S. or ₤200 in the U.K., he said. If a full data dump from the card’s magnetic strip is included, or if bank account details are associated with the card, the potential damages go up significantly.

Operation hAVoC is a good example of the effective ways law enforcement agencies around the world can work together to successfully combat global networks of cybercriminals. But they won’t be able to bask in their success for long. Other carders are probably already dusting off their wares and pulling their vending carts onto the streets.

May 9, 2012  5:59 PM

Organizations lagging on cloud security training, survey shows

Marcia Savage Marcia Savage Profile: Marcia Savage

Symantec recently released some interesting findings from a survey the company conducted with the Cloud Security Alliance at the CSA Summit in February. The survey went beyond the usual sorts of basic questions to delve into organizations’ knowledge of cloud security. The results – albeit from a small sample size (128 respondents) — were a bit curious.

While 63% rated their cloud security efforts as good, 58% said their staff isn’t well prepared to secure their use of public cloud services. And although 68% said they think cloud security training is important for their organizations’ ability to use public cloud services, less than half (48%) planned to attend cloud security training over the next year. Eighty-six percent of respondents said protecting their organizations’ data was the top factor driving them to cloud security training.

In a blog post, Dave Elliott, senior product marketing manager of global cloud marketing at Symantec, summarized the survey findings:

“In short, what this survey reveals is that it’s important to have your own security for the cloud but that IT staff are not yet well prepared to secure the cloud.”

He added, “Cloud security needs leadership, and it requires standardized training and skills that will enable IT staff to confidently move into the cloud.”

Now, Symantec has a vested interest in promoting cloud security training – it’s partnered with the CSA to offer training for the CSA’s Certificate of Cloud Security Knowledge (CCSK). But if organizations don’t feel prepared for securing cloud computing deployments, it’s a little strange more aren’t seeking out cloud security training for their staff.

I recall seeing a discussion on LinkedIn a few months ago in which security pros debated the value of the CCSK. Some noted that employers don’t recognize the relatively new certification. That will probably change sooner than later, though, as cloud services become more prevalent in the enterprise.

Interestingly, 56% of respondents to the Symantec-CSA survey said advancing their careers was a major factor in their decision to attend cloud security training.

May 9, 2012  4:48 PM

Windows exploits: Data finds Windows Vista infections outpace Windows XP

Robert Westervelt Robert Westervelt Profile: Robert Westervelt

When Microsoft issued version 12 of its Security Intelligence Report (.pdf) last month, its marketing machine had one message it wanted journalists to communicate to businesses: Conficker worm infections are a serious concern.

The messaging about Conficker was extremely strong. Prior to a briefing with a Microsoft executive, reporters were given a slide deck largely void of information except for data about Conficker; Microsoft’s 126-page report had been boiled down to 16 slides. Microsoft proclaimed Conficker as “the No. 1 threat facing businesses over the past 2.5 years.” It was “detected on 1.7 million machines in the fourth quarter of 2011; it was “detected almost 220 million times since 2009;” and there has been a 225% increase in quarterly detections since 2009, Microsoft said.

It sounds alarming, but that’s just marketing at its worst.

Conficker has no payload. There are no cybercriminals controlling it. The worm itself was designed to spread quickly to establish the infrastructure for a botnet. Once it’s installed on an infected machine it opens connections to receive instructions from a remote server. But that function has been neutralized by the Conficker Working Group, which uses the worm’s broken domain algorithm to block it from receiving data.

If Conficker isn’t a serious threat, what is? Here are a few data points to consider from the Microsoft SIR that may be more important than Microsoft’s Conficker message:

Windows exploits rise significantly:  Operating System exploits, specifically targeting Microsoft Windows, skyrocketed by 100% in 2011.

Despite a security update in August 2010 addressing a publicly disclosed vulnerability in Windows Shell, attackers have been successfully targeting the flaw using malicious shortcut files. Exploits against the vulnerability and several others that were detected by Microsoft increased from 400,000 in the first quarter of 2011, to more than 800,000 in the fourth quarter of 2011. The statistics point to the Ramnit worm as the culprit targeting the flaw. It was recently detected transforming into financial malware capable of draining bank accounts.

The other Microsoft Windows flaw being targeted was a Microsoft Windows Help and Support Center vulnerability that can be targeted via a drive-by attack. It was repaired in a security update issued in July 2010.

Windows Vista infection rate higher than Windows XP: The infection rate for 32- and 64-bit editions of Windows Vista SP1 and the 64-bit edition of Windows Vista SP2 outpaced Windows XP SP3. Microsoft says attackers are targeting the newer platforms because companies are migrating to them. Infection rates for the 64-bit editions of Windows Vista and Windows 7 have increased since the first half of 2011, Microsoft said.

Microsoft said the increase is also due to detection signatures it added to its Malicious Software Removal Tool for several malware families in the second half of 2011. “Detections of these families increased significantly on all of the supported platforms after MSRT coverage was added,” the company said in its report. In addition, a security update addressing the Windows Autorun feature in Windows was issued last year and was likely a major factor in driving down the infection rate in Windows XP, the software maker said.

Java exploits are out of control: Java, which is platform independent, has no doubt become a favorite attack tool of cybercriminals. Combined, the top six Java exploits represented millions of unique infections, according to the Microsoft SIR. Exploits delivered through HTML or JavaScript skyrocketed in the second half of 2011. A single Sun Java Runtime vulnerability is responsible for 1.4 million infections in the fourth quarter of 2011. There was an explosion of infections in the fourth quarter of a single Java vulnerability using a MIDI file with a malicious MixerSequencer. Most of the activity is driven by the Black Hole Exploit Kit.

Adobe Reader, Acrobat attacks: While not out of control, it continues to be a favorite attack method of cybercriminals. “Exploits that affect Adobe Reader and Adobe Acrobat accounted for most document format exploits detected throughout the last four quarters.” There were nearly 1 million of them.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: