You’d have to be a serious security curmudgeon to try to pick holes in the Microsoft SDL. The company’s security development lifecycle grew out of the Trustworthy Computing initiative, which turned 10 years old this year, and in many organizations, it sets the standard for secure development practices. At a minimum, it put secure development into the consciousness of many organizations and inspired a lot of companies to adopt bits and pieces, if not all, of the SDL.
No program is perfect, however.
Two security program managers working in the Microsoft Security Response Center (MSRC) shared a story during the SOURCE Boston Conference last week that’s worth repeating. It seems not too long ago, a security researcher reported a fairly serious vulnerability to Microsoft via its email@example.com email address. Turns out, however, that Microsoft’s spam filter kicked in and the vulnerability sat in limbo for months in a spam folder (sometimes it’s the simplest details that get ya).
The researcher waited a responsible, er, respectable period of time, and eventually went public with details on the vulnerability, thinking Microsoft had ignored the researcher’s efforts. Once the details went full disclosure, Microsoft had to rush an out-of-band fix for the vulnerability; the two program managers refused to reveal the flaw last week.
“Don’t trust spam filtering,” said Jeremy Tinder, one of the managers. “This one was a crisis. Now we read them all (up to 500 a day). We have dedicated individuals to this triage stage of our security response.”
Tinder and his colleague David Seidman explained the MSRC’s role in the SDL at Microsoft and how vulnerabilities are handled once reported—and suggested these are minimal steps that organizations building their own software could follow. It’s a well-reported process that involves several stages:
· Triage: Microsoft determines whether a reported vulnerability is a security issue or, for example, a coding or configuration error.
· Reproduce the issue: Microsoft tries to reproduce the security bug with the information provided by the researcher who reported it.
· Analyze the root cause: Once the MSRC is able to reproduce the issue, it determines how much user interaction is required to trigger it, and whether the affected configuration is one that is widely used by customers.
· Planning: Schedule a fix and move forward after determining the scope of what needs to be fixed and any variants that could also trigger the vulnerability.
· Variant testing/investigation: This is a critical stage where all possible variants are tested before releasing a fix; the last thing the MSRC wants to do is release a fix and then have to re-release it.
· Implementation: The MSRC starts developing fixes immediately and tests in parallel. It also tests whether other fixes cause regressions.
· Verification: Functional and regression testing is done here to ensure the patch fixes all attack vectors, doesn’t revert previous patches and doesn’t break applications.
· Release: More than a click of a button, Tinder and Seidman said. It involves having the infrastructure in place to push automatic downloads of patches, or to give enterprises the ability to choose when and how to apply fixes.
Ultimately, the MSRC shoots for 60 to 90 days to turn around a patch, depending on testing and any issues that could arise and cause a regression forcing the MSRC to start over.
And oh yeah, check those spam folders.
Many IT managers in the U.K. are in a quandary right now as they decide how, and how far, to comply with the impending European “cookie law.” IT managers in the U.S. will soon face the same dilemma.
The dilemma doesn’t stop with the U.K. Other countries in the European Union will likely implement the Privacy and Electronic Communications Regulations (PECR) soon, so organizations operating anywhere in Europe will need to develop a cookie compliance strategy. It’s not an easy task, though, when a lot of the details remain unclear. For example, it is not yet known how the U.K. Information Commissioner’s Office (ICO) will find out about errant websites, or whether the ICO will respond to non-compliance with fines or just warnings, at least at first.
U.S. organizations are equally baffled by the cookie law. Must a U.S.-based organization comply if it serves customers in the UK or anywhere in the European Union? Does it matter where the website is hosted? To answer these questions, we’ve recently published two articles offering advice for U.S. organizations contemplating the cookie law. But even our two expert contributors do not agree on the best course of action. One expert advises U.S. organizations to begin taking proactive steps toward compliance, while another suggests U.S. organizations hold off for now.
As the enforcement date draws near, SearchSecurity.co.UK will continue to bring you updated news and advice from a variety of expert perspectives so you can decide on the best strategy for your organization.
The rush to the cloud can often make security an afterthought, but if recent funding announcements are any indication, the VC community wants to reverse that trend.
CloudPassage, CloudLock and Symplified are among the cloud security vendors winning funding this year.
San Francisco-based CloudPassage announced last week that it won $14 million in funding. The company said it would use the money, which brings its total funding to $21 million, to further market and develop its Halo cloud server security platform.
In late March, Waltham, Mass.-based CloudLock said it raised $8.7 million in funding to expand its engineering and sales efforts and extend its cloud security technologies to new platforms. The cloud security vendor provides a security SaaS add-on for Google Apps. When I met with Tsahy Shapsa, CloudLock co-founder and vice president of sales and marketing, at the RSA Conference 2012, he said the company planned to expand its service to protect other cloud platforms.
Earlier this year, Boulder, Colo.-based Symplified garnered a whopping $20 million in VC financing led by Ignition Partners.
When announcing the CloudLock funding, Luke Burns, a partner with Ascent Venture Partners — CloudLock’s new investor — noted that increased collaboration is a major benefit of cloud computing, but organizations “lose sight and control of the data being shared, both internally and externally.” CloudLock, he added, bridges a “critical, emerging security gap.”
Meanwhile, Brian Melton, managing director at Tenaya Capital – which led CloudPassage’s latest funding – said the cloud security vendor’s technology addresses a large market opportunity. He noted that security has been a “key barrier to cloud adoption.”
The fact that VCs see cloud security as an opportunity is a promising sign. It should help cloud service providers understand that security is critical and provide cloud users with more options for securing their cloud environments.
How do you define a security threat? If you’re like most IT security professionals, your security threat definition is probably: “The potential occurrence of an attack against an organization’s infrastructure and assets.”
If this was a pop quiz, you could get half credit for that answer. It’s partly true, but it’s not the whole answer, and it’s not the answer your executive leaders and board of directors need to hear.
Christopher Armstrong, CISO of Livermore, Calif.-based Allgress Inc., popped this quiz on the audience during a business risk session at SecureWorld last month, and almost everyone gave the IT-centric answer above. But Armstrong made a strong case for changing our perspective when we talk about security threats.
When you talk to a CEO or a board member about the threats to his or her organization, Armstrong said, there’s no need to go into great detail about the type of attack that may occur, the motivation of the attacker, etc. All he or she really wants to know is: What will it cost us? And, what’s the probability it will happen?
Telling the CEO or the board that a widespread threat could steal your sensitive customer data isn’t likely to get you the funding you need to stop that threat. But tell them the threat could cost the organization $10 million and there’s a 50% chance it will happen, and they just may open the checkbook for you.
By looking at security projects from a board member’s perspective, as well as your own infosec perspective, you’re more likely to get the resources you need to advance your security initiatives.
Cloud transparency remains a highly coveted but seemingly elusive wish for organizations. How can you trust a cloud provider with your data if you don’t know what security controls they implement? You can get details under NDA, but how can you compare that provider’s controls with another’s to make an educated buying decision?
But there is a glimmer of hope on the horizon. The Cloud Security Alliance’s (CSA) Security, Trust and Assurance Registry (STAR), which aims to provide a standards-based public repository of cloud provider security controls, is slowly growing. Launched last August, CSA’s STAR recently added SHI International to the three other providers publishing documentation of their controls: Microsoft, Mimecast and Solutionary. On March 30, Microsoft published a self-assessment of Windows Azure to add to its Office 365 documentation. Last week, it published a self-assessment for Microsoft Dynamics CRM Online.
The Windows Azure STAR documentation provides an overview of how core Azure services meet the requirements listed in the CSA’s Cloud Controls Matrix. Microsoft maps its security practices to the CCM guidance in 11 areas, including data governance, resiliency, risk management and security architecture. The software giant produced a video interview about the Azure STAR assessment on its Trustworthy Computing Blog.
Obviously, STAR needs more cloud providers participating to be an effective tool for cloud users, but with a major provider such as Microsoft taking the lead, one can hope it will lead more providers to step up. At the RSA Conference 2012, CSA Executive Director Jim Reavis told me he expected several providers to participate in the next two to three months, which would “force their peers to do this more wholeheartedly.”
He added that he would be surprised if any of the major providers are not in the registry by the end of this year. Let’s hope that’s the case.
There probably isn’t a more consistent theme we write about than the alignment of IT security with business goals: Understand your business first, then build your security empire to support and protect the business; lofty goals and heady stuff for sure.
I’m as guilty as anyone of writing stuff centered on the notion of alignment. But maybe that’s too abstract a notion? Maybe it’s the word “goals” that’s off? Maybe we should be writing about the alignment of security with business mandates? The goal of the majority of, if not all, businesses is to make money. And IT security leaders certainly don’t call the shots inside an enterprise. You’re told what to do, what to buy and when to buy it. If your CIO or CFO says your top priority is SOX compliance, guess what’s at the top of your to-do list every day?
It’s easy for journalists or industry experts, like last week’s panel at InfoSecWorld, to wedge ourselves onto a lofty perch atop that ivory tower and pontificate about what those who hold actual enterprise security management titles should be doing with their programs, policies and buying decisions. But how often is it realistic for a CISO to march into the CFO’s office, stomp their feet and hold their breath until they turn blue or until the CFO signs off on a major overhaul of the perimeter security investments someone else made 10 years ago?
Ideally, those things should be overhauled because they don’t work anymore. But the Titanic couldn’t turn on a dime 100 years ago, and neither does big business today. Other priorities that make money get the attention of business decision makers before budgeting for the latest and greatest security widget is stamped “approved” by the CFO or CEO.
Taking shots at security managers who are handed a budget that essentially maintains the status quo does nothing to advance the industry. Taking shots at security managers who have no choice but to listen to auditors first does nothing to advance the industry.
Ideally, yes, alignment of security and business goals is awesome. You do need to know how and why your business makes money. You do need to prioritize your efforts in that direction. You do need to understand who your adversaries are and what tactics they’re using to penetrate your defenses. But at the end of the day, if your boss tells you to do something that keeps you from being idealistic, that doesn’t necessarily mean you’re not a leader or not a good security manager. It just means you’re employed.
BOSTON — Privacy is a fog rolling in over the land. That’s how Jeff Northrup, IT director of the International Association of Privacy, described personal information privacy during his presentation at the SecureWorld conference last week. The fog is thick over some countries, especially in Europe, and rather light over the U.S., but that will change soon. Northrup advised IT professionals in the U.S. to draw a map through the fog now to avoid crashing into problems and penalties later.
Evidence of a rapidly changing data privacy landscape is plentiful. The Obama administration just released its U.S. Privacy Bill of Rights, which would grant individuals more control over how their information is collected and managed, and increase transparency in privacy policies. Many observers believe it has a good chance of becoming law. Also, the FTC recently slapped Google and Facebook with penalties after users complained of privacy abuses; Google will now undergo 20 years of independent privacy audits, and Facebook may face similar chastisement from the FTC.
These incidents are just a few of the signs that security professionals need to amp up privacy projects before their organizations run afoul of current or future U.S. data privacy laws. Where to start? Northrup suggested organizations take an inventory of every piece of personal information they collect, and note why it is collected and where it is stored. This can be a daunting task, but many organizations already have some of the pieces in place as part of their compliance programs or DLP projects. Any information that does not have a clear business purpose (and the marketing team’s desire to send email blasts to a million relative strangers does not count as a “business purpose”) should be deleted or stored only on an as-needed, transient basis.
By taking steps toward greater transparency and giving users more control over how their information is used, organizations will be better prepared to navigate out of the fog.
Another day, another security information and event management vendor acquired. Well, OK, the deals aren’t that frequent, but standalone SIEM vendors have become popular acquisition targets. On Tuesday, TIBCO Software announced that it inked a deal to acquire SIEM vendor LogLogic.
Last fall, IBM bought SIEM vendor Q1 Labs and McAfee acquired NitroSecurity. SolarWinds, an IT management software company, bought TriGeo, a SIEM provider that targeted midsize companies. In 2010, HP bought ArcSight and Trustwave acquired Intellitactics.
The TIBCO-LogLogic deal is a bit unusual – TIBCO is an integration software company and an unfamiliar entity in the security market. Palo Alto, Calif.-based TIBCO said the deal will expand its operational intelligence offerings while giving customers the ability to monitor threats, assess risks and address threats. The company is also describing the deal as a big data play.
“Enterprises must be able to analyze big data, including machine data generated from across their various systems, to gain comprehensive, real-time insights into critical business questions relating to compliance, security and operations,” the company said. “LogLogic will build upon TIBCO’s proven capabilities in event processing and in-memory analytics.”
San Jose, Calif.-based LogLogic touts its ability to provide SIEM and log management capabilities in a single architecture.
SIEM suppliers such as HP and IBM have been talking up the technology’s future as providing analytics and a comprehensive view of an organization’s threat environment. Time will tell if their efforts – and now TIBCO’s – will pan out.
It’s becoming a pretty safe bet that the reported Global Payments credit card security breach isn’t the only big breach out there. Visa and MasterCard, without naming Global Payments, reported a payment processor had been popped between Jan. 21 and Feb. 25. Global Payments Chairman and CEO Paul Garcia, however, said yesterday that his company discovered the hack in early March and that’s when it reported the breach to law enforcement and hired outside security help.
Likely there’s another shoe to drop. Brian Krebs has been killing it on this story, and he wrote yesterday on his blog and was quoted in an ABC News story that his initial report that 10 million payment records had been stolen could have been about a breach at another processor that has not been disclosed yet. Only 1.5 million have been attributed to the Global Payments breach so far.
Clearly, we’re not past the big data breach. Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.
Over the weekend, Visa and MasterCard delisted Global Payments as PCI compliant, which indicates something nasty is going on with this breach behind the scenes. Maybe there isn’t another processor involved, but rather a deeper penetration into Global Payments that isn’t being reported until investigators say so. Martin McKeay, a former PCI QSA, has a good blow-by-blow account of what happens to card data from the time it’s swiped, and how it moves through merchant and processor networks. There are plenty of places where data is exposed and security can fall down, and processors such as Global Payments have to continuously check these access and egress points, not just when it’s time for the PCI auditor to show up.
Other processors have been delisted before: Heartland Payment Systems and RBS WorldPay in 2009, and CardSystems in 2005, which went out of business soon after. Global Payments said the reported breach (it says only Track 2 data has been stolen—account numbers and encrypted PINs) has been contained and no fraudulent transactions have been reported. Yet there’s a specter hanging over this story and Global Payments. Chances are, they’re not out of the woods yet, and should the company fall, a la CardSystems, it’s another reminder that basic security measures still count, and hiding in the weeds hoping not to get hacked is a fool’s errand.
ORLANDO – If you’re currently evaluating mobile device management software, you may want to stop and instead conduct a thorough assessment to figure out your exact requirements before making that investment. In fact, two security experts at the 2012 InfoSec World Conference and Expo here in Orlando say some enterprises may not have an immediate need to buy a mobile device management (MDM) platform. In-house capabilities, such as Microsoft Exchange ActiveSync (EAS), provide a foundation for mobile device protection and can already use certain Apple iOS and Google Android device security features.
There’s a trade-off, explained Lisa Phifer, owner and consultant of Core Competence Inc. EAS is severely limited in the control it provides to employee-owned devices. If all the organization needs is to enforce password and PIN length and have remote wipe capabilities for iOS devices, it works. Android capabilities are even more restricted, Phifer said. Depending on the Android firmware version and the carrier limitations placed on devices, companies may have the ability to use EAS for remote wipe, resetting the device to the factory default condition and enforcing the use of a device password.
During a session here in Orlando, Phifer and Diana Kelley, a consultant with Security Curve, demonstrated mobile device management platforms from AirWatch and Fiberlink. The two platforms are two of dozens of MDM offerings vying for the attention of enterprises looking to gain visibility and control – some semblance of security – over the whole bring your own device (BYOD) movement.
Kelley said early adopters of MDM platforms sometimes are convinced to buy and deploy it, but then suddenly realize they don’t know how to manage the tool or exactly what they want to get out of it. These enterprises sometimes lack any formal mobile device security policies or sometimes they’re mismatched, she said. Senior-level executives have few restrictions on their devices, while sales staff and other employees are given device limitations. Ultimately, an attacker will find a weakness, she said.
So what exactly are the benefits of an MDM platform? MDM tools can help bring those policy mismatches in line by managing which users require the most restrictions based on their role. They provide a common management umbrella for device diversity; they typically can embed additional security capabilities onto the device such as a third-party VPN, antimalware or a secure data container. They can also help monitor and enforce security policies – but those policies have to be well defined and communicated to employees, Kelley said. Let people know what the penalty is for violating that policy.
MDM platforms can also create a framework for the enterprise to provide troubleshooting, support and expense management capabilities. Self-service portals controlled by the enterprise enable employees to use certain trusted apps.
I think Phifer summed up mobile security well: It’s about managing the corporate assets on the device, not necessarily the device itself.