Category: Uncategorized

… however, this is still reason for concern: a large majority of reported vulnerabilities allow an attacker to gain full control of a single hardware platform’s multi-server environment. Consequently, a close look at detection, containment, and response capabilities for the unique needs of VMs is an important step in integrating virtualization into the organization’s security program.

It is in this phase of incident management, security and infrastructure design teams address the unique challenges associated with virtualization.

A few simple steps – not always so simple to implement – will ensure an organization’s ability to detect unwanted behavior and effectively respond as virtual servers spread across the enterprise, including:

For example, critical or high-value breach targets might reside on a host with more than the recommended two NICs (one for partition management and one for VMs to access the physical network).

Implemented using VLANs configured in a virtual switch and VLAN access control lists (VACLs), this example is one way to help ensure unwanted traffic does not pass from a compromised VM to other VMs on the same host.

Remember that many controls you implement on the physical network must be configured in virtual environments, but VMs are by design isolated from controls on your physical network.

Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.

For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker. A VMware snapshot is a point-in-time image of a VM, including RAM and the virtual machine disk file (Siebert, 2011). Administrators typically strive to meet four goals when a virtual server is removed from service: 1) contain a breach or malware infestation by removing the affected server from the network; 2) prevent any further damage to, or loss of, information residing on local storage; 3) remove the server to a secure location for forensics analysis; and 4) restore services provided by the VM.

As I wrote in Step 3: Segment virtual networks, this is easily accomplished using documented steps to isolate one or more virtual network segments.

They examine and help remedy system, network, and process design challenges associated with VM placement, incident detection and containment, and business process recovery unique to virtualization.

Link: http://virtualization.sys-con.com/node/2760475

Shutting down a system in response to an information security incident is arguably the most drastic option that can be taken, but it might be the best option in certain scenarios.

For example, if there were a possibility that an attacker could gain control of a computer system that regulates traffic lights, it would likely be best to disable that system, and thus the traffic lights, because drivers would hopefully know to treat the non-working traffic signals like stop signs.

Such a decision would also depend on the security and availability controls implemented, including if there were controls in place that limited the compromise from spreading to the complete system versus just a compromised account.

In a system that contains no sensitive data and only has availability requirements, the security team could just do a basic calculation of the cost incurred from the downtime versus the recovery cost from containing and remediating the compromised system, and then make a decision based on the numbers.

This will lead into developing a business continuity and disaster recovery plan (BCDRP), which is similar to an incident response plan in that they both need to be developed prior to an incident and periodically tested so if a shutdown becomes necessary, a playbook for dealing with the situation is on hand.

In developing the BCDRP or incident response plan, establish a channel of communication with the necessary people, including the chief information security officer, chief information officer, helpdesk, business owners and marketing so they will be able to quickly make an informed decision about potentially shutting down a system.

For example, a Web server with a Web application susceptible to an SQL injection vulnerability might be shut down while a patch is being developed, a Web application firewall is set up or the configuration is changed to remove access by the Web server to run commands on the system.

Regardless of which option is the best in a given scenario, ensuring a plan and communication channels are in place prior to an incident is critical to minimizing the impact on your organization.

Link: http://searchsecurity.techtarget.com/tip/Security-incident-response-procedures-When-to-do-a-system-shutdown

Of course, spear phishing isn’t new, but the targets and tactics are evolving, and most users who might have known to not give away their banks account numbers at home may be handing over sensitive information in an enterprise setting due to lack of training and awareness.

Administrative assistants, accountants, salesmen, IT managers, and pretty much everyone else in an enterprise hold a great deal of company knowledge that criminals can use to ultimately unlock a company’s secrets.

But beyond simply explaining the threat to them, ask your staff to take a step back to see what information a cyber criminal can easily dig up. This may sound completely narcissistic to them, but I recommend you ask them to “Google” themselves from time to time in order to see what pops up in search results. The idea is to familiarize one’s self with what is public knowledge — so you aren’t caught off guard when it’s used to gain your trust.

Even though you aren’t likely to be considered a “whale” by Las Vegas casino standards, you and your staff need to understand that your position within a large organization probably makes you a pretty big fish in the eyes of a cyber criminal. And in order to help combat against these attempts, your best bet is to try and see what a hacker can see on the Internet so it can’t be used against you

Link: http://www.enterpriseefficiency.com/author.asp?section_id=1076&doc_id=265441&f_src=enterpriseefficiency_iwkfeed

An intelligence-driven security model, on the other hand, leverages Big Data analytics for pervasive monitoring, threat information sharing and intelligent controls and is designed to allow for more rapid detection of attacks and shortening an attacker’s dwell time within a breached enterprise. He said, “The ongoing expansion of the attack surface and the escalation in the threat environment require urgent action, there must be a sense of urgency to understand the security implications in everything we do so that we develop and implement the right security model.”

Create a transformational security strategy – Practitioners must look critically at their budgets and design a plan that transitions the existing infrastructure to an intelligence-driven approach that incorporate Big Data capabilities.

He went on to explain government’s key role of acting as a central repository to exchange pertinent security information about current threats and attacks as well as to set the tone for cooperation internationally.

The security vendors were called upon to help close the technology and skills gap for defending against attacks that has been created as a result of the growing attack surface and the escalating threat environment.

In closing he offered that these approaches can help enable the industry to manage cyber security risk to acceptable levels so that all societies around the world can reap the benefits and meet the goal of a more trusted digital world.

Link: http://www.informationweek.in/security/13-06-05/rsa_s_art_coviello_points_to_big_data_approach_to_combat_cyber_security_challenges.aspx

This is where predictive analytics come in — the same technology that an online retailer might use to better target product offers to customers based on recent buying behavior, for example. Consider a salesperson that might have the right to download an entire customer database, but if he does it at 2 a.m. on a Sunday morning from his home office, this might raise a few questions. By identifying patterns or anomalies from “normal” — and serving them up in graphical profiles — security staff have a never before seen, real-time view into potential risk.

Here’s the key point: with this new approach, risk is assessed from live data, not anticipated scenarios that have been coded into the system, alerting security staff to actions already defined as “bad.” Real-time, predictive analytics lets companies truly understand where their greatest risks lie by harnessing existing company data to sound alarms before a loss – when the risk around an individual or resource spikes.

By having a way to analyze risk associated with user access on a continuous basis, companies can truly understands who someone is, what they should access, what they are doing with that access and what patterns of behavior might represent threats. With this insight, companies will also have a better understanding of where their next breach could take place, and whether that threat is internal or external.

Link: http://www.wired.com/insights/2013/06/understanding-risk-in-real-time-where-will-your-next-breach-will-come-from/

Everybody owns [infrastructure] when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong

Building on the MSS relationship not only allows Foxtel to be more proactive in maintaining its security posture, but supports interactions with executives who are less concerned with technical minutiae but think of IT security in terms of business risk.

Analysis of internal cost-recovery claims is a great way to marry IT-security activity to potential business change: once the IT staff know which business units are paying for what systems and services, it’s much easier to know how any potential security issue will affect which parts of the business. Everybody owns it when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong.”

Shaw has often found it’s easier for an internal security organisation to get leverage with other business units by handballing the bad news to the MSS: “it’s always effective bringing in external parties to talk to your executives,” he laughed. “Your executives are not going to give you budget unless you can marry together the value from MSS, actionable intelligence – unless you can demonstrate the value to the business and where the business is trying to go.

Link: http://www.cso.com.au/article/462775/auscert_2013_visibility_critical_when_selling_it_security_execs_says_foxtel_cso/