Mobility and cloud computing are introducing exciting new directions for consumer and business technology and services. While this significantly increases the utility and appeal of technology, it also dramatically raises the security risk, as sensitive and personal data is shared across networks. Purpose-built hardware can help deal with increasing network speeds and more complex threats. This is where semiconductor technology plays a fundamental role. Chip providers are developing business cases for implementing secure features on their products, and these are paving the way for new services for consumers and businesses. Gartner customers can view the latest webcast by registering.




Gartner subscribers can see how Mobile and Cloud Computing is Set to Transform Enterprise and Consumer Security markets by clicking here.


Vulnerability Management in the cloud

On September 29, 2010, in Security, by Lawrence Pingree

Vulnerability Management - Source (ISACA.org)

While there are different stories about what cloud computing “is”, there is one specific direction that virtualization is headed that could bring some additional problems for the security industry along with it. The issue I want to focus on is vulnerability management and how it is implemented in a cloud environment. Many customers are faced with the need to scan their cloud but are unable to do so.

Virtualization providers have been pushing their customers and hosting providers to adopt new infrastructure that automates the distribution of CPU processing time for their applications across multiple condensed hardware devices. This concept was originally conceived as “grid computing”, which was created to address the limits of processing power in single-CPU systems. The new wave of virtualization technology is meant to distribute processing time automatically to maximize hardware utilization for reduced CapEx (capital expenditure) and ongoing support costs. VMware’s vCloud Director is a good example of the direction virtualization is going and of how the definition of “cloud computing” is changing. Virtualized systems are quickly being condensed into combined multi-CPU appliances that integrate the network, application and storage systems for more harmonious and efficient IT operations.

The vulnerability management problem:

While cloud management is definitely becoming much more robust, one issue that is apparent for cloud providers is the management of the vulnerabilities inside a particular customer’s cloud. In a distributed environment, if the allocation of systems changes because virtual systems/instances are added to or removed from your cloud, you quickly face the fact that you may no longer be scanning the correct system for its vulnerabilities. This is especially important in environments that are “shared” across different customers. Since most vulnerability management products use CIDR blocks or CMDB databases to define the scan profile, you could easily end up scanning an adjacent customer’s system and hitting their environment with scans, either because of a lag between CMDB updates or because the scan address space is defined statically.

The vulnerability management cloud solution:

My belief is that this vulnerability management problem will be addressed by the integration and sharing of asset information between the cloud and vulnerability scanning services. Cloud providers will more than likely need to provide application programming interfaces that allow the scan engines/management consoles to read in current asset or deployment information from the cloud and dynamically update the IP address information before scans commence.

Furthermore, I feel that applications such as web, FTP and databases will be increasingly distributed across these same virtualized environments and will automatically integrate with load distribution systems (load balancers) to ensure delivery of the application no matter where the applications move inside the cloud. The first signs of this trend are already apparent in the VN-Link functionality released as part of Cisco’s Unified Computing System; however, adoption has been slow due to legacy and capital deployment on account of the world market recession. This may even lead to multiple customer applications being processed or running on the same virtual host on different TCP/UDP port numbers.

This information would also need to roll down to the reporting and ticketing functionality of the vulnerability management suite, so that reports and tickets are dynamically generated from the most up-to-date information and no adjacent customer data leaks into the report or into the ticketing system used to manage remediation efforts. Please let me know your thoughts….
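The following is an added example, not code from the original post, showing the two steps argued for above: rebuilding the scan target list from a live inventory pulled from the provider at scan time instead of from a static CIDR profile, and then filtering the scanner's IP-keyed findings through the same inventory so that an adjacent tenant's hosts never reach this tenant's report or tickets. The inventory shape (instance id, tenant, private IP), the tenant names and the scan findings are all constructed for the example; a real provider API would return something different.

```python
"""Reconcile a static scan profile against a live multi-tenant cloud inventory.

Added example. The Asset fields and the INVENTORY/FINDINGS data are assumptions
constructed for illustration, not output from any real cloud API or scanner.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    instance_id: str
    tenant: str
    ip: str


# Constructed inventory snapshot, as a provider API might return it at scan time.
INVENTORY = [
    Asset("i-001", "acme", "10.0.1.10"),
    Asset("i-002", "acme", "10.0.1.11"),
    Asset("i-003", "globex", "10.0.1.12"),  # address acme held when the profile was written
    Asset("i-004", "acme", "10.0.7.5"),     # new acme instance outside the old CIDR
]

# Static scan profile written when every acme instance lived in 10.0.1.0/28.
STATIC_PROFILE = ["10.0.1.0/28"]

# Constructed scanner output; the scanner only knows IP addresses.
FINDINGS = [
    {"ip": "10.0.1.10", "check": "ssh-weak-kex", "severity": "medium"},
    {"ip": "10.0.1.12", "check": "db-default-credentials", "severity": "high"},  # globex host
    {"ip": "10.0.7.5", "check": "missing-os-patch", "severity": "high"},
]


def expand_cidrs(cidrs):
    """Expand a list of CIDR strings into the set of host addresses they cover."""
    hosts = set()
    for cidr in cidrs:
        network = ipaddress.ip_network(cidr, strict=False)
        hosts.update(str(host) for host in network.hosts())
    return hosts


def reconcile_targets(tenant, static_cidrs, inventory):
    """Return (targets, foreign, added) for one tenant.

    targets: addresses the inventory says the tenant owns right now; the only safe scan list.
    foreign: addresses in the static profile that now belong to another tenant (must not be scanned).
    added:   tenant addresses the static profile would have missed.
    """
    static_hosts = expand_cidrs(static_cidrs)
    owned = {asset.ip for asset in inventory if asset.tenant == tenant}
    others = {asset.ip for asset in inventory if asset.tenant != tenant}
    foreign = static_hosts & others
    added = owned - static_hosts
    return sorted(owned), sorted(foreign), sorted(added)


def tenant_report(tenant, findings, inventory):
    """Key findings by instance id and drop anything the tenant does not own at report time."""
    by_ip = {asset.ip: asset for asset in inventory if asset.tenant == tenant}
    rows = []
    for finding in findings:
        asset = by_ip.get(finding["ip"])
        if asset is None:
            continue  # another customer's host: keep it out of this tenant's report and tickets
        rows.append({**finding, "instance_id": asset.instance_id, "tenant": tenant})
    return rows


if __name__ == "__main__":
    targets, foreign, added = reconcile_targets("acme", STATIC_PROFILE, INVENTORY)
    print("scan:", targets)
    print("would have hit another tenant:", foreign)
    print("missed by static profile:", added)
    for row in tenant_report("acme", FINDINGS, INVENTORY):
        print(row["instance_id"], row["ip"], row["check"], row["severity"])
```

The report is keyed by instance id rather than IP so that a ticket follows the instance if the provider moves it to a new address between scans; the IP-only static profile would have both scanned a globex host and missed the new acme one.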


Availability Risks and Cloud Computing

On July 6, 2010, in Security, by Lawrence Pingree

Don’t get me wrong, I love cloud computing and even invest in cloud computing companies, but since cloud computing is becoming more popular than ever, and more and more applications core to our businesses are moving into the cloud, we need to consider some of our own risks. One thing I’m not sure you or your business has thought of is availability on your own end (your Internet connections). Availability is not just a provider-side concern, where it is normally fully redundant. Being a CISSP, of course I know the CIA triad, but most availability issues are still addressed by other parts of our organizations (network engineering, telecom, etc.). I know that I myself mostly focus on confidentiality and integrity controls and not on availability, and I don’t think I’m the only one in the security industry in this boat.

So, if we take a moment and step back from our little paper-cluttered desks filled with pie charts and Excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary Internet connection? How about if we lost our Internet connections entirely? How about if a global routing event or some other attack on the root DNS servers was successful? Hmm…

My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks that don’t always have your company’s goals at heart. I’d love to see a lawyer try to argue that the company Internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please, please, please ensure you have fully redundant Internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center, but they often run physically through the same single fiber connection at the telco (a single point of failure). You should also consider the financial risks associated with second- and third-tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively, so be cautious and have a backup plan in place to address any of the issues that could arise.

More questions to ask….If your internet went down:

1. Would your helpdesk software work?

2. Would your finance portal work?

3. Would your outsourced marketing work?

4. Would your advertising continue?

5. Would your paycheck administration continue?

6. Would your recruiting efforts continue?

7. Would your customers be able to buy from you?

8. Would your banks be able to communicate with you?

9. Would you be able to get updates for your operating systems?

The list goes on and on…. Think about it at least a little.


What’s so good about vulnerability management?

On June 21, 2010, in Security, by Lawrence Pingree

Image Source: Darkreading

Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure that vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI and one that I believe is essential to maintaining a secure environment.

What most corporations initially do is start by using simple scanning tools such as Nessus, GFI LANguard, ISS Internet Scanner, etc., and perform on-demand scans. While this is all well and good and provides an immediate snapshot of a particular point in time, there are several major flaws that must be addressed through richer tools.

First, it is great to get vulnerability and patch data; however, handing a systems engineer or administrator a single report with dozens if not hundreds of things to fix quickly becomes unreasonable for them to track and respond to. We often forget that this systems engineer is usually tasked with many other duties they must prioritize, including new installs, troubleshooting, bug patching, administration and configuration, which demand most of their time. These activities are often far more time-sensitive in their eyes, as projects have people bugging them regularly for completion. It is also important to note that the business is pushing them for ever greater functionality and features.

Given this fact, a simple scan report is just not viable for them to prioritize and track against their existing workload. This has given rise to vulnerability management, a.k.a. the process of managing vulnerabilities through to remediation by means of ticketing and reporting to management.

Secondly, another important flaw with simple scanning is the lack of overall metrics for measuring risk. Measuring risk is hard to do in security, but if you have an automated scanning process scheduled on a regularly recurring basis (i.e. more often than once every 3 months), your vulnerability data over that time can be measured as systems become either more or less exposed, as they are patched or as new vulnerabilities are found. This is one way you can effectively measure the effectiveness of your patch management and your security program.

Thirdly, this ensures your company clearly sees that security is a process and not just a one-time effort. This distinction is important because you as a security practitioner will need data to prove you need a consistent and ongoing supply of money to maintain security. Security is continuous and ever changing; stagnation is a guarantee of breach.
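To make the last two points concrete, here is an added example (not from the original post) of the minimum a vulnerability management layer does on top of raw scan output: it diffs consecutive scheduled scans, opens a ticket for each newly observed finding and closes it on the first scan where the finding is gone, and then derives trend metrics (open backlog, mean days to fix, age of the oldest open item) from the ticket dates. The scan snapshots, host names and check names are constructed for the example; a real program would read them from the scanner's export.

```python
"""Turn scheduled scan snapshots into remediation tickets and trend metrics.

Added example. SNAPSHOTS is constructed data standing in for a scanner export:
each entry is (scan date, set of (host, check) findings open on that date).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str]  # (host, check name)

SNAPSHOTS = [
    (date(2010, 4, 1), {("web1", "ssl-weak-ciphers"), ("web1", "smb-signing-off"),
                        ("db1", "db-default-credentials")}),
    (date(2010, 5, 1), {("web1", "ssl-weak-ciphers"), ("db1", "db-default-credentials"),
                        ("app1", "tomcat-manager-default-password")}),
    (date(2010, 6, 1), {("web1", "ssl-weak-ciphers"), ("app1", "tomcat-manager-default-password")}),
]


@dataclass
class Ticket:
    host: str
    check: str
    opened: date
    closed: Optional[date] = None


def diff_snapshots(previous: Set[Finding], current: Set[Finding]):
    """New findings, fixed findings and findings still open since the last scan."""
    return current - previous, previous - current, current & previous


def run_scans(snapshots) -> Tuple[List[Ticket], List[Dict[str, int]]]:
    """Replay the scan series, maintaining one open ticket per live finding.

    A finding that disappears closes its ticket; if it comes back later a fresh
    ticket is opened, so the history records the regression instead of hiding it.
    """
    tickets: List[Ticket] = []
    open_by_key: Dict[Finding, Ticket] = {}
    history: List[Dict[str, int]] = []
    previous: Set[Finding] = set()
    for scan_date, findings in snapshots:
        new, fixed, _ = diff_snapshots(previous, findings)
        for host, check in new:
            ticket = Ticket(host, check, opened=scan_date)
            tickets.append(ticket)
            open_by_key[(host, check)] = ticket
        for key in fixed:
            open_by_key.pop(key).closed = scan_date
        history.append({"new": len(new), "fixed": len(fixed), "open": len(findings)})
        previous = findings
    return tickets, history


def metrics(tickets: List[Ticket], as_of: date) -> Dict[str, float]:
    """Program-level numbers a quarterly report can track from scan to scan."""
    open_tickets = [t for t in tickets if t.closed is None]
    closed_tickets = [t for t in tickets if t.closed is not None]
    days_to_fix = [(t.closed - t.opened).days for t in closed_tickets]
    return {
        "open": len(open_tickets),
        "closed": len(closed_tickets),
        "mean_days_to_fix": sum(days_to_fix) / len(days_to_fix) if days_to_fix else 0.0,
        "oldest_open_days": max(((as_of - t.opened).days for t in open_tickets), default=0),
    }


if __name__ == "__main__":
    all_tickets, scan_history = run_scans(SNAPSHOTS)
    for (scan_date, _), row in zip(SNAPSHOTS, scan_history):
        print(scan_date, row)
    print(metrics(all_tickets, date(2010, 6, 1)))
```

With monthly scans the series shows two findings fixed (30 and 61 days after first sight) and one that has sat open since April; the same program run only quarterly would collapse all of that into a single before/after pair and lose the remediation timing entirely.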

Moral of this story… manage security, don’t just triage it and forget it.

Great tools for managing vulnerabilities are:
-Rapid7
-McAfee Vulnerability Manager
-Qualys


Trust series II: How is trust different in computing?

On September 9, 2009, in Security, by Lawrence Pingree

Trust in computing today is different from human trust because trust is basically implicit. Trust is defined by humans; it is determined and interpreted by humans through an assessment of history provided by human experience and the history of our experience with a given technology (i.e. we trusted WPA until the recent discovery of its weakness). Computers do not yet learn trust as humans do; there is no continued assessment of historical data that is performed automatically by a computer. A computer must rely on humans to decide whether another system is “trusted” or not, based on a variety of factors such as known state, historical exploit data, virus or malware infection, etc. This puts humans at a great disadvantage because they cannot possibly monitor all the interactions a particular system has. This has given rise to behavioral analytics, which I will try to cover in a later post, but this concept is of great historical significance as it truly affects us all and the automation of future systems.


Trust Series I

On August 27, 2009, in Security, by Lawrence Pingree

Over the next few weeks or so I will be focusing on issues of trust; these blog postings will cover the following sub-topics:
- What is trust?
- Trust in Relationships
- How is trust different in computing?
- Trust based technologies
- Behavioral analysis
- Future thoughts on behavioral analysis


TV Spamming – The next generation digital TV problem

On October 10, 2008, in Security, by Lawrence Pingree

Today, most existing TVs show real-time streams from streaming servers, and digital content providers such as Comcast are touting their On Demand programming. With this change to digital media I can see clearly that most of us, in the very near future, will watch TV in a completely on-demand state, where advertisements are built into the content when it is requested for delivery to the digital media endpoint. I can picture going home at the end of the day, selecting the News category, then the local news, and watching the 6 o’clock news at 8pm. It’s already happening, and it’s just one step away from being exploited by something entirely more sinister.

Crime Growth on the Internet
I have a friend who works for Microsoft on the security mechanisms of digital content delivery, preparing for the day that TV goes into a totally delivered-content mode rather than an ad hoc content mode. It made me think about how the Internet started out. In the beginning there was almost no crime, and the Internet was educational and informational in nature. As it was slowly adopted by the mainstream, it enticed criminals to jump onto the bandwagon. Some are saying that cybercrime is now over a $100 billion industry, towering over even illegal drug sales (although I’m not sure whether this is true or not).

The Digital Content Problem
Initially, a television was a purpose-built appliance that sat in the home, read analog input from the cable or over-the-air networks and displayed the content to users, which is a pretty simple technology by today’s standards. What is changing is the complexity and intelligence of the in-home endpoints. Rapidly approaching is the day when these systems become completely network-capable computing devices. DVRs are already computers with custom operating systems, and many consumers are already modifying (hacking) them and installing programs onto them.

This leads me to my next two questions:

Why not Infect them?

Are digital television worms on the horizon?

I can see a time very shortly ahead in which worms and viruses are sent out over the TV content networks. These new infections would be copied along with digital sound and video and would automatically infect the digital devices that process the content. I can see them even splicing their own manipulated content into the video stream stored on the DVR unit to change the content and “spam” the end user. I can see a time when cybercriminals will begin using other customers’ processing units to upload and download software from the infected digital TV systems. They could distribute copyrighted movies for free or steal content from those who have purchased it, and then begin sharing it amongst groups of others.
So, all that being said, I dub thee “TV Spamming” and “Video Spamming”. We’ve seen it at the post office and we’ve seen it in your email inbox, so why is it that much of a stretch to see it on the TV screen, propagated through a vulnerability on the DVR and blasted across the entire television network?

TV Spamming:
The act of surreptitiously utilizing a digital video recorder or media center processing device to “splice” content and deliver unwanted custom video and audio to end users.
