My Top 5 Predictions for 2015

Predicting the future is almost impossible especially with such a fast evolving topic like cybersecurity. Nevertheless I’ll give it a try and share some of my thoughts with you.

I had a lot of chats with CIOs, CEOs and COOs as well as journalists talking about what we all see what our biggest fears are and what they and I expect to see in the near future.

Here are my thoughts about theTop 5 challenges our world will face in 2015. Just in case you would like to add something feel free to drop me a line and I will add your thoughts / comments promptly.

Top 1: Rent-A-Botnet
As we all saw in the past that botnets seem easy to rent (1.000 for some 100 USD down to 10 USD for an hour accesstime) the service quality is dramatically increasing while prices are decreasing. The service quality is key to the evolution of this market. When selling services to the “normal” world credentials are important. Selling services on the dark side means that delivering cybercrime services is only possible when having top credentials and a hard proof of delivery and 100% reliability. These requirements drive service quality enhancements that even lead to service desk support with your rented bot net, customization support and other services most people can hardly imagine when talking about a crime scene. We even see that targeted attacks lead to new customer creation efforts. An example is that DDoS targets sometimes receive blackmail eMails with 3 key messages:

1.      Pay the fee to avoid DDoS attacks leading to unavailability of your services

2.      Do not contact any cybersecurity specialist to defend your services because this will lead to a dramatical increase in bots attacking you

3.      Order your own botnet attack against attackers and you will receive a discount of 20-40%

Top 2: Industry 4.0
Industry 4.0 discussions very often end up in security concerns. On one hand companies fear that SCADA systems, PLCs and Industry devices could come under fire. This is a serious concern and it is very realistic when considering that a lot of industry devices are not hardened but connected to office networks having no virus scanners and very often being protected by firewalls having more communication exceptions than limitations.

Imagine that in combination with IP V6 internet structures become more stable and reliable and your refrigerator, lightbulb or industry roboter is infected and becomes part of a botnet or is in other ways involved in cybercriminal activities.

Top 3: Data Destruction
2014 ended up with a huge security incident at Sony pictures. We saw problems at Sony companies before like the PSN hack. Nevertheless the hack shows a new quality in cyberattacks. It became very common to hack companies and to leak information as a “proof of hack” to make the cybercriminal business plan work. During this hack we saw that users couldn’t use their workstations any more and data destruction seemed to be part of the game. Also in other security incidents we became aware of the fact that data loss is common but data manipulation and data destruction become even more serious and are on the rise.

Top 4: Supply Chain Security
In the past we already recognized the supply chain security seems to be important but the headlines have not been filled with stories about companies being attacked using supply chain connections. One of the most remarkable stories has been the virus problem on Predator and Reaper drones in 2011. Other hacks we saw in 2014 demonstrated that very often companies rely on their security measures like firewalls, awareness trainings, encryption and so forth. But as we all know is the strength of a chain determined by the weakest link which is very often a supplier. A “good” example is the “Target” breach where Fazio Mechanical, an air condition and heating maintenance company, was compromised. As we all know for various investigation reports on Targets incident the attack on their supplier seemed to be high sophisticated.

With research on this topic we see this threat on the rise and being more and more successful.

Top 5: Mobile Device Exploit Kits 
Years ago mobile devices have been pretty safe. But with the trend showing that mobile devices may replace notebooks and “thick clients” in general Exploit kit developers seem to start focussing on mobile device exploit kits. The mobile world seems to know several Operating Systems but in the end these are only 3 (IOS, Windows and Android). At least IOS shows only few variants – users keep their IOS up to date so that creating one exploit kit has a huge impact in the user community. Also with spyware for smartphones increasingly being thrown on the market a baseline software repository to duplicate calls, copy WhatsApp conversations as well as SMS messages is available. The step from “legal spyware” (in Germany it is not legal but in other jurisdictions its use is pretty common) to an exploit kit is pretty small.

Right now effective antivirus and other prevention software is hard to find and only few users even care about this problem leads to millions of vulnerable devices being in the focus of cybercriminals.

Advertisement

Cloud Computing – Security versus Industrialization

Some of you asked me to write more about Cloud Computing and issues related to this topic from the security and forensics space.

I would like to share some experiences that I made during the last year mainly from (Public) cloud projects where my team and I discussed security issues with business owners but also with security experts. Sometimes I am really worried about what I see and hear.

The Mystery of Cloud Computing Hardware

I can’t resist to write this paragraph because it was so surprising to me. In one of the project kick offs an experienced penetration tester of major German security firm said:

“Hm – the stuff I saw in the presentation was ordinary IT – I am missing the cloud technology!”

I found this comment a little bit bizarre because it shows that there is not yet a common understanding of what Cloud Computing is.

According to the NIST definition it is not a hardware or software model. It is a service delivery approach for IT services. The conclusion must be: Never expect to see a hardware register or a software register that tells you “This is a Cloud”.

Key criteria to name a service a cloud service are:

• On demand self service
• Broad network access
• Ressource pooling
• Rapid elasticity
• Metered service

Taylormade Public Clouds for each Client – lessons learnt about cloud strategy

Just in case a security advisor tells you:

Let me take a look at the cloud offering of provider XYZ and I’ll tell you what you need to change to be secure.

What is wrong about this statement? From my perspective this approach helps you to leave your path of industrialization and helps you to move back to IT manufacturing. I know that this is sarcastic thinking but the reason why I believe that you are a on a path of industrialization is that you are thinking about a highly automated delivery approach for IT when thinking about Cloud Computing. In case that you will tell your provider

• “Implement this control”
• “Create that report”
• “Change authorizations in this way”
• “Move my data to a single datastore”
• “Do not host any other clients in the same environment you are using for me”

you are loosing the efficiency of a cloud service that is usually designed to run without paying attention to individual needs.

If you want to have your own resources you are stepping back to traditional service delivery concepts which are called “IT Outsourcing”.

Let me clarify my thoughts: It is the right idea to test your suppliers and find out whether they are able to deliver the level of security you need. But it is the wrong idea to start negotiating what they need to change to meet your expectation. The only moment when I feel that this is acceptable is the moment when your requirements would be accepted as general requirements to be implemented for each cloud user.

The consequence of negotiating hardware and software architecture as well as the delivery model and individualizations of a service model would be one of the following or even both in combination:

1. Service Quality would remain the same like the contracted while other clients will benefit from continuous improvement processes.
2. Cost model for the service will be higher than for the “standard service” due to individualizations.

I think you would not want to experience this.

Just in case that you experience breach of regulations you might want to discuss this with a cloud provider because complying with regulations is mandatory and not optional and is in the interest of the provider.

Conclusion

I want to summarize some basic Do’s and Dont’s when negotiating cloud service contracts:

• Never change the delivery model – Do not try to change the IT architecture
• Always test the service if it meets your requirements
• Check for compliance
• Never change the reporting format

I know that it attracts a huge number of consulting firms that tell you to negotiate changes with cloud providers to meet your expectations. Resist!

If you are talking about your own custom made cloud you can do whatever you want – but not with a public cloud service!

A theorie about securing passwords

During the last years I was really impressed what happened with the internet. Maybe you don’t share my view but I got the impression that content is becoming richer. On the other hand the curators of these rich websites want to “own” the user by simply knowing him or her and ask new users to register.

There is nothing to complain about but there is no common sense on the internet about password complexity and you sometimes see really strange password rules for very simple content.

What happens? You register and you try to harmonize your passwords across different platforms. In the end you are not successful and have a couple of different login credentials you cannot remember at all. One day I counted my login credentials I have to login to different websites (Facebook, twitter, linked in, yahoo, google, banking, asalavista.net and so on). I stopped counting when I reached 30 websites with around 2 different login credentials. I am using a password safe I have written on my own, but others are using open source or public domain software without really knowing what it does with your passwords.

I believe it is a better idea to have one public authentication provider which is widely spread and that has a big interest in safeguarding the identity of the users.

I found a good article / infographic at gigya.com showing the market reach of Facebook, twitter, linkedin, yahoo and google.

It was no surprise to me that Facebook seems to have most of the users – and websites. But it was a surprised that Facebook already covers 37% of the business websites  seem to use Facebook connect. I started to review most of the websites I am using and found that most of them already have a facebook connect button and some are offering multiple login buttons (Facebook and twitter or Facebook and linkedin).

Think about the idea that you only login once into your Facebook account and the rest of the websites you use can use this authentication to identify you properly. I like that idea very much because it would help me to use one single and very complex password instead of dozensof passwords which are not that complex.

Some people might now say that it is not a good idea to use Facebook because they are considered to misbehave in terms of privacy and I fully agree with this. But for using Facebook as identity provider you do not need to tell them everything about yourself. You do not need to share pictures, do not need to press the like it button or need to connect to other people or use Facebook apps.

In the end I believe that there is hardly any other social website than Facebook that has this interest in maintaining the integrity of your digital identity. There is one simple reason: If they don’t know you, your profile has no value. The value of the entire Facebook profiles reflect the value of the Facebook brand. Remember Facebook’s IPO and you will understand what I mean.

Think about it! Mabe you’ll like the idea!

 

 

 

 

Incident Detection and Cloud Forensics

Overview (By Georg Beham – see the Bloggers)

Detecting security incidents is often a difficult task for cloud users. Conventional IT environments, with on-premises data-processing, can rely on an internal security incident management process which uses monitoring, log file analyses, intrusion detection systems as well as data loss prevention (DLP) to detect hacker attacks and data loss.

When outsourcing to the cloud, not only the cloud service itself but also significant aspects of security incident management are outsourced. Security incident management should therefore be included in the contract with the cloud provider.

Cloud users should inform themselves about the provider’s detection capabilities before migrating to the cloud. The existence of a security operation centre (SOC) and suitable security incident management is an important selection criterion for a cloud service. Cloud users and providers should have the same idea about what qualifies as a security incident. In fact, the definition of a security incident is mandatory in international cloud computing as cloud users and providers may be located in different jurisdictions and e.g. the loss of personal data could have different implications. The loss of certain personal data may be immaterial to a US provider, but it could be consequential to a European cloud user. The process for communicating security incidents and their escalation should also be set down.

A look at the tools for detecting and clearing security incidents can also provide clues as to the maturity of the provider’s security incident management.

Security incident reaction – Computer forensics

Computer forensics pertains to the identification, collection, analysis and presentation of digital data in order to establish the facts of the case. In the identification stage, possible evidence is identified together with the client, depending on the actual case. Data collection entails establishing the ‘scene of the crime’ and area of investigation, carefully preserving any evidence and safeguarding and verifying the integrity of the collected data. During analysis, the evidence is carefully analysed and the results objectively evaluated; the resultant conclusions are then reviewed. The findings are finalised and conclusively documented in the presentation (source:  ‘Computer Forensics: Recognising, detecting and resolving system intrusions’; Alexander Geschonneck) .

Cloud challenges

Nothing short of the ‘data collection’ stage constitutes a major cloud challenge for forensic experts. While conventional computer forensics often starts with the storage medium in order to construct bit-by-bit copies if they are lucky, that is nearly impossible to do in the cloud. For cloud users – not to mention forensics experts – there is usually no way to tell which storage media were used to store the data and where those storage media are physically located. Forensic data collection in the cloud calls for alternative – as well as qualitative – procedures. The forensic expert must collect the data via logical interfaces (e.g. virtual directories, databases). Today already, some cloud providers save hashes (digital fingerprints) along with each data record which are ready for use in the event of a forensic analysis. Here, however, it is important for cloud users and providers to set down such procedures in advance in a Service Level Agreement (SLA). In addition, they also require related technical documentation to ensure the credibility of the data.

A key success factor for computer forensic investigations is the existence of sufficient log data. Similar records should also be available for networks, systems and applications. The availability of log data to forensic experts and the retention period should also be set down in accordance with statute and internal agreements. Here, the synchronisation of system times for all systems is key. The log data from different systems are often merged for analysis purposes. Only with synchronised records can operations be reconstructed and the sequence of events be understood.

Cloud providers could even add extra services to their existing cloud services as proactive support for forensic investigations. These service packets could offer data versioning, alternative storage of forensic data (e.g. copies of emails), automatic hashes, relevant data interfaces as well as analysis tools.

Clouds can span many countries. Forensic investigations can therefore fall under different legal systems. This should also be considered, along with which measures to take in such cases. Rules for house searches (disclosure management) should be set down to ensure an orderly and controlled procedure.

An organisational structure encompassing cloud users, cloud providers and other interested parties should be created as well. Such a cloud forensics organisation should contain people with forensic, cloud, organisational and legal expertise.9

After all, forensic analyses have legal implications. Requirements ensuing from the Data Protection Act, Telecommunications Act or labour law must be taken into account. Enterprises that avail themselves of cloud services should ask these questions before an investigation proves necessary. Arrangements should be made with lawyers and staff councils on how these investigations should proceed. A procedure should then be set down with the cloud provider that can be initiated in the event of an investigation.

Cloud opportunities

Thus far we have seen the cloud in relation to computer forensics as the ‘scene of the crime’ from which data are collected and analysed. Yet the cloud may actually prove to be more of a solution for computer forensics, i.e. Forensics as a Service. After all, the analysis of mass data requires loads of storage space and machine time. Because the cloud is so scalable and flexible, it could amply satisfy those requirements in a relatively short span of time. In addition, it can be quite costly to acquire the necessary software and train staff. Enterprises could purchase these services from the cloud for the duration of the project.

Some words about Security in the Cloud

The security of cloud services has been the subject of heated debate and neither side is giving an inch.

One side claims cloud computing harbours uncontrollable risks and warns that we may well lose control of our own data; to them, every new security incident is grist to the mill.

The other side sees cloud computing as the way to higher security through the increasing industrialisation of IT services.

Both lines of argument have their merits. We can naturally expect a greater aggregation of data at certain providers as IT continues to industrialise. If a security incident were to occur in this situation, the assumption is that larger masses of data and even more enterprises could be affected as well. Inasmuch, the damage caused by a security incident at such a provider would be greater than the damage ensuing in the individual operations of an enterprise that has outsourced its data and services to that provider.  And there is another factor that makes the impact look even worse. While in-house security incidents are almost never reported (unless required by law), not so for the processes that many enterprises have contracted out to this provider. There will be no mantle of silence to cover up a security incident that affects so many enterprises and causes so much damage.

Deciding which side is right will depend on business indicators which we simply do not have at this time because they do not have to be reported in today’s regulatory climate.

Yet one thing is clear: the need to establish a systematic approach to secure our own data and processes.

That makes it indispensable to learn how to integrate our technical and business situation with cloud computing. As part of the big picture, (Cf. Chapter 3.3.1) cloud computing can be seen in the context of other hot topics.

The basic tendency is to try to prevent security incidents. That goes not only for cloud computing but also general business practice. To achieve that goal, we must clarify and understand the risks associated with cloud computing. That is the only way to do justice to the idea of Prevention.

Significant risk management parameters are ‘impact’ and ‘probability’. As the probability may be low, but not ‘nil’, an effective process must be established comprising two component to deal with actual risks:

1. Detection
2. Reaction

Detection is the process of flagging security incidents. Various studies show that only about 50% of all security incidents are detected within a week, while the rest are only discovered much later. Cloud computing complicates matters further.

Detection of a security incident must trigger a suitable reaction. Given the changing architectures in cloud computing, the procedures for obtaining legal evidence of security incidents are subject to change, and  both enterprises and the courts have yet to follow suit.

Look at the big picture and understand that the management of identities and authentication for a user’s cloud ecosystem is a not-to-be-underestimated strategic factor.

Next Generation Security – See how Facebook, Cloud Computing and Tablets change our lives!

The use of IT has gone through radical change in recent years and will see increasingly radical change in the future. More and more enterprises are getting involved in the opportunities and risks of cloud computing in all its different forms. This would therefore be a good place to clarify what other hot topics would be wise to consider in the context of cloud computing and what this will all mean for information security in particular.

For instance, seeing cloud computing in connection with Bring Your Own Device (BYOD) and social networks – two of the latest IT hypes –can be particularly exciting as this raises new information security issues.

The first question is why there has been so much hype around BYOD and how it relates to cloud computing.

Given the demographic shift, the related lack of qualified experts and the resultant general employee situation among today’s enterprises – a veritable job-seeker’s market – it is now more important than ever before for enterprises to take the needs of their employees to heart so as not to lose sight of the target markets. New employees are attracted to enterprises that have their individual, personal needs in mind, while long-time employees expect their employers to offer an evolving personal working environment that keeps pace with the times.

By now, the use of consumer devices has grown to become part and parcel of an attractive working environment. An IDC study from 2010 shows that about 95% of all employees also use consumer devices. So it is only logical for them to want those devices to be more integrated into the business structure. That integration is increasingly made possible by web based services, which are provided as cloud services.

One good example is the provision of storage capacity, which can be accessed through enterprise devices, consumer devices or a range of general device types. Cloud services make it possible to use to these consumer devices all at one and the same work location. This is also evident from the number of cloud users: since the launch of Android-based consumer devices in 2008, public cloud computing services have grown. While this trend might not be directly attributable to the new generation of devices, the statistics show a define connection.

By analysing different studies on cloud computing (e.g. Cloud Monitor 2012 – http://bit.ly/CloudMonitor2012) one can conclude that public and private cloud services, in spite of the difference in popularity between the two cloud types at present, will converge in the future. The hybrid cloud will therefore be the de-facto cloud model of the future.

The proliferation of social networks can be seen as another phenomenon. While we see different social networks, whose business model is based on actual ‘networking’, the ‘main players’ in this industry see the network as a means to an end to generate large numbers of users. These are then marketed (e.g. advertising) as the actual value added. In particular, some networks have specialised in reusing the identities in their database for authentication services. Facebook, Twitter, Google Yahoo and LinkedIn can be cited as the main examples. Who the market leader is depends on the field of use (http://info.gigya.com/identity.html). Facebook and Twitter almost always range among the top three.

Banks, mobile telephone providers or government agencies would be more likely candidates for B2B authentication systems given the confidentiality issues. And yet, Facebook has grown to become the leading provider of authentication systems (Facebook: 39% market share followed by Google with 19%, source: Gigya, 14 July 2012). In the first year of Facebook Connect alone, Facebook had signed up 80,000 websites and continues to sign up about 100,000 website a year. That social networks have become the dominant public authentication providers is something we simply cannot ignore.

So what do BYOD and social networks mean for cloud computing? Assuming that the proliferation of mobile consumer devices will promote the growth of hybrid clouds, it will likewise be necessary to use authentication providers that support authentication across the widest range of different platforms, both public and private. That is exactly what the social networks are pushing for here.

If we follow this logic, we also see a change in the need for information security.

Neither social networks nor public clouds can be swayed by enterprise security measures. Security in the sense of conventional border defences is only effective to a limited extent. That makes it increasing important to protect enterprise value while being able to react effectively to security incidents in cloud environments once they are detected. In the end, the data – whether stored on mobile consumer devices, social networks or in a cloud – are owned by company management. They remain responsible!

This results in three main aspects, which are dealt with below:

1. Prevention of security incidents through risk-oriented measures
2. Detection of security incidents
3. Effective incident reaction