nFX Blog One

Hot Topic at RSA - Challenges in Cloud Computing

2010-03-07T18:27:53Z

The overall theme this year at the RSA 2010 Conference in San Francisco that surrounded the conference was Information Security in Cloud Technologies how to prevent the Cloud Technologies from raining on everyone's parade. The article that I am highlighting in this blog "Research Challenges in Enterprise Cloud Computing: It is important to highlight cloud computing research challenges from an enterprise perspective because cloud computing is not simply about technological improvement of data centers but a fundamental change in how IT is provisioned and used."

Another interesting insight about this article is the inclusion of Nichols Carr's book "The Big Switch: Rewiring the World, from Edison to Google" noting that in the earily 1900's companies maintained their own power plants even though it was not their main expertise and how companies are maintaining their own Data Centers even though it is not their primary expertise. It is interesting though that last week on CBS 60 minutes broadcast the topic was how Cloud Computing providers are leading the way to provide their own green technology power plants.

The effects on IT and Security roles in their relationships with the user community and service providers will continue to evolve, as IT departments must make sure their cloud services can be migrated or failed over between service providers should one cloud service provider go out of business, as well as issues concerning certification, interoperability, API's between cloud vendors as well as SLA management, Privacy Rights Protection, and Intellectual Property Protection. "It it not clear "whether a cloud will be considered to legally be in one designated location [...] or in every location that has a data center that is part of the cloud"

These research challenges are interdisciplinary in nature, and there is a need for more co-operation between researchers, cloud users, and service providers.

REF;

Research Challenges in Enterprise Cloud Computing

netForensics Receives Network Products Guide 2010 Product Innovation Award

2010-03-04T16:52:53Z

netForensics announced that Network Products Guide, the industry's leading information technology research and advisory guide has named nFX Cinxi One, a winner of the 2010 Product Innovation Award. This award is given to vendors that show excellence and vision in delivering best of breed technology. This honor coincides with netForensics appearance this week at the security industry's premier event, RSA Conference 2010 in San Francisco, CA, where the company will showcase the award winning nFX Cinxi One Security information and event management (SIEM) and log management appliance.

Click here for the full story

Tracy Hulver, Executive Vice President of Products and Marketing at netForensics, Recognized as a 2010 Security Superstar by Everything Channel's CRN

2010-02-25T16:23:46Z

Hulver's Impressive IT-Security Background Over Nearly Two Decades and Dedication to Improving America's Security Posture Underscore Reasons for Award

Tracy Hulver, Executive Vice President of Products and Marketing of netForensics, has been named a 2010 Security Superstar by CRN's Everything Channel. CRN's comprehensive list represents today's thought leaders and technology innovators in the information security industry.

"The IT security industry is a rapidly changing landscape that continues to challenge both security vendors and companies of all types and sizes. I am honored to play a role in helping companies gain clear visibility into their security posture," said Tracy Hulver. "The Solution Provider Community is at the forefront of helping businesses improve and manage the security of their networks and through their efforts we can better defend against complex and malicious threats to corporate and government data as well as critical infrastructure."

Click here for the full story

Money for Data

2010-02-24T18:43:27Z

Image by inju via Flickr

As Gordon Smith from Canaudit Inc. pointed out this week "What do hackers want? they want your data." They go through great lengths not only to obtain your data but to correlate that data to make it even more valuable to their clients.

Last year we posted an article published by a German Online News service "wiwo.de" on a sting operation that involved millions of consumers correlated information for sale that may have come partly from well known back doors in customer corporate data.

Today it was published on that Deutsche Telekom found itself in the middle of a scandal accused of giving mobile phone retailer The Phone House access to data on 16 million T-Mobile Germany Customers according to the report published at wiwo.de "Deutsche Telekom: violation of the law, by secret agreements?"

As we have seen through the recent attacks on Google and Intel that no matter how your infrastructure is secured you can be come a target for an attack that they may have been in the planning for sometime or someone waiting for that pre-zero data vulnerability that allows them access to trust relationships.

Who as access to your personnel information and what information is available from their browsers and shares. As Gordon points out in his article it maybe as simple as someone bringing in a laptop that has internet access or wireless scans from your lobby or elevators.

Intel and Google attacked during the same time period

2010-02-23T20:21:42Z

Image via Wikipedia

According to the New York Times Bits Section Intel and Google were under "sophisticated" Cyber Attacks in around the time frame. Intel reports that although the events were close in time that they were unrelated. The cyber-attacks against Intel was reported in it's annual report to the Security Exchange Commission. Intel reported that it did not suffer a wide spread attack and no intellectual property was exposed.

On 2/20 the New York times reported that two Chinese Universities were involved in the attacks against Google and other corporations since then the Universities have denied any involvement in the attacks. "It was not until 2006 that our graduates began to join the army. So far, 38 students have been recruited by the military for their talent in auto repair, cooking and electric welding," said Zhou Hui, director of Lanxiang school's general office. He disputed claims in the New York Times article, which cited anonymous officials from the US National Security Agency, that there was a link to a computer science class taught at the school by a Ukrainian professor.

in other news the Telegraph.co.uk published that Cyber attacks in 2009 cost on average 1.2 Pounds a year.

Last October we published information regarding published report by Northrop Grumman a study done for the U.S.-China Economic and Security Review Commission
that describes similar tactics. ( Thank you Niels Groeneveld of "Operation Aurora" for reminding me about the relationship. If you have not read the Northrop Grumman report it is an interesting read on social and economic effects of this type of behavior.

netForensics Posts Strongest Quarter in Company's 10 Year History

2010-02-23T19:40:38Z

Image by kevindooley via Flickr

SIEM in the Cloud Solutions Drive 3rd Consecutive Quarter of Growth

netForensics' continued growth this quarter was achieved in large part due to is its market-ready SIEM in the Cloud solutions. For organizations looking to deploy software-as-a-service (SaaS), Cloud security is a primary concern. netForensics' capabilities of adding a defensive layer to the cloud architecture enable organizations to achieve the same level of situational awareness as if the security was installed locally. For those organizations that require additional security expertise to mitigate the increasing threats facing their environments, netForensics' deployments with Managed Security Service Providers provides yet another option to ensure an acceptable level of risk.

click here for the full story

Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two) : Info Law Group

2010-02-21T20:06:08Z

Image by musha68000 via Flickr

Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to out sourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but may be undertaking the risks involved with utilizing the service providers information security environment.

"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must undertake the security of how the trust relationships with their Service Providers are handled and how those relationships may impact the business, should the Service Provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not from the initial impact of the exploitation of an exposure but the after effects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of stability and reputation of the business along with how well you are maintaining the trust relationships with your business partners and service providers which are now part of your extended business and control environment. The days of IT involving a few core services are gone and now have been replaced by data moving in and out of the environment for outside processing and storage, site to site vpns, international privacy and security laws of internal, external data and the rise of "Cyber insurance". David's article covers a wide variety of suggestions of what can be included in the Security /Privacy Schedule in contractual agreements with Service Providers.

ERM and Its Instantiation as an Automated Framework to Manage IT Risks - John Raezer

2010-02-18T22:18:50Z

Image by Cold Cut via Flickr

Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.

How Information Technology and Information Security Management must understand the Business Model. What are the key assets, what are their exposures and vulnerabilities,
and from the peril of a threat what would be the outcome. It is not only the identification or the recognition of a incident but what was the root cause and contributing factors, how does this information get included or relayed back to Business Intelligence information. What are the distribution of events not only in near real-time
but historically their severity, impacts, risk response, what policy and procedures were used in containment, mitigation, follow up step and what was the contributing factors,
who owns the Risk Relationships.

In his example on why Frameworks such as BASEL, COSO, COBIT, are so important was the highest thing that affected corporate reputation to it's business partners, customers, and suppliers was accounting irregularities. By far accounting irregularities had the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers, he sited some recent banking incidents as an example of customer and partner distrust.

The need to study and understand what disruptive technologies will have an impact on business processes how many industries are using chaos theory for risk assessment, black swan events the unexpected, unexpected and how we must understand the Language of Risk, not only in the physical world but in the virtual world and that eventually he believed there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.

IT World Canada reports - Windows 7 update makes PCs unstable

2010-02-16T15:10:16Z

Image via Wikipedia

According to IT World Canada ,
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support

If there is one thing that makes everyone kind of nervous is the instability of new operating systems being deployed in the enterprise, with IE having control issues, there would be a concern that the OS would also have stability problems.

Firefox Add-Ons Include Trojan

2010-02-08T19:49:53Z

Image by otzberg via Flickr

Just a quick note that 2 Mozilla Firefox Add-Ons were found to include a little more than bargained for in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the 2 infected offerings.

These add-ons were available for download from the Mozilla site. This only goes to underscore the importance of having your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media regardless of its intentions or reputation. "Trust but verify," seems to apply here.

Blackhat DC - "Malware Analysis for the Enterprise"

2010-02-05T14:53:53Z

Jason Ross's presentation at the Blackhat DC conference related the issues about checkbox compliance, that companies are using checkbox compliance as a means to indicate whether they are secure. When in fact it should be deemed as the lowest possible level of acceptance a baseline of acceptance and he points out as others have that some of the largest privacy compromises of personal information were done at companies that had past their external PCI audits. Compliance is absolutely wonderful it enforces at least a baseline of requirements but it should not be used as a means that you have a seal that protects you from exploits and non-publicized
holes in the grid.

Jason points out the difficulties of detecting Malware in enterprise environments, that by the time the antivirus sends off an alert about a malware or virus being seen it's usually too late you have already been owned, as Dan Geer pointed out a few years ago at the Gartner Risk Conference it's hard to get exact metrics on what is happening because by the time that alert kicks off 6 other events have already happened that were not detected.

For IT and Security administrators that have been through some of these malware wars with Downloaders and Polymorphic attacks know that just because the antivirus says it's cleaning up there are way too many other things happening. I once saw some thing interesting it was a Polymorphic virus that was loaded on a system that had Microsoft's development studio on it, that we could watch as the polymorphic virus recompiled other malware from it's code that would attempt many ways to infect the machine and other machines quickly and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started unfortunately with out historical view of activity on this node and user that information and the correlation of events will be difficult.

Jason Ross points out the goals of malware now is to have Business support models. Their objective is not to be noisy but to be very quietly performing their tasks of infecting other hosts and using a network of hosts to make money and the use of malware like URL Zone and Monkif

In the presentation he talks about Spider Monkey - By Didier Stevens a tool for helping to analyze malcode. The use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse with Polymorphic viruses that constantly change it's usually interesting to observe them in action in a closed environment.

Years ago I can't remember the movie name, but the analyst in the movie were collecting them and keeping the code and binaries for sale and redistribution or modifying them in some way not to be detected.

Another point from the presentation is that Malcode writers are now writing them so they can not be easily detected by signatures by using multicode that each binary performs a small function of the code.

via this Black Hat briefing

Internet Explorer could turn your Windows XP machine into a web server, Microsoft warns (guardian.co.uk)

Massive blackhat SEO of 200K sites (ecombizcenter.blogspot.com)

Oracle Hacker Gets The Last Word via forbes.com

2010-02-04T17:21:22Z

Image by RaghuP via Flickr

At the Blackhat Conference in Washington D.C., David Litchfield revealed a privilege escalation session and scripts that could be used by anyone with basic session access to gain administrative privilege to a Oracle 11g database and administrative access to the operating system files.

One of the interesting topics in the beginning of the presentation was that of the amount of security vulnerabilities reported by Oracle or other researchers compared to the number reported against Microsoft SQL Server 2005 and 2008. Although I would have expected the complete reverse on the the number of vulnerabilities reported against each product. David used Java calls in Oracle Aurora to gain access.

Oracle and Java Stored Procedures

SOURCE: FORBES.COM

Fighting Cybercrime, One Digital Thug At A Time - NPR

2010-01-29T13:26:20Z

Image by mtlin via Flickr

There is a interesting podcast on the 365.rsaconference blog
concerning large cybercrime organizations, originally broadcasted on NPR about Joesph Menn's new book, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.

NPR Broadcast Fighting Cybercrime, One Digital Thug at a Time

Researchers point to deeper issues on IE exploit

2010-01-28T03:33:11Z

Image via Wikipedia

As we approach Black Hat Washington DC Conference next week there seems to be more and more unraveling about the vulnerabilities recently discovered in Internet Explorer. The security firm Vupen's Security in France has said it has confirmed code execution with Internet Explorer 8 even with Microsoft's DEP enabled. The company has said it has not released the exploit code to the general public but encourages all users to Disable Active Scripting. The firm also recommended using IE 8 on Wiindows 7 over even IE8 on XP SP3.

Let's see if there are more discussions or disclosures happening about Operation Aurora next week at Black Hat. Infragard Security Organization also announced that it is holding a Webinar on Feb. 2nd to review Aurora and some security initiatives with Adobe, one never knows.

There are other researchers pointing out that there are organization specializing in in gathering intelligence on corporate, and government entities vulnerabilities and weaknesses in their control environments and making that information sale to others that might seek to gain a competitive advantage either technically or politically over their rivals and even providing Cloud Bot Services to deploy their objective. Researchers maintain that there are organizations active today that actively are gathering information whether externally or internally about the infrastructure and the control environments of industries or individuals with the hopes of selling that information or leasing time on distributed servers with access to gain intelligence on their competitors.

For those of us that have been lucky enough to hear Gordon Smith from Canaudit speak about using social and technical engineering to collect information for pen testing and/or auditing, by gathering up as much information as possible to obtain access through both methods is worthwhile.

While this all sounds very Swordfish vogue, there is a lot of information scattered across the world that is very valuable or can gain access to valuable things. If 90% of the systems are running common code, that reduces the amount of unraveling. There was a presentation by "javaman" in New York at the 5th HOPE conference that outlined his thoughts on "Security through Diversity" that I thought was very interesting as well as his talk on parallelism, how individual systems and large enterprises can improve their tolerance to massive attacks through this principle. If you're under attack why would you fail over your control environment to the exact same mirror control environment that was already compromised?

The first time I saw mshtml being utilized for deployments of software by the user accessing a URL and the whole process would happen in the background without the user knowing, I thought to myself that it could only be trouble and that was probably about 2000 - 2001, thanks Jon R. you were always workin it. Jon and Bjorn always had some cool Windows stuff going no matter if it raised the hairs on the back of your neck.

Click here for more information

IE 6 Exploited in China's Google Hack

2010-01-20T19:57:58Z

Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is outdated by 2 versions already. This vulnerability, while serious, doesn't strike me as anything usual for MS products of that vintage. The response has been typical - the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know - keep your OS and key applications up to date and configure software to automate this process. If you're still using IE6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users represent a slightly more tech-savvy attack vector. Perhaps that's reason enough to avoid IE for some.

YC27UCFX9322