Security and Risk

Rewind And Replay For Web App Vulnerabilities

Andrew Rose — Fri, 10 Feb 2012 11:23:49 +0000

Security threats develop and evolve with startling rapidity, with the attackers always seeking to stay one step ahead of the S&R professional. The agility of our aggressors is understandable; they do not have the same service-focused restrictions that most organizations have, and they seek to find and exploit individual weaknesses in the vast sea of interconnecting technology that is our computing infrastructure.

If we are to stand a chance of breaking even in this game, we have to learn our lessons and ensure that we don't repeat the same mistakes over and over. Unfortunately, it is alarmingly common to see well known vulnerabilities and weakness being baked right in to new applications and systems - just as if the past 5 years had never happened!

A recent report released by Alex Hopkins of Context Information Security shines a light on the vulnerabilities they discovered while testing almost 600 pre-release web applications during 2011. The headlines for me were:

On average, the number of issues discovered per application is on the rise.
Two-thirds of web applications were affected by cross site scripting (XSS).
Nearly one in five web applications were vulnerable to SQL injection.

It makes depressing reading, but I'm interested in why this situation is occurring:

MSSP Valuation - Information For Selecting An MSSP

Edward Ferrara — Thu, 02 Feb 2012 16:15:46 +0000

I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance [i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.

So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay? This is an important question for Forrester's IT clients because the rules of valuation can help IT clients evaluate potential partners. Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP. In any negotiation it's also always good to know what the other side is thinking. Here's the list:

1. Recurring Revenue - What is the firm's recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?

2. Service Agreements - What is the nature of the service-level agreements the firm has in place with other clients? Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?

3. Service Revenues - What percentage of the MSSP's revenue comes from what types of business?

New Research: Organizational Challenges

Andrew Rose — Fri, 27 Jan 2012 17:36:10 +0000

I was reading an article recently which outlined the different agencies employed within the United Kingdom to protect against cyber-threats. Not including the armed forces, who would have specialist roles to play in any particular cyber-threat scenario, it transpires that there are 18(!) different players covering this space, each with overlapping strategies, policies and expenditure. The formal report, from the UK Government's Intelligence & Security Committee, was wonderfully understated, speaking of "confusion and duplication of effort".

Such difficulties bring to mind the challenges we face in our global organizations, which are often made up from different corporate entities. Similar issues can happen to our security management functions - we overlap, overspend and contradict - all to the detriment of the enterprise as a whole. Managing a global information security function in an optimal manner is no easy task; it takes careful planning, an understanding of essential roles & responsibilities and the ability to manage some elements remotely.

I've recently published two papers relating to these very topics. If you are considering a reorganization, or just interested in what top performing security organizations look like right now, check out these links:

New Research: Develop Effective Security Metics - Published this Month

Edward Ferrara — Mon, 23 Jan 2012 16:51:16 +0000

This month I published a new report on information security metrics, best practices as well as a maturity model to measure your maturity in the reporting process. This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.

Take a look at these links:

Planning for Failure, Personal Edition - Strategies to protect yourself in 2012

Rick Holland — Fri, 20 Jan 2012 13:00:16 +0000

This week I did a webcast, Planning for Failure, which makes the assumption that if you haven't been breached, it is inevitable, and you must be able to quickly detect and respond to incidents. An effective response can be the difference between your organization's recovery and future success or irreparable damage. While I was working on the slides for the webcast, I started to reflect back on the 2011 security breaches that personally impacted me. Three breaches immediately came to mind:

Texas Teacher Retirement System - My personal data was stored unencrypted on a public server
Epsilon - Email compromise that resulted in increased phishing attempts
STRATFOR - My personal information, credit card and password hash were stolen

Unfortunately, I expect to be the victim of additional security breaches in 2012, so I started to transition my mindset from protecting entrprises to protecting myself. Since it is a new year and everyone loves to make resolutions (I call them strategic initiatives), I decided it was time to formalize my personal planning for failure strategy. I needed a plan to quickly detect and respond to incidents. Here is what I came up with:

Virtualization Security, Better Late Than Never

Rick Holland — Tue, 17 Jan 2012 15:13:50 +0000

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualization have led to widespread adoption of the technology. Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required. Our research interviews revealed several themes:

Symantec Scoops Up LiveOffice

Brian Hill — Mon, 16 Jan 2012 19:55:08 +0000

Symantec today announced that it has purchased LiveOffice, a privately-held cloud-based archiving vendor, for approximately $115 million. With nearly 20,000 customers, LiveOffice has historically marketed to small- and mid-sized financial services firms. Over the past couple of years, however, the vendor has steadily bolstered its archiving and broader information governance functionality, lined up productive partnerships with major technology vendors, and met with success in selling to larger organizations across a wider set of vertical markets.

Buying LiveOffice is a smart move for Symantec. My initial take is that this acquisition will be a positive development for current and prospective enterprise customers. Here's why:

More Holiday Cheer: SCIM Cloud Provisioning Standard Reaches A Big Milestone

Eve Maler — Tue, 20 Dec 2011 21:56:22 +0000

I've blogged and published research before about the emerging Simple Cloud Identity Management (SCIM) standard. The SCIM group has just approved Version 1.0. No, it's not your imagination: important standards around loosely coupled identity management really are being developed, tested, and deployed at a faster rate than ever before.

What does this new pace mean for security pros? New identity protocols can be disruptive to large enterprises that have already deployed older solutions, but these new solutions will enable IT organizations to reduce costs and improve agility in managing access to/from smaller partners and customers that don't have the means to deploy the heavy stuff. That makes access control easier to achieve in a Zero Trust world. (Andras Cser and I touch on the theme of "leaner and cleaner" identity protocols in our just-published Identity And Access Management: 2012 Budget And Planning Guide, and I do a deeper dive, assessing the future of SAML and the business value of newer federation protocols, in OpenID Connect Heralds The "Identity Singularity".)

A Christmas Present From MIT?

Andrew Rose — Tue, 20 Dec 2011 15:50:32 +0000

As much as the cloud computing model makes sense to me, my security sensibilities cry out about information risk every time I start to consider actual implementation for data of value across an enterprise.

A model which has always made sense has been to place only encrypted data in the cloud, holding the keys locally. This solution gives you control over data access, bypassing any Patriot Act concerns, but allows realization of the benefits of a shared, cloud infrastructure. It has always been recognized, however, that this solution has a number of drawbacks, such as:

The immense corporate sensitivity of the encryption keys utilised. These keys become essential to doing business. If they are corrupted, lost or held hostage by hacktivists, for example, then the organization stops dead in the water.
The difficulty of creating indexes, searching and applying transactions across encrypted data stores. If the concept is to keep the keys away from the cloud environment then actions such as indexing, searching or running database functions become very challenging.

In 2009 an IBM cryptographer named Craig Gentry wrote a PhD dissertation describing a solution to the second of these challenges, unfortunately it too had a drawback - his homomorphic encryption solution would increase transaction times by a factor of one trillion.

Xmas IAM Spending Spree: Quest Software Acquires BiTKOO, Enters IAM Suite Provider Market

Andras Cser — Mon, 19 Dec 2011 18:53:43 +0000

With only 4 stack players in Identity and Access Management, it is always welcoming news to see a new company joining the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that in reaction to its main competitor NetIQ taking over Novell's IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and to some degree Intel will follow suit, as both of these companies announced cloud-based IAM offerings.

A European Perspective On The USA PATRIOT Act

Andrew Rose — Tue, 13 Dec 2011 12:33:31 +0000

The USA PATRIOT Act (more commonly known as "the Patriot Act") was signed into law by George W. Bush on October 26, 2001 as a response to the September 11 attacks. The title of the act (USA PATRIOT) is actually an acronym that stands for "Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism". Many aspects of the Act were to expire in 2005; however, renewals and extensions mean that the Act is here for a while yet.

For Security & Risk Professionals, the Patriot Act comes up in conversation mostly with regard to data access. The Act suggests that the US government is able to gain access to data held on US soil, or even by a US firm outside US territory, without the data owner being notified; this is of significant concern when it comes to considerations around the adoption of cloud technology. EU-based organizations are concerned that utilizing cloud as part of their infrastructure will make their data accessible to the US government. In 2004, the Canadian government passed laws prohibiting the storage of citizens' personal data outside their physical boundaries, and a recent news article suggested that one large UK defense contractor walked away from Microsoft's Office 365 due to lack of assurances on data location.

Competitors to the US-based cloud vendors are utilizing this concern to leverage marketing by stating that their solutions will "shelter users from the US Patriot Act." There may be truth here but,, as always, the rabbit hole goes further down than that.

InfoSec: Enterprise Architecture Building Codes

Edward Ferrara — Sun, 11 Dec 2011 01:30:33 +0000

There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain and intellectual property or both. Any of these have the potential to break these capabilities through information loss, or denial of service. Business processes and their associated transactions need to look at information security as a key component of any architectural design we might create as Enterprise Architects.

Security architecture is dependent on the idea of "security." Security by some definitions is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively I could just leave the front door unlocked but that might invite guests I had not planned for. So I trade convenience for protection.

Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
Security is in response to perceived business risks.
Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.

Forrester Vice President, Principal Analyst Randy Heffner wrote in his article of May 2011, "The Future Of Solution Architecture, Part 1: Business Processes Within A Capability," on set of architectural views to describe the enterprise and the processes and systems that make up the enterprise. Randy defines six design focal points that define successful business technology implementation. As I read this article I thought it important to provide the information security perspective on Randy's approach.

Enterprises Continue To Drive Adoption Of Advanced Endpoint Security Tools, But SMBs Are Not Far Behind

Stephanie Balaouras — Mon, 05 Dec 2011 20:23:08 +0000

Guest post from S&R Researcher Chris Sherman.

Host-based intrusion prevention systems, host-based data leak protection, full disk and file level encryption . . . all are important tools used on the frontline of endpoint security. They all offer added levels of protection when used with traditional client AV and patch management systems, but at what cost? In order for these tools to be used correctly, organizations must be prepared to invest in increased IT staffing and product training for administrators. This generally proves to be too high of an obstacle for many SMBs, leaving a majority of the market to comprise of enterprises customers and big spenders. With their higher budgets and dedicated IT staff, enterprises are better positioned to take advantage of these advanced security technologies.

However, according to recent Forrester survey data, SMBs are just as interested in using these advanced security technologies. In our latest report "Endpoint Security Adoption Trends, Q2 2011 To Q4 2012," we present data showing adoption patterns of the various endpoint technologies in both SMBs and enterprises, while offering some analysis on what this means for security professionals looking to support current and future trends.

For those of you who are already planning on increasing your investment in endpoint security next year, which tools specifically are you looking at? What are your decision criteria?

@ChrisShermanFR

Announcing Two New Forrester Waves: Enterprise GRC And IT GRC

Chris McClean — Wed, 30 Nov 2011 18:25:59 +0000

After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.

Why two Forrester Waves?

Governance, risk, and compliance functions within large and medium enterprises demonstrate tighter collaboration all the time... audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt, there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to supports both IT and enterprise GRC functions. You'll notice that of the roughly 60 evaluation criteria for each Wave, there are only 3-4 that differ between them. For now though, they remain basically two distinct markets.

So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for this Wave?

Dusting Off Our Content Security Crystal Ball

Rick Holland — Sat, 19 Nov 2011 16:25:48 +0000

Winter is coming; the year is quickly drawing to a close, and its time to a look back and see how accurate our content security crystal ball was for 2011. Last year we predicted three trends; two were accurate and one was partially correct. Let's take a closer look.

1) Content security spending will slow down - We were right. According to our latest survey data, the content security budget represented 6% of the total IT security budget; this is a 1% decrease from 2010. Content security remains one of the lowest budgeted technology areas in IT.

2) Consolidation will continue to drive suite offerings - We were partially correct. In 2011, we didn't see any significant M&A activity in the content security space. While we were wrong on the vendor consolidation prediction, we were correct on the prediction that market leaders would increase their data loss prevention and mobile capabilities to further solidify their market positions.

3) Mobile filtering will enter mainstream IT - We were correct. Laptop filtering is mainstream, and mobile device filtering is gaining momentum and getting significant attention. Content security vendors are currently testing content filtering on mobile phones and tablets.

What about 2012? To see what five trends we predict will impact your strategy next year, check out the full document: "Content Security: 2012 Budget And Planning Guide." Here's a teaser, is your content security strategy ready for the extended enterprise?

Security and Risk

Rewind And Replay For Web App Vulnerabilities

Categories:

MSSP Valuation - Information For Selecting An MSSP

New Research: Organizational Challenges

Categories:

New Research: Develop Effective Security Metics - Published this Month

Planning for Failure, Personal Edition - Strategies to protect yourself in 2012

Categories:

Virtualization Security, Better Late Than Never

Symantec Scoops Up LiveOffice

Categories:

More Holiday Cheer: SCIM Cloud Provisioning Standard Reaches A Big Milestone

Categories:

A Christmas Present From MIT?

Categories:

Xmas IAM Spending Spree: Quest Software Acquires BiTKOO, Enters IAM Suite Provider Market

Categories:

A European Perspective On The USA PATRIOT Act

InfoSec: Enterprise Architecture Building Codes

Categories:

Enterprises Continue To Drive Adoption Of Advanced Endpoint Security Tools, But SMBs Are Not Far Behind

Announcing Two New Forrester Waves: Enterprise GRC And IT GRC

Dusting Off Our Content Security Crystal Ball