Information Security Q&A

ITGRC Software Vendors 2011

noreply@blogger.com (Yinal Ozkan) — Wed, 26 Oct 2011 02:59:00 +0000

Here is the most "far-reaching" list of IT-GRC vendors that you can find on the Internet.

I stand by my statement that IT-GRC does not stick due to several reasons.

My previous posts with risk management frameworks and tools are at this link (I will update risk management tools sometime this year)

Currently there are 4 types of companies at IT GRC market:

1- IT-GRC vendors: IT Risk Management solutions with integrated workflow and compliance features.
2- Enterprise GRC vendors: ERM (Enterprise Risk Management) tools expanding into IT GRC space -sometimes called eGRC
3- Glorified Access Control Tools: This is the world of SAP, Oracle and the related vendors ( note to the vendors - GRC is not SoD - Segregation of Duties)
4- Compliance Management Tools (just targeting without risk focus)

Market is not as dynamic as 2010.IT-GRC and Enterprise Risk Management (ERM) solutions have not unified (yet). There are apps for contract management, vendor management, trading risk management, ethics management, asset management, policy management, workflow management, financial risk management, quality management, hazard management, incident management etc..All we need on the other hand is comprehensive authoritative templates, and a solid / easy to use unified GRC framework.. IT-GRC is a good starting point for merging risk management of all these activities. The effort required for this usually delays the actual quick wins IT-GRC.

2010 -11 Changes:
1- IBM acquired OpenPages and the Algorithmics Inc
2- Software AG acquired IDS Sheer
3- RSA Archer started bundle enVision (SIEM) and RSA DLP
4- Paisley's latest name is Accelus at Thomson Reuters
5- Strategic Thought is now ActiveRisk (name change)
6- Check Point (a security veteran in conventional security software - firewalls, ips, endpoint security, dlp, drm etc) acquired Easy2Comply provider Dynasec as of 10/31/201

Before moving forward, please remember that Excel is 'by far' the most common application in IT-GRC market : )

There is no order or filter on the list... I simply added all visible vendors (keep me posted)

IT-GRC vendors

Agiliance
http://www.agiliance.com/
RSA eGRC - Archer
http://www.rsa.com/node.aspx?id=3732
BWise
http://www.bwise.com/
Trustwave GRC (Control Path)
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://www.symantec.com/business/control-compliance-suite
Modulo
http://www.modulo.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Metric Stream
http://www.metricstream.com/
nCircle’s IT GRC Solution – Suite360 (acquired ClearPoint Metrics)
http://www.ncircle.com/index.php?s=solution_IT-Governance-Risk-Compliance
Lumension
http://www.lumension.com/Solutions/IT-Risk-Management.aspx
BPS
http://www.bpsresolver.com/
Avedos
http://www.avedos.com/en/home/home.html
Neupart
http://www.neupart.com/
Thomson Reuters (old Paisley)
http://accelus.thomsonreuters.com/solutions/risk-management/
IBM OpenPages (yes IBM acquired Openpages)
http://www.openpages.com/
Software AG GRC (IDS Scheer was acquired by Software AG)
http://www.softwareag.com/us/solutions/grc/overview/default.asp
ARC Logics - Axentis
Wolters Kluwers, the parent of Axentis; also acquired CI-3 , MediRegs ComplyTrack, CCH, TeamMate audit, FRS
http://www.axentis.com/Products/Axentis/ProductOverview.html
Methodware
http://www.methodware.com/grc/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
Compliance 360 ( eGRC )
http://www.compliance360.com/
Nemea
http://www.nemea.us/
eGestalt SecureGRC - SaaS hosted GRC offering
http://www.egestalt.com/
Aline GRC
http://www.alinegrc.com/GRC-Platform/20/
Easy2Comply (Powered by Dynasec which is Check Point now...)
http://www.easy2comply.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/
SwordAchiever Governance, Risk and Compliance (GRC) Software
http://www.sword-achiever.com/Pages/Home.aspx
Xybion eGRC Enterprise 2011 (formerly Amadeus International)
http://www.xybion.com/Products/eGRCEnterprise/eGRCProductOverview.aspx
Ethics.Point Adaptive GRC Framework (acquired HeatShield, Audit 2)
http://www.ethicspoint.com/products/
MitraTech TeamConnect GRC
http://www.mitratech.com/teamconnect-grc
Optial GRC
http://www.optial.com/Products/GovernanceRiskandComplianceGRC.aspx
Highpoint
http://www.highpointgrc.com/
RVR GRC
http://www.rvrsystems.com/IG.php
NeoGRC Compliance Manager (Neohapsis also acquired Securac Certus)
http://www.neohapsis.com/products/neogrc-compliance-manager.php
TraceSecurity Compliance Manager (TSCM)
http://www.tracesecurity.com/products/ts_compliance_manager.php
Avior BenchMark risk and compliance management platform
http://www.aviorcomputing.com/solutions/benchmark
AssurX CATSWeb Quality Risk and Compliance Management
http://www.assurx.com/solutions.html
ANX GRC (TrueARX)
http://www.anx.com/content/solutions/compliance-and-risk-management/trucomply
Telos Xacta IA Manager: Governance, risk, and compliance management
http://www.telos.com/cybersecurity/grc/index.cfm
ServiceNow IT Governance, Risk and Compliance (ITGRC) Management
http://www.service-now.com/itgrc.do
White Cyber Knight -WCK / Lancelot
http://www.wck-grc.com/Products_Lancelot_IT-GRC.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Evantix Vendor IT Risk and Compliance Management
http://www.evantix.com/what-is-evantix/
Align Alytics Risk, IT, Compliance Management
http://www.align-alytics.com/clientsolutions/

There are many other tools with ERM (Enterprise Risk Management) Compliance Management, Audit and Access Control Governance feature sets.

Here is a long list of indirect GRC software providers:
Oracle Enterprise Governance, Risk, and Compliance Manager
Oracle also acquired Reveleus, Mantas, Logical Apps, Ruleburst, Oracle GRC Manager
http://www.oracle.com/us/solutions/corporate-governance/grc-manager/index.html
SAP (no clear IT-GRC besides Access Control - SoD)
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
Greenlight
http://www.greenlightcorp.net/index.aspx
Qumas(Regulatory Compliance)
http://www.qumas.com/
Aveksa (Enterprise Access Governance)
http://www.aveksa.com/
Trintech (Financial controls- no IT)
http://www.trintech.com/
Doublecheck ERM
http://www.doublechecksoftware.com/solutions.htm
ACL - Transactional controls testing
http://www.acl.com/products/ccm.aspx
Approva (ERP Audit / SoD on steroids)
http://www.approva.net/solutions/itsecurity/
Open Text Governance, Risk Management & Compliance
http://www.opentext.com/2/global/sol-products/sol-pro-compliance-governance/pro-open-text-governance-risk-compliance.htm
Grant Thornton - ExpeditionGRC - GT acquired Avalion Consulting ComplianceSet solution
http://bit.ly/9bvCFB (Long URL shortened)
Incom Enterprise Risk Mgr ISO 31000
http://www.incom.com.au
EIQNetworks SecureVue
http://www.eiqnetworks.com/securevue/securevue.php
Brinqa brings privacy, identity and vendor management
http://www.brinqa.com/products/brinqa-grc-platform/
SecurityWeaver (SoD tool)
http://www.securityweaver.com/Products_Separations_Enforcer.asp
ControlpanelGRC - SOX compliance for SAP users
http://www.controlpanelgrc.com/
Xpandion SAP Security -
http://www.xpandion.com/
EtQ Reliance (Quality Management, Environmental Health & Safety (EHS) Management)
http://www.etq.com/reliance/
Active Risk Management - ARM (Strategic Thought Group became Active Risk)
http://www.activerisk.com/risk-management/
Symb ERM and Aptius Risk Management
http://www.symb.com/content/c_symbhome.asp
Actimize (Fraud Prevention and ERM - acquired Syfact)
http://www.actimize.com/index.aspx?page=actimizeplatform
Guideline Risk Universe Business Intelligence (RUBI)
http://www.guidelinerisk.com/RUBI_system_intro.html
Hitec Labs Policy Hub and Ten Risk Management
http://www.hiteclabs.com/uk/solutions/policy-management-policyhub/
Horwath Software Services Magique Galileo
http://www.horwathsoftware.com/hsl/hslwebsite.nsf
IBS Compliance Pro Compliance Management
http://www.ibs-us.com/en/products/compliantpro/index.html
LRN Ethics Compliance
http://lrn.com/
Pentena PAWS Audit & Risk Management Software
http://www.pentana.com/products.asp
Prodiance ERM Spreadsheet Compliance (now Microsoft)
http://www.microsoft.com/pathways/prodiance/
policyIQ Risk & Compliance
http://www.policyiq.com/solutions_risk_compliance.asp
SAS Operational Risk Management
http://www.sas.com/industry/fsi/oprisk/index.html
FairWarning Healthcare Compliance Audit /Monitoring
http://www.fairwarningaudit.com/subpages/auditing.asp
Assuria Audit & Compliance Management
http://www.assuria.com/products-new.html
Flexeye Operational Intelligence
http://www.flexeyetech.com/operational-intelligence.html
Consult2Comply Compliance Infrastructure Management
http://www.consult2comply.com/main/
CMO Audit Compliance Risk Management
http://www.cmo-compliance.com/
ComplianceBridge Compliance Policy and Procedure Management
http://www.compliancebridge.com/
The Gartland RiskKey Continous Compliance
http://www.thegarlandgroup.net/services/continuous-compliance-service/
NextLabs Policy and Compliance Management
http://www.nextlabs.com/html/?q=control-center
McAfee Risk & Compliance Products
http://www.mcafee.com/us/products/risk-and-compliance/index.aspx
Collaborative Software Initiative - Standardized Information Gathering (SIG)
http://csinitiative.com/products/sig/overview/
LogicManager ERM
http://www.logicmanager.com/contents/why_logicmanager/model.php
Enablon ERM
http://enablon.com/products/risk-management.aspx

IT-GRC software make our lives more organized but we should not skip the motto of the CSI audit people: " ‘A fool with a tool is still a fool’"

Other Links:
http://www.gartner.com/it/content/925200/925212/ks_sd_may09.pdf
Gartner eGRC 2011 report: http://www.openpages.com/Information-Center-Registration/Campaign_88.asp
http://www.isaca.org/Knowledge-Center/Documents/COBIT-Focus-ISO-38500-Why-Another-Standard.pdf

Which Logs are Security Logs?

noreply@blogger.com (Yinal Ozkan) — Thu, 29 Sep 2011 03:52:00 +0000

This was originally posted on my RSA Conference Blog

Many of the security logging discussions center about the following topics:

1- Log Collection

2- Log Transport

3- Log Storage

4- Log Taxonomy

5- Log Analysis / Correlation

6- Log Protection / Security

These are all good topics but a very important topic is rarely discussed, and it is usually the most important one:

What are the security logs?

It is easy to work with security devices (Firewall, IDP, DLP, AV etc), their logs/alerts are classified as security logs, but what about regular applications or infrastructure components that are not build as a “security device” or security in mind? Do we need to process all logs from these devices? Which logs are more important? Which logs go to “security” queue?

Let’s go with example, if you are the security architect, what would you recommend to a system owner who came up with a new application that writes the logs to a flat file or a database? Even if the logs are shipped to a syslog collector or an OS log queue; does it change the question?

The question is same “Which” logs? What do you want?

Here is a quick check list of activities to ask for the logs:

1- Logs for all access (User, Admin, Service, Application etc)

2- Logs for all changes (changes in monitored files, configurations, hardware,software – MACD logs)

3- Logs for critical transactions in the applications

4- Logs from user repository (e.g if AD, LDAP, RADIUS is used) access, change and transaction logs from user repository

5- Logs for anomalies (changes in baseline activity, failed attempts, unexpected connections etc)

Since a security architect cannot know all applications, this is a good start to communicate with 3^rd party developers and application/system owners for security log generation.

For a structured approach here are a few good reads to start with:

NIST 800-92, Guide to Computer Security Log Management

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

Common Event Expression White Paper (also has a history on other initiatives)

http://cee.mitre.org/docs/Common_Event_Expression_White_Paper_June_2008.pdf

Watch Your Logs! Quick intro

http://www.issa.org/Library/Journals/2007/July/Malatesti%20-%20Watch%20Your%20Logs.pdf

Microsoft's The Security Monitoring and Attack Detection Planning Guidehttp://www.dabcc.com/documentlibrary/file/MicrosoftreleasesanewSecurity,MonitoringandAttackDetectionWhitepaper.pdf

Reminder: PCI DSS 2.0 is asking for Vulnerability Risk Rating

noreply@blogger.com (Yinal Ozkan) — Tue, 12 Jul 2011 21:27:00 +0000

You know the story; if your systems/applications store transmit or process credit card data, you must meet PCI data security standards.

Since Q4 2010 all PCI shops are aware that their Cardholder Data Environments need a risk ranking procedure.

But, What is it and how does it change current practices?

PCI DSS Requirement 6.2 says "Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities"

And a new recommendation may certainly effect how you manage risk…

This recommendation (which will be a requirement by June 30, 2012) can be classified as Risk Management 101, and yet it may change several cornerstones of your processes.

Here is what 6.2.a is asking for:

1- Check your processes for identifying new security vulnerabilities (make sure you have one)

2- Assign risk ranking to identified vulnerabilities

6.2.b Continues with the recommendation that you use and outside source for this risk ranking process.

This translates into a solid scoring system for risk. Enterprise options to collect data for a scoring system are:

1- Vendor Security Alerts

2- Vulnerability Management Advisories (Usually security scanner, and IDS/IPS shops)

3- Vulnerability Intelligence Advisories (e.g. Secunia, iDefense, Deepsight)

4- Internal risk scoring systems (yes we all love academic endeavors - that is why PCI SSC asks for "outside" source : )

Either way (using one of the options, using some/all of them) PCI recommendation 6.2 will push risk management practices in the right direction and make risk prioritization a priority...Eventually PCI shops will (6/30/2012) integrate risk management with vulnerability scanning devices, security alerts, advisories and patch management solutions to audit and validate PCI 6.2 with risk rankings.

Here are a few good links:

Common Vulnerability Scoring System (CVSS-SIG) - http://www.first.org/cvss/

Common Vulnerabilities and Exposures -CVE - http://cve.mitre.org/

National Vulnerability Database - NVD - http://nvd.nist.gov/

Secunia - http://secunia.com/advisories/

Verisign iDefense - http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/index.xhtml

TippingPoint Zero Day Initiative ZDI - http://www.zerodayinitiative.com/advisories/upcoming/

Symanted DeepSight Alert Services - https://tms.symantec.com/

Cisco Security IntelliShield Alert Manager Service -http://www.cisco.com/en/US/products/ps6834/serv_group_home.html

IBM ISS XForce - http://www-935.ibm.com/services/us/iss/xforce/

VUPEN - http://www.vupen.com/english/research.php

McAfee Threat Intelligence Services (MTIS) - http://www.mcafee.com/us/mcafee-labs/technology/threat-intelligence-services.aspx

Bugtraq -http://seclists.org/bugtraq/

Full Disclosure - http://seclists.org/fulldisclosure/

p.s. I have written this article for RSA Conference

Video Notes From the RSA 2011 Conference

noreply@blogger.com (Yinal Ozkan) — Mon, 04 Jul 2011 19:20:00 +0000

RSA Conference 2011

Video Blog #1
RSA Conference Video Blogger Yinal Ozkan talks about his first day at the 2011 RSA Conference in San Francisco, California.

http://www.youtube.com/rsaconference#p/u/99/88pVqQgjkH0

Video Blog #2
http://www.youtube.com/rsaconference#p/u/96/Ss33IH0laAw

Video Blog #3
http://www.youtube.com/rsaconference#p/u/94/vUtFR_DeHOc

Talent Filtering for Information Security

noreply@blogger.com (Yinal Ozkan) — Sun, 26 Jun 2011 04:05:00 +0000

I have written this article for RSA Conference blog originally (https://365.rsaconference.com/blogs/yinal-ozkan)

Great results are not achieved by mediocre teams… Building the right Information Security team does matter, and usually it becomes a full time task for the owners of Information Security initiatives at today’s enterprise.

Information Security domain might be hot, and we may have a positive influx of talent to the sector, however finding the right people with right skills sets at the right time and the right cost is close to impossible.

This post has no intention of questioning/changing years of HR practices – the goal is to give feedback from the enterprise Information Security field and to create useful short order cook content that can quickly be consumed within the next 15 minutes for the upcoming interview you are conducting…

Here are my experiences with finding/hiring talent in Information Security:

1- Do not reinvent basics. As Buffet/Gates duo has stated the great talent should have the 3 basic skills:

Technical Skills (This is standard – I will dig into this item more down below)
Conceptual Thinking (Seeing the big picture)
Communication Skills (This is not talking too much as perceived by many engineers. Effective communication is a very valuable skill in all team deliverables

It is usually simple to find any one of these skills in an individual, but when you find 3 of them together never miss the opportunity, these people will carry the workload of many!

2- Have the right pyramid mix of talent in your team: Complex projects require good leaders who can set the target, coach others, lead by example and more important than all great leaders can take the team from A to B. Then you need good managers, who can plan, organize and delegate. It is usually a good practice to have managers who cut their teeth in project management and financial management offices. Last, but not least, the engineers (or consultants). Based on the size of the project, you must determine whether to go with specialists or generalists. This is a big decision point. The more specialists you have, the more integration glue (architects, project managers, program managers ) you need.

3- Since generic HR topics are not my intention here, I will skip managerial skills and focus on finding the right technical resources. Project based deliverables do not require that much real-time information. Therefore, it does not make sense to filter candidates based on closed book random interview questions. My recommendation is to measure their knowledge so you may level them based on knowledge. This is management basics - data to wisdom:

Ask them questions starting with who?, when?, where?, what?? If you can get good answers that means your candidate has “information”. Your candidate is probably familiar with the topic.
Ask them questions starting with “how?”. If you can get good answers that means your candidate has knowledge.This is a clear signal of experience.
Ask them questions starting with “why?” If you can get good answers to “why” questions that means your candidate has the wisdom and the conceptual thinking skills that you are looking for.

4- Specialists: Being a specialist does not create a rain check to omit basics of information security. I have met several consultants who were very familiar with compliance but did not understand the technical tools, or I have seen great application security people with zero understanding of network basics. The trend is to have good understanding of all domains where you excel in 1 or 2 of the domains as a specialist. Interviewing specialists should have 2 different class of questions to gauge:

How much do they do they own their domain of specialization?
How much do they understand about how other domains work?

5- Generalists: I believe there are 2 types of generalists you can trust in Information Security:

New Grads with no experience
Project Managers, Auditors, and Managers (usually go well with the certificates like CISSP, CISM etc)
If you are interviewing a candidate with over 3 years of Information Security experience with no particular specialty that is a big red flag.

6- Send consultants the questions that you will ask in advance. This will eliminate the “it is not at the top of my head /it has been a while” excuse. Since you send the technical interview questions in advance you can ask any particular sub question. This asynchronous Q&A style is more close to real life. This way you can also ask really tough questions as well.

7- Ask for a sanitized copy of deliverables from the past assignments. Good samples are good indicators of pitched skills. Obtaining samples are problematic especially in Information Security due to security and Intellectual Property concerns but checking is better than not checking.

8- Classify Information Security resource types (this is subjective) Classification will help you to identify your candidates specialty, customize your questions and assess them more evenly. In today’s IS world, I see the following backgrounds We can dig into each area in separate articles. Here is the bird’s eye view for the 15m intro:

Network Security Specialists: This is the most abundant resource. Most of the resources have strong networking background and they do have operational and engineering know-how about common tools like firewalls, IDP, content security, OS hardening. Ask for the enterprise know how instead of small shops, that is completely different skill-set. It usually makes sense to get “Security Operations” resources from this background since their operational background fits well with the SOC (Security Operation Centers)
Vulnerability Testers: This is another domain where you can find a lot of resources. (not necessarily the best ones) From network testing, to penetration testing, this area requires a lot of technical skills. Ask for methodologies, frameworks, references and sample deliverables in addition to basic checks. Network Vulnerabilities, Application Vulnerabilities, operational Vulnerabilities, and the Physical Vulnerabilities are different so make sure that you have the right skill sets.
Single Domain Specialists: If your project is big enough you can acquire a domain specialist (e.g. SIEM) or a technology (e.g. RSA envision) specialist. Be sure to question other skills as discussed above. DLP, DRM, Virtualization Security, Social Media, and Mobile Security-type of next generation projects usually require specialists so it makes sense to start with a consultant specialists to acquire the skills sets.
Application Security Specialists: Securing SAP, Siebel, Oracle is a life time goal. It does require life time experience. Again the same rules with hiring specialists.
Desktop Security: Understanding desktop security is different than all other security areas where the end users are non-IT users. Lately desktop security domain is crisscrossing a lot of other domains like NAC, 802.1x, VDI so be very careful to filter.
Code Security: This is a hot domain, possible candidates interact with application security, vulnerability testing. It is not possible to understand code security in every development framework so an eclipse environment expert cannot be very useful in the .NET environment
Security Architects: Even if you see a lot of titles with Security Architect, the real ones are tough to come by, look for understanding of EA frameworks like TOGAF, Zachman etc. Also look for special frameworks like ISO 27001, CoBIT, and NIST. Generic frameworks like ITIL, 6 Sigma, and other compliance frameworks are important. In addition, look for perfect understanding of operations and the technology.
Compliance Specialists: Audit background helps. Top 4 experience helps. Compliance has 2 important parts, meeting compliance and an accreditation. Make sure that you acquire the right internal resources to meet your compliance goals. Instead of going with multiple security compliance specialists, it will make more sense to build an information security management program that can answer the common 80% requirements of all frameworks.

9- Classify candidate backgrounds based on the verticals; it makes sense to find Information Security resources with vertical specialization. I find it amusing to mark “government” background as we start discussing topics with “cyber” word… So far I have seen the following backgrounds in the field. Based on your project’s requirements, different backgrounds provide different outcome.. You can find Information Security professionals with the following backgrounds

Enterprise
Government
Military
SMB
Consultancy
Higher-Ed
Service Provider
New Grad
Vendor
Reseller
Out of Sector

Wrap Up: Look for talent with specific skill-sets – To help you better identify the right skill sets, customize your questions based on experience background, vertical background and universal skills such as conceptual thinking.

RSA SecurID Breach Questions

noreply@blogger.com (Yinal Ozkan) — Sun, 20 Mar 2011 06:06:00 +0000

Q: What was stolen from RSA? (based on Art Coviello's blog) and What is the current risk for SecurID users?

A: RSA says "..extracted information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation..." This is boiling water and everybody is trying to reverse engineer this statement.. What does RSA mean by reduced effectiveness? Without the full disclosure, all interpretations will be semi fictional.. Information sources are limited when RSA is silent. A very important sign of RSA's response is "RSA SecurID Authentication Engine Security Best Practices Guide" document which was published in March 17.

Here are the 2 interesting statements from the March 17 Guide:

1 - "RSA recommends a defense-in-depth approach for protecting token data stored in your environment. RSA strongly recommends that your storage systems encrypt the token data with a separate key in addition to the encryption provided by RSA SecurID Authentication Engine. Using two separate keys maximizes the protection of stored token data."

My interpretation: Do not trust RSA authentication server's built-in encryption, use yours.This means 3rd party who "extracted information from RSA" has a good understanding of how RSA obscures token data on the authentication server...It is usually possible to access stored encryption keys since they have to be accessed for operation anyway. So if source code is lost, this may happen faster..Risk: You had to secure auth server anyway, now the risks are higher but this specific risk does not require you to replace every single token in the field until your own auth server is hacked.. And believe me when your authentication server is hacked you have other serious problems as well (BTW I'am not sure how auth server will work if I encrypt token data with my keys at file level)

2- "Never give the token serial number, PIN, tokencode, token, passcode or passwords to anyone."

My interpretation: Let's analyze this one in-depth.. When you use SecurID, you enter passcode as your password. A passcode is made up 2 pieces on RSA, a pseudo-number (that is dynamically generated on the token a.k.a. tokencode) and your PIN..

The beauty of multi-factor dynamic password tokens is that if I know your PIN I still need the tokencode (so the token).. If I steal your token, I still need the PIN... No attacks are effective until you get token for that specific 60 seconds+PIN combo.(in theory ; ).... The scary part of the warning above is the "token serial number", a number on the back of the token usually used as a subfactor for enrollment and password resets... Directly losing ""token serial number" shouldn't have mattered . if it did, it was not supposed to be imprinted on the back of the token..So the hypothetical risk is that the guys who extracted data from RSA can generate a tokencode from the serial number.. I do not think this is the possibility since that eliminates the whole idea for the need for the token seeds..Hopefully RSA token's private algos are not that simple (serial number generates the seed). Same argument is valid for tokencodes.. If I have to hide my tokencode where is the advantage of using a dynamic code generator?

Back Image with Token Serial Number

I will keep covering this topic until we have a conclusive answer.

MSSPs - Another one bites the dust - Dell acquires SecureWorks

noreply@blogger.com (Yinal Ozkan) — Wed, 12 Jan 2011 06:17:00 +0000

So I had to update my chart for MSSP history ..Again..

SecureWorks no more (independent). As you all know, last Tuesday (Jan 4th) Dell made this announcement from Round Rock, Texas "Dell today announced it has signed a definitive agreement to acquire SecureWorks Inc"

Financial Analysts were puzzled with the "all-cash" move from Dell. How come a technology giant with $53 Billion in annual revenues, is making a scene with a small services company with $120M revenue?..

Before moving to possible reasoning, let's dig the deeper question: "How Much ?"... Terms were not disclosed but here are the facts:

• As of 2010 SecureWorks was completing all the necessary prep work for an IPO after the 2008 fiasco.

• So it is not very difficult to guess the game changer on SecureWorks side: Bags of cash….

• Dell paid 10x reveunue ($1.4B) for a mediocre virtualized storage company (EqualLogic), so why not paying 10x to a successful company with over 3000 qualified "services" buyer accounts? (for those who pull the calc, it makes $1.2 billion in cash, but of course this is a guess – it looks like the number is around 600M)

• Bean counters will need to factor in the cost of acquiring an acqusition mode startup company with plenty of debt when calculating SecureWorks' price tag.(SecureWorks acquired Lurqh, DNS, and Verisign -$45M- MSS lately - from 2004–2008. SecureWorks grew 492 percent)

• At the end of the day IBM paid $1.3B to ISS in 2006.

Why Dell Acquired SecureWorks?

CATALYST:

Security is the catalyst component in many large scale complex deals even if does not present a larger financial percentage of the whole deal. Lately information security is getting more and more byzantine and unmanageable,so selling security hardware/software/consulting does not quench today’s enterprise level security needs. So instead of acquiring half baked hardware/software solutions (like HP's TippingPoint, Arcsight or IBM’s Guardium, Ounce Labs, BigFix acquisitions) Dell made a shortcut to get the whole security package. SecureWorks can offer full security services with or without “best of breed hardware/software” , they do all they need is a “Dell” box loaded with a homemade software such as iSensor, iScanner etc/.

MSP + MSSP

Merging MSPs with MSSPs enable companies like Dell to offer complex services remotely. Outsourcing performed in the form of “body shop” is so 1990s. Taking over the operations of a large company and their IT staff is not outsourcing / neither sending the same operation to overseas. The leverage is where shared services are utilized .That is why Telecoms like Verizon, BT, AT&T and NTT are behind all “managed service” offerings. When compared with HP and IBM, Dell is much better positioned with their strategy. Please evaluate Everdream, Silverback, MessageOne, and KACE acquisitions of Dell. Dell has been making acquisitions to become the “Shared Services” central of the world. Dell is perfectly positioned to offer services remotely from Data Centers without the outsourcing shops like HP-EDS or IBM Global Services. Remote device management, or in Dell’s words “Distributed Device Management” is the next generation of outsourcing. With SecureWorks, Dell will add another critical piece to remote device management and in-the-cloud offerings : Security. (Dell also acquires Perot Systems to fill in the “services” gap) . With SecureWorks, Dell will acquire Verisign’s remote management platform and SecureWorks’ SIM-On-Demand hosted security solutions… Dell already owns in the cloud Message-One security systems..HP and IBM will need to build services around the security tools they have acquired.

POWER OF MARKETING

SecureWorks reached the first 1000 customers with a very small dedicated team from Atlanta, GA. Targeting small credit unions and healthcare organizations, SecureWorks now has around 3000 managed security services customers. Even if the revenue numbers are limited, Dell will be happy to leverage the SecureWorks’ know-how in acquiring “Monthly Recurring Revenue”.

COMPETITION

HP, Dell, Cisco and IBM are in a tight race to own enterprise data centers…Any leverage is welcome for Dell. Many of HP Enterprise Services (HPES - formerly known as EDS) customer shops are SecureWorks customers. Dell’s SecureWorks acquisition puts HP on a very uncomfortable seat. HP does not have an MSSP like IBM (EDS came with UK based Vistorm but try finding "managed security" on hp web sites today) , and they do not have the know-how for build and run an MSSP (where Verizon has Cybertrust, BT has Counterpane , NTT has Integralis, IBM has ISS etc).. it will be an interesting year to watch remaining managed/in-the-cloud security service providers: Perimeter, Fishnet, Trustwave, Solutionary and zScaler.

Outsourcing shops, and System Integrators (SI)s are puzzled with this as well. Other major players like Fujitsu, AT&T, Raytheon, Savvis, Unisys, T-Systems, Tata, CSC, Wipro, Logica and any other large scale Telecoms offer managed security (MSS) as a part of other offerings. Security heavy weights McAfee (now Intel) and Symantec have conflict of interest when offering vendor agnostic services.

What Does SecureWorks Offer Today?

Managed SERVICES

• SIM On-Demand – SaaS without 3rd party vendors

• Log Monitoring

• Log Retention

• IPS / IDS – via 3rd party CPE and internal appliances

• Firewall via 3rd party CPE and internal appliances

• Web App Firewall

• Host IPS

• Vulnerability Scanning via 3rd party CPE and internal appliances

• Web App Scanning via 3rd party CPE and internal appliances

• Encrypted Email

• Security and Risk Consulting

• Deployment Services

Compliance Solutions

• GLBA/FFIEC – financial services

• HIPAA - healthcare

• NERC CIP - utilities

• PCI – payment services

• FISMA –US government

Vertical Solutions

• Banking Compliance Solutions

• Credit Unions Compliance Solutions

• Utilities Compliance Solutions

• Healthcare Compliance Solutions

• Insurance Compliance Solutions

• Retail Compliance Solutions

• Government Compliance Solutions

Security Research

• Advisories

• Articles

• Counter Threat UnitSM

• Newsletter

• Research Blog

• Security Tools

• Security Threat Analyses

• Webcasts

• White Papers

SecureWorks VC investors

Mellon Ventures Inc., GE Capital, SBK Capital, Alliance Technology Ventures L.P., ITC Holding Co. Frontier Capital (via Lurhq) , Great Hill Partners, and Noro-Moseley Partners.

Recent Relevant Dell acquisitions

• Everdream Software 2007 - MSP - Remote Service Management

• ACS (not Xerox' ACS Inc) 2006 - Application Management

• SilverBack Technologies 2007, MSP - Platform Provider

• MessageOne 2008 - Security As a Service (Content Filtering)

• Perot Systems 2009 - SI

• KACE Networks 2010 - MSP Appliance

Recent Relevant IBM acquisitions

• Internet Security Systems (ISS), 2006 - MSSP

• Consul Risk Management, Inc., 2007 - Risk Management

• Watchfire Corporation, 2007 - Security Testing

• Ounce Labs 2009 - Code/Application Security

• Guardium 2010 - Database Security

• BigFix, Inc 2010 - Patch Management

• OpenPages 2010 - GRC

Recent Relevant HP acquisitions

• SPI Dynamics Inc., 2007 - Application Security Testing

• Opsware - 2007 Network management

• Atos Origin Middle East Group - SI

• Electronic Data Systems, 2008 - SI (EDS acquired Vistorm)

• 3Com (includes TippingPoint), 2009 - Network and Security Infrastructure

• ArcSight, 2010 - Security Event and Information Management

• Fortify Software, 2010 - Code/Application Security

Why Did Nokia Fail in Enterprise Smartphone Business ?

noreply@blogger.com (Yinal Ozkan) — Sat, 16 Oct 2010 04:57:00 +0000

Q: Why Did Nokia Fail in Enterprise Smartphone Business?

I do write about security, but seeing Nokia fail hurts everyone. (When Dilbert Came to Nokia - http://www.theregister.co.uk/2010/10/14/nokia_dilbert/ ) So here is my part of the story.

Being a part of one of the largest Nokia Enterprise Security Partners, we felt the Dilbert story of Nokia organization at first hand. Since Nokia Enterprise Security is no more, I can write about what happened. It was around 2004 when Nokia Reps, SEs started to visit us regarding “Mobile Business Solutions” even back then Blackberry was so popular, so we developed an interest in “free” Nokia phones handed to us by Nokia.

Nokia Access Mobilizer ( NAM which became N1BS -Nokia One Business Solution) was our first hit. Our idea was that Nokia will deliver an excellent mail server, and then Blackberry would be the history

Here is an email I have written to a colleague in 2004 regarding NAM / N1BS

Here are my notes:

N1BS is the new name that Nokia marketing geniuses found for Nokia Access Mobilizer. N1BS stands for Nokia One Business Server.

N1BS does not run on classic Nokia hardware and the IPSO operating system. Instead, this product runs on a specific blend of Linux called IPSO-SX and the proprietary "Intel" server called EM6000. If you need to dig more here is the Nokia's acquisition path for these products:

a- N1BS was acquired from EIZEL in 2003. Its original name was Amplifi : http://web.archive.org/web/20030422051926/http://www.eizel.com/

b-The Linux kernel for IPSO-SX is from Montevista. Isn't it a coincidence that Montevista is a Linux distributor for mobile phones :) http://www.mvista.com/

c- The em6000 hardware is from ablecom which sells the system in the name of superserver: http://www.ablecom.com/system/6013p-8.htm

N1BS is good for the following:
1- Any mobile device with wap browser can access to any web page through its proxy. Device independent internet service. N1BS morphs the web pages to your tiny mobile device screen.

2- Email and PIM (Calendar-contacts) integration. Supports exchange and Lotus Notes in native mode
3- Offline sync for PIM and e-mail (through IMAP client)
4- Content processing; N1BS aggregates/abbreviates the data for you. Image processing: Images are re-rendered.
5- Viewers for most of the attachments. E.g. powerpoints. pdfs on your phone
6- Secure, reliable, flexible etc, enterprise marketing stuff..

Here are the highlights that drew my attention
a- Licensing is important. This device uses FlexLM licenses. This means you get a LAC (License Authorization Code) and generate the real license on Nokia web site. 2 per LAC.

b- Sensitive information on the device is encrypted with Blowfish
c- Regular RPM packages are installable by newpkg command. Nokia recommends some packages so this means it does not break the support agreement

d- There is an integrated postgreSQL on the box
e- X libraries are there too. The reason is attachment processing
f- No "Voyager" or "Clish" on this new IPSO-SX. You are on your own.
g- No HA or load balancing solutions are in place
h- No central authentication system integration (LDAP, Radius, AD etc). Even with Radius you need to define users one by one

i- No central "config" file like IPSO
j- No CD bay on the EM6000 hardware
k- No Cron :)
l- No SSL accelerator
m- Nokia gives NAM support from India
n- There is integrated openoffice for attachment viewing
o- You may see NAM, MCA, Documa, names in the documentation . They all mean N1BS
p- No SNMP integration

There is a rumor that Nokia will use this IPSO-SX on the firewalls too but I think it is still too early(See items above that start with No). I have heard that Nokia quit message protector which was also runnning on IPSO-SX

N1BS had a brilliant idea, back then smartphones were very expensive and there was a clear need for a mid market mail solution. With Sync-ML and integrated mail/calendar/contact synchronization this was the right solution for midmarket. It also had auto abbreviation which is made sense where data was costing arms and legs.. So we made the decision and I spearheaded the investment on developing a managed services solution for N1BS.. Then came the Nokia announcement, “We do not think that N1BS works like Blackberrry so we are changing the platform”

When Nokia canceled N1BS you could tell there was an internal friction at Nokia organization. In September 2005 (http://www.theregister.co.uk/2005/09/13/nokia_unveils_mobile_email_drive/) Nokia told us that we were supposed to use Nokia Business Center – NBC, NBC would support push mail that N1BS suffered. So we formatted the N1BS server started from the scratch with NBC, we were still ok because I was a big fan for my S80 9500. We believed in Nokia and continued to market the Nokia mail solution.We built NBC server, tried to build the services around it. But there were problems here is an email I have written in Oct 2005. You can tell that NBC was buggy..Now looking back, I can tell what the problem was; Symbian Group did not work with NBC group at Nokia, they were simply different business lines (retail vs enterprise), so NBC could not use any of the OS level features, even cut&paste was not available to NBC mail client, without phone OS integration NBC's doom was fixed.

The email client interface is not good. It lacks the basic editing functionality of Nokia Symbian interface. I even could not select-cut&paste the e-mail content. Mouse over dial/e-mail things do not work, I have to go over the menu. Body of the messages format is clumsy.

If this is a unified messaging tool, then it should. I like the built-in messaging interface more. Built-in mail client has the ability to forward mails to cell phones, and fax (fax, SMS, MMS profiles). Built-in client works perfect..on the other hand NBC client is worse than built-in mail client.

External e-mail does not work with the following message:

Sending of e-mail failed . Please try again

mail.send.failed:Invalid Addresses

nested exception.js

class.javax.mail.SendFailedException: 451 Can't connect to gmail.com – psmtp. This problem has been fixed

PIM sync has its own problems

This problem has been fixed. I get PIM sync failed errors sporadically. It works after 2-3 trials

When I forward reply and e-mail with NBC, I do not see forward, reply information in Exchange. It only marks read/unread data. If an e-mail is forwarded or replied via business center client, exchange not update the forward/reply history

Embedded URL links are stripped. No URL links in incoming mail

URL links are stripped by NBC server or the client. An example is the following mailAttached below is the outlook version where URL and the links are working.. On NBC both the format is gone and there are no links..

I did a couple of tests, this mail goes to gmail as a multi-part message in MIME format with base64 encoding. That may be the problem.

NBC does not work well with these mails.
Attachments open a separate interface when 'add' is chosen. This interface requires shut down after adding the attachment.This problem has been fixed

I could not manage to delete/edit original mail content when replying

Connectivity is a big problem… It never survives the night. Executives will not like that.

Clients still hang due to GRPS errors. If they are left on all night (sometimes) or phone is shutdown during communication, the client hangs up in "connecting" state.

Here is the fix that works for me:

From tools conn.manager menu highlight GPRS connection and disconnect
Go to NBC client and switch to offline
Reconnect from NBC choose GPRS connection.

Wouldn't be easier if the NBC client disconnects GPRS and reconnects instead off trying "connecting" for hours..?

But if the G sign is still there and the connection is not there (G sign not in the box) the conn manager displays receive/sent 0/0kB duration 00:00:00, this means remove the battery - hard reset solution.. I cannot kill/disconnect a an already disconnected GPRS connection..

This will be annoying for novice executives..

Sometimes after rebooting I get the "install business extras?" installation prompt even if it is installed.. Ususally phone crashes afterward, 2,nd remve battery insert batttery solved the problem.. Can we request for a reboot, or ctrl+alt+del button?

Signature sends a garbage character with rich text. There is no option to choose text/html only signature

Directory search does not search local contacts database. Sending e-mail to local contacts is difficult.

When the phone is off (or no coverage), NBC does not work over wi-fi for 9500 hundred. There is no switch connection option either.

You would think Nokia was settled no, right after we deployed NBC Nokia announced that they have acquired intellisync (Nov 2005) for $430M.( http://www.infoworld.com/d/networking/update-nokia-acquires-intellisync-430-million-221) I was furious I have developed a solution 2 times for nothing. Intellisync was simply a replication platform on steroids. It was replicating files, emails whatever it could find. Nokia liked it because Verizon, and Vodaphone used it.. (Service Providers used Intellisync because it was cheap) ..Right after the acquisition, I was told we should wait because Intellisync did not match the development quality of Nokia….It was so bad even internal Nokai employees couldn’t switch, they were still on NBC.. So within that turmoil I was invited to a partner conference. Partner conference was for Nokia Business as it is described in the recent register article

So this time we did not move.. In 2006 I received an invite from Nokia

Hello Nokia Partner,

Just a note to remind you to register for the Nokia Enterprise Solutions Partner Conference in Boston next month on October 25-27 2006

Your participation and feedback as one of our most valued partners is vital to our continued growth and success together. This will be one of the most substantial and important Partner Conferences we have had in a number of years. This event will be an opportunity to meet and listen to Nokia Enterprise Solutions Senior Management as they share their vision and strategies for the enterprise market. Mary McDowell, Executive Vice President and General Manager, Nokia Enterprise Solutions, David Petts, Senior VP Global Sales, Marketing & Services, Nokia Enterprise Solutions, and other members of the Nokia management team will be there to present their ideas and to meet you personally.

You do not want to miss the kick off of our newly designed Partner Program or the roll out of new products that will offer your business new strategic directions. I guarantee you will leave the conference excited, energized, and ready to get to work. We also have a little fun planned.

During the conference I did speak. I told hundreds of Nokia Executives that as a partner I lost my confidence that nokia could deliver a solution that could last more than 1 year.. nobody listened they were all lost in the glory of the "Intellisync", they even didn’t know about competition, I remember 1 comment, “We are bigger than Microsoft in Operating Systems”…That was nothing more than self soothing propaganda - as we all expected the truth was not so far in the future (http://www.theregister.co.uk/2010/10/22/symbian_wound_down/)

So Nokia Enterprise Business gave their promise on 2 major tickets at the Boston conference

Intellisync is the last stop, trust us, and invest in Intellisync
Nokia IPSO platform is here to stay, trust us, do not invest in any other appliance

I was like Cassandra, So as expected nothing happened with intellisync, Nokia was so lost, you could tell is when they announced that they are killing Intellisync (http://www.open-horizons.net/blog/erno/replacement-strategies-did-nokia-kill-intellisync-or-protect-your-investment) in Sep 2008 Nokia made the expected announcement

“
"The Nokia-Microsoft collaboration to bring corporate mobile email to businesses and mobile professionals is truly unbeatable. No other device manufacturer provides the wide range of devices that we have which immediately mobilize the hundreds of millions of email accounts from Microsoft Exchange," said Anssi Vanjoki, Executive Vice President, Markets, Nokia. "The costs of mobility are contained as companies are able to utilize existing Microsoft Exchange infrastructure, and there is also the strong possibility that a large number of employees already have one or more of the 43 Nokia devices that enable Exchange ActiveSync - http://www.designtaxi.com/news/20941/Nokia-brings-Microsoft-Exchange-ActiveSync-Corporate-Mobile-Email-Solutions/"

But this time we were prepared we already had Blackberries everywhere..

IT-GRC ( Governance Risk and Compliance) Tools - 2010

noreply@blogger.com (Yinal Ozkan) — Mon, 23 Aug 2010 03:47:00 +0000

I have updated this list (October 2011), you can find the recent copy @ this URL:
http://security.24kasim.org/2011/10/itgrc-software-vendors-2011.html

Here is the 2010 version:
-----------------------------------------------------------------------

I stand by my statement that IT-GRC does not stick due to several reasons.

My previous posts with risk management frameworks and tools are at this link (I will update risk management tools next month)

Currently there are 4 types of companies at IT GRC market:
1- IT-GRC vendors: IT Risk Management solutions with integrated workflow and compliance features.
2- Enterprise GRC vendors: Audit driven ERM tools expanding into IT GRC space
3- Glorified Access Control Tools: This is the world of SAP, Oracle and the related vendors ( note to the vendors - GRC is not SoD)
4- Compliance Management Tools (without risk focus)

There are a lot of changes in the market. Market is not as colorful as 2009. I think the main reasons are:
1- Global market for pure IT-GRC vendors are still around $120M /year.
2- Entry to market is not very difficult

Big News are:
CA killed the whole GRC Manager line.
Archer was acquired by RSA (of EMC) - 04-Jan 2010
Compliance Spectrum is now history.

Before moving forward, please remember that Excel is 'by far' the most common application in IT-GRC market : )

IT-GRC vendors

Agiliance
http://www.agiliance.com/
RSA eGRC - Archer
http://www.rsa.com/node.aspx?id=2428
Trustwave GRC (Control Path)
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://www.symantec.com/business/control-compliance-suite
Modulo
http://www.modulo.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Lumension
http://www.lumension.com/Solutions/IT-Risk-Management.aspx
BPS
http://www.bpsresolver.com/
Avedos
http://www.avedos.com/en/home/home.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley Enterprise GRC® for IT (Requires registration to display product information :)
http://paisley.thomsonreuters.com/website/pcweb.nsf/pages/ARAE-6XLQSR
OpenPages
http://www.openpages.com/solutions/governance_risk_compliance_management_solutions.asp
IDS Scheer (GRC is a part of BPM offering)
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html
ARC Logics - Axentis (same company for CCH TeamMate audit)
http://www.axentis.com/Products/Axentis/ProductOverview.html
Methodware
http://www.methodware.com/grc/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/
eGestalt SecureGRC - SaaS hosted GRC offering
http://www.egestalt.com/
Aline GRC
http://www.alinegrc.com/GRC-Platform/20/
TrueArx
http://www.truarx.com/
Easy2Comply
http://www.easy2comply.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/

There are many other tools with ERM (Enterprise Risk Management) Compliance Management, Audit and Access Control Governance feature sets.

Here is a long list of indirect GRC software providers that make auditors happy:
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
SAP (no clear IT-GRC besides Access Control - SoD)
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
Greenlight
http://www.greenlightcorp.net/index.aspx
Qumas avoids GRC term (Regulatory Compliance)
http://www.qumas.com/
Aveksa (Enterprise Access Governance)
http://www.aveksa.com/
Trintech (Financial controls- no IT)
http://www.trintech.com/
Doublecheck ERM
http://www.doublechecksoftware.com/solutions.htm
ACL - Transactional controls testing
http://www.acl.com/products/ccm.aspx
Approva (ERP Audit / SoD on steroids)
http://www.approva.net/solutions/itsecurity/
Strategic Thought (Full Service ERM)
http://www.strategicthought.com/
Open Text Governance, Risk Management & Compliance
http://www.opentext.com/2/global/sol-products/sol-pro-compliance-governance/pro-open-text-governance-risk-compliance.htm
Enablon - ERM
http://enablon.com/products/risk-management.aspx
Pentana Audit Work System (risk Audit)
http://www.pentana.com/products.asp#PAWS
Grant Thornton - Compliance Management - GT acquired Avalion Consulting ComplianceSet solution
http://bit.ly/9bvCFB (Long URL shortened)
Incom Enterprise Risk Mgr ISO 31000
http://www.incom.com.au/products.asp?ID=407
EIQNetworks SecureVue also avoids the GRC acronym
http://www.eiqnetworks.com/products/SecureVue.shtm
Brinqa brings privacy, identity and vendor management http://www.brinqa.com/solutions
SecurityWeaver (SoD tool) http://www.securityweaver.com/Products_Separations_Enforcer.asp
ControlpanelGRC - SOX compliance for SAP users http://www.controlpanelgrc.com/
Xpandion SAP Security - http://www.xpandion.com/

IT-GRC software make our lives more organized but we should not skip the motto of the CSI audit people : " ‘A fool with a tool is still a fool’"

Free and Commercial Firewall Analysis Tools

noreply@blogger.com (Yinal Ozkan) — Thu, 17 Jun 2010 13:56:00 +0000

Q:Hello,

Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500 line config, and I would like to be able run some reports on the configuration.

Thanks,

A:,

There are several audit tools with different features. The most common features in these tools are:

Rule Analysis to detect security holes in the configuration (e.g. allow any)
Configuration Analysis to find duplicate/overlapping unnecessary setting/rules/object
Logfile analysis to find most used rules objects
Rulebase analysis to find unused/unconsolidated objects rules
Simulation of changes.
Risk Analysis
Access Analysis using multiple firewall rules (Can Point A reach at Point B using service C)
Workflow automation
Backup management
Normalization of different firewall rules (e.g. Cisco Juniper Check Point on the same format)
Change Management
Regular Log Analysis

Of course, it is not possible to find all features on all solutions. Firewall vendors do also provide several tools to make audits easy.

That being said, I have seen 2 freeware config audit tools for Cisco (RAT and Nipper)
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT

Commercial Area is more active and they usually cover the known suspects (Check Point, Juniper, Cisco, Fortinet):

http://www.tufin.com SecureTrack, SecureChange Workflow
http://www.algosec.com Firewall Analyzer, FireFlow
http://www.securepassage.com Firemon
http://www.manageengine.com Firewall Log Analyzer
http://www.skyboxsecurity.com/ CertiFire, Firewall Analysis
http://www.redseal.net/ Redseal Vulnerability Advisor
http://www.athenasecurity.net FirePac, Verify

Let me know if you have a specific question.
cheers,
- yinal

HIPS and VPN Concentrator Network Deployment

noreply@blogger.com (Yinal Ozkan) — Thu, 17 Jun 2010 13:48:00 +0000

Q: How decide the placement of Host Based Intrusion prevention System & VPN Concentrator

What is criteria to decide the placement of HIPS and VPN Concentrator.

A: Hi XXXXX,

Your question generated more questions than answers : )

Here is how I think on where host based IPS should be:

HIPS should be installed on hosts which need IPS (based on risk assessment).
HIPS should not be installed on hosts where installing a 3^rd party agent may decrease the reliability of the services on the host system
HIPS should not be installed on hosts where installing a 3^rd party agent may slow down the speed of the host system due to extra resource utilization, added latency etc.
HIPS should be installed when it is possible to manage HIPS. In large scale deployments remote installation, central management etc are usually more important than security.

Here are the important points of VPN Concentrator placement:

It is recommended that your VPN concentrator has trusted and untrusted segments (It is also possible to deploy one-arm single interface deployments – but for management and audit I do recommend 2 segments – where untrusted segment is Internet facing
Untrusted segment should be protected by a firewall (usually in a dedicated DMZ) even if all VPN vendors claim to be very secure. Make sure that the firewall protecting your VPN supports IPSEC pass through (if you are using IPSEC).
Instead of hooking the trusted (Internal) segment into your (internal) networks, connect your trusted segment back to the firewall so that decrypted traffic is firewalled. If you have an IPS make sure that IDS/IPS is inspecting decrypted traffic.
Make sure that you have a dedicated management network to manage the VPN concentrator. If you do not have an extra management interface, use trusted interface for management. Do not allow management over untrusted interface.
Do not deploy NAT before the VPN traffic hits your concentrator, try to use real public IP address (es) on the untrusted /public side of your concentrator since using private addresses may create configuration nightmares
Check destination networks for VPN clients / or remote VPN sites on your network. Analyze the protocols. Sometimes based on the nature of the traffic (e.g. complex VOIP) you may need to hook your concentrator directly into your network. Always check reverse routing for VPN networks.
Verify IP addressing assignments for VPN clients, choose a subnet that will not create internal routing problems (e.g. overlapping IP address space. Dynamic routing etc). If you are dealing with site to site VPNs make sure that you address overlapping IP address spaces.
Check the location of authentication servers. The placement of the concentrator must be is close/redundant proximity to authentication servers (AD, RADIUS, TACACS, LDAP etc). Make sure that the communication with auth servers is not a n issue
Verify multiple entry points, if you are deploying concentrators in HA, make sure that failover works properly, and NAT issues, IP address assignments for different concentrators are configured properly. Also make sure that your access logs can be unified.

Let me know if you have a specific question,

Cheers,
- yinal

Why did Symantec buy Verisign's security business ?

noreply@blogger.com (Yinal Ozkan) — Sat, 05 Jun 2010 22:56:00 +0000

Q: Why did Symantec buy Verisign's security business ?
A 3.5 revenue multiple for a revenue stream comprising largely of a commoditized business (SSL) begs for a strong rationale that goes beyond pure top line growth for this acquistion. Would love to hear of use cases that this will enable that will result in new products/offers from this combined entity.

A: Here are quick comments:
1- Symantec will have direct access to almost all major enterprise accounts using Verisign's SSL certificate relationship. there are a lot of cross-sell opportunities for Symantec such as securing server 2 server communication. On the retail side Symantec can cross sell Norton line at Verisign's high-volume SSL online store

2- Last year Verisign asold MSS (to Secureworks) and security consulting (to AT&T) units, these were the overlapping units for Symantec. The security products that Symantec acquired from Verisign do not have an overlap with Symantec's existing portfolio.

3- Related with the note above, Symantec could not provide full identity management solutions. With Verisign acqusition (SSL certificates, Trust Seal, PKI, VIP ) they will fill-in a big gap. This creates a nice go-to-market plan. e.g. Hosted PKI, Norton Identity Safe etc..

4- All cloud based / remote management solutions (e.g. HEP from Symantec) rely on certificates, Verisign acquisition will play a strong role for Symantec's cloud strategy. Identity security is a key block in delivering cloud based solutions for data security and compliance.

5- Check-out PGP and GuardianEdge acquisitions. They will all integrate well with Vontu line when Verisign's solutions are added to the mix..Verisign complements encryption really well. Re-evaluate data at rest, data in transit and data in use terms : )

6- Verisign has a good brand name, Symantec can definitely leverage the Verisign name

7- The value of the deal can be multiplied if Symantec manages to integrate security solutions (inlcuding this Verisign Portfolio) with its Veritas, Altiris, MSS, and Hosted Security (MessageLabs) lines.

Let me know if you have a specific question,

regards,
- yinal ozkan
(on personal behalf)

DLP as a Service: What's the business case for this?

noreply@blogger.com (Yinal Ozkan) — Sat, 05 Jun 2010 22:51:00 +0000

Question:

DLP as a Service: What's the business case for this?

Answer:
Xxxxxx,
DLP can leverage all the advantages of service-alization on legacy information systems.
If we define service a standard offering delivered by a service provider, business case (of DLP as a service versus technology solution) can be summarized as:
1- Leveraging economies of scale with utilizing shared resources at service provider
2- Leveraging deep-dive technical specialization at service provider since service provider can effort dedicated specialists (not because they are more intelligent). Levering know-how gained from managing multiple customers.
3- Measurements and metrics program guaranteed by service level agreements
4- Ability to scale up/down easily, more reliability and redundancy on the provider side.
5- The old capex vs opex discussion
6- No operational worries (e.g. who will patch my appliance) / focus on core business goals, competitiveness
7- Pay as you go elastic service.

But if you look at DLP specific cases, the answers could be categorized in many different buckets. (this might be different for different organizations). We believe that a DLP program must include
• DLP program management (GRC, Policies , Procedures)
• Endpoint enforcement components,
• Secure remote access components,
• Data classification & governance components,
• Encryption components
• Rights management components.
• Training and user awareness component
• Incident management component
• Central monitoring , Access Control, RBCA the usual InfoSec components

This can all be offered as a hybrid service of people, process, technology and managed services. Usually an important component of DLP program is the network based DLP gateway solutions. A managed offering for network level DLP gateway may offer
1- Ability to get a clean pipe from service provider (e..g prevention in the cloud)
2- Ability to leverage a wide set of solutions for the recognition of different data types / file formats since service provider is developing the service for other customers
3- Ability get experts for custom scripting (yes you will need this)
4- Transparent deployment
5- Correlation of events with other network activities (e.g. IPS, Anomaly Detection, Content security solutions, Firewalls, AV etc)

Type rest of the post here

Open Source IDS/IPS

noreply@blogger.com (Yinal Ozkan) — Sat, 05 Jun 2010 22:47:00 +0000

Question : Are there an open source IDS or Firewall which alert the command center or system administrator by pager, e-mail or cell phone when an event listed on the company’s security event list is triggered?

Answer:
Xxxxxxxxxx,
The answer will be based on the company’s security event list. The first prerequisite is that you need to find an opensource IDS or Firewall that can detect security events in the list. Detection success rate will be based on the complexity of the security events in your list.

Firewalls are usually not very good in malicious activity detection so IDS/IPS is a better idea. Snort is a good start (http://www.snort.org/) . It is opensource and it allows you to configure your custom detection signature and rules.

Alerting is simple, you can configure Snort to alert via e-mail E-mail messages can be converted to SMS and pager messages easily. (you may need to pay for SMS messages depending on the destination and or geographic location)

For IDS/IPS deployment you have to be careful. You might be receiving millions of alerts so forwarding them as a message might not be the best good idea. You need to tune your IDS to report real incidents only (e.g. you may have detected 1 million identical events but all you need is to know what the incident is when it started and what is the frequency). Also remember that Snort will only inspect cleartext traffic in day1 unless you are decrypting the encrypted traffic.

Another approach is to use a Security Information Event Management Solution in addition to the IDS. Forward all Snort alerts and other alerts (e.g. Windows logs, Syslog) to your SIEM tool and make sure that the SIEM consolidates normalizes and correlates the alerts for you, so that you receive the ultimate information from SIEM instead of IDS tools. There are opensource SIEM tools like OSSIM (http://sourceforge.net/projects/os-sim/) and Cyberoam iView (http://sourceforge.net/projects/cyberoam-iview/files/)

Let me know if you have a specific question,

Cheers,
- yinal

Securing Offshore Remote Access

noreply@blogger.com (Yinal Ozkan) — Tue, 23 Mar 2010 17:27:00 +0000

Question:
How to secure data and protect intellectual property while allowing remote access to remote consultants / outsourcing partners / offshore captive operations?

Answer:
This is a long procedural and legal discussion. Restriction of access for remote administrators / consultants / offshore centers is not an actual “productivity” solution, so there is a clear need for sharing data in an intelligent and secure way.
Recently I have seen several discussions on policy based governance and operational controls but I was disappointed with the available technical options. Most of the articles I have seen so far were limited with phrases like “We do use firewalls”, ”We have SAS 70” , “We have strong authentication” or “We do have encryption” type of over the counter canned answers. The most joyful one was (this was on an overseas web site describing how secure the outsourcing operations were) : “We do use SecureFTP”
Well, basic technical controls are nice, like using scrubbed test data, segmenting servers, using strong auth, physical data center security, or using full VPNs..But, what if the requirement is to have real controls?

The technical controls can be deployed at 2 layers:
1-    Controls at the Offshore Center: Regardless of the desktop security controls, endusers at remote data centers can access and steal critical data, at the end of the day, who will stop them if they can take a 5 megapixel shot of their screens with their cell phones. So it is a good idea to have a CCTV / camera based monitoring where access stations are (All remote access should be limited to secured facilities where it is possible – try to avoid roaming laptop based remote workers). I use the term access station because it makes no sense to have regular desktops at offshore operational centers. Using terminal server type of solutions are great but citrix/terminal server type of emulations do not work great for developers. I like virtual desktop infrastructure (VDI) for developers since it gives them full independence in a controlled environment. Base station should be thin clients or must be managed (e.g. group policies with limited user rights) even if they are using the base station only for terminal session.
If you do not have a captive center, and you do not have the full control on remote desktops or you cannot enforce thin client stations or managed workstations, securing the other endpoint (where terminal connection/citrix/VDI term is run) is very difficult. On these cases, make sure that you require VPN connection from individual endpoints so that you can control split tunneling, and you can apply /enforce pre-auth/during-auth posture checks very much like a NAC. The idea is to enforce endusers to install a security applet before they login to your network and run cleaning prior to auth. Create onetime secure virtual workspace that expire at the end of the session. You may also create remediation and quarantine options for non-managed remote access.
When you are securing the remote offshore centers never skip the “air” piece. Roque AP detection is a key feature. Your remote switch must detect any attached device to network esp if it is working as a switch. Also your policies must limit usage of cell phones and other wireless gadgets.
Of course endpoint security is still a key, like using full group policies, firewall/IPS, antimalware, antivirus, encryption, rights management etc, but it is much better to have it on a VDI system. It is also easier to control peripherals on a VDI.
Non-repudiation is another important point. Like the physical camera, a secure remote tamper proof logging facility is highly recommended.
2-    Controls at the server level: Consultants / remote system administrators/ offshore developers do need to access servers in development, test and sometimes production environment. It is a mandate to enforce individual user identities, with full access audit. Actually you can steal the PCI requirements. There are systems that record every single move (literally on a video file - ObserveIT) of a remote administrator. Or you can basically deploy privilege escalation management systems integrated with jump servers (e.g. SSH proxies, Power Broker) Need to know access is essential, but even after policy decisions, make sure that every activity is logged at different layers (network layer, OS layer, DB layer and Application layer) Remote admins should never access to log settings or the log repository (tamper proof logging is the key). This is the time to put SIEM solutions in use. Write correlation rules to alert you when suspicious activity is detected.
Segmentation is another key, but today’s high speed computing makes network level firewalling very difficult. (If you have 100 servers with only 1 Gbps NICs, you will a 100Gbps full duplex firewall , and as of today there is no IPS). I do expect switch vendors to offer port based filrewalling / IPS in the very near future but not today unless you have 7 figures to spend. Either way segment your servers at network level as much as possible, Even if you are using VMware, categorize servers physically according to their risk levels. There are also creative solutions like Apani Networks, Rohati Networks (now Cisco), or the NAC vendors for network based segmentation using user identities. Basically segmenting users with their user IDs instead of their source and destination addresses is better. You can even utilize secure de

Again, none of the technical controls eliminate the need for governance, policy based controls and the risk management frameworks.
Full data life-cycle management, data privacy, data security, audit program, security management program (like ISO 27001) are all essential. But technical controls do really help you to reach your security objectives.

Let me know if you have a detailed question

Regards,
-    Yinal Ozkan

Security awareness - what worked for you

noreply@blogger.com (Yinal Ozkan) — Mon, 08 Feb 2010 13:42:00 +0000

Question:

I am interested to know from you guys what methods you have used to prick the consciousness of your end users - from the standard policy delivery & enforcement tools (e.g. neupart, policy matter, netconsent, et al), through posters & startup screens, right through to "guerilla tactics" rather like Chris Nickerson & hisd guys who did the job on the car dealer.

I had thought of gearing ideas around end user pain points - e.g. post-it notes with a PIN on a dummy credit card, etc. Interested in what low-cost ways others have used.

Thanks in advance guys

Answer:

........,

I have gone through several iterations of awareness initiatives. Web based, class based, print media based, campaign based you name it…

Information Security Practitioners usually skip a very important part of awareness programs, these programs are not security projects where you deliver a technical solution; awareness programs depend on the training component…

Here is the most important thing I learned: Adult psychology is different, you cannot train adults as you train kids.. When you put kids a in a class they simply listen and they learn. Adults never do, they keep questioning: “ Why I am here? Is this good for me? What will I lose if I do not listen? What is in it for me? etc” The questions above must be answered within security awareness initiative since they will keep occupying the short focus of the of the adult minds during training..

So the important structural shift of awareness program initiative is that this is not a project, this not about a portal with multiple choice questions with diagrams, this is not about an application that pops-up, this is about training, and the adult training rules apply.

Years ago, I was in charge of security awareness training of a large trading house.. Participation of all employees was mandatory. Everybody in the class (pre WebEx days) thought this was yet another training, and the eyes were focused on the clock.. I started the conversation with, “I am reading all your e-mail” Well, I got the attention. The whole class got mad . But we had established the training rationale, everybody wanted to how and why I was able to read their e-mail , they were questioning on who else can read their e-mail. Until that moment most of them thought the problems were someone else’s.

In order to share create the personal interest, the best way is to demonstrate vulnerability in day to day applications with live demonstrations (not the checklists, and the pop-quizzes) that employees can associate themselves individually. The demo should not be about the millions that a distant company lost (yes we all heard about TJ Max) or powerpointing defaced web sites to death to bore sales team away. There must be personal interest in security awareness program. Unfortunately not too many people care about the greater good of their employers or the security teams…A salesperson will be more interested so see his CRM database being stolen using his own small blackberry. Or displaying chain of evidence for intellectual property for design engineers, more examples can be given but I think everybody who has managed to read until this paragraph gets the idea; unless there is personal interest there won’t be success.

That being said classical program components like continuous improvement, cyclic approach, audit, measurement/metrics etc will help. ISO programs or the programs like neupart can be used as a good base program management.

-Regards,

- Yinal Ozkan

Using Certificates for Authentication ? Where to store them ?

noreply@blogger.com (Yinal Ozkan) — Sun, 06 Dec 2009 18:57:00 +0000

Question:

Has anyone deployed a VPN solution that leverages user certificates for authentication?

We are considering the possibility of leveraging digital certificates as an authentication factor for VPN. Has anyone implemented this or looked at solutions that do this? We are not comfortable with solely relying on a certificate and the security/integrity of the PC as an authentication mechanism. If you are currently using certificates, I would be interested in hearing how you are deploying this.

Answer:

.....,

The short answer is yes. We did deploy several off-the-shelf certificate based authentication solutions for remote access VPN systems such as Cisco, Check Point, Juniper, Citrix, Nortel.. It is again very possible to deploy similar solutions over SSL VPN solutions (This time easier since browser is the client). I worked with Entrust as the PKI integration provider. When using certs, most of the questions/problems are generic PKI related questions (CRLs, OCSP, identity management etc)

9 out of 10, enterprise shops store the certs on PC or mobile devices since they want to avoid using tokens/smart cards. Using a 3^rd party storage is ideal but to be honest smart cards share the fate of PKI for complexity so many solution sets avoid tokens/smart cards, unless the policies mandate certificates.

When smart cards are more expensive/complex (readers, personalization etc) enterprises use USB tokens to store certificates. (Several companies provide tokens with certificate support, ActivIdentity, Aladdin, Authenex, Entrust, SafeNet (merged with Aladdin) , RSA (RSA has a hybrid token for OTP + certs)).

If you would like to use smart cards as the certificate container, or use the same certs for physical security simultaneously, you can simple take one of the ready to use HSPD-12 Personal Identity Verification (PIV) Card solutions (http://fips201ep.cio.gov/apl.php) so that you can avoid designing all components architecture yourself.

Of course do it yourself path is more fun, technically it is straightforward to integrate certs with any 802.1x based authentication server but as you know it usually gets more complex. We have deployed a complete system for enrollment, biometrics, cards, CMS etc, (took 3+ years)

cheers,

- - yinal ozkan

Best way to stop malware from spreading in a large secure network

noreply@blogger.com (Yinal Ozkan) — Mon, 16 Nov 2009 12:14:00 +0000

Question :What's the best way to stop malware from spreading in a large secure network with no internet connectivity and a multi-platform environment?

Even though the secure environment has no internet access and is on a controlled environment, external USB devices have been added to the network and viruses have been introduced. I'm trying to think of the best ways to stop such external threats being added to a secure closed network. I've got a few ideas bouncing around my head as I believe Antivirus software should be deployed on the workstations in case additional methods of malware introduction are given other that USB. The USB ports could be disabled on all workstations and then the external devices could be scanned before adding to the network. But I'm sure there could be other ideas so can someone offer some suggestions?

Answer:There are multiple approaches, but “the” best way will depend on the mix of your devices in your multi-platform environment (if you still have NT4s and ancient slackware linux copies the solutions you are looking at will be different) and your network status. If there is no internet connectivity naturally you should focus more on entry points (intranets, USB, CD, Floppy, Bluetooth, IR, Wi-Fi)

If you want to classify approaches, your solutions can be at 3 levels, host based, network based and hybrid.

1- Host Based:

a. Use a comprehensive “endpoint security” solution that will have

i. Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)

ii. Encryption (file, disk, mail), key/cert management

iii. Firewall

iv. IPS

v. Antivirus (http and SMTP)

vi. Antispam, Phishing, Malware control (http, SMTP, SMS)

vii. URL filtering

viii. Application control

ix. File integrity Monitoring

x. Remote device management (in a secure manner :)

xi. Biometrics/TPM/SSO/802.1x support

b. Lock down the environment. Do not allow end users to modify any system settings. (e.g. use group policies on windows environment, security blanket on Linux etc)

c. Use point solutions start with port control, anti malware, AV, IPS, firewall . Monitor system resource utilization you may kill endpoints by multiple clients

d. Get physical; super glue all USB ports, remove the CD Drives, break IR sensors, turn off the radios.

e. For old unsupported platforms, deploy file integrity monitoring on critical areas (e.g. tripwire)

f. Use a big brother monitoring tool like Raytheon Oakley’s SureView (check with legal first : )

2- Network Based:

a. Use IPS on the network. IPS will alert you on suspicious traffic you that you can take action faster. If the network traffic is encrypted, IPS will not be very helpful. You may consider decrypting traffic but the solution is a topic for another post

b. Use anomaly detection tools. I really like using these tools; they are my most favorite malware detection solutions. They can either sniff traffic over taps or get flow data. Good solutions are Q1 Labs, Mazu (now Riverbed Cascade).. But any netflow tool will help

c. Segment your network with firewalls

d. Do not allow all protocols (who needs IPX, NetBeui, AppleTalk, SNA anyway : )

e. Use ACLs on network devices. Only allow known ports, lock down network for SRC/DST APP based access rules

f. Monitor Airspace… Make sure that nothing flies out /comes in via wi-fi/Bluetooth et al. I can recommend several tools.

3- Hybrid

a. Use Network access control (NAC). You can have all the security in the world until the cable guy plugs-in his laptop to the Ethernet port in the cafeteria.

b. Use an agent-less scanning tool. Compare all hosts, applications vs your approved gold copies. Monitor all malware constantly from remote. My favorite is Promisec. But you can even use Microsoft SMS

c. Never forget the phones, the smartphones, VOIP phones are the new hosts for the virulent outbreaks/pandemic

If you have a specific question please let me know.

Regards,

- Yinal Ozkan

The "Cyber" Word

noreply@blogger.com (Yinal Ozkan) — Sat, 17 Oct 2009 00:11:00 +0000

I got the following e-mail from one of my peers.
==================
From: Chris Camejo
Sent: Sunday, October 04, 2009 2:19 PM
To: ---------------------
Subject: Cyberwords
I saw this “Cybersecurity” article on CNN and the ridiculous overuse of cyberwords is good for a chuckle:
http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/index.html
Apparently the government wants a “cyberczar” and more “cyberexperts” to work as “cyberanalysts” to protect “cybernetworks” from “cyberthreats” and engage in “cyberwarfare” so they can be a an effective “cyberorganization”. Yes, all of those words were really used in the article.
It scares me that there are people making decisions in government who write stuff like that.
-Chris
=====================
I could not agree more.

Every time I see an acronym or a government program that starts with “cyber” prefix I get irritated. I quickly associate the misapplication of the “cyber” prefix with ill-thought, wrong- footed, erroneous information security initiatives – cybersecurity, cyberczar, cybercop, cyberspace and the list goes on…Even my MS Word spell check doesn’t like them. This (using cyber prefix) simply takes the meaning of many serious topics that we are working on by diluting the significance, to the point of serious confusion to everyone except the small number of cyber experts : )

It is also very interesting that only state and federal agencies use “cyber”

The word cyber entered English language in 1991 as “of, relating to, or involving computers or computer networks” according to Merriam-Webster.

The reason I cannot associate cyber is that etymologically it is wrong. Cyber prefix is derived from cybernetics. Cybernetics as a concept in society has been around at least since Plato used it to refer to government. Maybe that is why the government today likes to use it. In modern times, the term became widespread because Norbert Wiener wrote a book called "Cybernetics" in 1948. The study is described as the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (as the nervous system and brain and mechanical-electrical communication systems) Cybernetics is an established interdisciplinary science not a sci-fi flick or an internet buzz word (http://en.wikipedia.org/wiki/Cybernetics) ) The word comes from Greek “kybernetes” pilot, governor (from kybernan to steer, govern) + English –ics.

So what is the relationship between Internet and Cyber? I do not see a real one ..Maybe it is the cyborgs which is a combination of cybernetic + organism.

-yinal

Web Application Security Tools

noreply@blogger.com (Yinal Ozkan) — Tue, 15 Sep 2009 15:49:00 +0000

I have been checking tools for a while for web application security engagements. Here is my list for web application scanners, test tools, proxies, source code analyzers, web application firewalls, XML SOA gateways (I will crosscheck methodologies in another post)

Remote Web App Test Tools and test proxies
1- SPI Dynamics WebInspect - Now HP Webinspect - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
2- Sanctum then Watchfire AppScan - Now IBM Rational AppScan - http://www-01.ibm.com/software/awdtools/appscan/
3- Kavado Scando - Now Protegrity - http://www.protegrity.com/DefianceSecuritySuite
4- AppSecInc AppDetective Pro - http://www.appsecinc.com/products/appdetective/index.shtml
5- Cenzic Hailstorm - http://www.cenzic.com/products/software/overview/
6- NT Objectives NTOSpider http://www.ntobjectives.com/products/ntospider.php
7- Acunetix Web Vulnerability Scanner http://www.acunetix.com/vulnerability-scanner/
8- Burp Suite -proxy- http://www.portswigger.net/
9- Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/about.html
10- Positive Technologies MaxPatrol 7 - http://www.ptsecurity.com/mp_eval.asp
11- NGS Typhon III - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
12- Parasoft http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319#web_iface_penetration
13- Hyperscan -Art of Defense - http://www.artofdefence.com/en/hyperscan/hyperscan.html
14- HP Assessment Management Platform software - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9580_4000_100__
15- nCircle - http://www.ncircle.com/index.php?s=products_webapp360
16- Qualys - Web Application Scanning - http://www.qualys.com/solutions/web_application_scanning/
17- Foundstone - Now McAfee Vulnerability Manager - http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html
18- Nessus - Tenable Security - http://www.tenablesecurity.com/nessus/
19- Syhunt SandCat http://www.syhunt.com/
20- Saint - No Web App Customization - http://www.saintcorporation.com/products/vulnerability_scan/saint/saint_scanner.html
21- MileSCAN Web Security Auditor (WSA) - Paros Proxy - http://www.milescan.com/hk/ , http://www.parosproxy.org/index.shtml
22- N-Stalker Web Application Security Scanner http://www.nstalker.com/products
23- Nikto - Open Source (GPL) web server scanner http://www.cirt.net/nikto2
24- Canvas (formerly SpikeSecurity) - http://www.immunitysec.com/products-canvas.shtml
25- WebScarab -proxy- http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
26- Odysseus - proxy- http://www.bindshell.net/tools/odysseus
27- CoreImpact - http://www.coresecurity.com/content/core-impact-overview
28- Metasploit - http://www.metasploit.com/
29- Wikto - http://www.sensepost.com/research/wikto/
30- Proventia Scanner (formerly ISS) -http://www-935.ibm.com/services/us , http://www-935.ibm.com/services2
31- e-Eye Retina Web Scanner http://www.eeye.com/html/products/RetinaWebScanner/index.html
32- SQL Power Injector http://www.sqlpowerinjector.com/
33- Sensepost BiDiBLAH - Security Assessment Power Tools (not sure for Web App features) http://www.sensepost.com/research/bidiblah/
34- The Security Auditor's Research Assistant (SARA) - http://www-arc.com/sara/
35- Founstone Tools - http://www.foundstone.com/us/resources/freetools.asp
36- Wapiti Web application vulnerability scanner / security auditor - http://wapiti.sourceforge.net/
37- Curl - httptools, not a scanner - http://curl.haxx.se/
38- Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
39- Fiddler Proxy - http://www.fiddler2.com/fiddler2/
40- Pantera - another spikeproxy- http://www.owasp.org/index.php/Pantera
41- Suru - proxy from sensepost - http://www.sensepost.com/research/suru/
42- Charles Proxy - http://www.charlesproxy.com/
43- Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
44- RatPrxoy from Google http://code.google.com/p/ratproxy/
45- JS Proxy - for javascript - http://jscmd.rubyforge.org/
46- OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools

Source Code Analysis
1.Coverity Integrity Server / Prevent -http://www.coverity.com/products/coverity-prevent.html
2.Escher Technologies Eschertech - http://eschertech.com/
3.Fortify Software Suite (analysis, workbench, metrics & trending console, customization module) http://www.fortify.com/products/fortify-360/vulnerability-detection.jsp
4.Gimple PC and Flexe-Lint C/C++ -http://www.gimpel.com/html/products.htm
5.Grammatech CodeSurfer C/C++ - http://www.grammatech.com/products/codesurfer/overview.html
6.Ounce Labs - Now IBM - http://www.ouncelabs.com/application_security/
7.Parasoft JTest Parasoft Application Security- Java Static Code Analysis - http://www.parasoft.com/jsp/products/home.jsp?product=Jtest
8.Secure Software CodeAssure Workbench C/C++, Java (Now Fortify)
9.Veracode - http://www.veracode.com/solutions
10.Armorize Codesecure - http://www.armorize.com/?link_id=codesecure
11.Klocwork Insight/Solo http://www.klocwork.com/products/product-comparison-matrix/
12.Hypersource - Art of Defense - http://www.artofdefence.com/en/hypersource/hypersource.html
13. PHP Pixy - http://pixybox.seclab.tuwien.ac.at/pixy/
14. BFBTester: Brute Force Binary Tester - http://bfbtester.sourceforge.net/
15. CROSS (Codenomicon Robust Open Source Software) -http://www.codenomicon.com/solutions/cross.shtml
16. Flawfinder - C/C++ source code - http://www.dwheeler.com/flawfinder/
17. Gendarme -.NET applications and libraries - http://www.mono-project.com/Gendarme
18. Stanford SecuriBench -open source - http://suif.stanford.edu/~livshits/securibench/
19. OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools

Web Application Firewalls:
I am excluding network firewalls with deep inspection features such as Cisco, Juniper, Check Point, Fortinet

F5- ASM -Application Security Manager - http://www.f5.com/products/big-ip/product-modules/application-security-manager.html
Breach Security - http://www.breach.com/products/
Imperva - SecureSphere -http://www.imperva.com/solutions/web-application-security.html
Cisco ACE Web Application Firewall http://www.cisco.com/en/US/products/ps9586/index.html
White Hat Sentinel (add-on for F5, Imperva, Breach) - http://www.whitehatsec.com/home/services/waf.html
Citrix NetScaler http://www.citrix.com/English/ps2/products/product.asp?contentID=25636
Protegrity WAF - http://www.protegrity.com/WebApplicationFirewall
Fortify Real Time Analyzer RTA - http://www.fortify.com/products/detect/
AQtronix for IIS - http://www.aqtronix.com/?PageID=99
DenyAll rWeb - http://www.denyall.com/products/rweb_en.html
Applicure DotDefender - http://www.applicure.com/About_dotDefender
Armorlogic Profense - http://www.armorlogic.com/
Bee Ware i-Sentry http://www.bee-ware.net/en/product/i-sentry/
BinarySec (French) http://www.binarysec.com/cms/docs/products/products.html
BugSec WebSniper http://www.bugsec.com/index.php?q=WebSniper
e-Eye SecureIIS http://www.eeye.com/html/products/secureiis/index.html
webscurity web.AppSecure http://www.webscurity.com/products.htm
Phion Airlock http://www.phion.com/INT/products/websecurity/Pages/default.aspx
Radware AppWall http://www.radware.com/Products/ApplicationDelivery/AppWall/default.aspx
Hyperguard - Art of Defense : http://www.artofdefence.com/en/hyperguard/hyperguard.html
Barracuda Web Application Firewall - http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

XML Firewalls
Radware AppXML http://www.radware.com/Products/ApplicationDelivery/AppXML/default.aspx
DataPower (now owned by IBM) - WebSphere DataPower SOA Appliances -http://www-01.ibm.com/software/integration/datapower/
Reactivity, Inc. (acquired by CISCO), The Cisco ACE XML Gateway - http://www.cisco.com/en/US/products/ps7314/index.html
Forum Sentry XML Gateway - http://www.forumsys.com/products/index.php
Layer 7 Technologies' SecureSpan XML Firewall - http://www.layer7tech.com/main/solutions/firewalling.html
Vordel XML Gateway - http://www.vordel.com/products/vx_gateway/
Dajeil - http://www.dajeil.com/Products.asp
Sarvega (now owned by Intel) Intel SOA Expressway - http://www.intel.com/cd/software/products/asmo-na/eng/373233.htm
Bloombase Spitfire Security Server - http://www.bloombase.com/products/spitfire/index.html
Sonoa http://www.sonoasystems.com/product-matrix#anc-security
inferno - opensource - http://ixmlfirewall.sourceforge.net/
DAXFi - Dynamic XML Firewal - Opensource - http://sourceforge.net/projects/daxfi/

open for feedback,
- yinal ozkan

RSA Conference Notes (US 2009)

noreply@blogger.com (Yinal Ozkan) — Sun, 13 Sep 2009 02:28:00 +0000

Better late than never...

During the RSA conference (April 2009) organizers had flip cameras for us (where they announced over twitter)
Instead of typing/blogging my notes, I experienced the "vlogging" which was easy. Here are RSA edited notes from RSA Conference web site:

Part I
Part II
Part III

Sometimes it is positive to see and hear the author, sometimes it is not. But as far as I see we should better not hide behind anonymous posts. I think that we can communicate better with the new gadgets offered us literally at no cost.

cheers,
- yinal

IT Governance, Risk and Compliance (ITGRC) Tools August 2009

noreply@blogger.com (Yinal Ozkan) — Sun, 16 Aug 2009 19:26:00 +0000

For 2011 list follow this link

Here are the updated links for the IT-GRC vendors, IT-GRC wanna be GRC vendors, and some IT based risk management tool/software providers.

There is still a thin line between IT, Financial and ERP GRC solution providers.

I have noticed that SAP has created its own GRC context where GRC means a lot of other things... SoD- Segregation of Duties, entitlements management, users access/authorization for applications/transactions, audit managment, role management etc.Basically a dull extention of IT audit controls. SAP's Virsa and SUN's Vaau acqusitions are good examples of this trend. That is not GRC -- that is mediocre IT controls audit. The term GRC is used without any consideration. This statement is also valid for the other usual suspects l(Oracle, PeopleSoft, Hyperion, JD Edwards,)

Here is a quick M&A update from last post:
Brabeion is acquired by Archer (Big News)
Controlpath is acquired by Trustwave.
Paisley is acquired by ThomsonReuters
Iconium is acquired by Logicalis
IBM dropped their own suite and working with Modulo
Favored GRC has a new name Highpoint GRC
Achiever is gone
I looked at ACL, Approva,Aveksa,Opentext,SecurityWeaver, Xpandion, Spatiq solutions,, I will be checking these vendors in the future, these solutins tend to manage ERP security only)..

IT-GRC solution Providers:

Agiliance
http://www.agiliance.com/
Archer ( acquired Brabeion)
http://www.archer-tech.com/solutions/index.html
Trustwave GRC
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_control_compliance_suite_9.0-11_2008_14121573.en-us.pdf
Compliance Spectrum
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/home.jsp
NeIQ
http://www.netiq.com/solutions/scm/default.asp
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue/SecureVue_Technology.shtml
CA GRC
http://www.ca-grc.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Logicalis grace (acquired Iconium Assets)
http://www.uk.logicalis.com/business_issues/governance_grace.asp
Lumension (acquired Security-Works)
http://www.lumension.com/landing.spring?contentId=154643
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
BPS
http://www.bpsinc.com/
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley (now Thomson Reuters)
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html Axentis
http://www.axentis.com/offerings/solutions/itgovernance
Methodware
http://www.methodware.com/it-security/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
McAfee Risk and Compliance Manager (formerly McAfee Preventsys),
http://www.mcafee.com/us/local_content/white_papers/dashboard_reporting_it_grc.pdf
Greenlightcorp (SAP GRC)
http://www.greenlightcorp.net/sap_grc_cross_platform.html
Trintech -Financial GRC only
http://www.trintech.com/
SAI global
http://www.saiglobal.com/compliance/grc-software/
SAP
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
eFortresses
http://www.efortresses.com/Compliantz.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/news.asp

There are also dedicated Risk Management Tools which will soon identify themselves (maybe they already do) for IT GRC marketspace
Callio
http://www.callio.com/
Casis
http://www.clearpriority.com/ (clearpriority)
Strategic Thought Active Risk Manager
http://www.strategicthought.com/riskmanagement.html
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Acuity Stream
http://www.acuityrm.com/
EAR/Pilar
http://www.ar-tools.com/en/index.html
GStool (mainly German)
https://www.bsi.bund.de/cln_136/EN/topics/ITGrundschutz/ITGrundschutzGSTOOL/itgrundschutzgstool_node.html Sigea GxSGSI (this site is in Spanish only)
http://www.gxsgsi.es/
RA2
http://www.aexis.de/index.php?site=static&staticID=4
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/
ISmart
http://www.biznet.com.tr/english/ismart_info.htm
Resolver
http://www.resolver.ca/
RMStudio
http://www.riskmanagementstudio.com/
RiskConnect
http://www.riskonnect.com/riskonnect_products.html
PTA Risk Assessment Tools and Technology
http://www.ptatechnologies.com/
Avedos Risk2Value
http://www.avedos.com/111-Short-Facts.html
Non-IT Risk Software
http://www.riskworld.com/SOFTWARE/sw5sw001.htm

I still need time to add URL links for the well known risk assessment methodologies. A little bit googling will take you to the right resources if you want to build your won system using a methodology or a framework.
Methodologies for Risk Assessment and Management listed below can be used at IT operations... Endless discussion for quantifying the risks... I like ISO 27000 series to lead, but each case is different.

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk management (IRM) The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF –IRAM : Information Security Forum Ltd. Information Risk Analysis Methodologies . Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis) , SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
Securitree from Ameneza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

There are also Compliance Management/SIM/SIEM solutions which partially present GRC.
Here are a few links:

Tivoli Security Compliance Manager
http://www-01.ibm.com/software/tivoli/products/security-compliance-mgr/
Novell Compliance Management Platform
http://www.novell.com/products/compliancemanagementplatform/
Easy2comply (formerly Dynasec)
http://www.easy2comply.com/
AlertLogic
http://www.alertlogic.com/
NetForensics
http://www.netforensics.com/compliance/
Arcsight
http://www.arcsight.com/solutions/solutions-compliance/
RSA enVision
http://www.rsa.com/solutions/compliance/datasheets/9373_ISOENV_DS_0408-lowres.pdf
Intellitactics
http://www.intellitactics.com/int/solutions/compliance.asp

Actually all SIM SIEM vendors have a compliance management solution. For their list you can check the following post:
http://security.24kasim.org/2008/12/differentiation-of-log-management.html

PCI Reporting Requirements for Merchants

noreply@blogger.com (Yinal Ozkan) — Fri, 31 Jul 2009 16:00:00 +0000

Facts:
- Check your PCI Merchant levels and validation requirements from the following post: http://security.24kasim.org/2009/06/pci-levels-for-merchants-2009.html

Amex

Level 1-
If compliant, Attestation of Compliance –AOC- (recommended) or exec summary of onsite security assessment report (QSA/internal) annually and quarterly network scan
If not compliant, AOC (recommended) or exec summary of onsite security assessment report and Remediation Plan annually and quarterly network scan and Remediation Plan

Level 2-
Quarterly Network Scans (and Remediation Plan if not compliant)
AOC (Recommended) or Executive Summary
In EU: PCI SAQ

Level 3- Level 4 -
No reporting Required for Amex at L3 and L4

Discover

Level 1 –
Network Merchants:
If compliant Appendix D of PCI DSS requirements and Security Assessment Procedures v1.2 - Attestation of Compliance –AOC-
If not fully compliant must also complete the Action Plan for Nono-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 2:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 3:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 4:
Network Merchants
If compliant Attestation of Compliance –AOC- from applicable SAQ maybe required
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form or Level 4 Merchant Action Plan to Discover twice a year

JCB

JCB has no reporting requirements at this time

MasterCard

Level 1-
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 2-
Acquirers annually register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 3 –
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 4-
No requirements

Visa Inc

Level 1-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 2-
At least a twice a year , a statement of merchant compliance / non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 3-
At least a twice a year , a statement of merchant compliance / non-compliance

Level 4-
Set by the acquirer

Visa Europe
Level 1-
Annual statement of merchant compliance
For merchants in progress, quarterly update until compliance confirmed
Upon request a copy of Report on Compliance (ROC) including indication of scan completion

Level 2-
Annual Statement of compliance / non-compliance
For merchants in progress, quarterly update until compliance confirmed

Level 3-
Quarterly statement of compliance / non-compliance for merchants above 20000 transactions/year. Annual statement for merchant below 20000 transactions/year

Level 4:
Annual statement of compliance / non-compliance for merchants processing < 1 million Visa transactions/year.

Service Providers are not merchants so if you are providing card processing for 3rd parties (Payment Service Provider) PSP or if you are a TPP (Third Party Processor) PCI levels, validation and reporting requirements are different. The charts above are for merchants only.

Clouds and the VPN

noreply@blogger.com (Yinal Ozkan) — Sun, 28 Jun 2009 21:04:00 +0000

Question:
Do I need VPNs in the cloud?

Answer:
There are several questions regarding the necessity of VPNs in the cloud.

I think the first step is to clear the concept of cloud. Currently the word “cloud” is used interchangeably for TelCo service provider transport clouds (Network Clouds) (e.g.MPLS) and Cloud computing web services that provide resizable compute capacity as a cloud (like Amazon EC2).. We can also define private service providers like SaaS providers, managed service providers MSPs) as cloud/utility providers (like force.com from salesforce.com, webroot SaaS). Here are some articles defining cloud and transport options.
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
http://mediaproducts.gartner.com/reprints/f5networks/vol3/article4/article4.html

When the necessity of VPNs in the clouds are analyzed, it is obvious that encryption is indeed one of the key pillars of modern information security. And VPNs do provide confidentiality and integrity for data at transit. When cloud networks do transport the data they should provide integrity and confidentiality of data. That being said this does not have to be at layer 3 (IPSEC) or layer 6 (SSL). So focusing on an IPSEC client does not help to address the issue. Confidentiality and integrity services can also be provided via applications themselves. When data is critical you may certainly encrypt data at application layer. (e.g. rights management solutions)

Here is the high level satus for VPNs in the cloud

1- TelCo Network Clouds (Service Provider) – This is the most interesting part. TelCos claim that their shared infrastructure and MPLS VPNs are secure. This is questionable (see article below) but the answer depends on the security needed.
If service provider cloud is not trusted enough you always encrypt at another layer (usually with the application).I personally believe that cloud service provider (TelCos) must be subject to heavier inspection when they are transporting almost all of the intersite traffic. Here are some articles discussing the issue
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Rey-up.pdf
http://www.techworld.com/networking/features/index.cfm?featureid=3360

I also do not understand why TelCos are exempt from security regulations. (PCI is a good example) TelCos (and their admins, applications, helpdesk people, servers, cable guys…) do have access to almost all interoffice data traffic when MPLS type of TelCo backbone is used. And when the MPLS cloud is compromised, all clear text (yes even the tunneled ones) will be compromised. Real encryption is rarely used. TelCos have been promoting themselves as secure service providers while promoting layered tunnels as segmentation, but I believe they must seal these claims with 3rd party certifications and allowing encryption friendly (where keys are held by the data custodians) clouds.

2- Cloud Computing providers: These providers addressed encryption at their inception thanks to their security aware generation. Before encryption there are several other questions. Here is my post on generic cloud computing security issues: http://security.24kasim.org/2009/02/cloud-computing-security.html

3- SaaS providers. SSL looks like the king at these providers. Segregation of customer data, and customer driven/controlled encrpytion for data at rest and data at transit is required. For data at transit, SSL is secure enough when proper authentication/cert management is provided.

I am still following the following basic principles when I evaluate a platform. Regardless of the nature of technology, all platforms (clouds and others) should answer properly to following areas of information security:
1- Authentication
2- Authorization
3- Confidentiality
4- Integrity
5- Non-Repudiation

cheers,
- yinal

PCI Levels and Validation Requirements for Merchants 2009

noreply@blogger.com (Yinal Ozkan) — Mon, 01 Jun 2009 04:04:00 +0000

This topic is always in the air so here are the official numbers for 2009 from PCI Security Standards Council the official governing body on the PCI requirements for merchants:

Facts:

- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, Mastercard, Discover , Amex etc. They do have the last word on this topic

- Transaction volume is determined by Acquirer

- Transaction volume is aggregate number of transactions (chain stores do count if cards are processed centrally)

Amex

Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 50000-2.5Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand

Action: EU only annual SAQ, Quarterly ASV scans

Level 3- Less than 50000 AMEX transactions/year

Action Quarterly ASV scans (recommended) , EU only SQA (recommended)

Level 4- N/A

Action: None

Discover

Level 1 - Over 6 Million Discover card transactions/year, anybody who Discover thinks that they level 1 (discretionary) or any merchant who is validated/reported as Level-1 to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Discover transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- Everybody else with Discover card processing

Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended

JCB

Level 1 - Over 1 Million JCB card transactions/year or anybody who is compromised

Action: Annual Onsite QSA audit, Quarterly ASV scans

Level 2- Less than 1 Million JCB transactions/year

Action: Annual SAQ, Quarterly ASV scans

Level 3- N/A

Action: none

Level 4- N/A

Action: None

MasterCard

Level 1- Over 6 Million Mastercard card transactions/year, or any merchant who is Level 1 according to another Payment Brand or anybody who is compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20000-1 Million Mastercard “e-commerce” transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- All other Mastercard merchants

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Inc

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or any global merchant who is identified as Level 1 by Visa by any Visa Region

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 20000-1 Million Visa “e-commerce” transactions/year

Action: Action: Annual SAQ (In Canada SAQs require QSA reviews), Quarterly ASV

Level 4- Merchants processing less than 20000 e-commerce transactions/year or merchants processing up to 1M any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Europe

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or compromised merchants

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions

Level 4- Merchants processing up to 1 Million any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Of course all parties who process store or transmit credit cards must follow PCI requirements (PCI-DSS) regardless of their levels.

I will cover reporting requirements for merchants in another post.