<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
 <title>The Cloud Security Rules aggregator</title>
 <link>http://thecloudsecurityrules.com/aggregator/categories/1</link>
 <description>The Cloud Security Rules - aggregated feeds in category Security</description>
 <language>en</language>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/TheCloudSecurityRules" /><feedburner:info uri="thecloudsecurityrules" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
 <title>via @j4vv4d: Cookies and European Laws</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/rUmj2Noquf8/</link>
 <description>Ever visit a European website and wonder what that pop-up message telling you the site uses cookies actually means? All is about to be revealed.</description>
 <pubDate>Thu, 03 Jan 2013 14:38:28 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/J4vv4d/~3/yPhmDzk4FpQ/</feedburner:origLink></item>
<item>
 <title>via @lmacvittie: Back to Basics: Least Connections is Not Least Loaded</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/_OzToabvnl0/back-to-basics-least-connections-is-not-least-loaded</link>
 <description>&lt;p&gt;#webperf #ado When &lt;a href="http://www.f5.com/glossary/load-balancing.html"&gt;load balancing&lt;/a&gt;, &amp;quot;least connections&amp;quot; does not mean &amp;quot;least loaded&amp;quot;&lt;/p&gt;
&lt;p&gt;Performance is important, and that means it's important that our infrastructure supports the need for speed. Load balancing algorithms are an integral piece of the performance equation and can either improve or degrade performance.&lt;/p&gt;
&lt;p&gt;That's why it's important to understand more about the algorithms than their general selection mechanism. Understanding that round robin is basically an iterative choice, traversing a list one member at a time, is good; understanding what that means in terms of performance and capacity for different types of applications and application workloads is even better.&lt;/p&gt;
&lt;p&gt;We last checked out &amp;quot;&lt;a href="/blogs/us/back-to-basics-the-theory-of-performance-relativity"&gt;fastest response time&lt;/a&gt;&amp;quot; and today we're diving into &amp;quot;least connections&amp;quot; which, as stated above, does not mean &amp;quot;least loaded.&amp;quot;&lt;/p&gt;
&lt;h4&gt;INTRA-APPLICATION WORKLOADS&lt;/h4&gt;
&lt;p&gt;The industry-standard &amp;quot;least connections&amp;quot; load balancing algorithm uses the number of current connections to each application instance (member) to make its load balancing decision. The member with the fewest active connections is chosen. Pretty simple, right?&lt;/p&gt;
&lt;p&gt;The premise of this algorithm is a general assumption that fewer connections (and thus fewer users) means less load &lt;img src="/Portals/0/images/metapost/News-Articles/macvittie/2012/Dec/WLW-BacktoBasicsLeastConnectionsisNotLeastLo_4314-operational%20axiom%202_2.png" alt="operational axiom 2" /&gt; and therefore better performance. That's operational axiom #2 at work: if performance decreases as load increases, it stands to reason that performance increases as load decreases.&lt;/p&gt;
&lt;p&gt;That would be true (and in the early days of load balancing it was true) if all intra-application workloads required the same resources. Unfortunately, that's no longer the case, and the result is uneven load distribution that leads to unpredictable performance fluctuations as demand increases.&lt;/p&gt;
&lt;p&gt;Consider a simple example: a user logging into a system takes at least one, if not more, database queries to validate credentials and then update the system to record the activity. Depending on the nature of the application, other intra-application activities will require different quantities of resources. Some are RAM heavy, others CPU heavy, others file or database heavy. Furthermore, depending on the user in question, the usage pattern will vary greatly. One hundred users can be logged into the same system (requiring at a minimum one hundred connections, one per user) but if they're all relatively idle, the system will be lightly loaded and performing well.&lt;/p&gt;
&lt;p&gt;Conversely, another application instance may boast only 50 connections, but all fifty users are heavily active with database queries returning large volumes of data. That system is far more heavily loaded and its performance may already be beginning to suffer.&lt;/p&gt;
&lt;p&gt;&lt;img src="/Portals/0/images/metapost/News-Articles/macvittie/2012/Dec/WLW-BacktoBasicsLeastConnectionsisNotLeastLo_4314-leastconnsnotleastload_2.png" alt="leastconnsnotleastload" /&gt;&lt;/p&gt;
&lt;p&gt;When the next request comes in, however, a load balancer using a &amp;quot;least connections&amp;quot; algorithm will choose the latter member, increasing the burden on that member and likely further degrading performance.&lt;/p&gt;
&lt;p&gt;The premise of the least connections algorithm is that the application instance with the fewest connections is the least loaded. Except it's not.&lt;/p&gt;
&lt;p&gt;The only way to know which application instance is the least loaded is to monitor its system variables directly, gathering CPU and memory utilization and comparing them against known maximums. That generally requires SNMP, agents, or other &lt;a href="/blogs/us/back-to-basics-health-monitors-and-load-balancing"&gt;active monitoring mechanisms that can unduly tax the system&lt;/a&gt; in and of themselves by virtue of consuming resources.
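&lt;/p&gt;
&lt;p&gt;The following Python simulation is an added example, not code from the original post or from F5. It models the two instances described above (instance A with 100 mostly idle connections, instance B with 50 busy ones); the instance names, the per-connection CPU cost figures and the 100-unit capacity are constructed for the illustration, standing in for the utilization that SNMP or an agent would report. It shows that a least-connections choice lands the next request on the busier instance, while a choice informed by measured utilization does not.&lt;/p&gt;

```python
"""Added example (not F5's or the post's own code): a least-connections
choice versus a choice informed by measured utilization.  Instance names,
connection counts and the per-connection CPU cost figures are constructed
for the illustration; real load balancers would obtain utilization from
SNMP or agents rather than from a list of costs."""
from dataclasses import dataclass, field


@dataclass
class Member:
    """One application instance (pool member) behind the load balancer."""
    name: str
    # one entry per active connection: the CPU cost (arbitrary units) it imposes
    connections: list = field(default_factory=list)
    capacity: float = 100.0  # CPU units at which the instance saturates

    @property
    def connection_count(self) -> int:
        return len(self.connections)

    @property
    def load(self) -> float:
        """Utilization as a fraction of capacity, i.e. what monitoring would report."""
        return sum(self.connections) / self.capacity


def least_connections(members):
    """Industry-standard rule: the member with the fewest active connections wins."""
    return min(members, key=lambda m: m.connection_count)


def least_loaded(members):
    """Needs out-of-band monitoring: the member with the lowest utilization wins."""
    return min(members, key=lambda m: m.load)


def build_scenario():
    """The two instances from the post: A has 100 mostly idle users (cheap
    connections), B has 50 users all running heavy database queries."""
    idle = Member("A", [0.2] * 100)   # 100 connections, 20 CPU units total
    busy = Member("B", [1.8] * 50)    # 50 connections, 90 CPU units total
    return [idle, busy]


def compare(request_cost=1.0):
    """Return, per algorithm, which member receives the next request and the
    utilization that member would reach once the request is assigned."""
    result = {}
    for label, policy in (("least_connections", least_connections),
                          ("least_loaded", least_loaded)):
        chosen = policy(build_scenario())
        after = (sum(chosen.connections) + request_cost) / chosen.capacity
        result[label] = (chosen.name, round(after, 2))
    return result


def simulate(policy, costs):
    """Assign a burst of new connections (each with a CPU cost) using `policy`
    and return the peak utilization reached by any member."""
    members = build_scenario()
    for cost in costs:
        policy(members).connections.append(cost)
    return round(max(m.load for m in members), 2)


if __name__ == "__main__":
    print(compare())
    # least connections keeps sending to B until B's count catches up with A's
    print("burst, least connections:", simulate(least_connections, [1.0] * 20))
    print("burst, least loaded:", simulate(least_loaded, [1.0] * 20))
```

&lt;p&gt;Running the module prints the two picks for a single request (least connections sends it to B, pushing B to 91 percent; the utilization-aware pick sends it to A at 21 percent). The simulate() helper extends the same scenario to a burst of 20 new connections: least connections keeps choosing B until its connection count catches up with A's and drives it past saturation, while the load-aware pick leaves the peak at B's starting 90 percent. The caveat the post raises still applies: the utilization figures have to come from somewhere, and gathering them costs the monitored system resources of its own.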
&lt;/p&gt;
&lt;p&gt;This is a quandary for operations, because &amp;quot;application workload&amp;quot; is simply too broad a generalization. Certainly some applications are more I/O heavy than others, and still others are more CPU or connection heavy. But all applications have both a general workload profile &lt;strong&gt;and&lt;/strong&gt; an intra-application workload profile. Understanding the usage patterns (the intra-application workload profile) of an application is critical to determining not only which load balancing algorithm to choose but also which limits may provide better overall performance and use of capacity during execution.&lt;/p&gt;
&lt;p&gt;As always, being aware of the capabilities and the limitations of a given load balancing algorithm will assist in choosing one that is best able to meet the performance and availability requirements of an application (and thus the business).&lt;/p&gt;</description>
 <pubDate>Wed, 02 Jan 2013 18:08:00 +0100</pubDate>
<feedburner:origLink>https://devcentral.f5.com/blogs/us/back-to-basics-least-connections-is-not-least-loaded</feedburner:origLink></item>
<item>
 <title>via @GFISoftware: 13 for ’13 Jumpstart: BYOD and MDM</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/bRcROrcTn9M/</link>
 <description>&lt;p&gt;&lt;a href="http://www.gfi.com/blog/wp-content/uploads/2013/01/2.jpg"&gt;&lt;img class=" wp-image-10099 alignright" style="margin: 10px; border: 0px solid black;" title="13 for ’13 Jumpstart: Part 2" src="http://www.gfi.com/blog/wp-content/uploads/2013/01/2-300x300.jpg" alt="" width="216" height="216" /&gt;&lt;/a&gt;A few weeks ago we published an article called &lt;em&gt;&lt;a href="http://www.gfi.com/blog/13-it-projects-to-include-in-your-plans-for-2013/"&gt;13 IT Projects to Include in Your Plans for 2013&lt;/a&gt;&lt;/em&gt;. In that post, we suggested thirteen great IT projects for you to consider, since as the New Year approaches, many IT departments start lining up their wish lists for the following year. We got several requests either in comments or through email asking for tips to help “jumpstart” some of these projects, and since we’re all about our readers, we decided to publish some follow-up articles to help do just that.&lt;/p&gt;
&lt;p&gt;Our first project suggestion was &lt;a href="http://www.gfi.com/blog/13-for-13-jumpstart-patch-management/"&gt;patch management&lt;/a&gt;; in this second project suggestion we’ll be discussing BYOD (Bring Your Own Device) and MDM (Mobile Device Management). Here’s what is said in the initial post:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;BYOD is one of those inevitable things that you can either get on board with, or get rolled over by. Tablets, smartphones, convertibles and more are all growing in popularity, and if your users want to spend their own money on devices to make them more productive, who are you to object? You want them secure and manageable, and having good policies and MDM solutions in place are the first key steps towards making BYOD good for all concerned. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;With that in mind, here are some tips to help you jump start this project:&lt;/p&gt;
&lt;h2&gt;Decide what is acceptable&lt;/h2&gt;
&lt;p&gt;BYOD does not have to be a free for all. Determine what devices you want to support, and what services you want to provide. Will they connect to the internal network or the guest network? Are all apps up for consideration or only core services that lend themselves well to BYOD, like email and messaging?&lt;/p&gt;
&lt;h2&gt;Decide what is not&lt;/h2&gt;
&lt;p&gt;BYOD can present certain security risks if it is not handled appropriately. Part of mitigating those risks is determining what is not acceptable. You might be okay with users accessing the guest wireless network with their tablets, but not connecting their personally owned laptops to the corporate Ethernet. You might be okay with employees using their BYOD hardware to access email, but not with them saving confidential information on their device’s local storage.&lt;/p&gt;
&lt;p&gt;Ultimately your team needs to decide what is not acceptable, but here’s a tip that works for me. If they could do something from home on their personal device, like check their email, log onto the company web portal, etc. then it should be okay for them to do so with BYOD. If all unmanaged devices are kept on the guest network, then they present no more real risk than they did coming over the Internet. Start there, and work your way up as you get more comfortable and can better evaluate your apps.&lt;/p&gt;
&lt;h2&gt;Determine where the support boundaries are&lt;/h2&gt;
&lt;p&gt;The Y in BYOD may imply that it is not company property, but your support desk is going to get questions. How do I set up my email? How can I access the Intranet? Why can’t I get on the Wi-Fi network? Can’t I install that app? And the myriad of platforms out there will make it very challenging to provide support, since even different Android devices can have radically different ways to do trivial tasks like setting up email or configuring the wireless client. As a team, decide what you are comfortable with and make sure you set clear expectations with your users before you open the floodgates.&lt;/p&gt;
&lt;h2&gt;Create and publicize the device policy&lt;/h2&gt;
&lt;p&gt;And here is where you make that clear. Create and publicize a policy that clearly lists the devices that will be supported, the apps that are permissible, and just how far the support desk can go before the user is on his/her own to figure out how to make his/her personal device work.&lt;/p&gt;
&lt;h2&gt;Create and publicize the Acceptable Use Policy&lt;/h2&gt;
&lt;p&gt;Here is where you need to be really clear with your users, so this is a policy that you want to spend time on to be sure that it is clear and written so that end users can understand it. You don’t want users to abuse the privilege of BYOD, and you don’t want to negatively impact productivity. Making it clear to users what is and is not acceptable is key here, since they will often think that corporate policies don’t apply to their personal devices.&lt;/p&gt;
&lt;h2&gt;Account for security&lt;/h2&gt;
&lt;p&gt;The last thing anyone wants is for BYOD to result in a security incident, so make sure you talk about that at the beginning and not at the end. Users of Exchange (on-premises or Office 365) can use Exchange ActiveSync policies to lock down devices with passwords, screen locks, etc., and can remotely wipe a lost device. Not all devices support hardware encryption though, so you need to decide whether or not to require that, and if you do, how you will address all those users whose BYOD devices won’t be permitted. You will also want to make sure that your policy covers remote wipe and that users know they are responsible for their own backups, since BYOD devices will have personal content on them.&lt;/p&gt;
&lt;h2&gt;Evaluate and select your solution&lt;/h2&gt;
&lt;p&gt;If you want to use a Mobile Device Management solution, you are going to have to do an in-house evaluation to make sure you like the product and it works in your environment. Plan on a four- to six-week test drive for each MDM solution you want to evaluate, and make it clear to the sales team that you have to test drive it before you buy it. You need to be sure any MDM will do what you need, across all the devices you plan to support. You cannot determine that from a website or online demo.&lt;/p&gt;
&lt;h2&gt;Pilot&lt;/h2&gt;
&lt;p&gt;Most, if not all, of your IT team probably already owns devices that could be used for BYOD. Conduct a pilot, with phase one being your IT team, and phase two being a limited number of business users. You want to be comfortable with all the aspects of BYOD before you open the flood gates and let everyone in.&lt;/p&gt;
&lt;h2&gt;Deploy&lt;/h2&gt;
&lt;p&gt;When you are ready, deploy. MDM solutions can make this very easy, by pushing configs to users when they visit a website using a link you can send out in an email. If you are not using MDM, send out instructions for how to set up the most common devices, and be ready at the support desk for those you missed and for users who either don’t read, or have challenges with the do-it-yourself part of BYOD. And you really need to plan for and offer at least some level of best effort support for your users – it’s the right thing to do.&lt;/p&gt;
&lt;h2&gt;Wash, rinse and repeat&lt;/h2&gt;
&lt;p&gt;BYOD and MDM are not fire and forget solutions. They will need constant evaluation to determine what works, what needs to be changed and what needs to be dumped. Set the expectation amongst the team that you will formally evaluate at least twice a year, and that the project is open to requested or required changes as needed to ensure that the solution is working for both users and the company.&lt;/p&gt;
&lt;p&gt;So now you have some tips to help you get started on BYOD as a project, along with some of the key things to be sure you include to make this project a success. Management sponsorship, project management and consensus are all as important as the more technical parts, even if they aren’t quite as sexy. BYOD can offer significant benefits to the business and can make a big impact on user morale too, so it’s in the best interests of the entire company to make sure this is a success. With the tips above, you are in a much better position to make sure it is a success.&lt;/p&gt;
</description>
 <pubDate>Wed, 02 Jan 2013 16:00:38 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/TalkTechToMe/~3/-ZuF5bogIpk/</feedburner:origLink></item>
<item>
 <title>via @anton_chuvakin: Annual Blog Round-Up – 2012</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/YqQVAkcyUaA/annual-blog-round-up-2012.html</link>
 <description>&lt;p&gt;Here is my &lt;strong&gt;annual &lt;a href="http://chuvakin.blogspot.com/"&gt;"Security Warrior" blog&lt;/a&gt;&lt;/strong&gt; round-up of top 10 popular posts/topics in 2012.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2010/03/simple-log-review-checklist-released.html"&gt;Simple Log Review Checklist Released!&lt;/a&gt;” was again the most popular this year. The checklist is a list of critical things to look for while reviewing system, network and security logs when responding to a security incident.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://chuvakin.blogspot.com/search/label/PCI_Log_Review"&gt;PCI DSS Log Review series&lt;/a&gt; of posts takes the #2 spot; they are about planning and executing PCI DSS-driven log review at an organization.&lt;/li&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2010/04/on-choosing-siem.html"&gt;On Choosing SIEM&lt;/a&gt;” is about &lt;em&gt;the least wrong way&lt;/em&gt; of choosing a SIEM tool, as well as why the right way is so unpopular.&lt;/li&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2010/09/on-free-log-management-tools.html"&gt;On Free Log Management Tools&lt;/a&gt;” is another &lt;em&gt;perma-popular&lt;/em&gt; post, presenting a companion resource to the log checklist above.&lt;/li&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2011/07/top-10-criteria-for-siem.html"&gt;Top 10 Criteria for a SIEM?&lt;/a&gt;” is an &lt;em&gt;EXAMPLE&lt;/em&gt; criteria list for choosing a SIEM.&lt;/li&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2011/07/log-management-at-0-and-1hrweek.html"&gt;Log Management at $0 and 1hr/week?&lt;/a&gt;” is pretty much what it is: how to do log management under extreme budget AND time constraints.&lt;/li&gt;
&lt;li&gt;“&lt;a href="http://chuvakin.blogspot.com/2010/08/updated-with-community-feedback-sans_06.html"&gt;Updated With Community Feedback SANS Top 7 Essential Log Reports&lt;/a&gt;” and an older “&lt;a href="http://chuvakin.blogspot.com/2010/07/sans-top-5-essential-log-reports-update.html"&gt;SANS Top 5 Essential Log Reports Update!&lt;/a&gt;”&lt;/li&gt;
&lt;li&gt;&lt;a href="http://chuvakin.blogspot.com/2009/11/siem-bloggables.html"&gt;“SIEM Bloggables”&lt;/a&gt; has one possible view on higher-level SIEM use cases and basic functionality, and a quick discussion of SIEM user types.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://chuvakin.blogspot.com/2010/06/how-do-i-get-best-siem.html"&gt;“How Do I Get The Best SIEM?”&lt;/a&gt; is a discussion (circa 2010) about approaches to choosing SIEM tools and matching functionality to requirements.&lt;/li&gt;
&lt;li&gt;A 2009 post called “&lt;a href="http://chuvakin.blogspot.com/2009/12/log-management-siem.html"&gt;Log Management + SIEM = ?&lt;/a&gt;” gives some quick architecture advice on combining SIEM and log management.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;Disclaimer&lt;/strong&gt;: all this content was written before I &lt;a href="http://chuvakin.blogspot.com/2011/07/last-blog-post.html"&gt;joined Gartner&lt;/a&gt; on Aug 1, 2011 and is solely my personal view &lt;strong&gt;&lt;u&gt;&lt;em&gt;at the time of writing&lt;/em&gt;&lt;/u&gt;&lt;/strong&gt;. For my current security blogging, go &lt;a href="http://blogs.gartner.com/anton-chuvakin"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Also see my past &lt;a href="http://chuvakin.blogspot.com/search/label/Monthly"&gt;monthly&lt;/a&gt; and &lt;a href="http://chuvakin.blogspot.com/search/label/Annual"&gt;annual&lt;/a&gt; “Top Posts” – &lt;a href="http://chuvakin.blogspot.com/2008/01/annual-blog-round-up-2007.html"&gt;2007&lt;/a&gt;, &lt;a href="http://chuvakin.blogspot.com/2009/01/annual-blog-round-up-2008.html"&gt;2008&lt;/a&gt;, &lt;a href="http://chuvakin.blogspot.com/2010/01/annual-blog-round-up-2009.html"&gt;2009&lt;/a&gt;, &lt;a href="http://chuvakin.blogspot.com/2010/01/annual-blog-round-up-2010.html"&gt;2010&lt;/a&gt;, &lt;a href="http://chuvakin.blogspot.com/2012/01/annual-blog-round-up-2011.html"&gt;2011&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;About me: http://www.chuvakin.org&lt;/p&gt;</description>
 <pubDate>Tue, 01 Jan 2013 20:11:00 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/AntonChuvakinPersonalBlog/~3/IPG4Y6MOKxU/annual-blog-round-up-2012.html</feedburner:origLink></item>
<item>
 <title>via @lmacvittie: 1024 Words: Least Connections is Not Least Loaded</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/Qj1fB81xCps/1024-words-least-connections-is-not-least-loaded</link>
 <description>&lt;p&gt;#webperf #ado When &lt;a href="http://www.f5.com/glossary/load-balancing.html"&gt;load balancing&lt;/a&gt;, workload profile matters&lt;/p&gt;
&lt;p&gt;&lt;img alt="leastconnsnotleastload" src="/Portals/0/images/metapost/News-Articles/macvittie/2012/Dec/WLW-1024WordsLeastConnectionsisNotLeastLoade_430F-leastconnsnotleastload_2.png" title="leastconnsnotleastload" /&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 31 Dec 2012 15:14:00 +0100</pubDate>
<feedburner:origLink>https://devcentral.f5.com/blogs/us/1024-words-least-connections-is-not-least-loaded</feedburner:origLink></item>
<item>
 <title>via @GFISoftware: 2013 Through the Crystal Ball</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/tKXApUqL5es/</link>
 <description>&lt;p&gt;&lt;a href="http://www.gfi.com/blog/wp-content/uploads/2012/12/2013.jpg"&gt;&lt;img class=" wp-image-10079 alignright" style="border: 0px solid black; margin: 10px;" title="2013" src="http://www.gfi.com/blog/wp-content/uploads/2012/12/2013-300x172.jpg" alt="" width="243" height="140" /&gt;&lt;/a&gt;Predicting the future is one hazardous occupation (ask the Mayans), yet in the world of IT and technology, trends and habits have a tendency to repeat themselves year after year. In this post we look at some of the things that will most likely happen in 2013 – affecting both your users and the business in general.&lt;span id="more-10078"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;1. MySpace comeback&lt;/h2&gt;
&lt;p&gt;A recent study shows that MySpace is one of the poorest performing social media platforms of 2012; however, its latest site redesign and strategy could be enticing enough for netizens to give it a second (or third) chance. If MySpace becomes as buzz worthy as Google+ prior to its launch, we can expect criminals to take advantage of this. Expect a first-off shenanigan like bogus MySpace invites for this one.&lt;/p&gt;
&lt;h2&gt;2. The debate on BYOD will go on&lt;/h2&gt;
&lt;p&gt;For some, BYOD (Bring Your Own Device) was already a reality even before the term was invented and security measures were instituted in the company. It seems this policy is already bound to happen as more and more people bring and use their own personal devices. Now that an increasing number of employees and enterprises are embracing this policy, serious questions on security come in. As long as security remains an issue that is not addressed, BYOD will continue to be a hot topic of debate.&lt;/p&gt;
&lt;h2&gt;3. Online criminals will continue to bait mobile users with fake apps&lt;/h2&gt;
&lt;p&gt;Regardless of the security measures in place, people are still finding bogus apps served on Google Play. It is now up to the users to fend for themselves by checking and double-checking the credibility of the app creators.&lt;/p&gt;
&lt;h2&gt;4. Phishing, other scams, hacking and malware will continue to target gamers&lt;/h2&gt;
&lt;p&gt;Gamers on any gaming platform (Steam, PC, PS2, XBox, even social networking sites) have been subjected to phishing attacks and malware attacks in the past. Whether gamers are entering their account credentials into sleek-looking bogus gaming sites to which they were redirected from an email or downloading a keygen for their games, the gaming industry is a market cybercriminals will not fail to exploit.&lt;/p&gt;
&lt;h2&gt;5. Social media platforms will continue to be rife with web threats&lt;/h2&gt;
&lt;p&gt;Social media platforms like Facebook, Twitter, and Tumblr make it easy for anyone to share and see shared posts in real time. This, however, can also mean that what you&amp;#8217;re sharing might lead someone to panic unnecessarily, click a link that will take them to fill in surveys, or download and install something to their system.&lt;/p&gt;
&lt;h2&gt;6. There&amp;#8217;s still that issue of passwords&lt;/h2&gt;
&lt;p&gt;It&amp;#8217;s very alarming to see that bad passwords used a couple of years back are still being used now. As long as internet users continue to ignore the liabilities of recycling and reusing passwords, creating passwords that are too short and predictable, more accounts and sites will be in the hands of criminals.&lt;/p&gt;
&lt;h2&gt;7. Compromising/defacing sites will remain a means to express online protest and &amp;#8220;tough love&amp;#8221;&lt;/h2&gt;
&lt;p&gt;This so-called &amp;#8220;Hacking for a cause&amp;#8221; will continue as a means to protest against an ideology, law, philosophy, etc.&lt;/p&gt;
&lt;h2&gt;8. Vulnerabilities in third party software&lt;/h2&gt;
&lt;p&gt;Hackers will continue to target 3rd party programs, such as Adobe Flash, Oracle Java, and Adobe Acrobat for software vulnerabilities. They realize patching 3rd party applications is an area that many IT admins simply do not address. The solution to this would be to run a product that provides patch management for 3rd party applications, such as GFI LanGuard.&lt;/p&gt;
&lt;h2&gt;9. Social engineering &amp;#8211; you can&amp;#8217;t patch people&lt;/h2&gt;
&lt;p&gt;Hackers will continue targeting employees, by sending them emails that look legitimate, in hopes that the user falls for their trap. These emails may contain malicious attachments or URLs that point to malicious websites. IT admins should ensure they have an antivirus solution installed on the server and endpoints, as well as have the ability to filter malicious URLs.&lt;/p&gt;
&lt;h2&gt;10. Data loss&lt;/h2&gt;
&lt;p&gt;Nearly everyone at one point in their life has lost a mobile device, such as a smart phone. With the increase in employees following the &amp;#8220;Bring Your Own Device&amp;#8221; trend, IT admins need to know which devices are actually connected to their networks. They need to put policies in place that allow them to locate, lock, or wipe the device, and the employee needs to sign an agreement stating they approve of this. If the employee wants to connect their personal device to the corporate network, they have to agree to the terms set in place by the IT admin. If the admin has no way of tracking/wiping these devices, sensitive data may be lost, or put into the wrong hands.&lt;/p&gt;
&lt;h2&gt;11. Data theft&lt;/h2&gt;
&lt;p&gt;Miscreants will continue targeting high profile companies, in hopes of gaining access to sensitive data. We have seen the Anonymous group in 2010-2012 breach several corporations and government entities, and believe they will continue to do so in 2013. Typically, they are performing SQLi attacks, or SQL injection attacks, which allow them to reveal sensitive data stored in databases. IT admins should not only perform 3rd party audits of their web servers, but also have a contingency plan, in the event something goes wrong.&lt;/p&gt;
&lt;h2&gt;12. Mobile threats&lt;/h2&gt;
&lt;p&gt;Mobile threats will continue to escalate into a bigger problem for enterprises. Hackers realize that IT admins do not necessarily run an antivirus solution on their mobile endpoints, and as such, will target them. Malware is being created to steal data from Android devices. In order to keep this attack vector under control, corporations need to put security policies in place, which include installing an antivirus solution on mobile devices.&lt;/p&gt;
&lt;h2&gt;13. Cloud-based storage services havoc&lt;/h2&gt;
&lt;p&gt;More and more enterprises will use cloud-based storage services to store corporate data to allow for easy access when users are mobile. This is a nightmare for IT administrators because they have no clue where the data is going. Cloud-based storage services can be installed on any machine or device and so data is also accessed in many ways. Admins will need to regulate and control how cloud-based storage services are used in a corporate environment. Cloud services may also bypass content checking features in antivirus and anti-spam products because data is not being sent by email.&lt;/p&gt;
&lt;p&gt;Do you have any other predictions for 2013? Leave us a comment below and let us know!&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Like our posts? Subscribe to our &lt;a href="http://feeds.feedburner.com/TalkTechToMe-All"&gt;RSS feed&lt;/a&gt; or email feed (on the right hand side) now, and be the first to get them!&lt;/em&gt;&lt;/p&gt;
</description>
 <pubDate>Fri, 28 Dec 2012 16:00:58 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/TalkTechToMe/~3/8TPKzqT5NUE/</feedburner:origLink></item>
<item>
 <title>via @kairoer: A review of security in 2012 (and some thoughts for 2013)</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/7JnEBDDXIB4/678</link>
 <description>&lt;p&gt;&lt;img src="http://distilleryimage7.s3.amazonaws.com/df7b6e9a50ee11e2b39e22000a9d0df1_7.jpg" alt="View of the City of Drammen, dec 2012" title="A view of winter" width="612" height="612" /&gt;2012 was the year of many things. Not only the year a hero &lt;a href="http://en.wikipedia.org/wiki/Lance_Armstrong"&gt;fell off his piedestall and crashed his bike and career&lt;/a&gt;, it was also a year with quite some interesting security issues too. I have selected a few topics that I believe were important in 2012, as they are shaping the security community.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Do we really need security awareness training programs? &lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;An article by Dave Aitel &lt;a href="http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness"&gt;claimed that security awareness training is a waste of time&lt;/a&gt; and resources because it does not work. Stopping activities that are not working seems like a good idea, and one I commend.&lt;/p&gt;
&lt;p&gt;Yet, there is a difference between doing something right, and doing something wrong. If you do it wrong, it makes more sense to figure out how to do it right before you just abandon your activities altogether.&lt;/p&gt;
&lt;p&gt;In my opinion training is ever-important, also in security. If we want people to become more secure, we need to teach them what works, and what does not. More important is that we understand that people are humans, with their own minds, faults and reasons. Unlike technology, it can be quite hard to make people do what you want them to, all the time.&lt;/p&gt;
&lt;p&gt;The fact that making people do the right thing all the time is impossible, is also why some security folks may find it frustrating. My advice is to use professional trainers, who know security, and understand how people function too. Have them design a training platform that works for your organization.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Not everything that counts can be counted, and not everything counted counts. &lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;Another topic that was up again this year is security metrics. As Albert Einstein observed, it can be easy to measure stuff, but doing so does not automagically make it relevant or even right. I find that many metrics measure stuff just to make up a fancy dashboard, one that looks important. And I find there are two main reasons for this:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Those who set up the metrics don't know what is important to them and their organization,&lt;/li&gt;
&lt;li&gt;It's cheaper to show a fancy-pancy graph than to dig into what it really means&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It's not that hard to do metrics, as long as you understand that generic metrics based on a standard product or best practice will never give you the answers you need. You must analyse your internal needs and requirements, decide upon which controls to measure, and then implement metrics that give you relevant and realistic figures.&lt;/p&gt;
&lt;p&gt;For 2013, I suggest you identify a small number (5-10) of controls that really matter to you, and design (and test) metrics that give you useful information. After all, if the figures you get do not enable you to tune your security efforts, what is the point?&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;I can't fix the security, who can I blame? Ah - the users!&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;Another trend I saw in 2012 is a new version of the blame game. We have been talking about the human factor for years, and finally it seems like security people are opening their eyes to the possibility that there is more to security than firewalls, encryption and access controls.&lt;/p&gt;
&lt;p&gt;What concerns me about this trend is how some CSOs/CISOs seem to be using the human factor as a new excuse for why they can't secure their organizations as they expected. Instead of spreading their effort to include user awareness training programs (that actually work), and implementing metrics that show the real status, they seem to be more interested in blaming poor security on stupid users and their lack of interest and understanding.&lt;/p&gt;
&lt;p&gt;For 2013, dear CSO/CISO, I suggest you suck it up and realize this is your responsibility. Start doing things right, and please realize that people can be a great resource to you. With proper training and cultivation, you can build a culture of awareness that will help you do your job better. But continue to put the blame on them, and you will alienate yourself and your security efforts.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Google and Microsoft, bend to my will!&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;As is stated in the great book (yes, shameless self promotion) &lt;a href="http://thecloudsecurityrules.com/"&gt;The Cloud Security Rules&lt;/a&gt;, when you decide to use cloud services (as many did in 2012, and more will do in 2013), you must review and tweak the SLA to suit your needs. The challenge is that most companies are too small to force a change in the cloud provider's SLA, and thus they end up accepting terms they may not be able to live with.&lt;/p&gt;
&lt;p&gt;One example of such is the Norwegian municipalities of Narvik and Moss, who decided to move their internal office and email services to Google Docs and Microsoft 365.&lt;/p&gt;
&lt;p&gt;The SLAs of both suppliers were designed for the US market, and not really adjusted for the legal situation in Europe/EU. The Norwegian Data Protectorate (Datatilsynet) demanded answers to how the municipalities would comply with the Privacy Act, and this simple demand spurred a process in which all the parties (and their lawyers obviously) sat down to redesign the SLAs and the service delivery to comply with European law.&lt;/p&gt;
&lt;p&gt;None of the municipalities would have been able to do this on their own. Only because of the audit and demands from the Data Protectorate did these changes occur.&lt;/p&gt;
&lt;p&gt;This example shows the importance of close cooperation between customers, suppliers and the regulatory sector. And it shows how important local and regional adjustments are for cloud providers if they want to do business globally.&lt;/p&gt;
&lt;p&gt;Luckily, both Google and Microsoft can be reasoned with. The SLA changes they made open the EU market to them, with an SLA that is compliant.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Speaking at RSA&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;Another thing that happened in 2012 was me speaking at the RSA Europe conference in London. I was on a panel to discuss if security awareness training is a waste or a resource. To paraphrase myself - if you do it wrong, don't expect great results. Do it right, and you will get results.&lt;/p&gt;
&lt;p&gt;In 2013 I hope to be speaking and training in the US/North America. It seems like I will be traveling to the Great Lakes area early June (confirmation pending), and I would not mind extending my stay to go to other regions! Please consider me for your next training and speaking event!&lt;/p&gt;
&lt;p&gt;In Europe, I will be quite busy with training and speaking engagements in Norway and Germany.&lt;/p&gt;
&lt;p&gt;I also plan for my next book to publish in 2013. Must get going with that writing, then!&lt;/p&gt;
&lt;p&gt;&lt;b&gt;What are your plans for 2013? Which trends in 2012 do you see, and how will they evolve in 2013? When do you plan to invite me to your next event?&lt;/b&gt;&lt;/p&gt;
</description>
 <pubDate>Fri, 28 Dec 2012 16:00:11 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/kairoer/~3/4EskNceZqWo/678</feedburner:origLink></item>
<item>
 <title>via @j4vv4d: A look back over 2012</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/mTYagMdKXbY/</link>
 <description>This isn&amp;#8217;t a real video, it&amp;#8217;s one of those ones where we just take a look over all the videos we made over 2012 and make random comments. We had a great year making videos, hope you enjoyed watching them too. Leave a comment &amp;#8211; what was your favourite video this year?</description>
 <pubDate>Fri, 28 Dec 2012 13:04:20 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/J4vv4d/~3/1mZwnRUgWO0/</feedburner:origLink></item>
<item>
 <title>via @anton_chuvakin: Links for 2012-12-27 [del.icio.us]</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/5lHAL9N1wMc/anton18</link>
 <description>&lt;ul&gt;
&lt;li&gt;&lt;a href="http://hackmageddon.com/2012/12/26/browsing-security-predictions-for-2013/"&gt;Browsing Security Predictions for 2013 &amp;laquo; Hackmageddon.com&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~4/n4n7h_T3ZK0" height="1" width="1"/&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=5lHAL9N1wMc:JtAzLLh50cs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=5lHAL9N1wMc:JtAzLLh50cs:-BTjWOF_DHI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?i=5lHAL9N1wMc:JtAzLLh50cs:-BTjWOF_DHI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=5lHAL9N1wMc:JtAzLLh50cs:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/TheCloudSecurityRules/~4/5lHAL9N1wMc" height="1" width="1"/&gt;</description>
 <pubDate>Fri, 28 Dec 2012 09:00:00 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/AntonChuvakinPersonalBlog/~3/n4n7h_T3ZK0/anton18</feedburner:origLink></item>
<item>
 <title>via @anton_chuvakin: Links for 2012-12-26 [del.icio.us]</title>
 <link>http://feedproxy.google.com/~r/TheCloudSecurityRules/~3/Ps0NiGpooIU/anton18</link>
 <description>&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.computerweekly.com/blogs/david_lacey/2012/12/predictions_for_2013.html"&gt;Predictions for 2013 - David Lacey's IT Security Blog&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://blog.lookout.com/blog/2012/12/13/2013-mobile-threat-predictions/"&gt;2013 Mobile Threat Predictions | The Official Lookout Blog&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~4/7TxkrSCxtlM" height="1" width="1"/&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=Ps0NiGpooIU:VYqIC_7q7D0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=Ps0NiGpooIU:VYqIC_7q7D0:-BTjWOF_DHI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?i=Ps0NiGpooIU:VYqIC_7q7D0:-BTjWOF_DHI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?a=Ps0NiGpooIU:VYqIC_7q7D0:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/TheCloudSecurityRules?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/TheCloudSecurityRules/~4/Ps0NiGpooIU" height="1" width="1"/&gt;</description>
 <pubDate>Thu, 27 Dec 2012 09:00:00 +0100</pubDate>
<feedburner:origLink>http://feedproxy.google.com/~r/AntonChuvakinPersonalBlog/~3/7TxkrSCxtlM/anton18</feedburner:origLink></item>
</channel>
</rss>
