Take Sarah Palin. It is said that she made some very simple mistakes in handling her Facebook page. In the wealth of information she made available about herself, she included her wedding date as well. Her email account was with Yahoo! And her password to that account was – her wedding date! No technical expertise was required to hack her mail and the mail did get hacked and scattered all over the Internet.

Close to 66% of US households have a presence on a social networking site such as Facebook or MySpace. Therefore the amount of personal information available to determined searchers is enormous. Many cyber experts feel that we have yet to face the full impact of the criminal exploitation of personal data on the Net.

To be fair, the websites providing social networking platforms have built a number of safeguards. But most users are simply not concerned enough –until their data gets misused.  A recent survey of about 2000 households revealed that nearly 9% had experienced some kind of harassment, malware infection, identity theft or a scam. Nearly half the users had mentioned accurate details about themselves or their families. People had exposed their children and most had not used the privacy features provided by these sites.

Here are a few of the most common errors in using social networking sites –

• Guessable passwords – Do not use passwords such as Sarah Palin did. If your hint question on your email account is the name of your pet poodle, and your facebook wall is plastered with pictures of Buddy and you, then it doesn’t take rocket science to get into your mail.
• Your date of birth is sacred for more reasons than one – the DoB is one step closer to the information one needs to gain access to your bank / credit card details. Yet most people think nothing of putting it prominently on their Facebook page. If you really want your date of birth to be known, at least hide the year.
  • Use the privacy controls the sites give you – don’t give everyone access to all your photos. Why not confine contact information to just your email? There is no need to put your telephone and home address on the page either.
  • Never put your children’s names and details on the site. You could easily be exposing them to danger. While you may have been careful to give access only to trusted friends, how do you know that their accounts are secure?
  • Going on a vacation post – letting the world know you are off to Venice for a week is like putting up a ‘nobody home’ sign on your door. Come back from your vacation and then amaze your friends with the photos.   

The critical issue about social media is the volume of data it has begun to store about us. Most users do not think they will be targeted and possibly one can hide in numbers for a while. But with automated tools to hack accounts, hiding in numbers is not an option.

The only way out is to understand the threat and take corrective action before it is too late.

As an (ISC)² member you can help education young people on these issues by joining Safe and Secure Online program.  The program provides the material and framework for you to teach students at your local elementary school.  For more information go to https://cyberexchange.isc2.org/safe-secure.aspx

Back in the day many of us became the go-to person for tech support in our families.  Do you find that you are now the go-to person for privacy issues in your family?

Comment below or on Intersec.

It seems to me there are just two options:

1. Don't expect employees to blow the whistle on their employers, but rely solely on other governance, compliance and enforcement activities, such as external audits.  This would be bad for society because insiders often have direct knowledge of impropriety that is invisible to, or hidden from, outsiders (remember Barings Bank?  Does Enron ring a bell?) ... Or ...
2. Protect whistleblowers. 

Ensuring whistleblowers' continued employment with the same employer may not be sensible in all cases - in other words, whistleblowers should not have unrealistic expectations of being able to continue in employment with the same organization following a major disclosure.  However, it may be possible to reward whistleblowers with, say, a cut of any fine imposed on their (former) employer, acting as both a financial incentive to blow the whistle and a way to soften the blow of being 'let go' afterwards, if/when that happens.  Furthermore, professional bodies such as (ISC)² and ISACA should, I feel, make special provisions to support any of their members who are placed in such a difficult position. I'm talking about, for example, mechanisms to handle whistleblowing allegations on behalf of their members, and if appropriate providing legal backing to ensure that their members are treated fairly.  Perhaps offering a professional award to recognize members who legitimately blow the whistle despite the personal risk might help them find future employment with organizations that are open-minded enough to welcome them in.

Kind regards,
Gary Hinson CISSP

PS  Thanks to Anton Aylward for pointing out the Forbes piece on CISSPforum.  If you are a CISSP but don't belong to CISSPforum, you're missing out on a valuable benefit.

OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act.

The bill would bar employers from demanding job applicants' Facebook passwords - which recently has become an issue: The ACLU's Maryland branch championed the case of a Baltimore man who says he was told that his prospective bosses needed to make sure he wasn't in a gang.

"We need a federal statute to protect all Americans across the country," Rep. Eliot Engel, D-N.Y., a co-sponsor, wrote on his Web page. "We must draw the line somewhere and define what is private."

Although the opinion piece concerns job applicants, the ethical issue is much wider, for example during employment, in sensitive/trusted positions especially (e.g. any industry segment that routinely conducts intrusive 'positive vetting' - now there's an oxymoron!).  It also potentially extends to other insiders (e.g. consultants) and perhaps outsiders (e.g. the marketing department may have legitimate concerns about the brand damage caused by a customer's adverse comments on a semi-private blog), and in the reverse sense too (e.g. shouldn't employees have full access to all emails and personnel records concerning them, even though the employer may consider them private and sensitive?).

My take on this is that 'the line needs to be drawn' but exactly where the line goes depends on the context and the specific situation, making it very difficult to lay down universal rules on this.  Notions such as equitability and fairness seem to appy, but good luck if you are trying to define them in formal policies.  Making law in this area may be the most awkward and perhaps expensive way of dealing with the issues, but on the other hand there is an inherent imbalance in the power of the individual versus that of the organization, or for that matter the state (e.g. the issue of people being coerced into revealing their passwords and encryption codes 'for reasons of national security'). Legislation may be needed as a backstop against unethical or oppressive organizations.

This may be one of those situations where guidelines, principles and examples are a better way of clarifying the issues and intent than formal policies or laws, leaving the final decisions over the appropriateness or otherwise of potentially intrusive or privacy-threatening demands to those involved.  Case studies, for instance, are a good way to get people to think and talk about the issues, making this a good topic for security awareness programs. 

Caveat: I am neither a lawyer nor a privacy expert.  I'm raising it here to set you thinking about the issues, not show you The Way.

Regards,
Gary

www.NoticeBored.com security awareness
www.ISO27001security.com ISO27k
www.SecurityMetametrics.com security metrics

Software development contracts aim to address all three traits - fast, cheap and quality at the same time. Here when we say quality, we intend to mean that the software has been well tested in terms of functionality, usability and security. Up until now there were very few companies that actually went for a security provision in their contract which implied the company developing the software to have the application or software security tested as well. Based on the provisions made, it was either the developers or the buyer of the software that would bear the ultimate responsibility of the software in case there was a security breach that was reported.

Different companies adopt different course of action in which they want to address the security provision in the software development contract. One may argue that it must the developers’ responsibility to make sure that they software they are putting out and submitting to the original buyer has been tested for security. But, developers have been asked to deliver a product that is complete, does what it is supposed to do and is as per the original design. Having complied to all these, developers would be least bothered of the fact that beyond the natural course of function and operation, the software is vulnerable to attacks which may lead to loss of data or privacy of its customers or both.

On the other hand buyers of the software, who have ordered for the software to be developed, would want to blame the vulnerability onto the developers and come out clean themselves. With design of the software being provided by them, they should be held responsible if the design itself didn’t contain the requisite security provisions that could be put in place by developers at a later stage.

Another facet of this whole discussion is that even though the contract does have the security provision and both parties have adhered to their part of responsibility in making the software secure, there are new methods of attacks that are coming up. With this, even though the software was security initially, new attack vectors may render the software insecure. In this case, what should be the approach? Will the vendor of the software take the blame or will it be the developers who are responsible? Common perception says that as the developers have done their part and delivered secure software, it is the vendor’s responsibility to make sure that the software is resistant to attacks even from new attack vectors. This can only be done by subjecting the software to regular testing which definitely falls under the purview of the vendor.

Something's got to give - fast, cheap, high quality, and secure.  Have you seen security provisions in software contracts?

Join the discussion on Intersec

Lines have been drawn to differentiate the good from the bad from the ‘shady’ viz., White hat hackers, Black hat hackers and the Grey hat hackers that not only intends to define the nature of business of each but, also attempts to differentiate between the underlying ethics of these groups.

In their initial form, hackers were that breed of ‘intellectual’ people who believed in: free information, openness, the ability of computers for betterment of life, doing good for the community in general. Each of the so called sect of the hacking community was derived from the above mentioned principles and the manner in which they adopted these for either the good of the people or for their own benefits, molded their way into the current times thus making them either the Good, the Bad or the Ugly.

Building on these set of ideal or principles – whatever you may wish to call them – the white hat community came out to be the most ‘pious’ of them all, if I may, which took the initial principles of hacking and used them to bring about a positive change to the world of security. Through their ‘tinkering’ abilities, white hats ensured that they utilized their skills for the betterment of the software, hardware and the computing platform as a whole. Helping vendors fix flaws that were discovered by them rather than using those for unlawful gains is what made this community ethically noble.

White hats, by lawfully discovering a vulnerability and reporting it, not only benefit  the vendor of the software, hardware, operating system, etc., they also help build a better and secure infrastructure for day to day users of those systems. Satisfaction of doing something good is one of the main ethics that drives the white hats.

Lately major internet corporations like Google (http://www.itproportal.com/2011/01/14/google-pays-out-14k-rewards-latest-chrome/), Facebook (http://www.itproportal.com/2012/01/05/facebooks-annual-hacker-cup-contest-kicks-off-end-january/) have started shelling out cash prizes for those who help them find vulnerabilities in their platforms. This proves that the ethics followed by the white hat community have been noticed and that co-ordinated disclosure, which ensures that openness of information is achieved, helps these companies stay on top of vulnerabilities which in turn will help the web user community better secure their platforms.

Collaboration is the key and information sharing is what the hackers believe in. White hats achieve these through working with their peers and with the industry to deliver the right information at the right time that proves to be beneficial for all.  Coming soon -- how the white hats learn and develop their skills.

 Hats off to the white hats!

Join us on Intersec to discuss the ethics of white hat hacking.  What do you think?  Follow this link.

“The second phase of the FISMA Implementation Project focuses on the development of a program for credentialing public and private sector organizations to provide security assessment services. Security assessment services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessments may be part of an information system certification and accreditation effort, in support of continuous monitoring of security controls, or for other types of information system security assessments.

Organizations that participate in the credentialing program need to demonstrate competence in the application of the NIST security standards and guidelines and the information security practices consistent with FISMA and OMB requirements. Developing a network of credentialed organizations with demonstrated competence in the provision of security assessment services will give federal agencies and other customers of security assessment services greater confidence in the acquisition and use of such services.”

Although the focus and characteristics of the program may be different, the idea has many similarities.  Following the “NIST FISMA Phase II: Workshop of Credentialing Program for Security Assessment Providers”, NIST published, NISTIR 7328, “Security Assessment Provider Requirements and Customer Responsibilities, a document that was intended to supplement the workshop focused, in part, on establishing criteria for the Security Assessment Team capabilities.  One of the most important criteria for measurement of a Security Assessment Provider was the composition of the Assessment Team in regards to the Knowledge, Skills, and Abilities (KSAs).  The references referred to the Federal Information Systems Controls Audit Manual (FISCAM), the 1999 version which has been superseded in 2009.  FISCAM defined KSAs as follows:

•  Knowledge is the foundation upon which skills and abilities are built. Knowledge is an organized body of information, facts, principles, or procedures which, if applied, makes adequate performance of a job possible.
• A skill is the proficient manual, verbal, or mental manipulation of people, ideas, or things. A skill is demonstrable and implies a degree of proficiency.
• An ability is the power to perform a job function while applying or using the essential knowledge. Abilities are evidenced through activities or behaviors required to do a job.

In the above list, the 3PAO program focused an effort on ensuring the Third Party Assessment Provider Organization (3PAO):

• Maintained knowledge, understanding, and competency in the application of the FedRAMP program security assessment standards, guidelines, and requirements;
• Maintained knowledge, understanding, and competency in the application and assessment of cloud-based information system-related technologies and practices.
• Maintained knowledge and understanding in the use of supporting NIST publications/ programs 
• Maintained instructions, procedures, methods, worksheets, etc., relevant to the work of security assessment of cloud-based information systems that are consistent with the FedRAMP program requirements, and supporting NIST publications/programs. 
• Selected assessment team personnel that collectively have the relevant knowledge, skills, and abilities for conduct of the given security assessment. 
• Prepared a security assessment plan for each assessment consistent with the FedRAMP program requirements. 
• Reviewed the assessment plan with the cloud service provider to ensure that the security assessment plan is appropriate for the assessment; and that all necessary cloud provider information, documentation, data, artifacts, personnel, etc., for the security assessment is (or will be) available. 
• Conducted the security assessment, following the security assessment plan. 
• Prepared a security assessment report consistent with the FedRAMP program requirements.

Of the requirements detailed in the 3PAO Application (above), one in particular, the selection of the assessment team personnel, was left for the Cloud Service Provider and/or the 3PAO to ensure was addressed as part of their hiring practices for the Assessment Team. This requirement focused on ensuring the security assessors had the relevant knowledge, skills, and abilities for conducting the given security assessment of the cloud service.

Placing a focus on knowledge, as we recall from earlier in this article, is the “foundation upon which skills and abilities are built”.  This specific attribute of an assessor requires more than pure security knowledge, but also a supplemental knowledge of cloud computing.  Previously, I have written two articles on the Cloud Security Alliance, Certification of Cloud Knowledge (CCSK). 

• So what is the Certificate of Cloud Security Knowledge (CCSK) anyway?
• Selecting a 3PAO with assessors that have the Certificate of Cloud Security Knowledge (CCSK)

In March 2011, I sent an email to David McClure (Associate Administrator GSA's Office of Citizen Services and Innovative Technologies) noting a similar need for a program focused on the qualifications of third party assessors.

"In reading an article published in the Government Computer News today (http://gcn.com/Articles/2011/03/23/FedRAMP-myths-GSA-McClure.aspx?p=1), a series of 7 specific areas where noted as being focus areas for government improvement of FedRAMP. Specifically #2 ("More guidance on third-party assessors' independence"), something I believe should be expanded to address additionally is the qualifications of the independent assessors. Unlike the PCI Council (PCI DSS) Qualified Security Assessor (QSA) designation for approved companies and providers (https://www.pcisecuritystandards.org/approved_companies_providers/index.php) that can validate a companies adherence to PCI DSS, a qualification is needed for a Cloud Security Assessor that understands cloud-specific security risks (e.g., Cloud Security Alliance's Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/certifyme.html) and adherence to the FedRAMP requirements such the application of the NIST 800 series - the RMF and NIST SP 800-53 security controls (e.g., the (ISC)2 Certified Authorization Professional (https://www.isc2.org/cap/Default.aspx)).

I have specifically highlighted the necessity for criteria to be established for independent assessors on FedRAMP.net (http://www.fedramp.net/selecting-an-independent-third-party-assessor) to include some additional credential that would adequately address some measure of knowledge both about security in general and secuity specific aspects of cloud computing environments which would enable reports submitted to the government to be valuable in facilitating a "credible, risk-based  decision" as necessary to properly authorize a cloud service to operate under the auspice of the FedRAMP program."

Here, the knowledge is not necessarily focused on mastering the CCSK exam, but rather understanding the material to ensure the knowledge created provides a foundation for supporting the skills and abilities many successful auditors/assessors/inspectors already have working within traditional IT environments.  The CCSK provides the 3PAO with the knowledge to support federal agencies in the adoption of secure cloud solutions with confidence.  The CSA has developed a partner training (see sources below) that is structured and delivered through a comprehensive training program geared to ensure instructors provide a consistent and high quality training atmosphere.

1ECG provides classes in the Washington D.C. area.  Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

• CloudSecurityTraining.com
• (ISC)2 and the Cloud Security Alliance Expand Cloud Security Offerings to Their Memberships
• Official CCSK Prep Guide
• Cloud Security Alliance Approved Training Partners
• CCSK FAQ
• Overview of the CSA’s Certificate of Cloud Security Knowledge (CCSK) Exam
• Top 5 Certification for 2012
• Data Security Report: Taking control of the Cloud
• TechAmerica and the Cloud Security Alliance Join Forces to Expand Cloud Offerings to Members
• Cloud Security Knowledge 101
• What about cloud security certifications for cloud providers?
• Selecting an Independent Third Party Assessor (3PAO)
• So what is the Certificate of Cloud Security Knowledge (CCSK) anyway?

Executive Summary

Since March, 2011 more and more Cyber attacks are surfacing across the globe with damaging consequences both for the companies that faced the attacks and for the customers whose details were stolen. One such attack was on Sony’s PlayStation Network that resulted into breach of personal details of nearly 70 Million customers.

Some of the other cyber attacks of 2011 are RSA, Lockheed Martin, Gmail accounts of U.S. politicians, CitiGroup, IMF, etc.

Considering that the above attacks are particularly high profile and are more or less detached from our day to day activities, finally joining the list of above high profile hacks are security breach of networks of Comodo CA, DigiNotar CA and GlobalSign CA.

Attacks that were carried out in almost all of the above cases relied on the most basic of attack vectors that comprised of a combination of Phishing attacks for compromising username/password along with SQL injection, XSS (Cross Site Scripting) and penetration of network by exploiting known vulnerabilities.

The CA hacks were more or less on the same lines when we talk of attack vectors, but after the successful hack, the hacker managed to create fake certificates for sites such as www.google.com, mail.yahoo.com, login.live.com, etc. giving hacker(s) the capability of sniffing into traffic of thousands of users through man-in-the-middle attacks. This breach led to bankruptcy of DigiNotar.

Investigations carried out in most of the hacks points to the fact the almost all companies: a) Failed to regularly maintain all their servers, applications, network equipments with latest updates; b) Failed to carry out regular code review of the web applications on their web servers; c) Failed in Due Care and Due Diligence activities.

Overview

Over the last six months, there have been instances of breach in security of networks of many Certifying Authorities. Comodo, DigiNotar, DigiSign & StartCom are some of those CAs. Hacker(s) have been reported of exploiting common vulnerabilities within poorly maintained servers & firewalls. The hacker(s) have also been reported to have used advanced attack methods to penetrate the HSM (Hardware Security Manager) with only one single open port. Through this document, I intend to highlight the fact about the need for regular maintenance of network equipments, servers as well as need for regular monitoring and awareness to the fact that even proprietary software/hardware such as HSM is not out of reach of determined hackers.

Finding out network information of Certifying Authorities is particularly easy because most of their actives are more or less online. Gaining access to Certifying Authorities networks may be considered harder because, they, in most cases will have fortified networks with latest in hardware as well as software security measures in place. Physical access to such networks is not needed because, again as advised earlier, most of the activities are online and the information systems would be more or less interconnected.

Comodo

Comodo is a well known company in the web security arena whereby it provides services and solutions that cater for creating online trust. SSL Certificates, Code Signing Certificates, Email security certificates, etc. are some of the products provided by Comodo.

On March 23^rd, Comodo revealed that they have suffered a cyber attack which has resulted into a breach of their network. The disclosure came about 8 days after the actual hack (15^th March, 2011) was carried out.

The hacker who has claimed responsibility of the attack is ComodoHacker, through his pastebin account.

Comodo Verdict on the Attack

According to Comodo, one of their RA in South Africa (InstantSSL.it) suffered an attack that resulted into the breach of the account of that particular RA on 15^th March, 2011. The RA account was then used to fraudulently issue 9 certificates across 7 different domains. Some of these domains were mail.google.com, login.yahoo.com, www.google.com, login.live.com, addons.mozilla.org, login.skype.com.

Comodo claims that there was neither a breach in security of their main CA infrastructure nor their HSM or private keys. Other RAs haven’t been compromised either.

Hackers Standpoint

ComodoHacker claims that he managed to gain complete access to the RA network and reverse engineered the DLL (TrustDll.dll) that took care of signing of certification requests. As it seems, the DLL file was coded into C# and the code has been uploaded onto the hackers PasteBin account.

Username and passwords were hardcoded into the DLL file which led the hacker straight to the APIs used for signing of certificates. The hacker generated his own CSR (Certificate Signing Requests) and signed them through the use of the signing APIs he already had access to and managed to fabricate fake certificates for the above mentioned CAs.

Further, the hacker claims that after gaining access to the network of GlobalTrust and has uploaded one database table onto his pastebin account. The hacker also claims that he had access to the RDP of GlobalTrust server for two full days with complete administrator access. He also mentions that he was able to wipe two complete backups of the CA data from LG based backup systems.

Attack Surface

Combining information from both Comodo CA and the hacker, it comes to light that:

• Partner network was hacked into.
• RDP access was open for EVERYONE which definitely is not a good practice.
• Username/Passwords were hard coded into DLL files.
• Language which can be easily decompiled i.e. C# was used to create something as important as DLL files.

No forensic investigation report has been released from Comodo as of now.

Damage

Having access to fake certificates can enable anyone to carry out successful man-in-the-middle attacks and passwords and other important data can be sniffed effectively nullifying all the protection provided by SSL Certificates.

What can we learn?

The things that we may learn out of this attack are:

• Partners should be made aware about the need for security in their own networks.
• Code review of our important sites.
• Remote Desktop Connections should be either disabled of limited to a few specific IPs only.

Where does Comodo Stand?

Comodo is still operational as it claims that its main CA network wasn’t breached.

DigiNotar, a subsidiary of Vasco, based in Netherlands hosts multiple Certifying Authorities ranging from CA for SSL certificates to Government accredited certificates, etc.

It came to light on August 29^th, 2011 that there was a certificate lurking in the open web space for *.google.com, which indicated that effectively all the sub-domains of Google, to the likes of mail.google.com, docs.google.com, code.google.com, a total of 26 were affected by this fake certificate.

The attacker, who goes by the pseudonym comodohacker, took the responsibility of the attack and claimed that he had access to a total of 500+ fake certificates. He had managed to extract certificates for google.com, Mozilla.com, Microsoft updates, etc.

Attack Surface

According to the hacker, there was a series of sophisticated hacks that he used to get into the network of DigiNotar atleast 4-5 layers deep wherein the equipments didn’t have any direct connection to the internet whatsoever.

According to the investigation company, Fox-IT which investigated the hack attack on DigiNotar, there were many network loopholes present, namely:

• No anti-virus software on many servers.
• Anti-virus definitions were not up-to-date.
• All CA servers were part of a single domain which effectively meant that a single domain administrator account compromise opened the door to all servers.
• Famous tools such as Cain-n-Able were used to carry out attack along with some specialized scripts.
• Servers were not patched appropriately and many were missing updates completely.
• Intrusion Prevention System was in place but was not able to block the attacks.
• Password used for administrator account was not strong enough and could have been guessed through brute-force attack.
• No central logging mechanism and no proper review mechanism in place.

Startling facts are disclosed here and they point to the fact that despite being a company linked with a high profile parent, the logical security was at a complete lapse.

Damage

Effectively, having access to these certificates and diverting users’ traffic to hosts that would be hosting sites with these fake certificates, successful man-in-the-middle attacks can be carried out. Only having fake certificates doesn’t have that great an impact, but the mere lapse in security cannot be sidelined and a note should be taken that hacking attempts of this sort are lurking in the wild and effective countermeasures should be in place to nullify such attacks.

What can we learn?

The things that we may learn out of this attack are:

• Need for regular review of traffic hitting the perimeter of the network through firewall log analysis.
• Need for regular review of Windows system logs through event viewer.
• Need for application of windows patches without any delay whatsoever.
• Regular maintenance (updates, logging, auditing) of security equipments for atleast the perimeter network.
• Complete segregation of network at least virtually if not possible physically.

Where does DigiNotar Stand?

DigiNotar has filed for bankruptcy as on September 20^th, 2011.

GlobalSign

ComodoHacker, the hacker behind Comodo and DigiNotar hacks, claims through his PasteBin account that he has access to GlobalSign network as well and he soon shall start creating fake SSL certificates but, hasn’t declared anything further in this regards.

GlobalSign, after a brief investigation, reported that no major hack has been discovered beyond the fact that one of their Webserver had been hacked and they have taken necessary precautionary measures to prevent reoccurrence of such attacks.

The webserver, according to GlobalSign, was a standalone server without any capabilities linked with issuing of certificates.

ComodoHacker hasn’t released any further information as yet.

What can we learn?

The things that we may learn out of this standalone webserver hack:

• Code review of applications residing onto the webserver.
• Security of the webserver itself needs to be reviewed and server needs to be hardened.
• Regular maintenance (updates, logging, auditing) of security equipments for atleast the perimeter network.
• Complete segregation of network at least virtually if not possible physically to limit the attack surface.

References

Comodo Hacker PasteBin Account - http://pastebin.com/u/ComodoHacker

Trend Micro Blog - http://blog.trendmicro.com/diginotar-iranians-the-real-target/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed:+Anti-MalwareBlog+%28Trend+Micro+Malware+Blog

The Register - http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/ and http://www.theregister.co.uk/2011/09/20/diginotar_bankrupt/

Networking4All - http://www.networking4all.com/en/ssl+certificates/ssl+news/time-line+for+the+diginotar+hack/

DigiNotar Investigation Public Report - http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf

GNS Magazine - http://www.gsnmagazine.com/node/22773?c=cyber_security

Comodo - http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Business Insider - http://www.businessinsider.com/imf-cyber-attacked-hackers-sony-rsa-lockheed-martin-epsilon-michaels-2011-6#email-marketing-firm-epsilon-was-hacked-to-obtain-emails-for-spear-phishing-campaigns-1

In my experience performing IT audits against ISO/IEC 27002, average scores have been up around 60 to 70%, although these are for large organizations in industries that take information security seriously (financial services, defence, aerospace, pharmaceuticals and hi tech/engineering).  For starters, they employed me to do their IT audits!

The Pwc/Iron Mountain study appears to have been based on a ticklist approach: the report appendix lists 34 topics under the question-stem "Which of the following does your organization have in place?", implying that respondents simply ticked off the ones that apply - things such as a corporate risk register and an employee exit process. It's a simple method that partially compensates for the lack of detail by surveying many organizations at once, although as a metric it is crucially dependent on the wording of the specific questions.

There are no surprises in the study's three recommendations: (1) make information security a boardroom issue; (2) change the workplace culture through security awareness; and (3) put security policies and procedures in place.  Many of us have been promoting these for years.  Unfortunately, the study didn't address the issue of why these are not already near-universal practices.  Why isn't information security on every board's agenda already?  Why is security awareness still seen by many organizations as a once-a-year thing, if ever?  Why do so many managers evidently not appreciate the need for clarity around security policies and processes? 

I'm reminded at this point of the N-whys method, pioneered for Kaizen and the Toyota Production System.  The method is brilliantly simple: ask why something occurs, then explore the response with another why, and carry on asking why to get to the root cause - or rather causes since, if done well, the method reveals an extensive root system of causative factors rather than a single root cause.

For example here's one possible line of reasoning using N-whys:

1. Why isn't information security on every board's agenda already?  Because there are too many other pressing demands on the board's valuable time.
2. Why are there too many other pressing demands on the board's valuable time?  Because information security is just one of many strategic/governance/compliance/risk management issues. 
3. Why is information security just one of many strategic/governance/compliance/risk management issues?  Because it is diffuse and ill-defined.
4. Why is information security diffuse and ill-defined?  Because many people are confused between IT security and information security.
5. Why are many people confused between IT security and information security?  Because general news coverage and business reporting does not draw a distinction.
6. Why doesn't general news coverage and business reporting does draw a distinction between IT security and information security?  Because hacking, privacy and malware incidents make effective headlines, whereas information security is mostly unglamorous and humdrum.
7. Why is information security mostly unglamorous and humdrum?  Because the information security profession does a poor job at explaining and justifying its existence.
8. Why does the information security profession do a poor job ... OK, enough already, you get the idea.

I'm certain you would have followed a different path from the initial why, and in fact I would probably take a different route every time through the same analysis, quite deliberately because I get bored so easily!  As a brainstorming technique, however, I suspect a diverse group of people would soon converge on a common set of causative factors, along with some uniques that might prove interesting in themselves.  PwC/Iron Mountain evidently homed-in on three key factors, and that's fair enough, but I encourage you to take a look at the survey's findings, draw your own conclusions, and see what you would recommend.  Seriously, it's not hard to come up with many more than three, and it's an interesting exercise in its own right.

For bonus marks, run this as a workshop with a collection of business managers and GRC specialists, and in so doing make a great start on recommendation 2!

Gary Hinson

1. What is a 3PAO? A 3PAO is an organization that performs initial and periodic assessment of security and privacy controls deployed in cloud information systems. 
2. When is a 3PAO required? CSPs that go through FedRAMP must use a 3PAO to provide an independent verification and validation of the security implementations required by FedRAMP. FedRAMP provisional authorizations must include an assessment by a FedRAMP accredited 3PAO to ensure a consistent assessment process.

The CCSK is not a guarantee but does offer one source to ensure that the assessor has the essential knowledge of cloud computing and security/risk management “best practices” as be applied within a cloud environment (across all of the different deployment and service models, and derivatives).

The FedRAMP PMO 3PAO limits the application of measurement to a response of six (6) key areas as applied to a SaaS environment within a private, public, hybrid, or community deployment model categorized as Moderate-Impact to determine the technical competence and capability of the 3PAO.  The six areas include:

1. methodology
2. documentation of 9 controls: (i) account management, (ii) remote access, (iii) auditable events, (iv) configuration settings, (v) information system backup, (vi) incident handling, (vii) vulnerability scanning, (viii) transmission confidentiality, and (viiii) flaw remediation in a sample security plan
3. development of a security assessment plan (SAP)
4. documented evidence of a simulated execution of the assessment procedures in the SAP, 
5. a report documenting the output of the execution of the SAP 
6. critical success factors

Although a broad coverage of the application of the NIST standards and guidance, it does not specifically highlight the qualification of the individuals that will be hired by the 3PAO to conduct the assessment on the CSP.  This is where the CCSK provides a useful tool for a CSP when selecting a 3PAO for their assessment RFP.  By establishing minimum personnel requirements such as the CCSK with other credentials like the CISSP, CAP, CSSLP, etc., the CSP could have some level of assurance that the assessor conducting the assessment has evidence of cloud security knowledge.

As I wrote in my section of FedRAMP.net on selecting an independent third party assessor,

“The criteria of an independent assessor(s) or assessment team within the Cloud should include a mix of skills and proficiencies…”

“…a key criteria that should be included as part of the selection criterion when identifying qualified and “capable” independent assessors or members of an assessment team is certifications that establish a baseline of cloud security knowledge.”[1]

However, the CCSK is not only valuable to CSP, but also the 3PAO.  As an important hiring criterion for 3PAOs seeking to find qualified candidates, the CCSK can be used as part of the candidate evaluation/selection criteria in jobs announcements.  It is important to note that not all candidates will score the same or achieve the same level of cloud security knowledge when taking the CCSK, but at minimum, the CCSK does establish that a candidate has at least a core understanding of a broad range of topics covering the security of cloud computing environments.

As quoted by Stuart Lisk, Senior Manager, Product Management and Marketing at Hubspan in 2010 when the exam was still in the early stages:

“You might think this is just one more pay-for-play certificate to add to your wall. However, when you further examine what it takes to pass this certification, you quickly realize the CSA has ensured this is no cakewalk.”[2]

Sources:
[1] http://www.fedramp.net/selecting-an-independent-third-party-assessor
[2] http://www.hubspan.com/cloud-security/cloud-security-test-makes-hubspan-techies-certifiable/

1ECG will be holding classes in the Washington D.C. area starting April 1, 2012.  Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

• CloudSecurityTraining.com
• (ISC)2 and the Cloud Security Alliance Expand Cloud Security Offerings to Their Memberships
• Official CCSK Prep Guide
• Cloud Security Alliance Approved Training Partners
• CCSK FAQ
• Overview of the CSA’s Certificate of Cloud Security Knowledge (CCSK) Exam
• Top 5 Certification for 2012
• Data Security Report: Taking control of the Cloud
• TechAmerica and the Cloud Security Alliance Join Forces to Expand Cloud Offerings to Members
• Cloud Security Knowledge 101
• What about cloud security certifications for cloud providers?
• Selecting an Independent Third Party Assessor (3PAO)
• So what is the Certificate of Cloud Security Knowledge (CCSK) anyway?