Thursday, December 31, 2009

Cloud computing - Security issues and remediation steps - Part 2

In Part 1, we looked at the definitions and some of the basic offerings in cloud computing. In this part, we will look at the security issues and some of the questions that organizations can ask providers to assess the risk.

What are the risks?


Before we get to the risks, we need to understand the requirements from the security perspective. Security requirements are not different for cloud computing; the basic security requirements apply to cloud computing as well, namely:

• Preserve confidentiality, integrity, and availability
• Access Control
• Compliance
• Protect the assets and the organization against malicious agents
• Ensure business runs smoothly with optimal security

ENISA, the European Network and Information Security Agency, recently published an excellent document listing the cloud computing risks. Some of the major risks include:

  1. LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security.
  2. LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment.
  3. ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
  4. COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud: a) if the CP cannot provide evidence of their own compliance with the relevant requirements b) if the CP does not permit audit by the cloud customer (CC).
  5. MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
  6. DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
  7. INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data.
  8. MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater.

What are the things to check?

Now, let's take a look at some of the things to check before an organization selects a provider. Here are some of the questions that you can ask the provider to assess its security posture. It is not a comprehensive list, but it will give you a good idea about the provider's information security capabilities.

  • Does the provider have any information security certifications like ISO 27001?
  • What are the hiring practices and background checks on the employees and administrators of the provider?
  • How is access control enforced and privilege access controlled?
  • What are the provider’s business continuity and disaster recovery plans? Do they involve any locations that your organization may have an issue with?
  • Does the provider have any responsibility for complying with any regulations (data breach, privacy, etc.)?
  • Can the provider’s access control methodologies satisfy the internal requirements?
  • Does the provider encrypt data in transit, at rest, and on tape? More importantly, identify how encryption is used and how the keys are managed.
  • Does the provider log all access to data?
  • Does the provider have direct control over their servers and infrastructure or is it outsourced again?
  • Does the provider ensure data separation with other customers?
  • Does the provider have incident response and incident notification policies?
  • How does the provider ensure customer data does not get leaked out from the provider’s network?
  • What type of intrusion monitoring (IDS/IPS, malware protection, log monitoring, database monitoring, etc.) is in place?
  • How often are the devices and applications scanned for vulnerabilities, and how often are patches applied?
  • What is the SDLC process of the provider?
  • How often does the provider test the security posture by the use of a penetration test?
  • During an e-discovery request, how is the provider going to support the investigative activities?

In the third and final part of this series, I will discuss how the organizations can prepare for eventually moving some of the services to cloud.

Wednesday, December 30, 2009

Cloud computing - Security issues and remediation steps - Part 1

As we come to the end of 2009, I think it is appropriate to discuss the most talked-about computing method and the security concerns associated with it. Yes, I am talking about cloud computing and cloud security. Take a look at the Google Trends data for this:



As you can see, cloud security has been getting a lot of attention this year, and that is going to continue through 2010 as well. It also made number one in Gartner’s list of the top 10 technologies and trends that will be strategic for most organizations in 2010.



In this two-part series, I will try to explain what cloud computing is, its benefits, the security aspects and risks that come with it, and the important things to check before an organization decides to go in that direction.

What is cloud computing?

There are multiple definitions available, some of them are below:

NIST:

Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.

The Economist:

“Cloud-computing”, the delivery of computer services from vast warehouses of shared machines, enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone else, and then accessing it over the internet.

Gartner:

Cloud Computing. Cloud computing is a style of computing that characterizes a model in which providers deliver a variety of IT-enabled capabilities to consumers.

ENISA:

Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.


What are some of the benefits?


Having defined cloud computing, let's look at why organizations are moving towards cloud computing. Some of the benefits are:
  • Cost benefits
  • Performance improvements
  • Availability improvements
  • Availability of support personnel and expertise
  • Strong SLAs with the provider may be a risk mitigation strategy

What are some of the basic offerings?

Even though there are many types of offerings within cloud computing, they all can be divided into three main categories.

1. Software as a Service (SaaS)

This type of service lets the consumer use various applications running on the provider’s infrastructure through a web browser. In this scenario, the provider manages the network, servers, operating systems, storage, and the applications. Vendors include Salesforce, Concur, Google, etc.

2. Platform as a Service (PaaS)

This type of service lets the consumer deploy their own applications onto the cloud infrastructure. In this scenario, the provider manages the network, servers, operating systems, and storage, but the consumer has control over the deployed applications. Vendors include Google App Engine, Force.com, Intuit, etc.

3. Infrastructure as a Service (IaaS)

This type of service lets the consumer use the infrastructure, which may include the network, servers, operating systems, or storage. The consumer gets to deploy any part of the infrastructure and manage it as well. Vendors offering this type of service include Amazon EC2, rPath, Microsoft Azure, etc.

 
In the second part of the series, I will cover the security issues associated with this type of computing technology and identify a series of questions that organizations can ask the potential vendors.



Saturday, December 19, 2009

Changes in Facebook Privacy settings

I wrote about privacy issues with social networking sites here and here. Here is another instance of why you should be careful about what you post on these sites.

Facebook recently changed the privacy settings available to users, and in the process made much of a user's information visible to the "everyone" group. General users do not track such announcements or changes, which leaves their personal information searchable by everyone.

Read about the changes here and here.

URL shortening services - is it safe to use?

You have probably noticed the increased use of URL shortening services such as TinyURL, Bit.ly, ShortURL, and the new goo.gl. Such services help bloggers and Twitter users to list URLs as a short word; the short form does not show the real URL, but clicking on it takes you to the actual web site.

Is it safe to use them, and what are the dangers behind it?

Some of the risks include:

  • We don't know where the link is taking us.
  • The real site could be a malware hosting site, which could be mapped to a popular and known site.
  • Such URLs could be used for a phishing attack.

So how do you protect yourself?

Use online services such as LongURL or Expandmyurl. If Firefox is your browser, add this add-on, which uses the LongURL online URL expansion service to verify the destination. Above all, try not to use such services.
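As an added example (not code from the original post, nor from LongURL or Expandmyurl), here is a small Python resolver that does what those expansion services do: it follows a short URL's HTTP redirects one hop at a time with HEAD requests, never loading the landing page, and reports the final destination, the number of hops, and whether the chain still ends on a shortener. The shortener host list and the `max_hops` limit are this example's own assumptions.

```python
"""Expand a shortened URL by walking its HTTP redirect chain hop by hop,
without loading the final page.  Added example; not code from the post."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener hosts named in the post (assumption: extend as needed);
# used only to flag a chain that still ends on another shortener.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "shorturl.com", "goo.gl"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # a 3xx surfaces here when not followed
        return e.code, e.headers.get("Location")
    except urllib.error.URLError:         # DNS failure, refused connection, ...
        return 0, None


def expand_short_url(url, head=http_head, max_hops=5):
    """Return the list of URLs visited, starting with `url`.  Stops at the
    first non-redirect, on a redirect loop, or after max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        target = urljoin(chain[-1], location)   # Location may be relative
        if target in chain:                     # loop: a -> b -> a
            break
        chain.append(target)
    return chain


def describe_destination(chain):
    """Summarise a chain for someone deciding whether to click."""
    final_host = urlparse(chain[-1]).netloc.lower()
    return {"final_url": chain[-1], "hops": len(chain) - 1,
            "still_shortened": final_host in SHORTENER_HOSTS}
```

Pass your own `head` function (as the test below does with a constructed redirect map) to exercise the logic offline; with the default it performs live HEAD requests, so run it only against links you are prepared to probe.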




Wednesday, December 9, 2009

Cenzic announced its latest Trend Report on Web Application Security for the first half of 2009. The report is based on analysis of vulnerability reports from various sources such as SecurityFocus, CVE, SANS, US-CERT, SecurityTracker, and other third-party databases.


Some key highlights from the report include:
  • The biggest surprise was Firefox, which had 44% more vulnerabilities than the other browsers. Another surprise was Safari, which usually has few vulnerabilities but came in at 35%, significantly higher than IE, which came in at 15%.
  • Sun Java, PHP, and Apache continue to be among the top 10 vendors having the most severe vulnerabilities.
  • 78% of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX.
  • Information Leaks, XSS, Authentication / Authorization and Session Management flaws continue to dominate.

The complete report is available here.



Saturday, December 5, 2009

SANS courses coming to India

Suresh from SANS Asia Pacific sent me this message:

SANS is pleased to be bringing two popular and important security courses to Bangalore with SANS India 2010 on 22-27 February 2010. These two six-day courses go beyond the basics and will ramp up your hacking/incident handling or forensics skills:

-  Security 504: Hacker Techniques, Exploits & Incident Handling - Bryce Galbraith
-  Security 508: Computer Forensics, Investigation, and Response - Chad Tilbury

Event Link:
http://www.sans.org/info/51273

As a special initiative for this event only, SANS is launching a Colleague Rebate to make these classes accessible and affordable to as many students as possible in India. Simply register with your friends and colleagues to earn rebates on tuition. The larger your group, the larger the rebate each group member will receive!

For example:
If you register as a group of 3 to 5 students for our classes at SANS India 2010, each member of the group will receive a 10% rebate of tuition paid.

If you register as a group of 6 to 10 students for our classes at SANS India, each member of the group will receive a 15% rebate of tuition paid.

If you register as a group of 11 students or more for our classes at SANS India, each member of the group will receive a 20% rebate of tuition paid.

Note that group members can come from different organizations so feel free to link up with your current and former classmates, work colleagues, and fellow association members and register as a group in order to qualify for the Colleague Rebate!

How do you take advantage of the Colleague Rebate for SANS India 2010?

 1. Register for your selected course at SANS India 2010 via the SANS webpage at http://www.sans.org/info/51273

 2. Start spreading the word via your professional, personal and social networks to get your colleagues interested in attending a course at SANS India 2010 to join your Colleague Rebate Group.

 3. Contact us at AsiaPacific@sans.org for a Colleague Rebate Group Registration Form. Complete the form in full with the names and contact information of your Colleague Rebate Group and return it to us via e-mail at AsiaPacific@sans.org.

 4. Once SANS has received registrations and payment from all the members of your group according to the Terms and Conditions below, SANS will then reduce/rebate the fee for each individual.

 5. Colleague Rebates will be calculated on the number of paid students from your list attending SANS India 2010 per the terms and conditions in the following section.

Did you get SHODAN'ed?

A unique new search engine came up last week, which shows the vulnerable services on various Internet-facing hosts. Basically, someone scanned many IP addresses that are accessible from the Internet, indexed the results, and put them up as a free service. You must be thinking that this is a goldmine for hackers; yes, it is.

One simple query you can run is http://shodan.surtri.com/?q=hostname%3.com, replacing the company name with your company name.