ICSA Certified Network Firewall for Data Centers
The BIG-IP platform is now ICSA Certified as a Network Firewall. Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer. Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hactivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users. Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions, add to IT distress. Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but the web sites they are supposed to protect. Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack. Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting. An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive. There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective. The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA required reporting and alerts, as well as integration with SIEM vendors. BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence. Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack. Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying. DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7. DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads. Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released. Resource cloaking and content security: Prevent leaks of error codes and sensitive content. F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients and, BIG-IP is now ICSA Certified as a Network Firewall. ps Resources: F5’s Certified Firewall Protects Against Large-Scale Cyber Attacks on Public-Facing Websites F5 BIG-IP Data Center Firewall – Overview BIG-IP Data Center Firewall Solution – SlideShare Presentation High Performance Firewall for Data Centers – Solution Profile The New Data Center Firewall Paradigm – White Paper Vulnerability Assessment with Application Security – White Paper Challenging the Firewall Data Center Dogma Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, icsa, iApp, compliance, network firewall, internet, TMOS, big-ip, vCMPF5 BIG-IP Platform Security
When creating any security-enabled network device, development teams must fully investigate security of the device itself to ensure it cannot be compromised. A gate provides no security to a house if the gap between the bars is large enough to drive a truck through. Many highly effective exploits have breached the very software and hardware that are designed to protect against them. If an attacker can breach the guards, then they don’t need to worry about being stealthy, meaning if one can compromise the box, then they probably can compromise the code. F5 BIG-IP Application Delivery Controllers are positioned at strategic points of control to manage an organization’s critical information flow. In the BIG-IP product family and the TMOS operating system, F5 has built and maintained a secure and robust application delivery platform, and has implemented many different checks and counter-checks to ensure a totally secure network environment. Application delivery security includes providing protection to the customer’s Application Delivery Network (ADN), and mandatory and routine checks against the stack source code to provide internal security—and it starts with a secure Application Delivery Controller. The BIG-IP system and TMOS are designed so that the hardware and software work together to provide the highest level of security. While there are many factors in a truly secure system, two of the most important are design and coding. Sound security starts early in the product development process. Before writing a single line of code, F5 Product Development goes through a process called threat modeling. Engineers evaluate each new feature to determine what vulnerabilities it might create or introduce to the system. F5’s rule of thumb is a vulnerability that takes one hour to fix at the design phase, will take ten hours to fix in the coding phase and one thousand hours to fix after the product is shipped—so it’s critical to catch vulnerabilities during the design phase. The sum of all these vulnerabilities is called the threat surface, which F5 strives to minimize. F5, like many companies that develop software, has invested heavily in training internal development staff on writing secure code. Security testing is time-consuming and a huge undertaking; but it’s a critical part of meeting F5’s stringent standards and its commitment to customers. By no means an exhaustive list but the BIG-IP system has a number of features that provide heightened and hardened security: Appliance mode, iApp Templates, FIPS and Secure Vault Appliance Mode Beginning with version 10.2.1-HF3, the BIG-IP system can run in Appliance mode. Appliance mode is designed to meet the needs of customers in industries with especially sensitive data, such as healthcare and financial services, by limiting BIG-IP system administrative access to match that of a typical network appliance rather than a multi-user UNIX device. The optional Appliance mode “hardens” BIG-IP devices by removing advanced shell (Bash) and root-level access. Administrative access is available through the TMSH (TMOS Shell) command-line interface and GUI. When Appliance mode is licensed, any user that previously had access to the Bash shell will now only have access to the TMSH. The root account home directory (/root) file permissions have been tightened for numerous files and directories. By default, new files are now only user readable and writeable and all directories are better secured. iApp Templates Introduced in BIG-IP v11, F5 iApps is a powerful new set of features in the BIG-IP system. It provides a new way to architect application delivery in the data center, and it includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. iApps provide a framework that application, security, network, systems, and operations personnel can use to unify, simplify, and control the entire ADN with a contextual view and advanced statistics about the application services that support business. iApps are designed to abstract the many individual components required to deliver an application by grouping these resources together in templates associated with applications; this alleviates the need for administrators to manage discrete components on the network. F5’s new NIST 800-53 iApp Template helps organizations become NIST-compliant. F5 has distilled the 240-plus pages of guidance from NIST into a template with the relevant BIG-IP configuration settings—saving organizations hours of management time and resources. Federal Information Processing Standards (FIPS) Developed by the National Institute of Standards and Technology (NIST), Federal Information Processing Standards are used by United States government agencies and government contractors in non-military computer systems. FIPS 140 series are U.S. government computer security standards that define requirements for cryptography modules, including both hardware and software components, for use by departments and agencies of the United States federal government. The requirements cover not only the cryptographic modules themselves but also their documentation. As of December 2006, the current version of the standard is FIPS 140-2. A hardware security module (HSM) is a secure physical device designed to generate, store, and protect digital, high-value cryptographic keys. It is a secure crypto-processor that often comes in the form of a plug-in card (or other hardware) with tamper protection built in. HSMs also provide the infrastructure for finance, government, healthcare, and others to conform to industry-specific regulatory standards. FIPS 140 enforces stronger cryptographic algorithms, provides good physical security, and requires power-on self tests to ensure a device is still in compliance before operating. FIPS 140-2 evaluation is required to sell products implementing cryptography to the federal government, and the financial industry is increasingly specifying FIPS 140-2 as a procurement requirement. The BIG-IP system includes a FIPS cryptographic/SSL accelerator—an HSM option specifically designed for processing SSL traffic in environments that require FIPS 140-1 Level 2–compliant solutions. Many BIG-IP devices are FIPS 140-2 Level 2–compliant. This security rating indicates that once sensitive data is imported into the HSM, it incorporates cryptographic techniques to ensure the data is not extractable in a plain-text format. It provides tamper-evident coatings or seals to deter physical tampering. The BIG-IP system includes the option to install a FIPS HSM (BIG-IP 6900, 8900, 11000, and 11050 devices). BIG-IP devices can be customized to include an integrated FIPS 140-2 Level 2–certified SSL accelerator. Other solutions require a separate system or a FIPS-certified card for each web server; but the BIG-IP system’s unique key management framework enables a highly scalable secure infrastructure that can handle higher traffic levels and to which organizations can easily add new services. Additionally the FIPS cryptographic/SSL accelerator uses smart cards to authenticate administrators, grant access rights, and share administrative responsibilities to provide a flexible and secure means for enforcing key management security. Secure Vault It is generally a good idea to protect SSL private keys with passphrases. With a passphrase, private key files are stored encrypted on non-volatile storage. If an attacker obtains an encrypted private key file, it will be useless without the passphrase. In PKI (public key infrastructure), the public key enables a client to validate the integrity of something signed with the private key, and the hashing enables the client to validate that the content was not tampered with. Since the private key of the public/private key pair could be used to impersonate a valid signer, it is critical to keep those keys secure. Secure Vault, a super-secure SSL-encrypted storage system introduced in BIG-IP version 9.4.5, allows passphrases to be stored in an encrypted form on the file system. In BIG-IP version 11, companies now have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive. Secure Vault can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. In the absence of hardware support like FIPS/SEEPROM (Serial (PC) Electrically Erasable Programmable Read-Only Memory), Secure Vault will be implemented in software. Even if an attacker removed the hard disk from the system and painstakingly searched it, it would be nearly impossible to recover the contents due to Secure Vault AES encryption. Each BIG-IP device comes with a unit key and a master key. Upon first boot, the BIG-IP system automatically creates a master key for the purpose of encrypting, and therefore protecting, key passphrases. The master key encrypts SSL private keys, decrypts SSL key files, and synchronizes certificates between BIG-IP devices. Further increasing security, the master key is also encrypted by the unit key, which is an AES 256 symmetric key. When stored on the system, the master key is always encrypted with a hardware key, and never in the form of plain text. Master keys follow the configuration in an HA (high-availability) configuration so all units would share the same master key but still have their own unit key. The master key gets synchronized using the secure channel established by the CMI Infrastructure as of BIG-IP v11. The master key encrypted passphrases cannot be used on systems other than the units for which the master key was generated. Secure Vault support has also been extended for vCMP guests. vCMP (Virtual Clustered Multiprocessing) enables multiple instances of BIG-IP software to run on one device. Each guest gets their own unit key and master key. The guest unit key is generated and stored at the host, thus enforcing the hardware support, and it’s protected by the host master key, which is in turn protected by the host unit key in hardware. Finally F5 provides Application Delivery Network security to protect the most valuable application assets. To provide organizations with reliable and secure access to corporate applications, F5 must carry the secure application paradigm all the way down to the core elements of the BIG-IP system. It’s not enough to provide security to application transport; the transporting appliance must also provide a secure environment. F5 ensures BIG-IP device security through various features and a rigorous development process. It is a comprehensive process designed to keep customers’ applications and data secure. The BIG-IP system can be run in Appliance mode to lock down configuration within the code itself, limiting access to certain shell functions; Secure Vault secures precious keys from tampering; and optional FIPS cards ensure organizations can meet or exceed particular security requirements. An ADN is only as secure as its weakest link. F5 ensures that BIG-IP Application Delivery Controllers use an extremely secure link in the ADN chain. ps Resources: F5 Security Solutions Security is our Job (Video) F5 BIG-IP Platform Security (Whitepaper) Security, not HSMs, in Droves Sometimes It Is About the Hardware Investing in security versus facing the consequences | Bloor Research White Paper Securing Your Enterprise Applications with the BIG-IP (Whitepaper) TMOS Secure Development and Implementation (Whitepaper) BIG-IP Hardware Updates – SlideShare Presentation Audio White Paper - Application Delivery Hardware A Critical Component F5 Introduces High-Performance Platforms to Help Organizations Optimize Application Delivery and Reduce Costs Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, coding, iApp, compliance, FIPS, internet, TMOS, big-ip, vCMPSecurity’s FUD Factor
Had a short but interesting twitter exchange with @securityincite@Gillis57and @essobi(Mike Rothman, Gillis Jones andnot sure (sorry!!)respectively) about usingFear,Uncertainty andDoubt when talking IT security services. @Gillis57initially asked, ‘Question: We discuss FUD constantly (and I agree that it's too prominent) But isn't security inherently built upon fear?’ I sent an‘09 Rothman article(@securityincitesaid it was ‘old school’ but still has some great comments) about that very topic. Soon, @essobichimed in with, ‘Our foundation shouldn't be fear, it should be education. :D,’ @Gillis57responded, ‘So, look. I agree wholeheartedly, but why do people need to be educated?’ @essobianswered, ‘imo? Bad programming/exploitable logic processes. we need to raise the bar or lower expectations.’ @Gillis57added, ‘I really don't think we need to keep selling fear, but denying that we are a fear based industry isn't helping.’ @securityincitewizdom’d with, ‘Fear is a tactic like anything else. Depends in situation, context, catalyst. And use sparingly.’And Iconceded that, ‘splitting hairs but I try to talk about risk rather than fear - what's the risk if...which often generates fear.’ Most of the time when we talk about security there is a fear factor because we are talking about risk. Risk is the potential for something Bad happening and typically those things scare or make us uncomfortable. Often when vendors talk about things like protection, benefits, etc, it’s measured in terms of numbers, stats, performance…metrics. Security is also about Peace of Mind; a feeling that you have. Those military people who can get some good sleep even with bullets flying over their heads have peace of mind. Even in a very high risk, dangerous, vulnerable and insecure environment, they feel secure. I saw an article about the difference betweenselling insurance and the lottery – Fear vs. Dreams. Maybe we should discuss IT Security in terms of how it has made an IT guy’s life better? I think it would be cool if ‘security’ case studies included a side bar or something with a quote that brags, ‘Now that we have this solution installed, I’m able to attend my daughter’s piano recitals.’ ‘I’m able to get a good night’s sleep knowing that our web site is ok/won’t get paged at 3AM/won’t have to work for 16hrs.’ Adding to the quality of life over and above the usual ROI/TCO/performance/$$. How it may have enhanced life. How it gave peace of mind. How it Reduced Stress. How it allowed someone to be home for dinner. How it allowed someone to enjoy the weekend, do that Science Fair thing with the kid, take a longer vacation… It might be cool for the industry (and the general public) to read how another’s life improved when security is deployed along with all the breaches and headaches. Ultimately, that’s what we are all chasing as humans anyway – that harmony, balance, peace of mind, quality of life, family, love…the cores of our being rather than what we do for a job – even though our work does have a lot to do with quality of life. I also think that education is part of our duty. Not in the ‘Knights of the Roundtable’ duty but if someone needs our security expertise and is willing to learn, sharing (and ultimately, awareness) is important to ensure a more informed public. That is simply being a good internet citizen. And yes, fear does have it’s place especially when someone is not getting it or ignoring that others are at risk. We frequently talk in terms of rational thinking ($$/performance) when security is quite often about an emotional feeling. That’s why some often use FUD to sell security:Fear: emotional,Uncertainly: more emotional than rational,Doubt: gut feeling with little data. But instead of tapping those negative emotions, we should shoot for the Feel Good emotions that provide safety and security. The Dream. -eh, just an idea. And many Mahalos to @securityincite@Gillis57and @essobifor a blog idea. ps References Abandon FUD, Scare Tactics and Marketing Hype Are you Selling Fear or Dreams? Death to FUD Selling FUD creeping back into security sell Time To Deploy The FUD Weapon? How To Sell Security Solutions Without Using Fear, Uncertainty And Doubt Researchers Warn Against Selling On Security Hype How to Sell Security, Externality and FUD How to Sell Security The Four Horsemen of the Cyber-Apocalypse: Security Software FUD(awesome article) Technorati Tags:F5,smartphone,insiders,byod,PeteSilva,security,business,education,technology,fud,threat,human behavior,kiosk,malware,fear,web,internet,twitterYou’ll Shoot Your Eye Out…
…is probably one of the most memorable lines of any Holiday Classic. Of course I’m referring to A Christmas Story, where a young Ralphie tries to convince his parents, teachers and Santa that the Red Ryder BB Gun is the perfect present. I don’t know of there was a warning label on the 1940’s edition box but it is a good reminder from a security perspective that often we, meaning humans, are our own worst enemy when it comes to protecting ourselves. Every year about 100 or so homes burn down due to fried turkeys. A frozen one with ice crystals straight in or the ever famous too much oil that overflows and toasts everything it touches. Even with the warnings and precautions, humans still take the risk. Warning: You can get burned badly. As if the RSA breach wasn’t warning enough about the perils of falling for a phishing scam, we now learn that the South Carolina Department of Revenue breach was also due to an employee, and it only takes one, clicking a malicious email link. That curiosity lead to over 3.8 million Social Security numbers, 3.3 million bank accounts, thousands of credit cards along with 1.9 million dependant’s information being exposed. While the single click started it all, 2-factor authentication was not required and the stored info was not encrypted, so there is a lot of human error to go around. Plus a lot of blame being tossed back and forth – another well used human trait – deflection. Warning: Someone else may not protect your information. While working the SharePoint Conference 2012 in Vegas a couple weeks ago, I came across a interesting kiosk where it allows you to take a picture and post online for free to any number of social media sites. It says ‘Post a picture online for free.’ but there didn’t seem to be a Warning: ‘You are also about to potentially share your sensitive social media credentials or email, which might also be tied to your bank account, into this freestanding machine that you know nothing about.’ I’m sure if that was printed somewhere, betters would think twice about that risk. If you prefer not to enter social media info, you can always have the image emailed to you (to then share) but that also (obviously) requires you to enter that information. While logon info might not be stored, email is. Yet another reason to get a throw away email address. I’m always amazed at all the ways various companies try to make it so easy for us to offer up our information…and many of us do without considering the risks. In 2010, there were a number of photo kiosks that were spreading malware. Warning: They are computers after all and connected to the internet. Insider threats are also getting a lot of attention these days with some statistics indicating that 33% of malicious or criminal attacks are from insiders. In August, an insider at Saudi Aramco released a virus that infected about 75% of the employee desktops. It is considered one of the most destructive computer sabotages inflicted upon a private company. And within the last 2 days, we’ve learned that the White House issued an Executive Order to all government agencies informing them of new standards and best practices around gathering, analyzing and responding to insider threats. This could be actual malicious, disgruntled employees, those influenced by a get rich quick scheme from an outsider or just ‘compromised’ employees, like getting a USB from a friend and inserting it into your work computer. It could even be simple misuse by accident. In any event, intellectual property or personally identifiable information is typically the target. Warning: Not everyone is a saint. The Holidays are still Happy but wear your safety glasses, don’t click questionable links even from friends, don’t enter your logon credentials into a stray kiosk and a third of your staff is a potential threat. And if you are in NYC for the holidays, a limited run of "Ralphie to the Rescue!" A Christmas Story, The Musical is playing at the Lunt-Fontanne Theatre until Dec 30th. ps References How One Turkey Fryer Turned Into A 40-foot Inferno That Destroyed Two Cars And A Barn S.C. tax breach began when employee fell for spear phish 5 Stages of a Data Breach Thinking about Security from the Inside Out Obama issues insider threat guidance for gov't agencies National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Insiders Big Threat to Intellectual Property, Says Verizon DBIR Negligent Insiders and Malicious Attacks Continue to Pose Security Threat Infographic: Protect Yourself Against Cybercrime The Exec-Disconnect on IT Security "Ralphie to the Rescue!" A Christmas Story, The Musical Opens On Broadway Nov. 19Holiday Shopping SmartPhone Style
Close to 70% of smartphone owners plan to use the devices for holiday shopping, according to Deloitte (pdf). Smartphone ownership has jumped from 39.7% last year to 46.1% this year and tablet owners have doubled from 10.5% to 22.4% according to 9,000 shoppers surveyed by BIGinsught. This will probably also spur an increasing number of people colliding heads and walking into fountains as everyone in the mall will be looking down at their mobile devices instead of watching where they are walking. Knowing that these devices have become permanent fixtures on our bodies, retailers are using the technology in an attempt to enhance the shopping experience. As soon as you cross the mall threshold, your phone will buzz with merchant coupons or even better, your online shopping cart has been paid and converted to real items for you walk out, bags in hand, without standing in the check-out aisle. You’ll be able to browse inventory to know if that incredible deal is in stock or simply purchasing the item on the smartphone while standing in the store and have it arrive, already wrapped, the next day. Retailers are trying to combat the behavior of looking for the best deals on an item, only to go home and purchase online elsewhere. Many retailers are equipping employees with tablets and checkout areas with mobile payment systems. Employees have apps that offer richer information in case a shopper wants to know what a coat is made of, or specific warranty info on an electronic item. These employee handhelds could also check-out a shopper in the middle of the store, avoiding any lines. Some stores have even installed iPads in the dressing room so shoppers can choose what music to listen to while parading their selections in the mirror. Hopefully on those, the cameras are disabled since I can already see a remote ‘Peeping in the Dressing Room’ breach in the headlines. Coupon sites are starting to deploy Geofencing, or the ability to offer deals that are within range. You cross a digital boundary and the phone lights up with scan-able deals from area merchants. While retailers will be trying to entice the shopper, mobile technology also helps the shopper. They can look up items, prices and reviews; see who has the best selection/inventory/deals; who offers free shipping and a host of other data to help complete Santa’s list while staying under budget. More stores will also be offering free WiFi for shoppers. Boingo Wireless indicates that 20%-30% of retailers have deployed wireless in the stores and they expect that to grow to 30%-40% in the coming years. While it’s wonderful not to be ‘connected’ while shopping, most of these WiFi zones are not secure and all the security rules of open WiFi still apply. Watch the type of sensitive info you enter while connected since there is virtually no protection. In other Holiday Shopping news, Consumer Reports released its 2011 Naughty & Nice Holiday List, which looks at the good and not-so-good shopping policies and the companies behind them. And, Toy sales down after early rush. psBYOD Policies – More than an IT Issue Part 5: Trust Model
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device Choice, Economics, User Experience & Privacy and a Trust Model. Today we look at Trust Model. Trust Model Organizations will either have a BYOD policy or forbid the use all together. Two things can happen if not: if personal devices are being blocked, organizations are losing productivity OR the personal devices are accessing the network (with or without an organization's consent) and nothing is being done pertaining to security or compliance. Ensure employees understand what can and cannot be accessed with personal devices along with understanding the risks (both users and IT) associated with such access. While having a written policy is great, it still must be enforced. Define what is ‘Acceptable use.’ According to a recent Ponemon Institute and Websense survey, while 45% do have a corporate use policy, less than half of those actually enforce it. And a recent SANS Mobility BYOD Security Survey, less than 20% are using end point security tools, and out of those, more are using agent-based tools rather than agent-less. According to the survey, 17% say they have stand-alone BYOD security and usage policies; 24% say they have BYOD policies added to their existing policies; 26% say they "sort of" have policies; 3% don't know; and 31% say they do not have any BYOD policies. Over 50% say employee education is one way they secure the devices, and 73% include user education with other security policies. Organizations should ensure procedures are in place (and understood) in cases of an employee leaving the company; what happens when a device is lost or stolen (ramifications of remote wiping a personal device); what types/strength of passwords are required; record retention and destruction; the allowed types of devices; what types of encryption is used. Organizations need to balance the acceptance of consumer-focused Smartphone/tablets with control of those devices to protect their networks. Organizations need to have a complete inventory of employee's personal devices - at least the one’s requesting access. Organizations need the ability to enforce mobile policies and secure the devices. Organizations need to balance the company's security with the employee's privacy like, off-hours browsing activity on a personal device. Whether an organization is prepared or not, BYOD is here. It can potentially be a significant cost savings and productivity boost for organizations but it is not without risk. To reduce the business risk, enterprises need to have a solid BYOD policy that encompasses the entire organization. And it must be enforced. Companies need to understand: • The trust level of a mobile device is dynamic • Identify and assess the risk of personal devices • Assess the value of apps and data • Define remediation options • Notifications • Access control • Quarantine • Selective wipe • Set a tiered policy Part of me feels we’ve been through all this before with personal computer access to the corporate network during the early days of SSL-VPN, and many of the same concepts/controls/methods are still in place today supporting all types of personal devices. Obviously, there are a bunch new risks, threats and challenges with mobile devices but some of the same concepts apply – enforce policy and manage/mitigate risk As organizations move to the BYOD, F5 has the Unified Secure Access Solutions to help. ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD Policies – More than an IT Issue Part 3: Economics BYOD Policies – More than an IT Issue Part 4: User Experience and Privacy BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? Worldwide smartphone user base hits 1 billion SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSAThe Venerable Vulnerable Cloud
Ever since cloud computing burst onto the technology scene a few short years ago, Security has always been a top concern. It was cited as the biggest hurdle in many surveys over the years and in 2010, I covered a lot of those in my CloudFucius blog series. A recent InformationWeek 2012 Cloud Security and Risk Survey says that 27% of respondents have no plans to use public cloud services while 48% of those respondents say their primary reason for not doing so is related to security - fears of leaks of customer and proprietary data. Certainly, a lot has been done to bolster cloud security, reduce the perceived risks associated with cloud deployments and even with security concerns, organizations are moving to the cloud for business reasons. A new survey from Everest Group and Cloud Connect, finds cloud adoption is widespread. The majority of the 346 executive respondents, 57%, say they are already using Software as a Service (SaaS) applications, with another 38% adopting Platform as a Service (PaaS) solutions. The most common applications already in the cloud or in the process of being migrated to the cloud include application development/test environments (54%), disaster recovery and storage (45%), email/collaboration (41%), and business intelligence/analytics (35%). Also, the survey found that cloud buyers say the two top benefits they anticipate the most is a more flexible infrastructure capacity and reduced time for provisioning and 61% say they are already meeting their goals for achieving more flexibility in their infrastructures. There’s an interesting article by Dino Londis on InformationWeek.com called How Consumerization is Lowering Security Standards where he talks about how Mob Rule or the a democratization of technology where employees can pick the best products and services from the market is potentially downgrading security in favor of convenience. We all may forgo privacy and security in the name of convenience – just look at loyalty rewards cards. You’d never give up so much personal info to a stranger yet when a store offers 5% discount and targeted coupons, we just might spill our info. He also includes a list of some of the larger cloud breaches so far in 2012. Also this week, the Cloud Security Alliance (CSA) announced more details of its Open Certification Framework, and its partnership with BSI (British Standards Institution). The BSI partnership ensures the Open Certification Framework is in line with international standards. The CSA Open Certification Framework is an industry push that offers cloud providers a trusted global certification scheme. This flexible three-stage scheme will be created in line with the CSA's security guidance and control objectives. The Open Certification Framework is composed of three levels, each one providing an incremental level of trust and transparency to the operations of cloud service providers and a higher level of assurance to the cloud consumer. Additional details can be found at: http://cloudsecurityalliance.org/research/ocf/ The levels are: CSA STAR Self Assessment: The first level of certification allows cloud providers to submit reports to the CSA STAR Registry to indicate their compliance with CSA best practices. This is available now. CSA STAR Certification: At the second level, cloud providers require a third-party independent assessment. The certification leverages the requirements of the ISO/IEC 27001:2005 management systems standard together with the CSA Cloud Controls Matrix (CCM). These assessments will be conducted by approved certification bodies only. This will be available sometime in the first half of 2013. The STAR Certification will be enhanced in the future by a continuous monitoring-based certification. This level is still in development. Clearly the cloud has come a long way since we were all trying to define it a couple years ago yet, also clearly, there is still much to be accomplished. It is imperative that organizations take the time to understand their provider’s security controls and make sure that they protect your data as good or better as you do. Also, stop by Booth 1101 at VMworld next week to learn how F5 can help with Cloud deployments. psFreedom vs. Control
No sooner had I posted BYOD–The Hottest Trend or Just the Hottest Term, last week than yet another BYOD survey hit the news. The full results will be released in a webinar tomorrow but SANS announced their First Annual Survey Results on Mobility Security. Last December, SANS launched its first ever mobility survey to discover if and how organizations are managing risk around their end user mobile devices. The survey of 500 IT pros found that a meager 9% of organizations felt they were fully aware of the devices accessing corporate resources, while 50% felt only vaguely or fairly aware of the mobile devices accessing their resources. In addition, more than 60 % of organizations allow staff to bring their own devices. With so many companies allowing BYOD, controls and policies are very important to securing business environments. Courtesy: SANS Mobility BYOD Security Survey Deb Radcliff, executive editor, SANS Analyst Program said, ‘Another interesting note is that organizations are reaching for everything at their disposal to manage this risk,…Among them are user education, MDM (mobile device management), logging and monitoring, NAC and guest networking, and configuration controls.’ Less than 20% are using end point security tools, and out of those, more are using agent-based tools rather than agent-less. According to the survey, 17% say they have stand-alone BYOD security and usage policies; 24% say they have BYOD policies added to their existing policies; 26% say they "sort of" have policies; 3% don't know; and 31% say they do not have any BYOD policies. Over 50% say employee education is one way they secure the devices, and 73% include user education with other security policies. The BYOD challenges, I think, falls under an age old dilemma: Freedom vs. Control. We see this clash in world politics, we’ve seen it pertaining to the internet itself, we may even experience it at home with our offspring. The freedom to select, use, work and play with the desired mobile device of our choosing bumping up against a company’s mandate to protect and secure access to sensitive corporate information. There can be tension between a free and open culture verses the benefits of control and information management. Sometimes people equate freedom with having control over things yet when it comes to controlling others, many of us feel slightly uncomfortable on either end of the leash. Sometimes oversight is necessary if someone does not have self-control. BYOD is a revolution, a drastic change in how organizations manage devices and manage access to information. If you look at revolutions through the years, often it’s about freedom vs. control. I’m certainly not suggesting an employee coup of the executive floor but remember there are two distinct and diverse powers at play here and successful BYOD deployments need to involve both people and technology. ps Resources SANS Mobility BYOD Security Survey Are your employees on a BYOD binge? SANS Survey: BYOD Widespread But Lacking Sufficient Oversight SANS First Annual Survey Results on Mobility Security: Lack of Awareness, Chaos Pervades with BYOD BYOD–The Hottest Trend or Just the Hottest Term Only 9 Percent of Organizations Are Aware of the Devices Accessing Their Corporate Data Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Audio Tech Brief - Secure iPhone Access to Corporate Web Applications Freedom vs Control – important lessons to be learned New security flaws detected in mobile devices Freedom and Control | Psychology Today Devo - Freedom Of Choice (Video)Surfing the Surveys: Cloud, Security and those Pesky Breaches
While I’m not the biggest fan of taking surveys, I sure love the data/reports that are generated by such creatures. And boy has there been a bunch of recent statistical information released on cloud computing, information security, breaches and general IT. Since this prologue is kinda lame, let’s just get into the sometimes frightening, sometimes encouraging and always interesting results from a variety of sources. 2012 Verizon Data Breach Report: If you haven’t, read Securosis' blog about how to read and digest the report. It’s a great primer on what to expect. An important piece mentioned is that it’s a Breach report, not a cybercrime or attack report. It only includes incidents where data was taken – no data loss, not included. And with that in mind, according to the report, there were 855 incidents with 174 million compromised records, the 2nd highest data loss total since they’ve been tracking (2004). This coming after a record low 4 million lost records last year. The gold record of stolen records. While hacktivism exploded, accounted for 100 million of that 174 mill of stolen records and 58% of all data theft along with untraditional motives; credit cards, intellectual property, classified info and trade secrets were all still hot targets. 81% of the breaches used some sort of hacking with 69% involving malware. 79% were targets of opportunity meaning they had an exploitable vulnerability rather than being ‘on a list.’ 96% of the breaches were not that difficult and 97% could have been avoided using simple to standard protection mechanisms. Unfortunately, organizations typically don’t discover the breach until weeks later. As Securosis points out, don’t be flustered by the massive increase in lost data but focus on the attack and defense trends to help protect against becoming a statistic and as Verizon mentions, ‘this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.’ BMC Software Survey: Conducted by Forrester Consulting on behalf of BMC, ‘Delivering on High Cloud Expectations’ found that while 81% of the respondents said that a comprehensive cloud strategy is a high priority, they are facing huge challenges in accomplishing that task – mainly complexity. Even with cost reduction as a top IT priority, 43% reported using three or more hypervisor technologies as they try to reduce complexity. CIOs are concerned that cloud technologies offer an avenue for groups to circumvent IT which may hinder IT’s ability to meet overall business expectations. When groups deploy unmanaged public cloud services without IT involvement it can add to the complexity that they are trying to avoid. While 79% of respondents do plan on supporting mission-critical workloads on unmanaged public cloud services over the next two years, only 36% allow this today. No surprise that hybrid-cloud deployments, at 37%, was the most desired deployment. The full study results will be announced on Thursday, April 26, 2012 at 11 a.m. CDT as part of a BMC webinar. CSC Cloud Usage Index: Late last year, Independent research firm TNS surveyed more than 3,500 cloud computing users in eight countries around the world to find answers to cloud usage, expectations, attitudes and other cloud related questions. The survey focused on capturing user information about outcomes and experiences rather than predictions and intentions. In an interesting shift from the typical ‘cost savings’ and ‘business agility’ usually cited as a top motivator, one-third of respondents cite their need to better connect employees who use a multitude of computing devices as the number one reason they adopt cloud. 17% claim agility and only 10% indicate cost savings as a top reason for cloud adoption. 82% of respondents said they saved money on their most recent cloud project but 35% of U.S organizations reported a payback of less that $20,000. In terms of overall IT performance, 93% of respondents say cloud improved their data center efficiency/utilization and 80% see similar improvements within six months of moving to the cloud. Zenoss 100 Best Cloud Stats of 2011: Admittedly, this came out last year but it is still a great statistical overview of Cloud Computing. It starts with data growth stats, like 48 hours of video uploaded to youtube every minute; that 74% of Data Centers have increased their server count over the last three years accounting for 5.75 million new servers every year yet 15% do not have data backup and recovery plans; that, on average, cloud users report saving 21% annually on those applications moved to the cloud; that a delay of 1 second in page load times equals 7% loss of conversions, 11% fewer pages viewed and a 16% decrease in customer satisfaction; that Agility is the top driver for cloud adoption and Scalability the top factor influencing cloud use; that 74% of companies are using some sort of cloud service today yet 79% do not have an IT roadmap for cloud computing and a whole slew of others. All the stats appear to be attributed and run the gamut from storage to cloud to apps. Cloud Industry Forum (CIF) study: As enterprises continue to embrace cloud adoption, it is important for service providers to understand motivators for cloud adoption to ensure those services are being offered. This study, USA Cloud Adoption & Trends 2012 shows that smaller U.S. companies indicate that flexibility as their main driver for cloud adoption while large enterprises cite cost savings as their main reason for cloud deployments. This survey also noted that ‘Cloud’ is no longer a nebulous buzzword with 76% of polled organizations already using some sort of cloud computing for at least one service. Organizations are happy about it also – 98% said they were satisfied with the results of their cloud services with 94% expecting to increase their use in the next 12 months. Data security and data privacy were tagged as the top concerns with 56% and 53% respectively. By no means an exhaustive list of all the recent survey results pertaining to cloud and/or IT security, but they do offer some interesting data points to consider as organizations continue to strive to deliver their available applications as fast and secure as possible. psSecurity’s Rough Ride
1 if by land, 2 of by sea, 0 if by IP I know I’ve said this before but it sure seems like almost daily there is a security breach somewhere. Over the years, the thought process has changed from prevent all attacks to, it is inevitable that we will be breached. The massive number of attacks occurring daily makes it a statistical reality. Now organizations are looking for the right solution (both technology and practice) to quickly detect a breach, stop it, identify what occurred and what data may have been compromised. Over the last couple of days various entities have had their security breached. As you are probably already aware either due to the headlines or a direct note in your email inbox, Zappos, a popular online shoe site, was compromised exposing information on 24 million customers. While a good bit of info was taken, like usernames, passwords, addresses, email and other identifiable information, Zappos claims that the stored credit card information was apparently spared due to being encrypted. There are still many details that are unknown like how it occurred and how long it had been exposed but all users are being required to change their passwords immediately. Users might also want to change similar passwords on other websites since I’m sure the criminals are already trying those stolen passwords around the web. These days it's entirely too easy to use information from one hack in many others. It doesn't even matter if passwords were compromised. Your can change your password, but the make and model of your first car, and your mother's maiden name can't be changed. Yet, online service providers continue to rely on these relatively weak forms of secondary authentication. The interesting thing is Zappos is/was apparently PCI-DSS compliant, proving once again, PCI compliance is a first step, not the goal. Being PCI compliance does not mean that one is secure and this also underscores importance of using WAF like BIG-IP ASM. And if it was not a web app that was owned on the server in Kentucky, then Section 6.6 is irrelevant. But again, all the details are still to be uncovered and as far as I know, no-one has claimed responsibility. Overseas, there is an ongoing cyber-war between a Saudi (reported) hacker and Israel. 0xOmar, as news articles have identified him, claims to have posted details of 400,000 Israeli-owned credit cards and Israel’s main credit card companies have admitted that 20,000 cards have been exposed. Along the way, he has also attacked the Tel Aviv Stock Exchange and Bank Massad. In an interesting and potentially scary turn of events, a group of Israeli hackers, IDF-Team, took down the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) as a counter-attack. Another Israeli hacker going by Hannibal claims to have 30 million Arab e-mail addresses, complete with passwords (including Facebook passwords), and says he’s received e-mails not only from potential victims but from officials in France and other countries asking him to stop. This cyber-conflict is escalating. In a very different type of breach, you’ve probably also seen the cruise ship laying on it’s side a mere 200 yards from the Italian shore. While not necessarily a data security story, it is still a human security story that, so far, has been attributed to human error – like many data security breaches. Like many data breach victims, people put their trust in another entity. Their internal risk-analysis tells them that it is relatively safe and the probability of disaster is low. But when people make bad decisions which seems the case in this situation, many others are put at greater risk. Put on your virtual life vests, 2012 is gonna be a ride. ps References: Zappos Hacked: What You Need to Know 10 Security Trends To Watch In 2012 Hackers swipe Zappos data; customers should change password Zappos Hack Exposes Passwords Zappos Hacked: Internal Systems Breached in Cyber Attack Delivering Unhappiness Alleged Saudi hacker discloses more Israeli credit card numbers Israeli hackers bring down Saudi, UAE stock exchange websites Cruise disaster: captain neared rocks in Facebook stunt for friend's family Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, technology, application delivery, cruise, cyber war, ddos, hackers, iPhone, web, internet, security, breach, privacy, PCI-DSS,
