Does Social Media Reflect Society?
A Community within our Society You are what you eat; You become what you believe; I am not my art. A 2011 study from the University of Texas at Austin's Department of Psychology titled "Manifestations of Personality in Online Social Networks: Self-Reported Facebook-Related Behaviors and Observable Profile Information" found that Facebook users are no different online than they are offline. The study also declared a strong connection between someone’s real personality and their Facebook-related behavior. Social and personality processes, according to the study, accurately mirror non-virtual environments. It was published in the academic journal Cyberpsychology, Behavior, and Social Networking. Professor Samuel D. Gosling and his team looked at the big five personality traits - openness, conscientiousness, extraversion, agreeableness and neuroticism and found that self-reported personality traits are accurately reflected in online social networks such as Facebook. Extroverted users reported the most friends and the highest engagement while conscientious types had the least. Simply, extroverts engaged more than introverts. Merriam-Webster defines society in part as, companionship or association with one's fellows : a voluntary association of individuals for common ends : an organized group working together or periodically meeting because of common interests, beliefs, or profession : an enduring and cooperating social group whose members have developed organized patterns of relationships through interaction with one another : a community, nation, or broad grouping of people having common traditions, institutions, and collective activities and interests. Social media has changed society in many ways. We used to just live in a society – our neighborhood, town, city – and (hopefully) looked out for each other, cared for each other and got together for specific causes. This is our community. The human social creature needed human contact/interaction and participated within that society…but the circle was somewhat limited to a geographic region. Granted, some societies are nationwide clubs, groups, memberships or associations that span greater distances – Toastmasters, Kiwanis or college alumni for instance. Now, our circle of friends or association with one’s fellows requires no physical gathering. We live in our physical geographic society but also engage in our cyber communities that span cities, states, countries and with SETI, universes. Years ago I often wondered if the internet would create a society of hermits since no one really needed to go outside and interact with others in the real world. But we are social creatures and our survival requires us to participate in a non-cyber way. Of course there are people that do not want anything to do with society and live in secluded locations to avoid any human interaction. Most of us, however, like it or not, must interact in society on a daily basis. Often our social cyber-interaction is in response to events in the physical society. We use social media as a way to report, learn and engage with those who are experiencing anything from turmoil to joy in their physical society. World events. Even the Occupiers, who have used social media to great extent, still came together physically – within their geographic circle(s) – to form their mini-societies. In some situations, social media has been the only avenue for ‘breaking’ news getting out to the masses. (Incidentally, it seems like every story on news websites is ‘breaking’ these days – it seems to have lost it’s power) Breaking Bad, on the other hand, is a darn good show. In societies we often share – information, goods, ideas, secrets – for the benefit of the society. Many of us have heard the warnings from security experts about keeping passwords a secret. Now, as a form of affection and devotion, teens are sharing their passwords to email, social networks and other accounts. Since it is risky and relationships can quickly sour via social media, they feel that the symbolism is powerful. Apparently, the world’s first divorce by Facebook occurred back in 2009 and more recently Deion Sanders announced his divorce on Facebook this past December. In addition, a survey conducted by UK divorce website www.divorce-online.co.uk in December 2009 found that 20% of behavior petitions contained the word “Facebook.” A follow up survey in December 2011 found that number has greatly increased during 2011 to 33% of behavior allegations in petitions. Even the crooks are involved. We’ve seen the stories about hijacked accounts, malware distribution and the ever popular, ‘I’m stuck in some foreign country, lost my wallet and need to pay the hotel’ scam. I’m amazed that just a decade ago, security experts warned that you shouldn’t say, ‘We’re not home right now,’ on your answering machine. That tells riff-raff that the property is ripe for the pickings. Yet, just a few years later people are posting that they are over the river and through the woods to grandmother’s house some 300 miles away. Their coordinates are available, their home town and sometimes a picture of the actual empty home are posted on the social network. And then they wonder how they could have been burglarized. It’s has also caught/captured the idiot criminals who feel the need to share their misdeeds. In some cases, we share too much and don’t even realize that we’re diminishing our own privacy. And, of course, there are some who can’t get enough exposure with 24 hour cams following their every move. Social networks have become one of our society’s primary tools for communication and as a society it is important to communicate effectively. I’ve always felt that the internet, particularly the web, was a reflection of society. It’s chronicled, reflected and magnified our lives along with automatically storing and archiving almost every move we make. People have fallen in love, ordered goods, started movements, spread rumors, gotten arrested/fired/dumped, done banking, filed complaints/kudos, kept in touch, tracked progress, committed crimes, shared ideas and pretty much anything else that didn’t require physical contact. It’s our journal, reminder, mirror, confidant and has certainly wiggled it’s way into and become part of society. A community within our society. But remember, What Happens on the Internet, Stays on the Internet. ps Related: Your Parents on Facebook: To friend or not to friend? Alarming increase in Facebook related divorces in 2011 Teens, kindness and cruelty on social network sites Young, in Love and Sharing Everything, Including a Password Study: Your Facebook Personality Is The Real You Husband dumps his wife with online message in 'world's first divorce by Facebook' Employers, workers navigate pitfalls of social media 6 painful social media screwups The effect of social media on Occupy Our Digital Life Deciphered Best Day to Blog Experiment – The Results How Terms Have Changed over Time Technorati Tags: blog, social media, comscore, music, statistics, society, web traffic, digital media, mobile device, analyticsBait Phone
You may be familiar with the truTV program Bait Car, where the police place a vehicle equipped with hidden cameras and radio trackers in various areas to catch a would be car thief in the act. It’s kinda fun to watch people ‘check out’ the car, check out the surroundings and decide to jump in and drive off. You get to see their excitement as they think that they’ve just won the jackpot along with the utter despair as officers remotely kill the car and the thief is surrounded. Even the excuses as to why they are driving it are hilarious. ‘I was just moving it for my friend, so they wouldn’t get a ticket, whose name I forgot and I also can’t remember where they live.’ In the UK, they got something similar except with mobile phones called ‘Operation Mobli.’ Plain clothes police purposely left "bait" phones embedded with tracking devices in nine pubs and bars across the towns of Hastings and St Leonards in Sussex. I’m not sure what makes and models of phones were left for the taking but none of the baited devices were stolen. In every case, an honest patron noticed the ‘forgotten’ phone and turned in to the bar staff. Some might describe this sting as a failure but according to the Sussex Police’s press release Sgt Ché Donald said, ‘This was an excellent result and my faith has been restored as the phones were honestly handed in.’ I often write about the potential perils of losing a smartphone crammed with private data and all the unfortunate circumstances that follow. If it gets into the wrong hands then that is the case yet we must also remember that there are plenty of good, honest folks out there who will do the right thing when they find something that doesn’t belong to them. Maybe they’ve seen police sting shows, maybe they’ve lost something themselves, maybe their parents raised them right or maybe it’s simply kindness and honesty that’s built into every one of us. Human’s are capable of the greatest good and the nastiest of evil, it’s all how we decide to play it. ps References: Operation Mobli deters mobile phone thieves in Hastings Police mobile phone sting fails when.. err.. no handsets stolen Mobile-phone 'sting' reveals honesty of Sussex pubgoers Police Sting Operation Yields No Mobile Phone Thefts It's legal: cops seize cell phone, impersonate owner What’s in Your Smartphone? Freedom vs. Control BYOD–The Hottest Trend or Just the Hottest Term Will BYOL Cripple BYOD?ICSA Certified Network Firewall for Data Centers
The BIG-IP platform is now ICSA Certified as a Network Firewall. Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer. Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hactivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users. Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions, add to IT distress. Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but the web sites they are supposed to protect. Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack. Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting. An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive. There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective. The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA required reporting and alerts, as well as integration with SIEM vendors. BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence. Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack. Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying. DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7. DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads. Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released. Resource cloaking and content security: Prevent leaks of error codes and sensitive content. F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients and, BIG-IP is now ICSA Certified as a Network Firewall. ps Resources: F5’s Certified Firewall Protects Against Large-Scale Cyber Attacks on Public-Facing Websites F5 BIG-IP Data Center Firewall – Overview BIG-IP Data Center Firewall Solution – SlideShare Presentation High Performance Firewall for Data Centers – Solution Profile The New Data Center Firewall Paradigm – White Paper Vulnerability Assessment with Application Security – White Paper Challenging the Firewall Data Center Dogma Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, icsa, iApp, compliance, network firewall, internet, TMOS, big-ip, vCMPInfographic: Protect Yourself Against Cybercrime
Maybe I’ll start doing an ‘Infographic Friday’ to go along with Lori’s F5 Friday. This one comes to us from Rasmussen College's School of Technology and Design Cyber Security Program and shows the online risks and offers some good tips on how to better protect your computer and avoid being a victim of cybercrime. psThe Exec-Disconnect on IT Security
Different Chiefs give Different Security Stories. A recent survey shows that there is a wide gap between CEOs and Chief Security Officers when it comes to the origin and seriousness of security threats. They differ on how they view threats to IT Infrastructure and remain far apart on how to best address an issue that according to analyst reports, costs organizations more than $30 billion annually. The survey of 100 CEOs and 100 CISO (or other C-levels with security responsibility), shows that the discrepancy is often due to lack of communication. 36% of CEOs said that they never get a security report from their CISO and only 27% receive updates on a regular basis. Is it the CISO that doesn’t report back or the CEO that is not interested? Let’s look at some more data. The CISO felt that the biggest threat was from internal (their employees) due to lack of education and attention while the CEO felt that the biggest threat was from the outside, such as phishing attacks. Thus, 61% of CEOs said they did have enough time and resources to adequately train the staff on how to mitigate threats while Only 27% of CISOs felt the same. It’s opposite day. When asked if their IT systems were ‘definitely’ or ‘probably’ under attack without their knowledge, 58% of CISOs said yes while only 26% of CEOs agreeing. The chasm grows. What percentage of each, do you think, said they were very concerned about their IT systems getting hacked? 30 seconds on the clock, please. Don’t peek. Only 15% of CEOs and ‘only’ 62% of CISOs are anxious about breaches. 15%? That’s it? Maybe they have great confidence in their security team…or, they don’t have the information. 65% of CEOs admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk. Wow, the very day-to-day operations. Granted, the CEO is further removed from the specific threats and how they are handled but there is clearly a distance between how each views threats and the company’s ability to successfully mitigate them. Lack of interest or lack of understanding/information? Probably both. An old adage was that a great boss hired people who were good at the things he/she wasn’t so good at. Surround yourself with those who know their areas better. Or maybe there is a culture that you don’t alert the top unless it’s dire, critical or unstoppable. Communication or interest, it is evident that the C-suite isn’t really talking about these critical business issues especially when 3 times as many CEOs worried about losing their jobs following an attack than did CISOs. ps References SECURITY: A LACK OF CEO INSIGHT OR CEO INTEREST? CEOs Lack Visibility Into Origin and Seriousness of Security Threats Talking About Security Bores the Boss, Survey Shows Myth or Fact? Debunking 15 of the Biggest Information Security Myths The CEO/CISO Disconnect InfographicOde to FirePass
A decade ago, remote VPN access was a relatively new concept for businesses; it was available only to a select few who truly needed it, and it was usually over a dial-up connection. Vendors like Cisco, Check Point, and Microsoft started to develop VPN solutions using IPsec, one of the first transport layer security protocols, and RADIUS Server. At first organizations had to launch the modem and enter the pertinent information, but soon client software was offered as a package. This client software had to be installed, configured, and managed on the user’s computer. As high-speed broadband became a household norm and SSL/TLS matured, the SSL VPN arrived, allowing secure connections via a browser-based environment. Client pre-installation and management hassles were eliminated; rather the masses now had secure access to corporate resources with just a few browser components and an appliance in the data center. These early SSL VPNs, like the first release of F5’s FirePass, offered endpoint checks and multiple modes of access depending on user needs. At the time, most SSL VPNs were limited in areas like overall performance, logins per second, concurrent sessions/users, and in some cases, throughput. Organizations that offered VPN extended it to executives, frequent travelers, and IT staff, and it was designed to provide separated access for corporate employees, partners, and contractors over the web portal. But these organizations were beginning to explore company-wide access since most employees still worked on-site. Today, almost all employees have multiple devices, including smartphones, and most companies offer some sort of corporate VPN access. By 2015, 37.2 percent of the worldwide workforce will be remote and therefore mobile—that’s 1.3 billion people. Content is richer, phones are faster, and bandwidth is available—at least via broadband to the home. Devices need to be authenticated and securely connected to corporate assets, making a high-performance Application Delivery Controller (ADC) with unified secure access a necessity. As FirePass is retired, organizations will have two ADC options with which to replace it: F5 BIG-IP Edge Gateway, a standalone appliance, and BIG-IP Access Policy Manager (APM), a module that can be added to BIG-IP LTM devices. Both products are more than just SSL VPNs—they’re the central policy control points that are critical to managing dynamic data center environments. A Little History F5’s first foray into the SSL VPN realm was with its 2003 purchase of uRoam and its flagship product, FirePass. Although still small, Infonetics Research predicted that the SSL VPN market will swell from around $25 million [in 2002] to $1 billion by 2005/6 and the old meta Group forecasted that SSL-based technology would be the dominant method for remote access, with 80 percent of users utilizing SSL by 2005/6. They were right—SSL VPN did take off. Using technology already present in web browsers, SSL VPNs allowed any user from any browser to type in a URL and gain secure remote access to corporate resources. There was no full client to install—just a few browser control components or add-on to facilitate host checks and often, SSL-tunnel creation. Administrators could inspect the requesting computer to ensure it achieved certain levels of security, such as antivirus software, a firewall, and client certificates. Like today, there were multiple methods to gain encrypted access. There was (and still is) the full layer-3 network access connection; a port forwarding or application tunnel–type connection; or simply portal web access through a reverse proxy. SSL VPNs Mature With more enterprises deploying SSL VPNs, the market grew and FirePass proved to be an outstanding solution. Over the years, FirePass has lead the market with industry firsts like the Visual Policy Editor, VMware View support, group policy support, an SSL client that supported QoS (quality of service) and acceleration, and integrated support with third-party security solutions. Every year from 2007 through 2010, FirePass was an SC Magazine Reader Trust finalist for Best SSL VPN. As predicted, SSL VPN took off in businesses; but few could have imagined how connected the world would really become. There are new types of tablet devices and powerful mobile devices, all growing at accelerated rates. And today, it’s not just corporate laptops that request access, but personal smartphones, tablets, home computers, televisions, and many other new devices that will have an operating system and IP address. As the market has grown, the need for scalability, flexibility, and access speed became more apparent. In response, F5 began including the FirePass SSL VPN functionality in the BIG-IP system of Application Delivery Controllers, specifically, BIG-IP Edge Gateway and BIG-IP Access Policy Manager (APM). Each a unified access solution, BIG-IP Edge Gateway and BIG-IP APM are scalable, secure, and agile controllers that can handle all access needs, whether remote, wireless, mobile, or LAN. The secure access reigns of FirePass have been passed to the BIG-IP system; by the end of 2012, FirePass will no longer be available for sale. For organizations that have a FirePass SSL VPN, F5 will still offer support for it for several years. However those organizations are encouraged to test BIG-IP Edge Gateway or BIG-IP APM. Unified Access Today The accelerated advancement of the mobile and remote workforce is driving the need to support tens of thousands concurrent users. The bursting growth of Internet traffic and the demand for new services and rich media content can place extensive stress on networks, resulting in access latency and packet loss. With this demand, the ability of infrastructure to scale with the influx of traffic is essential. As business policies change over time, flexibility within the infrastructure gives IT the agility needed to keep pace with access demands while the security threats and application requirements are constantly evolving. Organizations need a high-performance ADC to be the strategic point of control between users and applications. This ADC must understand both the applications it delivers and the contextual nature of the users it serves. BIG-IP Access Policy Manager BIG-IP APM is a flexible, high-performance access and security add-on module for either the physical or virtual edition of BIG-IP Local Traffic Manager (LTM). BIG-IP APM can help organizations consolidate remote access infrastructure by providing unified global access to business-critical applications and networks. By converging and consolidating remote access, LAN access, and wireless connections within a single management interface, and providing easy-to-manage access policies, BIG-IP APM can help free up valuable IT resources and scale cost-effectively. BIG-IP APM protects public-facing applications by providing policy-based, context-aware access to users while consolidating access infrastructure. BIG-IP Edge Gateway BIG-IP Edge Gateway is a standalone appliance that provides all the benefits of BIG-IP APM—SSL VPN remote access security—plus application acceleration and WAN optimization services at the edge of the network—all in one efficient, scalable, and cost-effective solution. BIG-IP Edge Gateway is designed to meet current and future IT demands, and can scale up to 60,000 concurrent users on a single box. It can accommodate all converged access needs, and on a single platform, organizations can manage remote access, LAN access, and wireless access by creating unique policies for each. BIG-IP Edge Gateway is the only ADC with remote access, acceleration, and optimization services built in. To address high latency links, technologies like intelligent caching, WAN optimization, compression, data deduplication, and application-specific optimization ensure the user is experiencing the best possible performance, 2 to 10 times faster than legacy SSL VPNs. BIG-IP Edge Gateway gives organizations unprecedented flexibility and agility to consolidate all their secure access methods on a single device. FirePass SSL VPN Migration A typical F5 customer might have deployed FirePass a few years ago to support RDP virtual desktops, endpoint host checks, and employee home computers, and to begin the transition from legacy IPsec VPNs. As a global workforce evolved with their smartphones and tablets, so did IT's desire to consolidate their secure access solutions. Many organizations have upgraded their FirePass controller functionality to a single BIG-IP appliance. Migrating any system can be a challenge, especially when it is a critical piece of the infrastructure that global users rely on. Migrating security devices, particularly remote access solutions, can be even more daunting since policies and settings are often based on an identity and access management framework. Intranet web applications, network access settings, basic device configurations, certificates, logs, statistics, and many other settings often need to be configured on the new controller. FirePass can make migrating to BIG-IP Edge Gateway or BIG-IP APM a smooth, fast process. The FirePass Configuration Export Tool, available as a hotfix (HF-359012-1) for FirePass v6.1 and v7, exports configurations into XML files. Device management, network access, portal access, and user information can also all be exported to an XML file. Special settings like master groups, IP address pools, packet filter rules, VLANS, DNS, hosts, drive mappings, policy checks, and caching and compression are saved so an administrator can properly configure the new security device. It’s critical that important configuration settings are mapped properly to the new controller, and with the FirePass Configuration Export Tool, administrators can deploy the existing FirePass configurations to a new BIG-IP Edge Gateway device or BIG-IP APM module. A migration guide will be available shortly. SSL VPNs like FirePass have helped pave the way for easy, ubiquitous remote access to sensitive corporate resources. As the needs of the corporate enterprise change, so must the surrounding technology tasked with facilitating IT initiates. The massive growth of the mobile workforce and their devices, along with the need to secure and optimize the delivery of rich content, requires a controller that is specifically developed for application delivery. Both BIG-IP Edge Gateway and BIG-IP APM offer all the SSL VPN functionality found in FirePass, but on the BIG-IP platform. ps Resources: 2011 Gartner Magic Quadrant for SSL VPNs F5 Positioned in Leaders Quadrant of SSL VPN Magic Quadrant SOL13366 - End of Sale Notice for FirePass SOL4156 - FirePass software support policy Secure Access with the BIG-IP System | (whitepaper) FirePass to BIG-IP APM Migration Service F5 FirePass to BIG-IP APM Migration Datasheet FirePass Wiki Home Audio Tech Brief - Secure iPhone Access to Corporate Web Applications In 5 Minutes or Less - F5 FirePass v7 Endpoint Security Pete Silva Demonstrates the FirePass SSL-VPN Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet
Apache Server Status–> Status Secured
You know, working at F5 has some real perks. Cool gatherings, good workspace and my favorite part, really really REALLY smart people. I often tell people who as why I love working at F5 “The best part about it, is standing up, looking around, and realizing, I am surrounded by really smart, knowledgeable people.” A great example of this came across my virtual desk in the tubes just last friday. A group of our FSE (Field support engineers) and SA’s (Solution Architects) put out a great advisory regarding in information disclosure vulnerability from Apache server status. Check out the highlights below: ------------------------------------------------------------------------------ Apache has a very useful functionality called server-status that allows administrators to easily find how well their servers are performing. It is basically an HTML page that displays the number of process working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good. However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs, and sometimes even find hidden (obscure) admin panels or files that should not be visible to the outside. http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html http://urlfind.org/?server-status Below is a simple iRule to mitigate against this issue. This was written for v11 F5 TMOS. Step 1 Create a String-type data group called “bad_uris” containing the string of “/server-status/” (without quotations). No value is necessary. Also if you wanted to block other common attacks you could add /cmd.exe to this list… ltm data-group internal /Common/bad_uris { records { /server-status/ { } } type string } Step 2 Create the following irule and modify the page below to point to an errorpage or maintenance page on your site when HTTP_REQUEST { if { [class match [URI::decode [string tolower [HTTP::uri]]] contains bad_uris] } { HTTP::respond 302 Location "http://company.com/errorpage.html" Cache-Control No-Cache Pragma No-Cache } Step 3 Apply the irule to your web app Virtual Server, under resources. Example of Apache Server Status Data: ------------------------------------------------------------------------------ End of Original Transmission Pretty cool eh? What this really allows us to do is protect all the apache servers in the environment that come through the F5. This helps protect us from the little mistakes that can/are made spinning up a new server. If the new intern spins up the new server and forgets that they left this page out there, the F5 can make sure that external forces can’t access it. Give it a shot, it’s a very low overhead iRule. Major shoutouts to the crew: Matt Fearnow Rob Eberhardt Aaron Hooley David Remington for this great doc! Peace out all! Josh5 Stages of a Data Breach
One thing I’ve noticed over the last couple years is that there are 5 Stages of a Data Breach: Denial: We do not believe these attacks breached our critical servers. Anger: We want to make it clear that we take security seriously! Bargaining: We’d like to offer our affected customers a credit monitoring service. Depression: We wish we could have done things differently. Acceptance: Well, it just shows that no one is safe from hackers. ps Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, 5 stages, cyber war, hackers, breach, verisign, internet, security, privacy,FedRAMP Ramps Up
Tomorrow June 6th, the Federal Risk and Authorization Management Program, the government’s cloud security assessment plan known as FedRAMP will begin accepting security certification applications from companies that provide software services and data storage through the cloud. On Monday, GSA issued a solicitation for cloud providers, both commercial and government, to apply for FedRAMP certification. FedRAMP is the result of government’s work address security concerns related to the growing practice of cloud computing and establishes a standardized approach to security assessment, authorizations and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing more on risk management, as opposed to strict compliance with reporting metrics, officials expect to improve data security as well as simplify the processes agencies use to purchase cloud services, according to Katie Lewin, director of the federal cloud computing program at the General Services Administration. As both the cloud and the government’s use of cloud services grew, officials found that there were many inconsistencies to requirements and approaches as each agency began to adopt the cloud. FedRAMP’s goal is to bring consistency to the process but also give cloud vendors a standard way of providing services to the government. And with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. This is an ‘approve once, and use many’ approach, reducing the cost and time required to conduct redundant, individual agency security assessment. Recently, the GSA released a list of nine accredited third-party assessment organizations—or 3PAOs—that will do the initial assessments and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing part in ensuring providers meet requirements. FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited, or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs. Independent, third-party auditors are tasked with testing each product/solution for compliance which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month but includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed such as devices, documents and processes; the responsibilities of providers and government customer to implement the plan; the timing of implementation; and how solution satisfies controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the security assessment plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service. The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online. All government information stored on a provider's servers must be encrypted. When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future. After receiving the initial applications, FedRAMP program officials will develop a queue order in which to review authorization packages. Officials will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services that align with the administration’s Cloud First policy. F5 has an iApp template for NIST Special Publication 800-53 which aims to make compliance with NIST Special Publication 800-53 easier for administrators of BIG-IPs. It does this by presenting a simplified list of configuration elements together in one place that are related to the security controls defined by the standard. This makes it easier for an administrator to configure a BIG-IP in a manner that complies with the organization's policies and procedures as defined by the standard. This iApp does not take any actions to make applications being serviced through a BIG-IP compliant with NIST Special Publication 800-53 but focuses on the configuration of the management capabilities of BIG-IP and not on the traffic passing through it. ps Resources: Cloud Security With FedRAMP CLOUD SECURITY ACCREDITATION PROGRAM TAKES FLIGHT FedRAMP comes fraught with challenges FedRAMP about to hit the streets FedRAMP takes applications for service providers Contractors dealt blanket cloud security specs FedRAMP includes 168 security controls New FedRAMP standards first step to secure cloud computing GSA to tighten oversight of conflict-of-interest rules for FedRAMP What does finalized FedRAMP plan mean for industry? New FedRAMP standards first step to secure cloud computing GSA reopens cloud email RFQ NIST, GSA setting up cloud validation process FedRAMP Security Controls Unveiled FedRAMP security requirements benchmark IT reform FedRAMP baseline controls released Federal officials launch FedRAMP
True DDoS Stories: SSL Connection Flood
#adcfw I have a particular fascination with DDoS and I collect what I call True DDoS Stories. This isn’t to say that I ignore traditional smash-and-grab penetrations or SQL injection incidents, but there’s something about an actor (or cast of actors) harnessing thousands of machines to attack a target that reminds me of a Wizard conjuring a thunderstorm and directing it to attack an encamped enemy. SSL Termination at the Server I was on the road and was approached by a firm that had suffered a particularly severe DDoS attack that kept their high-profile site down for multiple weeks. Here’s a quick sketch of the general layout of their network. Unlike most of their competitors, they are flowing SSL traffic all the way through the data center to be terminated at the application servers. Lori MacVittie has posted multiple blogs entries about why it’s better to terminate it at the Application Delivery Controller (ADC), but let’s overlook that for now. This particular site had a service level agreement (SLA) whereby any SSL connection that was initiated by the client must stay active for a particular interval before timing out. The Attack The identity of the attackers remains unknown, but the firm suspected Anonymous. Whoever the attackers were, they began opening thousands of legitimate SSL connections. The connections were passed all the way through the DDoS prevention system, to the load balancers, through the firewall and IPS, and to the application servers that then established sessions and began the long time-outs. The SSL sessions contained no payload and were never closed by the client side. It was a classic connection flood, except this time within established SSL sessions. The application server stacks were provisioned well enough to handle the load, and the number of empty SSL sessions climbed into the millions. With SSL terminated at the application server, the front-side device with the smallest capacity to handle concurrent connections will fail. In this case it was the load balancer (a competitor of ours who I won’t name). Like many devices, when it reached it concurrent connection limit, it failed hard and stopped processing traffic. Normally load balancers can act as DDoS mitigation devices in that they divide the attack load by the number of active servers. This can mitigate smaller attacks, but here the load-balancer became the weak link in the chain. Usually we see the firewall fail first. The attack continued for weeks and service was not fully restored until the DDoS attack ended. Incorrect Mitigation Strategy #1 – Point Solutions There are several firms out there that are making a name for themselves in DDoS mitigation – Arbor and Prolexic and the old Cisco Guard product (now discontinued). I won’t specify which solution the firm was using, but it didn’t help in this case. None of those solutions terminate SSL traffic so all are blind to the SSL connection floods. If you insist on architecture that terminates SSL at the application servers, you can pay your ISP $6,000 / hour for cloud-based scrubbing and it won’t help. Even if cloud-based services did terminate SSL, financial firms couldn’t use them, as it would mean sending their unencrypted traffic into someone else’s cloud. Most financial firms have policies that prohibit that. Incorrect Mitigation Strategy #2 – More Weak Links When I talk with customers about a unified security solution, one common rebuttal that I hear is “I don’t want to put all my eggs in one basket, and I don’t want to trust a single vendor.” This attack is an excellent example of the danger of that strategy. The problem isn’t the eggs-in-a-basket. The problem is which-is-the-weakest-link? Breaking one egg of many doesn’t matter that much, but when a link in a chain breaks, the whole chain becomes useless. So if you want to keep device sprawl as an architectural benefit then you have to ensure that all devices in the chain can handle an attack. More devices = more weak links. Correct Mitigation Strategy – Full Proxy A full-proxy architecture with dynamic reaping would have prevented this firm’s attack. An intelligent, full-proxy ADC with SSL termination will wait for application payload (usually HTTP) before it establishes a connection to the back-end servers. Often it does this so that it can insert load-balancing cookies or other HTTP headers. In such architecture, all the empty SSL sessions would have piled up at the ADC. Should the ADC connection table become full, dynamic reaping closes inactive connections to free up new ones for authentic SSL connections. There are other benefits to terminating SSL at the full proxy application delivery controller. Some firms terminate SSL at a full proxy ADC and then invoke DDoS scrubbing services behind it (because those services can now see the decrypted payload). However, financial firms are often required to re-encrypt the traffic as it leaves the ADC, so for them; the ADC is the only device that can mitigate an SSL attack. Lastly, the ADC can be an ideal device to locate hardware-protected FIPS 140 level 3 key services. Often these services can be expensive and consolidating them from dozens of servers into a pair of ADC controllers makes a lot of sense. In my travels I hear about firewalls failing under attack quite often. It’s ironic that you buy firewalls to protect you, but lately they are becoming the weak-link in an attack. When an SSL infrastructure fails due to an SSL attack it feels like the same thing. SSL is supposed to be a technology that protects good data, but when deployed incorrectly, it can become a vector for mischief. The New Certificate 2048 My Performance Following Google's Lead on Security? Don't forget to Encrypt Cookies. Dispelling the New SSL Myth The 2048-bit Keys to the Kingdom Dear Slashdot: You get what you pay for F5 Friday: Speed Matters Block Attack Vectors, Not Attackers RSA 2012 - BIG-IP Data Center Firewall Solution Making Security Understandable: A New Approach to Internet Security F5 at RSA: Multilayer Security without Compromise
