Tag Archives: security

Let’s Hope Not: Least Favorite 2013 Prediction is “Hacking-as-a-Service”

Among all the pundit predictions for the coming year in cloud computing, the one that caught my eye was this one by BusinessInsider’s Julie Bort in an article entitled “5 Totally Odd Tech Predictions That Will Probably Come True Next Year”:

1. Bad guys start offering “hacking as a service”

Security company McAfee says that criminal hackers have begun to create invitation-only forums requiring registration fees. Next up, these forums could become some sort of black-market software-as-a-service. Pay a monthly fee and your malware is automatically updated to the latest attack. Don’t pay, and it would be a shame if something happened to your beautiful website …

HaaS? Let’s hope not.

When Encryption Doesn’t Mean More Secure

By Ken Smith

I have had a number of clients reach out to me about how to implement whole disk encryption, SQL transparent data encryption, and encryption of VMware VMDK files in order to satisfy “data at rest” security requirements. My response is usually something like “Say that again?”

These types of encryption approaches are designed to better protect data at rest on media that may be accessible to individuals who are not authorized to access such data. This is usually some form of portable media such as a hard drive in a notebook computer, a portable USB hard drive, a USB stick, a backup tape, etc. And by “at rest” we are talking about files that have been saved to media and are not currently open or active. So to summarize, these types of encryption solutions are intended to protect data at rest on some form of portable media or media that is generally accessible to individuals who should not have access to sensitive data stored on that media. What I’m seeing, however, is that this type of encryption is being adopted to address “encrypt sensitive data” compliance requirements such as PCI DSS.

The intent of such “encryption of data at rest” requirements is to protect specific data from unauthorized access whether it be via application access, network file system access, or physical access. If the sensitive information is on storage media that is physically secured in a data center and this data is protected with appropriate network file system access controls, then the only thing remaining is to render the data unreadable to any unauthorized party at the application access level. This is where column or field level encryption comes in. Only authorized individuals or processes have access to the sensitive information in unencrypted form, and only authorized individuals or processes have access to the decryption keys that allow such access.

Let’s switch back to whole disk encryption and SQL transparent data encryption. When a system that’s running either of these is brought online, all users of the system have access to unencrypted data. Not just specific users who have been authorized to access specific sensitive information, but all users. When a server running BitLocker has finished booting, every process and user running on that host has access to data that BitLocker is decrypting for them on the fly every time it’s read from disk. A SQL database server running TDE makes all of its data accessible to all processes and users that have access to the database. While the database is running, the encrypted data is decrypted on-the-fly for all to see. The decryption keys are automatically presented regardless of who is requesting them. This isn’t really “protecting specific data from unauthorized access with encryption” is it?
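The contrast described above, as an added T-SQL example for SQL Server that is not part of the original article. The database `Sales`, the table `dbo.Payments`, the users `report_reader` and `payment_service`, and all key and certificate names are assumptions made for illustration; the passwords are placeholders.

```sql
-- Assumed for illustration: database Sales, table
-- dbo.Payments(PaymentId int, CardNumber varchar(19)), and database users
-- report_reader and payment_service, both granted SELECT on dbo.Payments.

-- 1. Transparent data encryption: protects data files and backups only.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for Sales';
GO
USE Sales;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE Sales SET ENCRYPTION ON;
GO

-- The engine decrypts pages on read for whoever runs the query, so any
-- principal with SELECT still gets the card numbers in the clear.
EXECUTE AS USER = 'report_reader';
SELECT PaymentId, CardNumber FROM dbo.Payments;
REVERT;
GO

-- 2. Column-level encryption: the value is unreadable without the key,
--    and access to the key is granted separately from access to the table.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
ALTER TABLE dbo.Payments ADD CardNumberEnc varbinary(256) NULL;
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
UPDATE dbo.Payments
   SET CardNumberEnc = ENCRYPTBYKEY(KEY_GUID('CardKey'), CardNumber);
CLOSE SYMMETRIC KEY CardKey;
GO
ALTER TABLE dbo.Payments DROP COLUMN CardNumber;
GO

-- Only the payment service is allowed to use the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO payment_service;
GRANT CONTROL ON CERTIFICATE::CardCert TO payment_service;
GO

-- Authorized process: opens the key and reads the card numbers.
EXECUTE AS USER = 'payment_service';
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT PaymentId,
       CONVERT(varchar(19), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardKey;
REVERT;
GO

-- Same SELECT permission, no key: the column is ciphertext and
-- DECRYPTBYKEY returns NULL because no usable key is open in the session.
EXECUTE AS USER = 'report_reader';
SELECT PaymentId,
       CardNumberEnc,
       CONVERT(varchar(19), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Payments;
REVERT;
GO
```

In this setup members of `db_owner` and `sysadmin` can still open the key, so keeping card data away from database administrators requires holding the key outside the database.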

With the proliferation of virtualization and cloud-based systems, we are now seeing this same thinking applied to protecting sensitive virtual systems. For a VMware environment, VMDK files can be encrypted to protect them from unauthorized access and use, but this method works the same way as whole disk encryption and SQL TDE. The data is only protected when it has been written to disk, the VM is not actually running, and the decryption keys are accessible only to the specific services and users that require access to the sensitive data. In most environments, this is not the case.

This type of encryption does have its place. For example, in multi-tenant or public cloud environments, it may be desirable to only allow specific authorized hypervisors to use certain virtual instances. It may make sense for SQL TDE to encrypt every database write to disk if you are using a public cloud provider’s storage and backup solutions. It might be a good idea to use whole disk encryption on a system that is physically at risk of being stolen. But just throwing these types of solutions at a system because they have the word encryption in them and they are easy doesn’t always mean that you’re actually doing a better job protecting sensitive information.

UK Survey: Public Cloud Not Considered Safe Enough by 87 Per Cent of Businesses

City Lifeline, the central London colocation data centre, has found that private Cloud is the more popular choice for businesses, with 63 per cent choosing private over public. Although the results, which come from an on-stand survey carried out at this year’s IP Expo, also demonstrated a growing understanding of Cloud in general (only 4 per cent of businesses claimed not to understand it), 87 per cent felt that private was safer than public.

Roger Keenan, managing director at City Lifeline said, “With technology, security risks should always be considered, but they do not need to become obstacles. Our aim at this year’s IP Expo was to increase understanding of Cloud among businesses, so they can make the most of all it affords. Both public and private Cloud have merits, but security should not be a concern with either if you are working with a reputable provider”.

Although acceptance of the Cloud as a concept continues to increase, the Federal Cloud Computing Survey recently found that security was one of the top challenges facing businesses when they consider the Cloud. However, City Lifeline found that privacy and security issues surrounding the Cloud in general are quickly becoming a thing of the past, with only 37 per cent of respondents letting this stand in their way. 41 per cent of businesses believe there are no obstacles at all, so why is there such a discrepancy around public over private?


Swivel Secure Launches University Licensing in UK, North America

Tokenless authentication provider Swivel Secure today announced the launch of its university licensing scheme, which enables universities in both the UK and North America to secure their network infrastructures at a fraction of the typical costs, regardless of whether their data is stored in the cloud or on a virtual private network.

Under the terms of the scheme, Swivel Secure channel partners are able to offer free licences for Swivel’s tokenless authentication platform to a university’s student population, when full licences are purchased for staff members. The scheme enables budget conscious universities to add an additional level of security to their network infrastructure without the need for extensive additional investment.

In both markets, data and network security is a growing concern amongst university IT administrators. Compliance with strict data protection regulations, together with increasing demands from students to access the campus network from a range of different devices and applications, is creating a complex environment that is putting pressure on existing access controls. Additionally, many campuses are also looking to realise the cost savings offered by migrating to a cloud-based infrastructure, which raises fresh concerns about authenticating off-premise users of the campus network.

“Cloud is already an attractive cost saving option for universities and Microsoft’s recent offer of free university licences for Office 365 will undoubtedly encourage more campuses to adopt the model,” comments Chris Russell, VP Engineering at Swivel Secure. “But universities should tread carefully. The ubiquitous reuse of username and password combinations is a real threat to cloud security. Often, all a hacker needs to do is to obtain and reuse a student’s login details for, say, Facebook, in order to gain unauthorised access to the campus network.

“Universities need to be implementing an authentication solution that requires an additional piece of information so if a user’s password is compromised the network remains protected. Our new licensing scheme enables universities to secure their VPN or cloud-based infrastructures in this manner using the only tokenless authentication platform approved for the Microsoft Office 365 environment. Providing free licences to all students should put the technology within reach of most, if not all universities, even those working hard to contain additional costs.”

The Swivel authentication platform was first launched in 2003. It is now used by local government, the NHS, major global enterprises and hundreds of smaller businesses, in over 35 countries, to remotely access their business networks, virtual desktops and cloud-based applications. Offering the widest range of user deployment options according to Gartner, the Swivel authentication platform offers the choice of mobile apps, SMS and interactive voice response channels when full two-factor authentication is mandatory.


NorseCorp Launches Context-Aware Cyber Risk Intelligence Solution

NorseCorp, the provider of live cyber risk intelligence and solutions for businesses to reduce eCommerce fraud and secure their high-value data, today announced the launch of its flagship cloud security service, IPViking™. IPViking is the first solution to harness Big Data analytics of live Internet traffic to deliver contextually-aware and actionable cyber risk intelligence, a missing layer in today’s security technology stack that levels the playing field for developers and enterprises in their fight against cyber crime, hacking, and ecommerce fraud.

In recent years the security landscape has changed dramatically. Companies are now spending more money on security solutions than ever, while breaches and data losses continue to rise. Meanwhile the total cost of these breaches has also increased. A recent study of U.S. companies sponsored by Hewlett Packard and conducted by the Ponemon Institute indicates that the cost and frequency of cybercrime have both continued to rise for the third straight year, with the occurrence of cyber attacks more than doubling over a three-year period and the financial impact increasing by nearly 40 percent. The study also revealed a 42 percent increase in the number of cyber attacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.

“Today’s security solutions lack the dedicated computing power to process the massive volume of cyber threats, something that hackers have exploited for years,” said Tommy Stiansen, CTO at Norse. “Norse developed a unique system combined of global infrastructure hardware and powerful proprietary software to acquire live threat data, delivering to customers in milliseconds as actionable intelligence. Because of Big Data tools, GPU computational clusters and IPViking, companies can secure their infrastructure, network transactions and applications more effectively than ever.”

To address this challenging security landscape, Norse created IPViking, a SaaS technology and service that reduces strain on existing reactive security solutions, while increasing their effectiveness by providing live intelligence that is context-aware and adaptive to the continually changing nature of the Internet threat landscape.

IPViking does this in three ways:

  • True Big Data Analytics – The ability to continuously collect and
    analyze vast amounts of live Internet traffic and turn it into
    actionable insight and cyber risk intelligence supported by over 1,500
    criteria.
  • Internet-Scaled Global Infrastructure – A purpose-built ultra fast
    private cloud infrastructure that delivers intelligence to businesses
    in milliseconds before a potential network connection can become an
    attack, massively scalable to meet the demands of enterprises,
    datacenters, managed security providers, public and private cloud
    providers, and ISPs.
  • Flexible RESTful and JSON APIs – IPViking enables enterprises and
    developers to easily add live context-aware and adaptive security
    intelligence to any website, app, or device via flexible APIs that
    support virtually all programming languages.

“To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made,” said Neil MacDonald, “Using ‘Big Data’ to Address the Next Generation of Information Security Problems,” Gartner Symposium/ITxpo, October 21, 2012. “This is the heart of adaptive and context-aware security.”

As networking and security evolve toward new software defined architectures, IPViking gives enterprises and networking vendors the ability and flexibility to make intelligent risk weighted decisions and policy enforcement at the hardware, software, virtual machine, and cloud level via integration through new emerging standards such as OpenFlow.

“While security solution providers have developed increasingly complex solutions to help companies defend against today’s attacks and breaches, they’ve never been more vulnerable,” said Sam Glines, Norse CEO. “The massive increase in the possible attack vectors resulting from the broadening of the online corporate footprint and the increasing costs of managing today’s complex security solution stack have placed unprecedented demands on CISOs and IT security staff. IPViking’s adaptive defense capabilities mitigate risks caused by today’s highly sophisticated attacks, as well as vacant or unenforced policies, unpatched servers and software, and human error by providing millisecond awareness of harmful inbound traffic that today’s reactive security solutions miss.”


Swivel Secure launches in North America

Swivel Secure, a provider of tokenless authentication technology that is capable of securing Microsoft Office 365 as well as other cloud and virtual private network (VPN) remote access solutions, announced its expansion into North America and the opening of its first office in Seattle, Washington.

Swivel Secure is a UK network security solutions provider that has pioneered the development of tokenless, multi-factor authentication technology. The Swivel authentication platform, first launched in 2003, is now used in over 35 countries by governments and global enterprises in a range of sectors including healthcare, pharmaceuticals and logistics as well as in hundreds of smaller businesses around the world.

Swivel’s strategic entry into North America marks the launch of an aggressive channel expansion programme targeting value added resellers (VARs) in the Washington State area and beyond.

“The market for tokenless authentication is growing rapidly as US businesses start to take cloud solutions seriously,” comments Fraser Thomas, VP International, Swivel Secure, who is spearheading the US expansion and VAR recruitment programme. “Given that Swivel is an approved tokenless provider for Microsoft Office 365, a Swivel partnership will enable VARs to offer a compelling remote access proposition for businesses that are migrating to the cloud, together with those that are employing more traditional VPN solutions.”

The unauthorised access of sensitive corporate data is one of the biggest fear factors holding businesses back from migrating to the cloud. Securing a corporate infrastructure with multi-factor authentication means that business owners can be assured that only permitted individuals will be able to gain access to their corporate systems.


McAfee Launches New Data Center Security Suites

McAfee today announced four new Data Center Security Suites to help secure servers and databases in the data center. The suites offer a unique combination of whitelisting, blacklisting and virtualization technologies for protecting servers and virtual desktops. These solutions provide optimal security for servers and databases in physical, virtualized and cloud-based data centers, with minimal impact on server resources which is a key demand for data centers.

“Performance and security are key concerns for servers in the physical, virtualized or cloud-based data centers,” said Jon Oltsik, Senior Principal Analyst, Information Security and Networking at Enterprise Security Group. “The new server security suites from McAfee, based on its application whitelisting, virtualization and blacklisting and AV technologies, provide an enhanced security posture while maintaining the high server performance needs of the data center.”

The suites offer customers the ability to protect their physical and virtual servers and virtual desktops with a unique combination of technologies in a single solution.

  • McAfee Data Center Security Suite for Server provides a
    complete set of blacklisting, whitelisting, and optimized
    virtualization support capabilities for basic security on servers of
    all types
  • McAfee Data Center Security Suite for Server–Hypervisor Edition
    provides a complete set of blacklisting, whitelisting, and optimized
    virtualization support capabilities for basic security on servers of
    all types and is licensed per Hypervisor
  • McAfee Data Center Security Suite for Virtual Desktop Infrastructure
    provides comprehensive security for virtual desktop
    deployments without compromising performance or the user experience
  • McAfee Database Server Protection provides database activity
    monitoring and vulnerability assessment in a single suite, for all
    major database servers in the data center

“McAfee is leading the industry with these new solutions for protecting servers in the data center,” said Candace Worley, senior vice president and general manager of endpoint security at McAfee. “The combination of whitelisting, blacklisting and virtualization in a single solution, offers an optimal security posture for protecting servers in the data centers. These solutions address the need in the industry to offer solutions that provide the highest level of protection with minimal impact on the resources they are deployed on and in a wide range of customized licensing options.”

 


London City Lifeline Colo Gets ISO27001 Security Certification

City Lifeline, the central London colocation data centre, has today been awarded ISO27001 Information Security Management Certification. This accreditation confirms that City Lifeline’s security systems and processes meet the highest recognised international standards for physical security and information security.

Security, both of equipment operation and data integrity, is critical for all companies and organisations. When asked, organisations using data centre and colocation services consistently rate security as their number one priority. The internationally administered and recognised ISO27001 certification gives customers confidence that a data centre operates at the highest level of security and that it consistently delivers what it claims.

Commenting on the achievement, Roger Keenan, managing director at City Lifeline said: “We are thrilled to have been awarded the prestigious ISO27001 accreditation. Achieving ISO27001 took us over a year of hard work. All of our existing processes and procedures were reviewed and overhauled where needed and comprehensively documented. City Lifeline has always been strong on security and this new certification confirms that companies and organisations can trust and rely on us to keep their equipment and data 100 per cent secure.”

ISO27001 is an internationally recognized certification that sets out specific physical and information security standards, which must be continuously maintained by those to whom it is awarded.


LogRhythm Partners with VMware to Automate Regulatory Compliance in Virtualized Environments

LogRhythm today announced that it has partnered with VMware to contribute to its newly introduced VMware Compliance Reference Architectures, a set of resources including solution guides and design architectures intended to simplify compliance for business-critical applications in the cloud era. As part of this initiative, LogRhythm has published the LogRhythm Solution Guide for Payment Card Industry (PCI), an addendum to the VMware Solution Guide for PCI. The LogRhythm solution addendum is a QSA-reviewed guide that outlines how the company’s SIEM 2.0 platform complements existing VMware security capabilities to help customers assure PCI compliance when virtualizing mission-critical business applications with VMware vSphere®.

“Security and compliance are top concerns for organizations seeking to virtualize critical business systems such as PCI payment processing,” said Parag Patel, vice president, Global Strategic Alliances, VMware. “We’re committed to helping customers address these concerns on their journey to the cloud, and partners like LogRhythm extend our native security capabilities to make this possible. Through our solution guides, VMware and LogRhythm are delivering a validated roadmap that details how organizations can achieve PCI compliance in virtualized environments.”

LogRhythm’s SIEM 2.0 platform delivers the visibility and insight needed to detect, defend against and respond to increasingly sophisticated cyber threats, efficiently meet compliance requirements, and proactively respond to operational challenges. The company provides out-of-the box compliance solutions that enable organizations to meet their requirements for log data collection, review, archive, reporting, and alerting under mandates such as PCI, HIPAA, NERC-CIP, GLBA, Sarbanes Oxley, GPG 13, and other regulatory regimes. LogRhythm’s PCI compliance package features specific investigations, alarms and reports designed to meet PCI reporting requirements, and directly addresses or augments at least 80 individual PCI controls. With fully integrated file integrity monitoring, advanced multi-tenant support, robust reporting, and rapid search and drill-down capabilities, LogRhythm is an ideal solution for addressing PCI compliance requirements in virtual environments. LogRhythm can ensure that sensitive data, such as credit card account information, is not inappropriately accessed by shared virtual resources or unauthorized individuals. LogRhythm is field-proven in numerous deployments where the solution is being used to automate and assure regulatory compliance in virtual environments.

“We’re very pleased to have been selected by VMware to help address the compliance requirements of customers moving their critical systems to virtual and private cloud environments,” said Matt Winter, vice president corporate and business development at LogRhythm. “LogRhythm has a significant track record helping customers meet their regulatory compliance obligations in virtual, physical and hybrid environments. Our compliance capabilities dovetail well with VMware’s native security offerings to create a robust and comprehensive solution. With the VMware Solution Guide for PCI and LogRhythm’s addendum solution guide, organizations can have confidence that there is a detailed, validated path to maintaining PCI compliance in virtualized environments.”

The LogRhythm Solution Guide for PCI has been reviewed by Coalfire, an independent Qualified Security Assessor specializing in IT audit, risk assessment and compliance management, and is available for download on the LogRhythm website and VMware Solution Exchange.