Is 2013 Half Empty or Half Full?

It certainly has been a wild ride thus far for 2013 as we head into the second half.  Breaches, hacks, exposures, leaks, along with things like BYOD and SDN should make the next 6 months interesting.  From the many headlines in 2012, you'd think organizations would be locked down tight but alas, intruders are still kicking a$$ and taking names...literally.

Media and news organizations, like the New York Times and Wall Street Journal, experienced data breaches due to spear fishing and malware.  According to various news articles, certain journalists were targeted based on their story coverage but more interesting to me is the fact that the anti-virus along with the IPS/IDS in place failed to catch the malware.  Unless there is a signature in place for a known piece of evil code, that demon will make it's way through.

Financial institutions up to and including the Federal Reserve were breached.  While many bank hacks are driven by monetary gain, sometimes they are the targets of political activists.  Humans are very passionate about their beliefs and like to express those feelings.  There have always been protesters and activists - some write letters, some picket on the sidewalk, some throw rocks and with the advent of the internet, now you can protest by creating digital havoc.  Instead of hoping that people boycott a particular entity, you can simply take it out yourself so no one can get to the site. 

Social media networks continue to feel the heat from breaches.  Many social media sites are now deploying two-factor authentication to help reduce password exposures and increase verification checks.  Many news stories have talked about password usage and it's good that two factor is being deployed...but,in many cases, it is only after the bad news hits the media.  Why wait?

To help organizations understand the various web threats, OWASP has released their Top 10 for 2013 (with changes from 2010 Edition):

• A1 Injection
• A2 Broken Authentication and Session Management (was formerly 2010-A3)
• A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration (was formerly 2010-A6)
• A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
• A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
• A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
• A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
• A10 Unvalidated Redirects and Forwards

Along with their Top 10 Mobile Risks:

• M1: Insecure Data Storage
• M2: Weak Server Side Controls
• M3: Insufficient Transport Layer Protection
• M4: Client Side Injection
• M5: Poor Authorization and Authentication
• M6: Improper Session Handling
• M7: Security Decisions Via Untrusted Inputs
• M8: Side Channel Data Leakage
• M9: Broken Cryptography
• M10: Sensitive Information Disclosure

These are guides to help organizations understand the threats but always make sure you understand you own risks and focus on mitigating those first whether they are on the OWASP Top 10 or not.  Then make sure you're covered on the rest.

So far, 2013 has been full of breaches that empties an organization's information.

ps

Related:

• Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
• US Federal Reserve confirms it was hacked during the Super Bowl
• Does Lax Network Security Lead To Cyber Attacks: 2013’s Top Hacks
• Twitter introduces 'two-factor authentication' to stop password hacking
• Motorola shows off tattoo and swallowable password hardware
• OWASP Top 10 2013 - PDF
• OWASP Mobile Security Project

Technorati Tags: 2013,breach,owasp,hacks,vulnerabilities,threats,security,risk,malware,f5,silva,exposure,authentication,2fa,web security

Connect with Peter:	Connect with F5:

Small Business is a Big Target

If you think that small businesses are not an enticing enough target to breach, think again.  While the media has certainly upped it's coverage over the last couple years pertaining to data loss, many of the headlines involved global brands and tens of thousands records...not the corner deli, the mom/pop shop or the new start up.  Yet a couple of recent reports show that small businesses and start-ups are prime targets for data loss.

The annual, chuck full of stats, Verizon Data Breach Report noted that of the 621 confirmed data breaches, almost half happened at companies with less than 1000 employees and almost 200 at companies with less than 100 employees.  A Symantec report echoed the finding.  In theirs, small businesses with less than 250 employees accounted for 31% of the attacks in 2012, up 18% from 2011.  Symantec also notes that start-ups are especially vulnerable in the early going.

Why are these groups targets?

They have valuable data - intellectual property, financial information, digital identities - but may not have the resources to properly protect that data.  Many large, global companies have beefed up their security in fear of becoming the next headline in a major newspaper.  Thieves usually go after the easiest target - those with limited resources to protect against such an attack.  Thieves may also infiltrate a smaller organization to jump on a global network if a partnership is in place. Take out the villages before entering the capital.  In a start-up's situation, as they quickly launch, employees may be enticed to click a malicious link in an email...which then spreads.  Most startups get infected with malware within the first year.

From marketing organizations to cleaning products to credit repair services, here are some stories of how cyber attacks almost destroyed 5 small businesses.

ps

Related:

• Targets of Opportunity
• Cyberattacks devastated my business!
• Cybercrime's easiest prey: Small businesses
• New startups prime targets for cyberattacks
• Cybercrime, the Easy Way
• Ride The Crime Coaster
• Offering Secure Managed Access Services with BIG-IP Devices

Technorati Tags: crime,cyber security,risk,safety,ddos,breach,attacks,digital,physical,personal,police,law enforcement,afm,silva,security

Connect with Peter:	Connect with F5:

TechEd2013 – The Video Outtakes

The bloops, cuts, laughs, mistakes and outtakes from #MSTechEd 2013. We’re all human.

ps

Related:

• TechEd2013 – Find F5
• TechEd2013 – Network Virtualization & Cloud Solutions
• TechEd2013 – Secure Windows Azure Access
• TechEd2013 – The Top 5 Questions
• TechEd2013 – NVGRE with Microsoft’s System Center 2012 VMM (feat. Korock)
• TechEd2013 – Gimme 90 Seconds Betcha Didn’t Know Edition (feat. Simpson)
• TechEd2013 – That’s a Wrap
• F5® Scales and Optimizes Windows Server 2012 Hyper-V Network Virtualization and Cloud Environments
• F5 Bridges the Physical and Virtual Worlds at Microsoft Tech Ed
• F5's YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5 Series

Technorati Tags: f5,teched,microsoft,video,outtakes,bloopers,mistakes,humor,fun,silva

Connect with Peter:	Connect with F5:

TechEd2013 – That’s a Wrap

I wrap it up from the Microsoft TechEd North America 2013 Conference. Special thanks to Jeff Bellamy, Greg Coward, Ryan Korock and Phil Simpson along with my camera operators Courtney, Natasha and Robert. Reporting from New Orleans, thanks for watching!

ps

Related:

• TechEd2013 – Find F5
• TechEd2013 – Network Virtualization & Cloud Solutions
• TechEd2013 – Secure Windows Azure Access
• TechEd2013 – The Top 5 Questions
• TechEd2013 – NVGRE with Microsoft’s System Center 2012 VMM (feat. Korock)
• TechEd2013 – Gimme 90 Seconds Betcha Didn’t Know Edition (feat. Simpson)
• F5® Scales and Optimizes Windows Server 2012 Hyper-V Network Virtualization and Cloud Environments
• F5 Bridges the Physical and Virtual Worlds at Microsoft Tech Ed
• F5's YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5 Series

Technorati Tags: f5,teched,microsoft,msteched,azure,nvgre,network virtualization,silva,video,trade show,Hyper-V

Connect with Peter:	Connect with F5:

TechEd2013 – Gimme 90 Seconds Betcha Didn’t Know Edition (feat. Simpson)

The coolest trade show game show is back! F5 Business Development Manager Phil Simpson tests his F5 knowledge in this special ‘Betcha Didn’t Know’ Edition. When people hear of the many BIG-IP capabilities their response is often, ‘I didn’t know you could do that!’ Let’s see if Phil can win the limited edition psilva autographed F5 ball by sharing some unique BIG-IP features that you may not have known about. These are always fun.

ps

Related:

• TechEd2013 – Find F5
• TechEd2013 – Network Virtualization & Cloud Solutions
• TechEd2013 – Secure Windows Azure Access
• TechEd2013 – The Top 5 Questions
• TechEd2013 – NVGRE with Microsoft’s System Center 2012 VMM (feat. Korock)
• F5® Scales and Optimizes Windows Server 2012 Hyper-V Network Virtualization and Cloud Environments
• F5 Bridges the Physical and Virtual Worlds at Microsoft Tech Ed
• F5's YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5 Series

Technorati Tags: f5,teched,microsoft,msteched,azure,nvgre,network virtualization,silva,video,trade show,Hyper-V,big-ip

Connect with Peter:	Connect with F5:

TechEd2013 – NVGRE with Microsoft’s System Center 2012 VMM (feat. Korock)

After resisting for over 3 years, F5 Technical Director Ryan Korock finally joins me on camera to discuss the new NVGRE solution. This new solution—along with F5’s broader solution set—aims to help customers assure reliable performance regardless of how individual organizations choose to architect their systems. Through integration with Microsoft’s System Center 2012 Virtual Machine Manager, the F5 solution will dynamically serve as a bridge between customers’ virtualized and non-virtualized environments. F5 solutions can augment Windows Server 2012 Hyper-V Network Virtualization environments, providing notable benefits for organizations deploying Microsoft and F5 technologies in concert, including cloud and service providers.

ps

Related:

• TechEd2013 – Find F5
• TechEd2013 – Network Virtualization & Cloud Solutions
• TechEd2013 – Secure Windows Azure Access
• TechEd2013 – The Top 5 Questions
• F5® Scales and Optimizes Windows Server 2012 Hyper-V Network Virtualization and Cloud Environments
• F5 Bridges the Physical and Virtual Worlds at Microsoft Tech Ed
• F5's YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5 Series

Technorati Tags: f5,teched,microsoft,msteched,azure,nvgre,network virtualization,silva,video,trade show,Hyper-V

Connect with Peter:	Connect with F5:

TechEd2013 – The Top 5 Questions

I review the top 5 questions being asked in booth 816 at #MSTechEd 2013. Azure, NVGRE and TMG all make the list. There is a surprise at #5 but not to those of us in the booth. :-)

ps

Related:

• TechEd2013 – Find F5
• TechEd2013 – Network Virtualization & Cloud Solutions
• TechEd2013 – Secure Windows Azure Access
• F5® Scales and Optimizes Windows Server 2012 Hyper-V Network Virtualization and Cloud Environments
• F5's YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5 Series

Technorati Tags: f5,teched,microsoft,msteched,azure,nvgre,silva,video,trade show,Hyper-V,tmg

Connect with Peter:	Connect with F5: