Tuesday, December 20, 2016

Blog Roll 2016

It’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2016 entries.

After 12 years at F5, I had a bit of a transition in 2016, joining the amazing DevCentral team in February as a Sr. Solution Developer. You may have noticed a much more technical bent since then…hopefully. We completed our 101 Certification Exam this year and will be shooting for the 201 next quarter. We started highlighting our community with Featured Member spotlight articles and I finally started contributing to the awesome LightBoard Lessons series. I also had ACDF surgery this year, which is why November is so light. Thanks to the team for all their support this year. You guys are the best!

If you missed any of the 53 attempts including 7 videos, here they are wrapped in one simple entry. I read somewhere that lists in articles are good. I broke it out by month to see what was happening at the time and let's be honest, pure self-promotion. I truly appreciate the reading and watching throughout 2016.

Have a Safe and Happy New Year!


January
February
March
April
May
June
July
August
September
October
November
December

And a couple special holiday themed entries from years past.
ps
Related

Wednesday, December 14, 2016

Lightboard Lessons: SSO to Legacy Web Applications

IT organizations have a simple goal: make it easy for workers to access all their work applications from any device. But that simple goal becomes complicated when new apps and old, legacy applications do not authenticate in the same way.

In this Lightboard Lesson, I draw out how VMware and F5 helps remove these complexities and enable productive, any-device app access. By enabling secure SSO to Kerberos constrained delegation (KCD) and header-based authentication apps, VMware Workspace ONE and F5 BIG-IP APM help workers securely access all the apps they need—mobile, cloud and legacy—on any device anywhere.



ps

Related:

Tuesday, December 13, 2016

F5 DevCentral Asks, ‘How Can We Help in 2017?’

Back in 2003, DevCentral was one of the early/first corporate social media sites dedicated to serving, sharing, supporting and engaging our user community. Some 14 years later, we have MVPs, Featured Members and You all contributing to a lively, engaged community. We have some cool stuff planned for 2017 and we recently asked a few of our Featured Members what they’d like help with in 2017. They share their time, knowledge & tips with the community and we thought, what can we (the collective DevCentral ‘we’) offer back.

The question was: What do you think will be some of your biggest IT challenges in the coming year and how can the DevCentral community help you achieve your goals in 2017?

Here’s what they said:
Yann Desmarest (Innovation Center Manager, e-Xpert Solutions SA): My biggest IT challenges for the coming year will be API security, Oauth and OpenID Connect integration, Data Loss Prevention and CASB (Cloud Access Security Brokers). Through DevCentral, I hope to get resources, code and articles that guide me in the right direction to solve those challenges. I would love to get more dissections of known attacks (DDoS, ransomware, etc.) by security researchers. Some BIG-IP ASM and APM hands-on virtual labs on tricky features along with some tutorials to integrate F5 products with Microsoft Office suite. One request is chat capabilities with DevCentral members to ask questions or interact for sharing feedback.

Koman Vijay Emarose (Network Architect, Rackspace): My team would like an article series from F5 Engineers sharing interesting support cases & solutions on how they resolved it. We’d also like some information around F5’s place within the world of network virtualization and public cloud. Some guidance on F5 supported and recommended automation platform (Ansible, Python, TCL, etc.) examples around usage would be great. Some of the automation works great for certain code versions yet not so much for other versions. F5’s stance on a specific automation tool would be helpful for us to devote our time and resource to master the automation tool. Lastly, some articles on new technologies including but not limited to, Network Virtualization, 5G, IoT and public cloud integration. 
Joel Newton (Senior DevOps System Engineer, SpringCM): We'd like to start thinking about architecting a solution that utilizes Windows containers, so I’d like to understand how best to configure and utilize our BIG-IP LTM devices in a container-based architecture. Maybe publish some research and/or examples from the F5 lab of what F5 folks have done with Windows containers would be cool.
I know the DevCentral team has some ideas and if you’d like to engage with Joel, Vijay or Yann, please reach out to them…or post a comment here.

Finally, we’re conducting a site survey on DevCentral and would appreciate your feedback. If you get a pop-up that looks like:


Please give your feedback on 8 simple questions. Should easily take less than 5 minutes and helps us, help you.

Thanks!

The DevCentral Team

Friday, December 9, 2016

The Top 10, Top 10 Predictions for 2017

The time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.

8 Predictions About How the Security Industry Will Fare in 2017 – An eWeek slideshow looking at areas like IoT, ransomware, automated attacks and the security skills shortage in the industry. Chris Preimesberger (@editingwhiz), who does a monthly #eweekchat on twitter, covers many of the worries facing organizations.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyberattacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Catastrophic botnet to smash social media networks in 2017 – At the halfway point the Mirai botnet rears its ugly head and ZDNet explains how Mirai is far from the end of social media disruption due to botnets. With botnets-for-hire now available, there will be a significant uptick in social media botnets which aim not only to disrupt but also to earn money for their operators in 2017. Splendid.

Torrid Networks’ Top 10 Cyber Security Predictions For 2017Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add machine learning twist to their products and at the same time, there will be next-gen malware with an ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and if technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions include a detailed description along with risks and potential solutions.

2017 Security Predictions – CIO always has a year-end prediction list and this year doesn’t disappoint. Rather than reviewing the obvious, they focus on things like Dwell time, or the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. Little different take and a good read.

Predictions for DevOps in 2017 – I’d be remiss if I didn’t include some prognosis about DevOps - one of the most misunderstood terms and functions of late. For DevOps, they will start to include security as part of development instead of an afterthought, we’ll see an increase in the popularity of containerization solutions and DZone sees DevOps principals moving to mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!
Bonus Prediction!
Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help with the disabled or help those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

ps

Wednesday, December 7, 2016

Managing Your Vulnerabilities

I recently recovered from ACDF surgery where they remove a herniated or degenerative disc in the neck and fuse the cervical bones above and below the disk. My body had a huge vulnerability where one good shove or fender bender could have ruptured my spinal cord. I had some items removed and added some hardware and now my risk of injury is greatly reduced.


Breaches are occurring at a record pace, botnets are consuming IoT devices and bandwidth, and the cloud is becoming a de-facto standard for many companies. Vulnerabilities are often found at the intersection of all three of these trends, so vulnerability and risk management has never been a greater or more critical challenge for organizations.

Vulnerabilities come in all shapes and sizes but one thing that stays constant – at least in computer security - is that a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. It is the intersection where a system is susceptible to a flaw; whether an attacker can access that flaw; and whether an attacker can exploit that flaw within the system. For F5, it means an issue that results in a confidentiality, integrity, or availability impact of an F5 device by an unauthorized source. Something that affects the critical F5 system functions - like passing traffic.

You may be familiar with CVE or Common Vulnerabilities and Exposures. This is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure gets a name or CVE ID and allows organizations to reference it in a public way. It enables data exchange between security products and provides a baseline index point for evaluating coverage of tools and services. MITRE is the organization that assigns CVEs. There are also CVE Numbering Authorities (CNA). Instead of sending a vulnerability to MITRE for numbering, a CNA gets a block of numbers and can assign IDs as needed. The total CVE IDs is around 79,398.

Most organizations are concerned about CVEs and the potential risk if one is present in their environment. This is obviously growing with the daily barrage of hacks, breaches and information leaks. Organizations can uncover vulnerabilities from scanner results; from media coverage like Heartbleed, Shellshock, Poodle and others; or from the various security related standards, compliance or internal processes. The key is that scanning results need to be verified for false positives, hyped vulnerabilities might not be as critical as the headline claims and what the CVE might mean for your compliance or internal management.

For F5, we keep a close eye on any 3rd party code that might be used in our systems. OpenSSL, BIND or MySQL are examples. For any software, there may be bugs or researcher’s reports or even non-CVE vulnerabilities that could compromise the system. Organizations need to understand the applicability, impact and mitigation available.

Simply put: Am I affected? How bad is it? What can I do? 


With Applicability, research typically determines if an organization should care about the vulnerability. Things like, is the version of software noted and are you running it. Are you running the vulnerable function within the software? Sometimes older or non-supported versions might be vulnerable but you’ve upgraded to the latest supported code or you are simply not using the vulnerable function at all. The context is also important. Is it being used in default, standard or recommended mode? For instance, many people don’t change the default password of their Wi-Fi device and certain functionality is vulnerable. It gets compromised and becomes part of a botnet. But if the password was changed, as recommended, and it becomes compromised some other way, then that is a different situation to address.



For Impact, there are a couple ways to decide how bad it is. First, you can look at the severity of the vulnerability - is it low, medium, high or critical. You can also see if there is a Common Vulnerability Scoring System (CVSS) score tied to the vulnerability. The CVSS score can give you a gauge to the overall risk. To go a bit deeper, you can look at the CVSS Vector.

There are 3 sections to the CVSS. There are the constant base metrics covering the exploitability of the issue, the impact that it may have and the scope that it is in. There are the temporal metrics, which may change over time, giving the color commentary of the issue. And there are the environmental metrics which look at the specific, individual environment and how that is impacted. Areas explored here include things like the attack vector and complexity; whether elevated privileges are required or any user interaction along with the scope and how it affects the confidentiality, integrity and availability of the system. One can use the CVSS calculator to help determine a vector score. With a few selections you can get a base, temporal and environmental score to get an overall view of the severity. With this, you can get an understanding as to how to handle the vulnerability. Every organization has different levels of risk based on their unique situation. The vulnerability base score may have a critical listing yet based on your environmental score, the severity and risk may be nil.

Lastly, the Mitigation taken is not an exact science and truly depends on the issue and the organization’s situation. Mitigation is not necessarily prevention. For example, compensating controls, such as restricting root level access might mean that a vulnerability simply isn’t exploitable without a privileged account.
Vulnerability management and information security is about managing risk. Risk analysis, risk management, risk mitigation and what that risk means to the business. Patching a vulnerability can introduce other risks, so the old refrain of “patch your $#!+” is not the panacea we’re often led to believe. Risk is not limited to the severity of the vulnerability alone, but also to the required vector for exploiting that vulnerability where it exists within a specific organization’s infrastructure.

It’s important to understand your risk and focus on the important pieces.


ps