Wednesday, March 30, 2011

The Big Attacks are Back…Not That They Ever Stopped

As we've seen with some of the recent high-profile internet attacks, like HBGary, RSA, Google, Comodo and others, no one is immune from being a target, and the perpetrators are exceedingly organized, exceptionally skilled and extremely well-funded. Often, the culprits might be better trained than the IT staff deployed to thwart the attacks. The attacks are targeted, elaborate and aggressive, not to mention a bit creative. The attacks are multi-layered in that once one type of attack settles in, another can and will crop up. They are not simply looking to deface a website; they are attempting to steal valuable data. Customer data, intellectual property, state secrets, SSL certificates and other proprietary, highly sensitive information are the top targets. The malware and other penetration techniques are custom made, can adapt and can cover the tracks of those seeking the information. They may start at the network level with DNS, ICMP or SYN flood attacks, then move to the application with Layer 7 DoS, SQL injection or cross-site scripting, and once compromised, go after the data. Often they try to leave 'back doors' so they can come and go as they please before being detected. And the targets are changing. A couple of years ago it was retail and financial, like Target and Heartland, that were getting attacked, and while those industries are still coveted kills, security companies, sensitive corporate secrets and the internet's overall infrastructure seem to be especially savory these days.

Many organizations do a decent job of securing their infrastructure components but are challenged when it comes to securing their web applications, whether they are hosted in a cloud environment, in-house or both. Forrester reported that in 2009, 79% of breached records were the result of web application attacks. An application breach can cost companies significant amounts of money and seriously damage brand reputation. The 2010 Symantec/Ponemon Data Breach Loss Report calculated that the average cost to a company was $214 per compromised record and $7.2 million over the entire organization. Other areas that an organization may have to address as part of the breach include compliance issues, legal actions, public scrutiny and loss of trust.

BIG-IP ASM provides the application protection you require to block evolving threats no matter where your applications are deployed in today's dynamic environments. One such threat is the recent 'Slow HTTP DoS attack,' which allows attackers to launch a DDoS attack by first sending a POST request with valid 'Content-Length' information and then sending the POST message body very slowly, which leaves the server connection open, depleting resources and eventually crippling the server's ability to accept new connections. BIG-IP ASM, a high-performance, ICSA-certified web application firewall (WAF), can protect against this HTTP vulnerability out of the box with HF-1. Most of our competitors have addressed it through signature updates, or not at all. Signatures are great when they discover Slowloris, not so great when they encounter 5l0wl0ri5.32a.
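To make the slow-POST behaviour concrete from the defender's side, here is an added example (not BIG-IP ASM code or any F5 implementation) of the server-side check a WAF or web server can apply: read the body declared by Content-Length under a hard deadline and a minimum transfer rate, and drop the connection when the client trickles bytes. The read_body and simulate names and the thresholds are assumptions chosen for illustration.

```python
import socket
import threading
import time


class SlowBodyError(Exception):
    """Raised when a request body is arriving too slowly to be legitimate."""


def read_body(conn, content_length, deadline_s=3.0, min_rate_bps=1024, warmup_s=1.0):
    """Read exactly content_length bytes from conn, or abort on a slow client.

    Two checks run on every iteration: a hard deadline for the whole body, and a
    minimum average transfer rate that is only enforced after warmup_s so a
    legitimately slow link is not cut off on its first byte. Thresholds are
    illustrative assumptions, not vendor defaults.
    """
    conn.settimeout(0.2)               # never block indefinitely on a silent client
    buf = bytearray()
    start = time.monotonic()
    while len(buf) < content_length:
        elapsed = time.monotonic() - start
        if elapsed > deadline_s:
            raise SlowBodyError(f"deadline exceeded with {len(buf)}/{content_length} bytes")
        if elapsed > warmup_s and len(buf) / elapsed < min_rate_bps:
            raise SlowBodyError(f"rate {len(buf) / elapsed:.0f} B/s below minimum")
        try:
            data = conn.recv(min(4096, content_length - len(buf)))
        except socket.timeout:
            continue                   # no data yet; loop back and re-check the limits
        if not data:
            raise ConnectionError("client closed before the body was complete")
        buf.extend(data)
    return bytes(buf)


def simulate(body, per_byte_delay_s, **policy):
    """Drive read_body() with a constructed client that paces its POST body.

    Returns ("ok", body) when the server accepts it, or ("dropped", reason)
    when the policy in read_body() tears the connection down.
    """
    server_side, client_side = socket.socketpair()

    def send_slowly():
        try:
            for byte in body:          # one byte at a time, like a slow-POST client
                client_side.sendall(bytes([byte]))
                time.sleep(per_byte_delay_s)
        except OSError:
            pass                       # server already closed on us: expected when dropped
        finally:
            client_side.close()

    sender = threading.Thread(target=send_slowly, daemon=True)
    sender.start()
    try:
        return "ok", read_body(server_side, len(body), **policy)
    except SlowBodyError as exc:
        return "dropped", str(exc)
    finally:
        server_side.close()
        sender.join(timeout=5)
```

A well-behaved client that sends its body promptly is accepted, while one that trickles a byte every few hundred milliseconds is cut off by the rate check long before the deadline.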

Today, IT faces a variety of changes that require control points that can adapt dynamically and secure applications and their content as it is being delivered from a variety of locations to a mass of users. This is especially true for cloud computing deployments and infrastructures that span between the cloud and the organization's data center. F5 has the solutions to make any application deployment endeavor swift, successful and secure.

ps


Thursday, March 24, 2011

Has The Sky Cleared on Cloud Security?

Last year I embarked on a blog series, led by my trusty advisor CloudFucius, that evolved into an exploration of the numerous cloud computing surveys, reports, statistics and other feelings about the technology. At the time, 4-5 surveys a week were being released covering some aspect of cloud computing, and security was cited as the biggest hurdle in almost 90% of the surveys. I also found that availability, control and a general lack of understanding were drivers in challenges to cloud adoption. Almost 6 months have passed since the last CloudFucius entry, and I wanted to see if the same fears were still lingering, or at least whether the current surveys were reporting the same concerns about cloud computing as a year ago.

First up is the UK-based technology publication Computing. Working with Symantec.cloud, they surveyed 150 IT decision makers and learned that as more companies embrace cloud computing, they are finding that the cloud solutions meet or beat not only their expectations but also their own existing in-house solutions. While on-premise security solutions might be adequate today, as the security threats evolve, the cloud providers may have the advantage over time due to their infrastructure investments in advanced filtering and detection, along with 24/7 trained staff. Last year, availability and uptime also emerged as concerns, and today there is great interest in the contractual SLAs offered by cloud providers, since they often surpass what organizations are capable of in-house. Resiliency and disaster recovery across multiple data centers can ensure that if there is an outage in one location, the customers can still access their data. Management and control still create some anxiety, but many IT teams are happy to abdicate routine maintenance, like OS patching and hardware upgrades, in exchange for management SLAs. Now that the hype of cloud services has passed and many providers are proving themselves worthy, it is becoming part of the overall IT strategy. As the perceived threats to data security in the cloud dwindle, trust in the cloud will grow.

The Cloud Connect Conference in Santa Clara also released a survey during their gathering. In that one, elasticity and speed of deployment were the top motivators for using cloud services. Elasticity, or the flexibility to quickly add or reduce capacity, can greatly influence the availability of data. These folks, however, were less motivated by improved security or access to the provider's IT staff. Their top concerns were data privacy and infrastructure control. I do find it interesting that last year the term 'security,' which can encompass many things, was the primary apprehension about going to the cloud, while today it has somewhat narrowed to specifically data privacy. That too can mean several things, but areas like outsiders' physical access to systems don't seem to worry IT crews as much any more.

When it comes to our school/educational system, Panda Security released a study that focused on IT security in K-12 school districts. Like many companies, they must deal with unauthorized user access and malware outbreaks, and they admit that IT security is time and resource intensive. They do believe, however, that the cloud can offer security benefits and improve their overall infrastructure. 91% see value in cloud solutions and are planning to implement them over the next couple of years, with 80% saying improved security was a main reason to deploy cloud-based security.

Finally, on the consumer front, GfK Business & Technology surveyed 1000 adults about cloud services and storing content in the cloud. With all of our connected devices – cell phone, computer, tablet, etc. – there will be a greater demand to move data to the cloud. Not really surprising, less than 10% of the consumers surveyed fully understand what the cloud actually does. They know of it, but not what it accomplishes. With what you don't understand comes fear. 61% said that they were concerned about storing their data in the cloud, and almost half said they would never use the cloud unless it was easy to store and retrieve data. As businesses begin to feel content with the cloud, they then need to both educate and communicate cloud benefits to their consumers.

So it does appear that comfort with the cloud is beginning to take hold, and as cloud offerings mature, especially around security, err ah, I mean data privacy solutions, the fear, uncertainty and doubt from last year is starting to loosen, and it sure seems like greater adoption is on the horizon.

And one from Confucius: They must often change who would be constant in happiness or wisdom.

ps


Tuesday, March 22, 2011

Audio White Paper - Streamlining Oracle Web Application Access Control

Web application security is critical—the data that web servers and their back-end databases house is invaluable to an enterprise. An organization must be able to control who can access their resources and when, as well as audit that information. F5 BIG-IP Access Policy Manager (APM), in conjunction with Oracle Access Management (OAM), helps centralize web application authentication and authorization services, streamline access management, and reduce infrastructure costs. Running Time: 17:58. Read the full white paper here, and click here for more F5 Audio.

ps


Wednesday, March 16, 2011

Defense in Depth in Context

In the days of yore, a military technique called Defense-in-Depth was used to protect kingdoms, castles and other locations that might be vulnerable to attack. It's a layered defense strategy where the attacker would have to breach several layers of protection to finally reach the intended target. It allows the defender to spread their resources and not put all of the protection in one location. It's also a multifaceted approach to protection, in that there are other mechanisms in place to help; and it's redundant, so if a component fails or is compromised, there are others ready to step in to keep the protection intact.

Information technology also recognizes this technique as one of the 'best practices' for protecting systems. The infrastructure and the systems it supports are fortified with a layered security approach. There are firewalls at the edge and, often, security mechanisms at every segment of the network. Circumvent one, and the next layer should net them. There is one little flaw with the Defense-in-Depth strategy: it is designed to slow down attacks, not necessarily stop them. It gives you time to mobilize a counter-offensive, and it makes the attack an expensive and complex proposition for the attacker. It's more of a deterrent than anything, and ultimately the attacker could decide that the benefits of continuing the attack outweigh the additional costs.

In the digital world, it is also interpreted as redundancy: place multiple iterations of a defensive mechanism within the path of the attacker. The problem is that the only way to increase the cost and complexity for the attacker is to raise the cost and complexity of your own defenses. Complexity is the kryptonite of good security, and what you really need is security based on context. Context takes into account the environment or conditions surrounding an event to make an informed decision about how to apply security. This is especially true when protecting a database. Database firewalls are critical components for protecting your valuable data and can stop a SQL injection attack, for instance, in an instant. What they lack is the ability to decipher contextual data like user ID, session, cookie, browser type, IP address, location and other metadata about who or what actually performed the attack. While a database firewall can see that a particular SQL query is invalid, it cannot decipher who made the request. Web application firewalls, on the other hand, can gather user-side information, since many of their policy decisions are based on the user's context. A WAF monitors every request and response between the browser and the web application and consults a policy to determine if the action and data are allowed. It uses such information as user, session, cookie and other contextual data to decide if it is a valid request. Independent technologies that protect against web attacks or database attacks are available, but they have not been linked to provide unified notification and reporting.

Now imagine if your database was protected by a layered, defense-in-depth architecture along with the contextual information to make informed, intelligent decisions about database security incidents. The integration of BIG-IP ASM with Oracle's Database Firewall offers the database protection that Oracle is known for and the contextual intelligence that is baked into every F5 solution. Unified reporting for both the application firewall and the database firewall provides more convenient and comprehensive security monitoring. Integration between the two security solutions offers a holistic approach to protecting the web and database tiers from SQL-injection-type attacks. The integration gives you the layered protection many security professionals recognize as a best practice, plus the contextual information needed to make intelligent decisions about what action to take. This solution provides improved SQL injection protection to F5 customers and correlated reporting, for richer forensic information on SQL injection attacks, to Oracle database customers. It's an end-to-end web application and database security solution to protect data, customers and their businesses.
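As an added illustration of the unified reporting described above (not the actual BIG-IP ASM / Oracle Database Firewall integration), the following joins constructed WAF request records, which carry user, session and client IP, to constructed database-firewall alerts by time window and by the injected fragment reappearing in the flagged statement. The event fields, the sample data and the correlate/run_sample helpers are assumptions, not either product's log format or API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class WafEvent:
    """What the web application firewall sees: who sent which value, from where."""
    ts: datetime
    session: str
    user: str
    client_ip: str
    param: str          # the request parameter value as it reached the application


@dataclass
class DbAlert:
    """What the database firewall sees: a statement that violated its policy."""
    ts: datetime
    db_user: str
    statement: str


def _norm(text):
    """Lower-case and collapse whitespace so a fragment can be matched in a query."""
    return re.sub(r"\s+", " ", text.strip().lower())


def correlate(waf_events, db_alerts, window=timedelta(seconds=2), min_len=4):
    """Attach WAF user context to each database-firewall alert.

    A WAF event is a candidate when it precedes the alert by at most `window`
    and its normalised parameter value appears inside the normalised statement,
    i.e. the injected fragment survived the application's query building.
    Very short values are skipped (min_len) to avoid accidental substring hits.
    The most recent candidate wins; an alert with no candidate keeps None for
    user, session and client_ip so it still appears in the unified report.
    """
    report = []
    for alert in db_alerts:
        stmt = _norm(alert.statement)
        best = None
        for ev in waf_events:
            age = alert.ts - ev.ts
            frag = _norm(ev.param)
            if timedelta(0) <= age <= window and len(frag) >= min_len and frag in stmt:
                if best is None or ev.ts > best.ts:
                    best = ev
        report.append({
            "alert_ts": alert.ts.isoformat(),
            "db_user": alert.db_user,
            "statement": alert.statement,
            "user": best.user if best else None,
            "session": best.session if best else None,
            "client_ip": best.client_ip if best else None,
        })
    return report


# Constructed sample data (not real log output from either product).
T0 = datetime(2011, 3, 16, 10, 0, 0)
SAMPLE_WAF = [
    WafEvent(T0, "s-17", "alice", "198.51.100.4", "alice"),
    WafEvent(T0 + timedelta(seconds=1), "s-42", "mallory", "203.0.113.7", "' OR 1=1 --"),
]
SAMPLE_ALERTS = [
    DbAlert(T0 + timedelta(seconds=1, milliseconds=300), "webapp",
            "SELECT * FROM accounts WHERE name = '' OR 1=1 --'"),
    DbAlert(T0 + timedelta(seconds=30), "dba_tools",
            "SELECT password_hash FROM accounts"),   # direct DB access: no WAF context
]


def run_sample():
    return correlate(SAMPLE_WAF, SAMPLE_ALERTS)
```

The first alert is tied back to mallory's session and client IP, which the database firewall alone could not have named; the second alert came from outside the web tier and is reported without user context rather than dropped.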

ps


Tuesday, March 8, 2011

Our Digital Life Deciphered

comScore always has some very interesting statistics when measuring the digital world, and these recent reports are no different. The 2010 U.S. Digital Year in Review has great info both for understanding media trends and for knowing what the end user is actually doing out there. The 2010 Mobile Year in Review is also interesting, looking at mobile device and OS trends and the differences worldwide, both in models and in what users are utilizing them for. There are tons of graphs and analysis covering areas like U.S. Retail E-Commerce Spending, Percent of Time Spent for Top 5 U.S. Web Properties, U.S. Unique Visitor Trend for Leading Social Networking Sites, Percent Share of Searches Among U.S. Core Search Engines, Growth in Total U.S. Online Video Market, Top Mobile Activities in the U.S. and many more.

These were a few that I found interesting - taken directly from the reports.

* 9 out of every 10 U.S. Internet users now visit a social networking site each month.

* Facebook now accounts for 12.3% of time spent online in the US, up from 7.2% just a year ago.

* After Portals, Social Networking now ranks as the next most engaging activity at 14.4 percent of time spent online (up 3.8 percentage points), while Entertainment ranks third at 12.6 percent (up 0.8 percentage points). As communication continues to shift to other channels, including social media and mobile, usage of web-based email declined 1.5 percentage points to 11.0 percent of time spent.

* An average of 179 million Americans watch video each month and the average American spent more than 14 hours watching online video in December, a 12-percent increase from last year, and streamed a record 201 videos, an 8-percent increase.

* In September 2010, smartphone ownership crossed the 25 percent threshold, marking a significant milestone in smartphone adoption in the U.S. By December 2010, smartphone penetration had reached 27 percent of the mobile market.

* Samsung unseated last year’s OEM (original equipment manufacturer) leader, Motorola, to rank as top OEM provider with 24.8 percent of devices owned by mobile subscribers in December 2010, up 3.6 percentage points from the previous year.

ps


Wednesday, March 2, 2011

Where Do You Wear Your Malware?

The London Stock Exchange, Android phones and even the impenetrable Mac have all been malware targets recently. If you're connected to the internet, you are at risk. It is no surprise that the crooks will go after whatever device people are using to conduct their lives – mobile, for example – along with trying to achieve that great financial heist: 'if we can just get this one big score, then we can hang up our botnets and retire!' Perhaps Homer Simpson said it best: 'Ooh, Mama! This is finally really happening. After years of disappointment with get-rich-quick schemes, I know I'm gonna get rich with this scheme...and quick!' Maybe we call this the Malware Mantra!

Malware has been around for a while, has changed and evolved over the years, and we seem to have accepted it as one of the landmines we face when navigating the internet. I would guess that we might not even think about malware until it has hit us, which is typical when it comes to things like this. Out of sight, out of mind. I don't think 'absence makes the heart grow fonder' works with malware. We certainly take measures to guard ourselves (anti-virus, firewall, anti-spoof toolbars, etc.), which gives us the feeling of protection, and we click away thinking that our sentinels will destroy anything that comes our way. Not always so.

It was reported that the London Stock Exchange was delivering malvertising to its visitors. The LSE site itself was not infected, but the pop-up ads from the site delivered some nice fake warnings saying the computer was infected and in danger. This is huge business for cybercriminals, since they insert their code with the third-party advertiser and never need to directly attack the main site. Many sites rely on third-party ads, so this is yet another area to be cautious of. One of the things that Web 2.0 brought was the ability to deliver or feed other sites with content. If you use NoScript with Firefox on your favorite news site (or any major site, for that matter), you can see the amazing amount of content coming from other sources. Sometimes 8-10 or more domains are listed as content generators, so be very careful as to which ones you allow.

With the success of the Android platform, it also becomes a target. This particular mobile malware looks and acts like the actual app. The problem is that it also installs a backdoor on the phone and asks for additional permissions. Once installed, it can connect to a command server and receive instructions, including sending text messages, adding URLs or directing the browser to a site, and installing additional software. The phone becomes part of a botnet. Depending on your contract, all these texts can add up, leading to a bill that looks like you just bought a car. In fact, Google has just removed 21 free apps from the Android Market, saying they are malware designed to get root access to the user's device. They were all masquerading as legitimate games and utilities. If you got one of these, it's highly recommended that you simply take your phone back to the carrier and swap it for a new one, since there's no way of telling what has been compromised. As malware continues to evolve, the mobile threat is not going away. This RSA2011 recap predicts mobile device management as the theme for RSA2012. And in related news, F5 recently released our Edge Portal application for the Android Market – malware free.

Up front, I'm not a Mac user. I like them, have used them plenty over the years and am not opposed to getting one in the future; I've just owned Windows devices most of my life. Probably due to the fact that my dad was an IBMer for 30 years. Late last week, stories started to appear about some beta malware targeting Macs. It is called BlackHole RAT. It is derived from a Windows family of trojans and rewritten to target the Mac. It is spreading through torrent sites and seems to be a proof of concept of what can potentially be accomplished. Reports say that it can remotely control an infected machine, open web pages, display messages and force reboots. There is also some disagreement around the web as to the seriousness of the threat, but despite that, criminals are trying.

Once we all get our IPv6 chips installed in our earlobes and are able to take calls by pulling on our ear, a la Carol Burnett style, I wonder when the first computer to human virus will be reported.  The wondering is over, it has already happened.

ps
