Tuesday, January 31, 2012

Vulnerability Assessment with Application Security

The longer an application remains vulnerable, the more likely it is to be compromised.

Protecting web applications is an around-the-clock job. Almost anything that is connected to the Internet is a target these days, and organizations are scrambling to keep their web properties available and secure. The ramifications of a breach or downtime can be severe: brand reputation, the ability to meet regulatory requirements, and revenue are all on the line.  A 2011 survey conducted by Merrill Research on behalf of VeriSign found that 60 percent of respondents rely on their websites for at least 25 percent of their annual revenue.

And the threat landscape is only getting worse. Targeted attacks are designed to gather intelligence; steal trade secrets, sensitive customer information, or intellectual property; disrupt operations; or even destroy critical infrastructure.  Targeted attacks have been around for a number of years, but 2011 brought a whole new meaning to advanced persistent threat. Symantec reported that the number of targeted attacks increased almost four-fold from January 2011 to November 2011.

In the past, the typical profile of a target organization was a large, well-known, multinational company in the public, financial, government, pharmaceutical, or utility sector.  Today, the scope has widened to include almost any size organization from any industry. The attacks are also layered in that the malicious hackers attempt to penetrate both the network and application layers.  To defend against targeted attacks, organizations can deploy a scanner to check web applications for vulnerabilities such as SQL injection, cross-site scripting (XSS), and forceful browsing; or they can use a web application firewall (WAF) to protect against these vulnerabilities. However, a better, more complete solution is to deploy both a scanner and a WAF.  BIG-IP Application Security Manager (ASM) version 11.1 is a WAF that gives organizations the tools they need to easily manage and secure web application vulnerabilities with multiple web vulnerability scanner integrations.

As enterprises continue to deploy web applications, network and security architects need visibility into who is attacking those applications, as well as a big-picture view of all violations to plan future attack mitigation.  Administrators must be able to understand what they see to determine whether a request is valid or an attack that requires application protection.  Administrators must also troubleshoot application performance and capacity issues, which requires detailed statistics.  With the increase in application deployments and the resulting vulnerabilities, administrators need a proven multi-vulnerability assessment and application security solution for maximum coverage and attack protection.  But as many companies also support geographically diverse application users, they must be able to define who is granted or denied application access based on geolocation information.

 
Application Vulnerability Scanners

To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner.  The scanning schedule might depend on a change control, like when an application is initially being deployed, or other factors like a quarterly report.  The vulnerability scanner scours the web application, and in some cases actually attempts potential hacks to generate a report indicating all possible vulnerabilities.  This gives the administrator managing the web security devices a clear view of all the exposed areas and potential threats to the website. It is a moment-in-time report and might not give full application coverage, but the assessment should give administrators a clear picture of their web application security posture.  It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not.  Many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings.

Another challenge is that every web application is different.  Some are developed in .NET, some in PHP or Perl. Some scanners execute better on different development platforms, so it’s important for organizations to select the right one.  Some companies may need a PCI DSS report for an auditor, some for targeted penetration testing, and some for WAF tuning.  These factors can also play a role in determining the right vulnerability scanner for an organization.  Ease of use, target specifics, and automated testing are the baselines.  Once an organization has considered all those details, the job is still only half done.  Simply having the vulnerability report, while beneficial, doesn’t mean a web app is secure.  The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since re-coding an application is expensive and time-consuming, and may generate even more errors, many organizations deploy a web application firewall like BIG-IP ASM.

A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until it has an opportunity to properly close the hole.  Often, organizations use the vulnerability scanner report to then either tighten or initially generate a WAF policy.  Attackers can come from anywhere, so organizations need to quickly mitigate vulnerabilities before they become threats. They need a quick, easy, effective solution for creating security policies.  Although it’s preferable to have multiple scanners or scanning services, many companies only have one, which significantly impedes their ability to get a full vulnerability assessment.  Further, if an organization’s WAF and scanner aren’t integrated, neither is its view of vulnerabilities, as a non-integrated WAF UI displays no scanner data.  Integration enables organizations both to manage the vulnerability scanner results and to modify the WAF policy to protect against the scanner’s findings—all in one UI.
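The scanner-to-WAF workflow described above, as an added example that is not part of the original post and not F5 code or the BIG-IP ASM policy format: constructed findings in a hypothetical scanner report are turned into virtual-patch rules, and sample requests are checked against them. The report shape, the finding types, and the administrator's decision that the `id` parameter is only ever numeric are all assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed scanner output in a hypothetical JSON shape; no vendor's real
# report format is implied.  Each finding names the vulnerable URL and, for
# input-handling bugs, the parameter the scanner exercised.
SCANNER_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "type": "sql_injection",
         "url": "/product?id=1", "parameter": "id"},
        {"id": "F-2", "type": "xss",
         "url": "/search?q=shoes", "parameter": "q"},
        {"id": "F-3", "type": "forceful_browsing",
         "url": "/admin/backup.zip"},
    ]
})

# Value classes a virtual patch can pin a parameter to.  The finding picks
# the class; the application code itself is left untouched until it is fixed.
VALUE_CLASSES = {
    # Assumption: the administrator confirmed "id" is always a plain integer.
    "integer": re.compile(r"^\d{1,10}$"),
    # Free text with the HTML/script meta-characters an XSS payload needs
    # removed from the allowed alphabet.
    "plain_text": re.compile(r"^[^<>\"'&;()]{0,64}$"),
}


def build_policy(report_json):
    """Translate findings into a virtual-patch policy.

    Returns {"parameters": {(path, name): (class, finding_id)},
             "blocked_paths": {path: finding_id},
             "unhandled": [finding_id, ...]}.
    Findings of a type this policy cannot patch are listed under
    "unhandled" so they are not silently dropped.
    """
    policy = {"parameters": {}, "blocked_paths": {}, "unhandled": []}
    for f in json.loads(report_json)["findings"]:
        path = urlsplit(f["url"]).path
        if f["type"] == "sql_injection":
            policy["parameters"][(path, f["parameter"])] = ("integer", f["id"])
        elif f["type"] == "xss":
            policy["parameters"][(path, f["parameter"])] = ("plain_text", f["id"])
        elif f["type"] == "forceful_browsing":
            policy["blocked_paths"][path] = f["id"]
        else:
            policy["unhandled"].append(f["id"])
    return policy


def inspect_request(policy, url):
    """Check one request URL against the policy.

    Returns (allowed, violations); each violation carries the finding id
    the rule came from, which ties the WAF log back to the scanner report.
    Percent-encoding is decoded before matching, so an encoded payload is
    judged on what the application would actually receive.
    """
    parts = urlsplit(url)
    violations = []
    if parts.path in policy["blocked_paths"]:
        violations.append((policy["blocked_paths"][parts.path], "blocked path"))
    query = parse_qs(parts.query, keep_blank_values=True)
    for (path, name), (cls, finding_id) in policy["parameters"].items():
        if path != parts.path:
            continue
        # Every occurrence is checked: a repeated id=... cannot smuggle a payload.
        for value in query.get(name, []):
            if not VALUE_CLASSES[cls].match(value):
                violations.append((finding_id, f"{name} not {cls}: {value!r}"))
    return (not violations, violations)


if __name__ == "__main__":
    policy = build_policy(SCANNER_REPORT)
    for url in ("/product?id=42", "/product?id=1%20OR%201=1",
                "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
                "/admin/backup.zip", "/product?id=1&id=2%27"):
        print(url, inspect_request(policy, url))
```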

Integration Reduces Risk

While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate found vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised.  F5 BIG-IP ASM, a flexible web application firewall, enables strong visibility with granular, session-based enforcement and reporting; grouped violations for correlation; and a quick view into valid and attack requests. BIG-IP ASM delivers comprehensive vulnerability assessment and application protection that can quickly reduce web threats with easy geolocation-based blocking—greatly improving the security posture of an organization’s critical infrastructure.

BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, building more integrity into the policy lifecycle and making it the most advanced vulnerability assessment and application protection on the market.  In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM enables organizations to mitigate threats in a timely manner, greatly reduce the overall risk of attacks, and address most vulnerabilities.

With multiple vulnerability scanner assessments in one GUI, administrators can discover and remediate vulnerabilities within minutes from a central location.  BIG-IP ASM offers easy policy implementation, fast assessment and policy creation, and the ability to dynamically configure policies in real time during assessment.  To significantly reduce data loss, administrators can test and verify vulnerabilities from the BIG-IP ASM GUI, and automatically create policies with a single click to mitigate unknown application vulnerabilities. 

Security is a never-ending battle.  The bad guys advance, organizations counter, bad guys cross over—and so the cat and mouse game continues.  The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application can help organizations contain possible points of exposure.  BIG-IP ASM v11.1 offers unprecedented web application protection by integrating with many market-leading vulnerability scanners to provide a complete vulnerability scan and remediate solution.  BIG-IP ASM v11.1 enables organizations to understand inherent threats and take specific measures to protect their web application infrastructure.  It gives them the tools they need to greatly reduce the risk of becoming the next failed security headline.

ps


Thursday, January 26, 2012

Evolving (or not) with Our Devices

When I talk on the phone, I’ve always used my left ear to listen.  Listening in the right ear just doesn’t sound right.  This might be due to being right handed, doing the shoulder hold to take notes when needed.  As corded turned to cordless and mobile along with the hands-free ear-plugs, that plug went into the left ear whenever I was on the phone.  Recently, I’ve been listening to some music while walking the dog and have run into an issue.  The stereo ear plugs do not fit, sit or stay in my right ear.  I have no problem with the nub in my left ear but need to keep re-inserting, adjusting and holding the plug in my right ear.  I’m sure I was born with the same size opening for both ears years ago and my only explanation is that my left ear has evolved over the years to accommodate an ear plug.  Even measuring each indicates that the left is opened more ever so slightly.  I seem to be fine, or at least better, with the isolation earphone style but it’s the ear-bud type that won’t fit in my right ear.  I realize there are tons of earplug types for various needs and I could just get one that works for me but it got me thinking.  If my ears or specifically my left ear has morphed due to technology, what other human physical characteristics might evolve over time?

As computers became commonplace and more people started using keyboards, we started to see a huge increase of carpal tunnel syndrome.  Sure, other repetitive tasks of the hand and wrist can cause carpal tunnel but typing on a computer keyboard is probably the most common cause.  Posture related injuries like back, neck, shoulder and arm pain along with headaches are common computer related injuries.  Focusing your eyes at the same distance over extended periods of time can cause fatigue and eye strain.  It might not do permanent damage to your eyesight but you could experience blurred vision, headaches and a temporary inability to focus on faraway objects.  Things like proper design of your workstation and taking breaks that encourage blood flow can help reduce computer related injuries.  Of course, every profession has its specific repetitive tasks which can lead to some sort of injury and, depending on your work, the body adjusts and has its own physical memory to accomplish the task.  Riding a bike.  Often smokers who are trying to quit can tolerate the nicotine deduction but it’s the repetitive physical act of bringing the dart up that causes grief.  That’s why many turn to straws or toothpicks or some other item to break the habit.

We’ve gotten used to seeing people walking around with little Bluetooth ear apparatus attached to their heads and think nothing of it.  They’ll leave it in all day even if they are not talking on the phone.  Many probably feel ‘naked’ if they forgot it one day, almost like a watch or ring that we wear daily.  I mentioned a couple years ago in IPv6 and the End of the World that with IPv6, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere.  Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter.  Who would have thought that Carol Burnett's ear tug would come back.

Now that many of us have mobile devices with touch-screens, we’re tapping away with index fingers and thumbs.  I know my thumb joints can get sore when tapping too much.  Will our thumbs grow larger or stronger over time to accommodate the new repetitive movement or go smaller and pointy to make sure we’re able to click the correct virtual keypad on the device?  We got video eyewear so it’s only a matter of time that our email and mobile screens could simply appear while wearing shades or as heads up on the car windshield.  With special gloves or an implant under our hand, we can control the device through movement or tapping the steering wheel.

Ahhh, anyway, I’m sure things will change again in the next decade and we’ll have some other things happening within our evolutionary process but it’ll be interesting to see if we can maintain control over technology or will technology change us.  In the meantime, I’ll be ordering some new earphones.

ps


Tuesday, January 24, 2012

ICSA Certified Network Firewall for Data Centers

The BIG-IP platform is now ICSA Certified as a Network Firewall.
Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer.  Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hacktivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users.

Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions add to IT distress.  Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but also the websites they are supposed to protect.  Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack.

Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting.  An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive.  There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective.

The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA-required reporting and alerts, as well as integration with SIEM vendors.  BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure.  BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers.  In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence.

  • Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack.
  • Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying.
  • DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7.
  • DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections.
  • SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads.
  • Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released.
  • Resource cloaking and content security: Prevent leaks of error codes and sensitive content.

F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients, and BIG-IP is now ICSA Certified as a Network Firewall.

ps


Tuesday, January 17, 2012

Security’s Rough Ride

1 if by land, 2 if by sea, 0 if by IP

I know I’ve said this before but it sure seems like almost daily there is a security breach somewhere.  Over the years, the thought process has changed from “prevent all attacks” to “it is inevitable that we will be breached.”  The massive number of attacks occurring daily makes it a statistical reality.  Now organizations are looking for the right solution (both technology and practice) to quickly detect a breach, stop it, identify what occurred and what data may have been compromised.  Over the last couple of days various entities have had their security breached.

As you are probably already aware either due to the headlines or a direct note in your email inbox, Zappos, a popular online shoe site, was compromised exposing information on 24 million customers.  While a good bit of info was taken, like usernames, passwords, addresses, email and other identifiable information, Zappos claims that the stored credit card information was apparently spared due to being encrypted.  There are still many details that are unknown like how it occurred and how long it had been exposed but all users are being required to change their passwords immediately.  Users might also want to change similar passwords on other websites since I’m sure the criminals are already trying those stolen passwords around the web.  These days it's entirely too easy to use information from one hack in many others.  It doesn't even matter if passwords were compromised.  You can change your password, but the make and model of your first car, and your mother's maiden name can't be changed.  Yet, online service providers continue to rely on these relatively weak forms of secondary authentication.  The interesting thing is Zappos is/was apparently PCI-DSS compliant, proving once again, PCI compliance is a first step, not the goal.  Being PCI compliant does not mean that one is secure and this also underscores the importance of using a WAF like BIG-IP ASM.  And if it was not a web app that was owned on the server in Kentucky, then Section 6.6 is irrelevant.  But again, all the details are still to be uncovered and as far as I know, no-one has claimed responsibility.

Overseas, there is an ongoing cyber-war between a Saudi (reported) hacker and Israel.  0xOmar, as news articles have identified him, claims to have posted details of 400,000 Israeli-owned credit cards and Israel’s main credit card companies have admitted that 20,000 cards have been exposed.  Along the way, he has also attacked the Tel Aviv Stock Exchange and Bank Massad.  In an interesting and potentially scary turn of events, a group of Israeli hackers, IDF-Team, took down the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) as a counter-attack.  Another Israeli hacker going by Hannibal claims to have 30 million Arab e-mail addresses, complete with passwords (including Facebook passwords), and says he’s received e-mails not only from potential victims but from officials in France and other countries asking him to stop.  This cyber-conflict is escalating.

In a very different type of breach, you’ve probably also seen the cruise ship lying on its side a mere 200 yards from the Italian shore.  While not necessarily a data security story, it is still a human security story that, so far, has been attributed to human error – like many data security breaches.  Like many data breach victims, people put their trust in another entity.  Their internal risk-analysis tells them that it is relatively safe and the probability of disaster is low.  But when people make bad decisions, as seems the case in this situation, many others are put at greater risk.

Put on your virtual life vests, 2012 is gonna be a ride.

ps


Tuesday, January 10, 2012

Cloud Security With FedRAMP

Want to provide Cloud services to the federal government?  Then you’ll have to adhere to almost 170 security controls under the recently announced Federal Risk and Authorization Management Program.  The program, set to go live in June, is designed to analyze/audit cloud computing providers for federal government agencies, expedite security clearances for cloud providers and foster the adoption of cloud computing by the Federal government.  FedRAMP is meant to provide a baseline for low to moderate risk systems and is based on the NIST cyber-security Special Publication 800-53 Revision 3.  FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited, or serious impact on government operations if disrupted.  Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies.  The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls.  Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution.  There may be instances where additional controls are added by agencies to address specific needs.

Independent, third-party auditors are tasked with testing each product/solution for compliance, which is intended to save agencies from doing their own risk management assessment.  Details of the auditing process are expected early next month but include a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed such as devices, documents and processes; the responsibilities of the provider and the government customer to implement the plan; the timing of implementation; and how the solution satisfies the controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements, and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the Security Assessment Plan.  Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service.

The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online.  All government information stored on a provider's servers must be encrypted.  When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption.  Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats.  Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future.

More details of the FedRAMP program will be available from the General Services Administration by February 8th, but they have already started accepting applications for third party assessment vendors.

ps


Wednesday, January 4, 2012

355 Shopping Days Left

After just being bombarded with the endless options of gifts for your loved ones, a simple reminder that the next blitz is just around the corner.  And you are a target.  2011 started relatively tame for breaches but when hacktivism and a few other entities decided to take hold, it became a massive year for lost data.  From retail to healthcare to government to schools to financial institutions – no one was immune.  Household names like Sony, RSA, Lockheed and Sega were all hit.   Privacy Rights Clearinghouse reports that 535 security breaches in 2011 exposed 30 million sensitive records to identity thieves and other rip-off artists.  Since 2005, 543 million records have been breached – almost double the US population and about 7% of the entire world’s population.  Looking at the entire Privacy Rights Clearinghouse list is staggering both in numbers and names. 

It might not get better any time soon.  Since mobile devices have become fixed appendages and continue to dominate many areas of our lives (phone, entertainment, email, GPS, banking, work, etc), the crooks will look for more ways to infiltrate that love affair.  I suspect that mobile financial (payment/banking) apps will get a lot of attention this year as will malware laced apps.  Our health information is also at risk.  Medical records are being digitized.  A 2009 stimulus bill included incentives for doctors and hospitals who embrace electronic health records.  The CDC saw a 12% increase from last year – now 57% of office-based physicians use electronic health records.  The inadvertent result is that the number of reported breaches is up 32% this year according to Ponemon Institute.  That cost the health care industry somewhere in the neighborhood of $6.5 Billion.  Now you might think that you have less control over a health provider’s systems than your own mobile device.  While mostly true, close to half of those cases involved a lost or stolen phone or personal computer.  Some sort of human element was involved.

It is really up to each of us to practice safe computing and, if you’re knowledgeable, share insight with those who are not tech savvy.  Yes, you can be the most cautious internet citizen and still be a victim due to someone else’s mistake, oversight or vulnerability.  Even so, it is still important to be aware and do what you can.  For centuries we’ve been physically protecting our property, neighbors, towns, identity and anything else important to us.  At times, the thieves, enemies and otherwise unwanted still got in and created havoc.  Advances and admissions, plus the value of whatever needed protection kept the battle going.  It continues today in the digital universe.

ps
