STE WILLIAMS

iSPY: Apple Stores switch on iBeacon phone sniff spy system


Apple has switched on its controversial iBeacon snooping system across 254 US stores.

The fruity firm’s iSpy network allows Apple to watch fanbois as they walk around an Apple store and then send them various messages depending on where they are in the shop.


This might come in handy when visiting an Apple store, for instance, which is offering the latest iStuff. Glance in its direction or wander past and your iPhone will suddenly spring to life, filled with messages about products you haven’t bought yet.

Apple’s iBeacon transmitters use Bluetooth to work out customers’ location, because GPS doesn’t work as well indoors. This functionality was quietly snuck into iOS 7.

To take part all you need to do is download the Apple Store app and agree to let it track your location.

Apple claimed iBeacon offers “a whole new level of micro-location awareness, such as trail markers in a park, exhibits in a museum, or product displays in stores”.

What that really means is that whenever you visit somewhere armed with iBeacon transmitters, your iPhone will bombard you with unwanted messages.

Luckily, there’s a way to avoid the all-seeing eye of Cupertino: just switch off location services and you can go about your shopping trip without being surveilled.

According to AP, the flagship store on Fifth Avenue, New York City, was first to switch on its system on Friday and by this point every fruity outlet will have gone live. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/09/ispy_on_your_little_buys_apples/

Experts Offer Advice For Developing Secure Cloud Applications

Building security into the application development process has always been a challenge. The reality of cloud computing, however, introduces new hurdles that need to be identified and overcome.

In a new paper, the Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) joined forces to help developers navigate the sometimes troubled waters of application security. The report focuses on security considerations for platform-as-a-service (PaaS), though the authors say their advice is relevant to software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) as well.

“Among all of the cloud security challenges, this report is focused on the challenges faced by software developers who are developing applications for the cloud,” says Eric Baize, senior director of the product security office with EMC. “Most of the activities required to develop secure software for the cloud are identical to the fundamental security practices required for any software. However, cloud has some unique characteristics that demand some customization of these practices.”

The most notable among these is multitenancy, Baize says. Multitenancy, the report explains, allows multiple consumers or tenants to maintain a presence in a cloud service provider’s environment in a manner where the computations and data of one tenant are isolated from other tenants.

Cloud providers should model all of their application’s interfaces with threats to multitenancy in mind, such as information disclosure and privilege escalation, the report advises. In addition, providers should use a “separate schema” database design when building multitenant applications as opposed to adding a “TenantID” column to each table.
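To make the "separate schema" recommendation concrete, here is an added example (my own code, not from the CSA/SAFECode report) that builds the same constructed invoice data both ways in SQLite: design A is one shared table discriminated by a tenant_id column, design B is one schema per tenant, with SQLite's ATTACH DATABASE standing in for a database schema. The tenant names, table and rows are all constructed for illustration. The point it shows is the failure mode the report is guarding against: in design A a single query that forgets the tenant predicate returns every tenant's rows, while in design B the schema is selected from the authenticated tenant context and there is no per-query filter to forget.

```python
"""Shared-table ("TenantID column") vs separate-schema tenant isolation.

Added example, not from the CSA/SAFECode report. Uses SQLite in memory;
ATTACH DATABASE stands in for a per-tenant schema (database schemas or
separate databases in production). Tenant names and rows are constructed.
"""
import sqlite3

TENANTS = ("acme", "globex")  # constructed tenant identifiers

# Constructed sample rows: (tenant, invoice id, amount)
SAMPLE_INVOICES = [
    ("acme", 1001, 250.00),
    ("acme", 1002, 99.50),
    ("globex", 2001, 4200.00),
]


def build_shared_table_db() -> sqlite3.Connection:
    """Design A: one table for every tenant, discriminated by a tenant_id column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (tenant_id TEXT NOT NULL, id INTEGER, amount REAL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    return conn


def build_separate_schema_db() -> sqlite3.Connection:
    """Design B: one schema per tenant; each schema holds only that tenant's rows."""
    conn = sqlite3.connect(":memory:")
    for tenant in TENANTS:
        # Schema names come from the fixed registry above, never from user input.
        conn.execute(f"ATTACH DATABASE ':memory:' AS {tenant}")
        conn.execute(f"CREATE TABLE {tenant}.invoices (id INTEGER, amount REAL)")
    for tenant, inv_id, amount in SAMPLE_INVOICES:
        conn.execute(f"INSERT INTO {tenant}.invoices VALUES (?, ?)", (inv_id, amount))
    return conn


def list_invoices_shared(conn, tenant, forget_filter=False):
    """Design A relies on every query remembering the tenant_id predicate.

    forget_filter simulates the common bug: a code path that omits it and
    therefore discloses other tenants' rows (information disclosure).
    """
    if forget_filter:
        return conn.execute("SELECT id, amount FROM invoices").fetchall()
    return conn.execute(
        "SELECT id, amount FROM invoices WHERE tenant_id = ?", (tenant,)
    ).fetchall()


def list_invoices_separate(conn, tenant):
    """Design B: the schema is chosen from the authenticated tenant context,
    validated against the registry, and the query itself carries no filter."""
    if tenant not in TENANTS:
        raise ValueError("unknown tenant")  # validate before building a schema name
    return conn.execute(f"SELECT id, amount FROM {tenant}.invoices").fetchall()


if __name__ == "__main__":
    shared = build_shared_table_db()
    print("A, filtered:", list_invoices_shared(shared, "acme"))
    print("A, filter forgotten:", list_invoices_shared(shared, "acme", forget_filter=True))
    separate = build_separate_schema_db()
    print("B:", list_invoices_separate(separate, "acme"))
```

In a production deployment the separate-schema design is usually paired with a per-tenant database role that can only read its own schema, so that even a wrong schema qualifier is refused by the database rather than by application code.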

“APIs are the front door into any application, and it is critical that they are properly secured,” the report states. “In many ways, API security for cloud applications is similar to API security for web applications hosted in data centers. Traditional application layer security risks, such as the OWASP Top 10, are still present when deploying your application to the cloud.”

To secure APIs, the report recommends determining whether the APIs can be restricted so that only trusted hosts can call them and ensure that interservice communication is securely authenticated. Also, testing should be used to validate security monitoring and alerting capabilities.
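The three recommendations in that paragraph (restrict callers to trusted hosts, authenticate inter-service calls, and test that monitoring actually fires) fit in one small verifier. The following is an added example of my own, not code from the report or from any particular PaaS: each internal service holds a shared secret, the caller signs method, path, timestamp and body with HMAC-SHA256, and the callee checks the caller against an allowlist of service ids and source networks, rejects stale timestamps, and verifies the signature. Every rejection is recorded as a security event so that a monitoring drill can assert the alert path works. The service names, secrets and network ranges are constructed for illustration.

```python
"""Authenticating and allowlisting inter-service API calls.

Added example, not from the CSA/SAFECode report. Service ids, secrets and
network ranges below are constructed; in production the secrets would come
from a secrets manager and the events would go to the SIEM.
"""
import hashlib
import hmac
import ipaddress
import time

# Constructed registry of trusted callers: shared secret plus source networks.
TRUSTED_CALLERS = {
    "billing-svc": {"secret": b"constructed-secret-billing", "networks": ("10.1.0.0/24",)},
    "report-svc": {"secret": b"constructed-secret-report", "networks": ("10.2.0.0/24",)},
}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older than this

# Security events land here; monitoring tests assert on them.
security_events: list = []


def _canonical(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    # Hash the body so the string to sign has fixed-size components.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(caller_id: str, method: str, path: str, body: bytes, now=None) -> dict:
    """Caller side: produce the headers that accompany an internal request."""
    ts = str(int(now if now is not None else time.time()))
    secret = TRUSTED_CALLERS[caller_id]["secret"]
    mac = hmac.new(secret, _canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Caller": caller_id, "X-Timestamp": ts, "X-Signature": mac}


def _reject(reason: str, caller: str, source_ip: str) -> bool:
    security_events.append(
        {"event": "api_auth_failure", "reason": reason, "caller": caller, "source_ip": source_ip}
    )
    return False


def verify_request(headers: dict, source_ip: str, method: str, path: str, body: bytes, now=None) -> bool:
    """Callee side: allowlist caller and source, check freshness, verify the HMAC."""
    caller = headers.get("X-Caller", "")
    entry = TRUSTED_CALLERS.get(caller)
    if entry is None:
        return _reject("unknown_caller", caller, source_ip)
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return _reject("bad_source_address", caller, source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in entry["networks"]):
        return _reject("untrusted_source", caller, source_ip)
    ts_raw = headers.get("X-Timestamp", "")
    try:
        ts = int(ts_raw)
    except ValueError:
        return _reject("bad_timestamp", caller, source_ip)
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return _reject("stale_request", caller, source_ip)
    expected = hmac.new(entry["secret"], _canonical(method, path, ts_raw, body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return _reject("bad_signature", caller, source_ip)
    return True


def monitoring_drill() -> bool:
    """Exercise the alert path on purpose: a tampered request must raise an event."""
    before = len(security_events)
    hdrs = sign_request("report-svc", "GET", "/v1/reports", b"", now=1_700_000_000)
    hdrs["X-Signature"] = "0" * 64  # deliberately wrong signature
    verify_request(hdrs, "10.2.0.4", "GET", "/v1/reports", b"", now=1_700_000_000)
    return len(security_events) == before + 1 and security_events[-1]["reason"] == "bad_signature"


if __name__ == "__main__":
    body = b'{"invoice": 1001}'
    hdrs = sign_request("billing-svc", "POST", "/v1/charge", body)
    print("valid call accepted:", verify_request(hdrs, "10.1.0.7", "POST", "/v1/charge", body))
    print("monitoring drill passed:", monitoring_drill())
```

The timestamp bounds how long a captured request stays replayable; pairing it with a nonce cache closes the remaining window. The drill function is the piece that turns "testing should validate monitoring" into something a CI job can run against the staging environment.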

The paper touches on a number of other topics as well, including the use of trusted compute pools and the challenges of dealing with authentication and identity management. The focus is on mitigating the primary threats to cloud computing: data breaches, data leakage, denial-of-service, and insecure application interfaces.

The report can be viewed as a set of requirements and capabilities that PaaS should be providing to developers, says Steve Orrin, chief technologist for Intel Federal.

“To that end, organizations and their developers need to evaluate the security capabilities and services that their PaaS provides and then ensure they adopt these security capabilities and/or demand their availability from their provider,” he says.

Security, Baize adds, has increasingly become an integral part of the design process.

“CSA cloud security recommendations are widely used by cloud practitioners, and SAFECode secure software development practices are increasingly part of standard software engineering processes,” he says. “What this report provides is the connection between these two sets of practices by translating cloud-specific security requirements into security practices for software developers.”


Article source: http://www.darkreading.com/applications/experts-offer-advice-for-developing-secu/240164509


Cyber Monday And The Threat Of Economic Espionage

Based on recent predictions by numerous market analysts, Cyber Monday, the online equivalent of the Black Friday shopping event, is well on its way to overtake physical retail sales numbers in coming years.

According to a recent article by Bloomberg, Cyber Monday online sales were up approximately 20 percent this year, with many consumers preferring the comfort of their couches to fighting the crowds in physical stores, which are synonymous with Black Friday sales. On a related note, sales on Black Friday itself saw their first decline since 2009.

Post-9/11, I was involved in a number of think-tank activities to review what future attacks might “look like,” including how cyber may play a future role in state- and terrorist-sponsored attacks against the United States. While seemingly unrelated at the time, one of the more popular scenarios discussed among physical security folks, related to economic espionage, was targeting consumer outlets.

The scenario was pretty straightforward: Terror group X sends individuals/cells with small arms into malls in every major city in the country, creating mass panic, causing retail store purchases to slow to a point at which some of America’s largest outlets are hemorrhaging money, and causing harm to the national economy.

According to the National Retail Federation, per ShopperTrak data (which counts foot traffic at malls), Black Friday is the busiest shopping day of the year. Let’s now consider life in five, perhaps 10 years’ time, where the busiest retail day of the year is no longer in stores, but online.

For the well-equipped and motivated adversary, this no longer becomes a case of frightening customers from the storefront. It’s a simple case of denying them access. As we have seen with many of America’s largest financial institutions, denial-of-service attacks remain an effective method, which has evidently become the tactic of choice for at least one nation state’s cyberoffensive. Taking into consideration the increase in popularity of Cyber Monday, the dollars invested by online sellers in preparing for and supporting the event (think marketing, planning, infrastructure, increased stock purchases, warehousing, etc.), distributed across an economy that is increasingly reliant on the event to make its Q4 numbers, could result in a significant event that negatively impacts consumer confidence, the financial stability of major retailers, and possibly, in turn, the U.S. economy.

Predicting the potential short- and long-term impacts of such an event is a job for economists; however, all signs point to such an event becoming a very real possibility, which those depending on online retail should be seriously contemplating now — not attempting to handle as it happens, unlike many of the financial institutions earlier this year.

Tom Parker is CTO at FusionX

Article source: http://www.darkreading.com/advanced-threats/cyber-monday-and-the-threat-of-economic/240164534


Mitigating Attacks On Industrial Control Systems (ICS); The New Guide From EU Agency ENISA

The EU’s cyber security agency ENISA has provided a new manual for better mitigating attacks on Industrial Control Systems (ICS), supporting vital industrial processes primarily in the area of critical information infrastructure (such as the energy and chemical transportation industries) where sufficient knowledge is often lacking. As ICS are now often connected to Internet platforms, extra security preparations have to be taken. This new guide provides the necessary key considerations for a team charged with ICS Computer Emergency Response Capabilities (ICS-CERC).

Industrial Control Systems are indispensable for a number of industrial processes, including energy distribution, water treatment, transportation, as well as chemical, government, defence and food processes. The ICS are lucrative targets for intruders, including criminal groups, foreign intelligence, phishers, spammers or terrorists. Cyber-incidents affecting ICS can have disastrous effects on a country’s economy and on people’s lives. They can cause long power outages, paralyse transports and cause ecological catastrophes. Therefore, the ability to respond to and mitigate the impact of ICS incidents is crucial for protecting critical information infrastructure and enhancing cyber-security on a national, European and global level. Consequently, ENISA has prepared this guide about good practices for prevention and preparedness for bodies with ICS-CERC and highlights the following conclusions:

While for traditional ICT systems the main priority is integrity, for ICS systems availability is the highest priority (of the “CIA” scale: Confidentiality, Integrity, Availability). This has to do with the fact that ICS are indispensable for the seamless operation of critical infrastructure.

The main ICS actors sometimes do not have sufficient cyber-security expertise. Likewise, the established CERTs do not necessarily understand sector-specific technical aspects of ICS.

Given the potential significant damage of ICSs, the hiring process for ICS-CERC teams requires staff to be vetted thoroughly, and consideration should be given to many things, for example, an individual’s ability to perform under pressure and response willingness during non-working hours.

The importance of cooperation at both the domestic and international level must be recognised.

The unique challenges of ICS cyber-security services can be mitigated by using identified good practices for CERTs, existing global and European experiences, and better exchange of good practices.

The Executive Director of ENISA, Professor Udo Helmbrecht stated: “Until a few decades ago, ICS functioned in discrete, separated environments, but nowadays they are often connected to the Internet. This enables streamlining and automation of industrial processes, but it also increases the risk of exposure to cyber-attacks.”

Full report: https://www.enisa.europa.eu/activities/cert/support/baseline-capabilities/ics-cerc/good-practice-guide-for-certs-in-the-area-of-industrial-control-systems/

Article source: http://www.darkreading.com/attacks-breaches/mitigating-attacks-on-industrial-control/240164536


Microsoft Patch Tuesday – get ready to patch and reboot the lot, including Server Core

It’s Patch Tuesday this week – the last one, indeed, for 2013, the year in which we celebrated the tenth anniversary of Microsoft’s formularised process for security updates.

So here’s our news-in-brief, as usual, to give you a quick summary of what to look forward to on Tuesday.

You’ll be facing a pretty regular-sized effort, with eleven bulletins, five of them critical and six of them closing potential remote code execution (RCE) holes.

The non-critical RCE bug is rated important, which is a level usually used by Microsoft for compromises that provoke some sort of warning or prompt, even if it’s not a very helpful warning (in other words, where there is some visual signal to look out for).

But important is also used for some vulnerabilities that result from “sequences of user actions that do not generate prompts or warnings,” though you and I would probably just say, “drive-by install” or, for that matter, “RCE.”

→ The difference in urgency and timing between criticals and importants has never been terribly clear. You are urged to update the former “immediately” and the latter “at the earliest opportunity,” though quite how you could perform any update earlier than at the earliest opportunity is unclear.

In fact, all of this month’s patches fall into the “earliest opportunity or sooner” category, with none of the eleven rated softer than important.

Affected products include:

  • Windows end-user operating systems
  • Windows server operating systems
  • Office
  • Lync
  • Internet Explorer
  • Exchange
  • Microsoft Developer Tools

The Developer Tools patches apply to ASP.NET SignalR, a programming library that simplifies the coding of cloud-style applications, and Team Foundation Server (TFS), Microsoft’s source code control and code project management system.

If you have developers in your organisation, and you are using TFS, don’t delay this patch.

The vulnerability is an Elevation of Privilege (EoP), rather than a full-blown RCE, but EoPs are risky at the best of times, and can be particularly pernicious in a version control system.

They typically turn any user into an administrator, which, in a programming project control system, could quite literally result in history being rewritten unexpectedly.

We know that cybercrooks have a special interest in getting into, and potentially modifying, your source code.

Amongst other things, it means that they can build their malware into your software up front, saving them from finding and exploiting hitherto unknown vulnerabilities later on.

→ We’ve written recently about a giant source code theft from Adobe; a source code compromise at open source ad server project OpenX; and a sustained, systematic and at least somewhat successful password guessing attack, apparently using a 40,000-strong botnet, at popular online source code repository GitHub.

Talking of EoPs, you will no doubt have read Microsoft’s announcement, at the end of November, of CVE-2013-5065, a kernel-based privilege escalation bug in the driver NDPROXY.SYS on Windows XP.

The CVE-2013-5065 vulnerability is known to have been exploited in the wild.

What we don’t know yet is whether the December 2013 Patch Tuesday fixes that one or not.

It seems probable, given that Bulletin 8 is listed as an EoP in Windows, with updates available only for XP and Server 2003. (That’s the only bulletin that applies exclusively to XP/2003.)

But we shall have to wait until Tuesday to tell you for sure.

By the way, this month really is an omnibus (a Latin word meaning “for everyone”) update.

All platforms are affected, from XP to 8.1 and from Server 2003 to 2012, including installs of the stripped-down Server Core variants.

In addition, this month’s Internet Explorer update covers the whole product range, from IE 6 to IE 11.

In short: plan to patch (and to reboot) every Windows-based computer and virtual machine in your business, no later than at the earliest opportunity.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lNR1UErA5vw/

Cyber Monday and The Future Threat of Economic Espionage

Based on recent predictions by numerous market analysts, Cyber Monday, the online equivalent of the Black Friday shopping event, is well on its way to overtake physical retail sales numbers in coming years. According to a recent article by Bloomberg, Cyber Monday online sales were up approximately twenty percent this year, with many consumers preferring the comfort of their couch to fighting the crowds in physical stores, which are synonymous with Black Friday sales. On a related note, sales on Black Friday itself saw their first decline since 2009 this year.

Post-9/11, I was involved in a number of think-tank activities, to review what future attacks might “look like”, including how cyber may play a future role in state- and terrorist-sponsored attacks against the United States. While seemingly unrelated at the time, one of the more popular scenarios discussed amongst physical security folks, related to economic espionage, was targeting consumer outlets. The scenario was pretty straightforward: terror group X sends individuals/cells with small arms into malls in every major city in the country, creating mass panic, causing retail store purchases to slow to a point at which some of America’s largest outlets are hemorrhaging money, causing harm to the national economy.

According to the National Retail Federation, per ShopperTrak data (which counts foot traffic at malls), Black Friday is the busiest shopping day of the year. Let’s now consider life in five, perhaps ten years’ time, where the busiest retail day of the year is no longer in stores, but online.

For the well-equipped and motivated adversary, this no longer becomes a case of frightening customers from the storefront; it’s a simple case of denying them access. As we have seen with many of America’s largest financial institutions, denial of service attacks remain an effective method, which has evidently become the tactic of choice for at least one nation state’s cyber offensive. Taking into consideration the increase in popularity of Cyber Monday, the dollars invested by online sellers in preparing for and supporting the event (think marketing, planning, infrastructure, increased stock purchases, warehousing etc.), distributed across an economy which is increasingly reliant on the event to make its Q4 numbers, could result in a significant event which negatively impacts consumer confidence, the financial stability of major retailers and possibly, in turn, the US economy. Predicting the potential short- and long-term impacts of such an event is a job for economists; however, all signs point to such an event becoming a very real possibility, which those depending on online retail should be seriously contemplating now, not attempting to handle as it happens, unlike many of the financial institutions earlier this year.

Tom Parker is CTO at FusionX

Article source: http://www.darkreading.com/advanced-threats/cyber-monday-and-the-future-threat-of-ec/240164534

FTC slapdown, no iPhone for Mr President, and Dutch banks get tough