
Page 1: Newsletter 2016 July - August - GCSEC

ATM: A look at the future and emerging security threats landscape https://goo.gl/nykTSv Date: Thursday September 22, 2016 Location: Rome The event aims to raise awareness of the security implications behind ATM services. The workshop will cover current and future attack scenarios, the techniques and tactics adopted, the actions to put in place to raise the security level of ATMs, and the compliance challenges ahead. Representatives of banks, sector associations, ATM providers, payment service providers, law enforcement and institutions will take part. The event will also be the occasion to present the study "ATM: A look at the future and emerging security threats landscape", coordinated by GCSEC in collaboration with Braintech, Consorzio Bancomat, Kaspersky Lab, NCR, Security Brokers and Wincor.

CyberSecurity in Romania Congress Date: September 13-16, 2016 Location: Romania https://goo.gl/PAxGrd The congress has been supported by the ITU since its beginnings (and was awarded the title of "best practices example" by the ITU/D regional initiative in May 2015). It takes place under the High Patronage and in the presence of the Swiss Ambassador and is organized in partnership with the Romanian Regulatory Authority (ANCOM), the Romanian National Police, the Romanian Intelligence Service, the Swiss Canton of Geneva and the President's Chancellery of the Republic of Moldova. The main goal of the event is to create an open dialogue among Central European countries in order to improve information sharing and cooperation in the field of cybersecurity. Cybersecurity professionals and policy and decision makers from Central European countries will take part in the sessions, promoting constructive dialogue between governments, ICT security players and consumers.
DACH e-Crime & Information Security Date: Wednesday September 21, 2016 Location: Abu Dhabi http://goo.gl/sfemgo According to the Arab Gulf States Institute, cyber-attacks on "key installations" in Arabian Gulf states cost US$1 billion (Dh3.67bn) a year, an amount it expects to increase with the volume of attacks. The number of reported cyber attacks currently ranks the UAE fourth in the world. Attacks have evolved from those that simply

Hardware security for a connected world
IoT, connected cars and health-care devices operating in an always-on scenario require that hardware security also become a cyber security domain. Software security alone is not enough: critical software functionality needs to be hosted on a trusted hardware platform. A secure hardware design needs tamper protection, zeroization and secure key storage; together these reduce the chances of a successful attack. The hardware should be able to detect unauthorized access and tampering, and zeroize its secrets when tampering is detected. Devices also need to resist differential power analysis (DPA) attacks, which recover keys from the power drawn during cryptographic operations. Security at this level requires assurance that the code the board runs is authentic and that the supply chain that built the product is secured. A root of trust is the starting point for hardware security. Unfortunately the design of secure hardware is very often overlooked in the product development lifecycle, and many devices remain vulnerable to attacks that result in theft of service, loss of revenue and damaged reputation. A product redesign is often required after an incident, which raises overall costs and affects time-to-market. Many design methodologies are available, but it is very important to incorporate risk analysis and security considerations into each step of the design cycle. So, before choosing a secure hardware method for your product, a risk assessment must take place that answers three questions: what needs to be protected, why it is being protected, and from whom it is being protected.

Some of the aspects that we need to take care of in the product design phase are:

• Secure boot, which is fundamental for protecting the start-up code from attacks. If attackers are able to access a device and overwrite the boot code, they can install malware for the processor to run; the boot ROM must therefore verify the next stage before executing it.

• External interfaces, which may be used for a number of purposes, including connecting to peripherals, field programming, or testing. Use caution when connecting to the "outside world". Where possible, encrypt traffic on these interfaces to increase the difficulty of an attack, and disable or lock the debug and test interfaces (JTAG, serial consoles) on production units. Critical components should not be reachable through an external interface.

• Implementation of tamper mechanisms, to counter any attempt by an attacker to perform an unauthorized physical or electronic action against the device. Tamper mechanisms are usually divided into four categories: resistance, evidence, detection and response. They are most effective when used in layers to prevent access to any critical component. As usual, from the designer's perspective, the cost of a successful attack should outweigh the potential reward.

• Emissions, which also need to be evaluated: all electronic devices generate electromagnetic interference (EMI) in one form or another, and those emanations can leak what the device is processing. Careful circuit board design reduces EMI and may avoid the need to shield the device.

events editorial

2016 July - August

Page 2:

• All the sensitive components that are most likely to be targeted for an attack should be difficult to access. One way of achieving this is to use Chip-on-Board (COB) packaging or an equivalent technology.

• Use memory management with an FPGA or equivalent circuitry to perform hardware-based bounds checking by monitoring the address bus. This lets you restrict read/write access to defined memory locations and trigger a tamper response mechanism if an access falls outside the defined range.
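The secure boot check from the first list and the address-bus monitor just described are easier to reason about with the decision logic written out. The following Python model is an added example for this newsletter, not code from GCSEC or from any vendor named in the editorial. The firmware image, the memory window and the key bytes are constructed for the demo, and pinning a SHA-256 digest of the image in ROM stands in for the signature scheme a real boot ROM would use (it is the simplest form of the same root-of-trust idea).

```python
"""Model of two hardware controls: secure boot by a digest pinned in ROM, and
an address-bus monitor with a zeroizing tamper response.  Added example; every
value below is constructed for the demo."""
import hashlib
import hmac

# Constructed stand-in for the signed-off firmware build.
GOOD_FIRMWARE = b"\x7fFW\x01" + b"init clocks; poll sensor; report;" * 4

# What the factory burns into immutable ROM/OTP: the digest of that image.
# (A real boot ROM usually pins a public key and verifies a signature over
# the image; pinning the image digest is the simplest form of the same idea.)
ROM_PINNED_DIGEST = hashlib.sha256(GOOD_FIRMWARE).digest()


def secure_boot(image: bytes, pinned_digest: bytes = ROM_PINNED_DIGEST) -> bool:
    """True only if `image` is byte-for-byte the image pinned in ROM.

    hmac.compare_digest takes the same time wherever the first differing
    byte is, so the comparison itself does not tell an attacker how close a
    forged image came to matching.
    """
    return hmac.compare_digest(hashlib.sha256(image).digest(), pinned_digest)


def zeroize(buf: bytearray) -> None:
    """Overwrite secret material in place: the 'response' layer."""
    for i in range(len(buf)):
        buf[i] = 0


class TamperDetected(Exception):
    """Raised when the monitor trips; the device should halt, not carry on."""


class BusMonitor:
    """Model of FPGA logic watching the address bus.

    Reads and writes are allowed only inside [base, base + size).  Any other
    access zeroizes `key_store` and latches `tampered`, so even a later
    in-range access is refused until the device is reprovisioned.
    """

    def __init__(self, base: int, size: int, key_store: bytearray) -> None:
        self.base = base
        self.limit = base + size
        self.key_store = key_store
        self.tampered = False
        self.log = []

    def access(self, addr: int, write: bool = False) -> bool:
        kind = "write" if write else "read"
        if self.tampered or not (self.base <= addr < self.limit):
            zeroize(self.key_store)
            self.tampered = True
            self.log.append(f"TAMPER {kind} {addr:#010x}")
            raise TamperDetected(
                f"{kind} at {addr:#010x} outside [{self.base:#010x}, {self.limit:#010x})"
            )
        self.log.append(f"ok {kind} {addr:#010x}")
        return True


def boot_demo() -> dict:
    """Exercise both controls on constructed inputs and report the outcomes."""
    flipped = bytearray(GOOD_FIRMWARE)
    flipped[-1] ^= 0x01                      # a one-bit change in the image
    results = {
        "good_image_boots": secure_boot(GOOD_FIRMWARE),
        "tampered_image_boots": secure_boot(bytes(flipped)),
    }

    keys = bytearray(b"\x5a" * 16)           # constructed 128-bit key
    mon = BusMonitor(base=0x2000_0000, size=0x1000, key_store=keys)
    results["in_range_ok"] = mon.access(0x2000_0010, write=True)
    try:
        mon.access(0x2000_1000)              # first byte past the window
        results["out_of_range_allowed"] = True
    except TamperDetected:
        results["out_of_range_allowed"] = False
    results["keys_zeroized"] = all(b == 0 for b in keys)
    results["latched"] = mon.tampered
    return results


if __name__ == "__main__":
    for name, value in boot_demo().items():
        print(f"{name:22s} {value}")
```

Two design points carry over to real hardware: the response latches, so a device that has tripped once does not quietly resume after the probe is removed, and the check that decides whether to boot compares digests in constant time, since a comparison that returns early leaks information through timing just as a power trace does.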

The items mentioned are not the only ones worth discussing; firmware protection, a noise generator where needed, and key storage also matter. When approaching product design, it is essential to establish a security policy that defines the security goals of the product.

Staying aware of the latest attack methodologies will enable you to choose the proper means of protection for your product. Security threats to hardware and embedded systems are a growing concern as the number of connected devices continues to expand rapidly. Defending against these threats requires components that support hardware security, such as FPGAs with encrypted bitstreams, multiple key storage elements, secured flash memory and anti-tamper features. A culture of hardware security must be part of the cyber security approach; software alone has proven inadequate against the latest threats. Enjoy the reading and the summer. Nicola Sotira, General Manager, GCSEC

cause annoyance to those designed to disrupt organisations for financial gain.

Enterprise Security and Risk Management Europe Date: Wednesday September 21, 2016 Location: Mövenpick Hotel, Amsterdam, Netherlands http://goo.gl/iMqgtc The e-Crime and Information Security series delivers critical information, examples of best practice and practical case studies that detail how to proactively reduce risk in a changing business and technology environment, defend IT systems and data against emerging threats, identify sophisticated cyber attacks and comply with relevant legal, compliance or regulatory requirements. This event is an opportunity to compare domestic solutions with international best practice and to network with industry peers, suppliers and law enforcement.

Sicurezza ICT - Turin Date: Wednesday September 28, 2016 Location: Hotel NH Ambasciatori, Turin, Italy http://goo.gl/hU3qVr A day of training in which users and providers meet to give an informative overview of the technological fields closely related to IT security: Mobile, Cloud, Datacenter, protection of communications and company data, and more.

No More Ransom: law enforcement and IT security companies unite to fight ransomware http://goo.gl/01bsA0 A new tool with over 160,000 decryption keys helps victims recover their data. The Dutch police, Europol, Intel Security and Kaspersky Lab have joined forces to launch the No More Ransom initiative, a new step in the collaboration between law enforcement and the private sector to jointly combat ransomware. No More Ransom (http://www.nomoreransom.org) is a new portal aimed at informing users of the danger posed by ransomware and at helping victims recover their data without paying the ransom to cyber criminals.

Edward Snowden Designs Device To Detect iPhone Snooping http://goo.gl/V1Ipmb Working with noted computer researcher/hacker Andrew "Bunnie" Huang, National Security Agency (NSA) whistleblower Edward Snowden has created a design for an "introspection engine" that detects unwanted radio transmissions from an attached iPhone. They envision the device being used by journalists who want to be sure their iPhones do not reveal their location when in airplane mode.

Fiat Chrysler will pay you $1,500 if you can do

news in this number
Education and Training: Mind the Gap, by Massimo Cappelli, GCSEC
Key Considerations in Deploying an SSL Solution, by F5 Networks HQ Seattle
How Ready Is Your Company?, by Gastone Nencini, Country Manager Trend Micro Italia
Security? A continuously moving frontier. An interview with Fabrizio Battistelli, Professor of Sociology at the Department of Social and Economic Sciences, University "La Sapienza", Rome, by Massimiliano Cannata, Reporter: Technology innovation, training and security culture

Page 3:

Cyber security is a complex topic. Society is moving fast into the digital world. Governments and companies want to ride the wave of digitalization, pushing their departments to transform the business from the "old school" to the new digital one. In the 70s the home computer was introduced; in the 80s came the first Automated Teller Machines. In 1991 the World Wide Web became publicly accessible, and by 2000 the mobile phone had become a common device. The 2010s have seen the widespread availability of smartphones, tablets, cloud infrastructure, big and open data and so on. For 2020, several forecasts imagine around 34 to 50 billion devices connected to the Internet. Considering a potential population of 7 billion, that means 5 to 7 connected devices per person. Are we ready to face it? Progress is moving faster than the human capability to ride it. The latest Digital Economy & Society Index (2016) reports that one third of the Italian population does not use the Internet regularly and that there is a lack of digital specialization. The growth of digitalization and cyber security starts from education and awareness. Most attacks exploit human error: according to general statistics, human inaccuracy is the entry point in 80-90% of incidents. Malware such as ransomware exploits human vulnerability. A data breach such as the LinkedIn one also presents big issues for companies. A lot of people use the same password for several services. If a person registers on a social network with the company e-mail address and uses the same password for both digital identities (company intranet and LinkedIn), this becomes a vulnerability for the company as well. The monitoring activities of a company should take this issue into account, and the effort required is inversely proportional to the awareness of employees, clients and users in general.

A cyber threat intelligence department should also monitor the deep web and dark web to check whether a data leak could have any impact on the company. Databases released on the dark web can contain information that damages the business or interests of the company.
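As an added illustration of the monitoring just described (this is example code written for this page, not a GCSEC tool), the following Python script triages a leaked credential dump against a company directory: it keeps only addresses in the company domain and, for each, recomputes the corporate password hash over the leaked password to see whether the external password also unlocks the internal account. The dump lines, the accounts and the PBKDF2-HMAC-SHA256 scheme are all assumptions made for the demo; a real identity provider would run the same check against its own hash format.

```python
"""Triage of a leaked credential dump against a company directory.
Added example: dump lines, accounts and the hashing scheme are constructed."""
import hashlib
import hmac
import os

COMPANY_DOMAIN = "example.com"       # assumed company domain
PBKDF2_ITERATIONS = 100_000          # assumed parameter of the corporate IdP


def hash_password(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Corporate password hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_directory(plain_creds):
    """Build demo directory records; only salt and hash are kept, as an IdP would."""
    directory = {}
    for email, password in plain_creds:
        salt = os.urandom(16)
        directory[email.lower()] = {"salt": salt, "hash": hash_password(password, salt)}
    return directory


def parse_dump(lines):
    """Yield (email, password) from 'email:password' dump lines, skipping junk.
    Only the first ':' separates the fields, so passwords containing ':' survive."""
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password


def triage(dump_lines, directory, domain=COMPANY_DOMAIN):
    """Map each company address found in the dump to an action.

    'force_reset'  the leaked password also unlocks the corporate account
    'notify'       the address is exposed but the password does not match,
                   or there is no matching account (alias, former employee)
    Checking is done the way the IdP itself would do it: re-hash the leaked
    plaintext with the stored salt and compare in constant time.  Hashes are
    never exported to the team handling the dump.
    """
    findings = {}
    suffix = "@" + domain.lower()
    for email, leaked_pw in parse_dump(dump_lines):
        if not email.endswith(suffix):
            continue                               # other organisations' users
        record = directory.get(email)
        if record is not None and hmac.compare_digest(
                hash_password(leaked_pw, record["salt"]), record["hash"]):
            findings[email] = "force_reset"
        else:
            findings[email] = "notify"
    return findings


# Constructed demo data ---------------------------------------------------
DIRECTORY = make_directory([
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "correct horse battery staple"),
])

LEAK_DUMP = [
    "alice@example.com:Summer2016!",       # same password on the leaked site
    "Bob@Example.com:linkedin:only:pw",    # different password, colons inside
    "carol@other.org:whatever",            # not our domain
    "malformed line without separator",
]


def demo() -> dict:
    return triage(LEAK_DUMP, DIRECTORY)


if __name__ == "__main__":
    for email, action in sorted(demo().items()):
        print(f"{email:24s} -> {action}")
```

Note that the expensive step is the re-hash, which is intentional: the directory stores a slow, salted hash precisely so that a dump of it cannot be cracked quickly, and the same property bounds how fast this triage can run over a large dump.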

The second issue is the lack of cyber security educational offerings. Italy ranks 22nd among the 28 EU countries (21st of 27 after Brexit) in STEM (Science, Technology, Engineering, Mathematics) graduates.

this one thing to its cars https://goo.gl/Smlnkg Fiat Chrysler Automobiles will begin to reward hackers who expose deficiencies in its cars' software, the company announced Wednesday. Using Bugcrowd, a platform that connects researchers to firms looking to eliminate technical defects, FCA will award hackers up to $1,500 for reporting vulnerabilities in its so-called "bug bounty" program. "This is really the next level of automotive cyber safety," Bugcrowd chief executive Casey Ellis said in an interview, in which he also called the move "historic" because of Chrysler's worldwide scale.

Three Arrested After Taiwan ATM Heist http://goo.gl/HhIg4k Three foreigners have been arrested in Taiwan after thieves made off with $2.5 million from ATMs around the country. In what is believed to be the first incident of its kind in Taiwan, criminals from eastern Europe and Russia are said by police to have used malware to infiltrate cash machines run by First Commercial Bank. The three suspects were arrested in the capital Taipei and in north-east Taiwan, with around half the money recovered.

Four Cyber Attacks On UK Railways In A Year http://goo.gl/WsDGXh Sky News has learned that the UK railway network has suffered at least four major cyber attacks over the last year alone, and experts have warned that the digital systems controlling trains are vulnerable to hackers who could cause injury or death in the real world. Sergey Gordeychik, a security researcher at Kaspersky Lab in Moscow, has discovered several weaknesses in rail infrastructure. He told Sky News: "Hackers can get access not only to simple things like online information boards or in-train entertainment, but also to computer systems which manage trains by itself, which manage signals, manage points, and in this case, if they have enough knowledge, then they can create real disaster related to train safety."
DDoS extortion campaigns increasingly target businesses https://goo.gl/d0piR4 80 percent of European IT security professionals expect their business to be threatened with a DDoS ransom attack during the next 12 months, according to Corero Network Security. The research, which polled over 100 security professionals at the Infosecurity Europe conference in London, highlights the growing threat of cyber extortion attempts targeting businesses in the United Kingdom and continental Europe. The rise of DDoS extortion campaigns: last month (May 2016), the City of London Police.

Aussie researcher claims 'Antminer' bitcoin boxen can be broken http://goo.gl/7CwcHB Australian security researcher Tim Noise says scores of popular Antminer Bitcoin mining devices could be commandeered. Noise demonstrated how a vulnerability in the configuration of the open source mining program CGminer running on an Antminer box can be abused to redirect the efforts of massive mining operations to fill an attacker's wallet. A proof-of-concept attack app, dubbed QueenAnt, is available on GitHub. Beijing-based Antminer manufacturer Bitmain has been contacted for comment. Noise says CGminer is typically configured to

Education and Training: Mind the Gap

by Massimo Cappelli, GCSEC

Page 4:

In "The 2015 (ISC)2 Global Information Security Workforce Study" by Frost & Sullivan, there is a clear representation of worldwide information security needs in terms of knowledge, skills and abilities. There is a strong lack of experts in the market (security analysts, security auditors, security architects...) and also of competencies (risk assessment and management, incident investigation and response, governance...).

Educational programmes should include more STEM topics and offer progressive, deeper engagement in cyber security for the students interested in it. Currently, cyber security is mostly addressed in Master's programmes, with few practical activities. That is too late to forge security analysts or other operational experts. The Italian market has a gap in IT security operational resources that must be filled. A national educational programme on cyber security should start with stronger STEM and awareness programmes in order to seed the bases for cyber security topics. Universities should start to create dedicated cyber security programmes with operational training. In Italy there is a huge lack of cyber security university programmes, and engineering faculties above all should provide a solution. That solution should not be disconnected from the work environment. Looking at the National Initiative for Cybersecurity Education (NICE) of the USA and comparing it with the US National Cybersecurity Framework (adopted by Italy too), the linkage between the two initiatives is still not clear. There is a sort of broken bridge between them.

The National Initiative for Cybersecurity Education framework of NIST presents 7 categories (Securely Provision; Operate and Maintain; Protect and Defend; Investigate; Oversee and Govern; Collect and Operate; Analyze). For each category there are Specialty Areas (about 32 in total). For each Specialty Area there are tasks that an expert should perform, acquiring specific Knowledge, Skills and

accept incoming connections on TCP port 4028 through an exposed remote procedure call (RPC) interface that collects statistics and configuration specifications from mining groups.

New threat dubbed Zepto Ransomware is spreading with a new email spam campaign; it is a variant of the recent Locky ransomware. http://goo.gl/oXV3xt The news was recently reported in a blog post by the Cisco Talos team: "We are watching Zepto very carefully. It's closely tied to Locky, sharing many of the same attributes," said Craig Williams, senior technical leader and global outreach manager at Cisco Talos. "There is still a lot to learn about Zepto. As far as we can tell, it's either a new variant of Locky or an entirely new ransomware with many copycat Locky features," he said. In the last week, experts observed more than 140,000 emails using a particular naming convention to deliver a malicious attachment. The email is generated from a template body text, with the greeting in the header picked randomly from an array and followed by the [NAME] of the receiver. As with previous variants of the same malware family, the text of the email tries to trick the victim into opening the attachment.

US Government Set to Phase Out Text-Based 2FA http://goo.gl/R4Wmo5 The US government's National Institute of Standards and Technology (NIST) has released new guidelines designed to phase out the use of SMS-based two-factor authentication (2FA) for government service providers. The standards agency made the move in a draft of its new Special Publication 800-63B, Digital Authentication Guideline (https://pages.nist.gov/800-63-3/sp800-63b.html). Although it currently applies only to authentication to US government services, it could set the tone for the commercial world. NIST states in the guidance that SMS-based two-factor authentication should be avoided because the one-time code itself can be intercepted or redirected.
Warning: Over 100 Tor Nodes Found Designed to Spy On Deep Web Users http://goo.gl/H5B3M2 Researchers have discovered over 100 malicious nodes on the Tor anonymity network that are "misbehaving" and potentially spying on dark web sites that use Tor to mask the identities of their operators. Two researchers, Amirali Sanatinia and Guevara Noubir of Northeastern University, carried out an experiment on the Tor network for 72 days and discovered at least 110 malicious Tor Hidden Service Directories (HSDirs). HSDirs are relays that store the descriptors of hidden services: a client looking for a ".onion" address queries them to learn how to reach the service, so a misbehaving HSDir can learn of hidden services it was never meant to know about and watch for lookups of them.

Page 5:

As social animals, humans struggle to keep secrets. We survive, and thrive, through the sharing of information. However, some information needs to remain private, which is why cryptography has been around in one form or another since the Spartan army used a transposition cipher (the scytale) to protect military messages. But while the science of keeping private data private was once the purview of government intelligence agencies, the ubiquity of the Internet has made privacy a concern for everyone. In the face of a steady stream of data breaches, the question of how to safeguard personal and corporate data online has become paramount for businesses around the world.

Only a decade ago, large financial institutions and government agencies were the primary organizations employing the cryptographic protocol historically known as Secure Sockets Layer (SSL) and now called Transport Layer Security (TLS). Today, SSL is everywhere. Analysts predict that encrypted traffic will jump to nearly 64 percent of all North American online traffic in 2016, up from just 29 percent in 2015 [1]. Organizations are scrambling to encrypt the majority of their traffic, including everything from email and social media to streaming video. This evolution adds security to web traffic, but at a price. The growth of SSL traffic has put a burden on organizations to implement an efficient SSL solution that allows their network infrastructure to cope with the increased workload that strong security demands. Organizations are attracted by the level of security that SSL provides, but there are challenges in deploying it as an everywhere, all-the-time security protocol. At the same time, SSL has become an attack vector, as attackers use it to hide malware from security devices that cannot see inside encrypted traffic. Distributed denial-of-service (DDoS) attacks are particularly troublesome, as they take advantage of the relatively large computational cost of the server side of an SSL handshake. In addition, implementation flaws such as the Heartbleed bug in OpenSSL can result in security breaches. Properly deploying SSL is daunting even for seasoned administrators. However, it is possible to stay in front of changes, choosing proactive strategies instead of reactive tactics, by learning about the most current options and trends in deploying SSL across sites.

[1] Sandvine, Global Internet Phenomena Spotlight: Internet Traffic Encryption, 2015 (https://www.sandvine.com/downloads/general/globalinternet-phenomena/2015/encrypted-internet-traffic.pdf)

Abilities (KSA), about 800 in total. Acquiring the KSAs allows one to aspire to specific job titles, also listed in the framework. The issue is the potential logical gap between the two initiatives (the educational framework and the "operational" one). The National Cybersecurity Framework categorizes the topics differently: it is divided into 5 functions (Identify; Protect; Detect; Respond; Recover) with their own categories and sub-categories. The exercise of linking the NICE framework with the National Cybersecurity Framework has been left to the reader. It would have been useful to describe the education and training categories in the same language and framework used for companies, so as to have continuity in the field. In conclusion, some recommendations for Italy could be: 1) Start disseminating awareness campaigns from kindergarten onwards, not as sporadic initiatives but as part of educational activities; 2) Strengthen the teaching of STEM at all educational levels; 3) Introduce cyber security programmes in high school and specific cyber security degrees in universities; 4) Starting from the National Cybersecurity Framework adopted by Italy, take a step back and develop educational programmes that train people to perform the functions and activities listed in the framework.

Key Considerations in Deploying an SSL Solution

by F5 Networks HQ Seattle

Page 6:

When adopting an SSL strategy, the fundamental considerations relate to data protection and privacy, visibility and control, key management and comprehensive compliance. Regarding data protection, the primary goal of SSL is to secure data in transit between applications. When secured by SSL, communications between a client such as a web browser and a server are private, and the identities of the two parties can be authenticated. However, with the classic RSA key exchange the session keys are protected by the server's long-term private key, so recorded traffic can be decrypted at any point in the future if that key is ever obtained, as the high-profile U.S. National Security Agency (NSA) leaks from Edward Snowden made clear. Securing all web communications is therefore not enough. SSL offers a countermeasure against this kind of passive surveillance called perfect forward secrecy (PFS), which adds an ephemeral Diffie-Hellman exchange to the key establishment between the two sides of the connection. By generating a unique, short-lived session key for each session, PFS guarantees that an attacker cannot simply recover the server's private key and decrypt millions of previously recorded conversations. Adopting PFS seems simple: just activate it, by preferring ECDHE or DHE cipher suites, on the SSL termination device such as an Application Delivery Controller (ADC). However, organizations using passive security devices such as an intrusion prevention system (IPS) or intrusion detection system (IDS) will run into trouble, as those devices decrypt traffic out of band using a copy of the persistent private key, which PFS does not use. Thus, organizations face a choice: turn off their IPS/IDS or turn off PFS. Either choice compromises their overall security posture. There is another way. Allow the IDS/IPS to do the job it was made for by offloading all the SSL traffic to a reverse proxy, such as a web application firewall or ADC. The reverse proxy terminates the ciphers and passes the decrypted traffic to the IDS/IPS for inspection and sanitization; since that segment now carries plaintext, it must be confined to a trusted network path.
What you can do: Enable PFS to protect the integrity of data. In addition, consider deploying a reverse proxy to offload the SSL traffic and optimize the work of network security devices. Enabling HTTP is one of the easiest and most powerful ways to improve the security posture of applications. By inserting a header into HTTPS traffic, HSTS provides a layer of protection against several common attack vectors, including cookie hijacking, man-in-the-middle, and downgrade attacks. All major browsers now support HSTS, making its use a good way to ensure that all traffic stays encrypted. What you can do: Ensure that all pages for all domains have the HSTS header by enabling HSTS for subdomains. Be sure that those subdomains are able to support the use of SSL. Double-check that the SSL solution permits quick and easy configuration of system-wide HSTS parameters. Ensure that the HSTS header has a duration of six months or more.
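To make the two recommendations above checkable, here is an added example (not from the newsletter or from any vendor's product) that validates a Strict-Transport-Security header against the six-month guideline and flags cipher suites that lack forward secrecy; the header strings and cipher suite names are constructed sample inputs.

```python
"""Added example: audit an HSTS header and a cipher suite list against the
PFS and HSTS guidance in the article. Sample inputs below are constructed."""

SIX_MONTHS = 6 * 30 * 24 * 3600  # 15552000 seconds: the minimum max-age recommended above


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns e.g. {"max-age": 31536000, "includesubdomains": True}.
    Directive names are case-insensitive (RFC 6797), so they are lowered;
    a non-numeric max-age is stored as None and reported by check_hsts.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                directives[name] = int(value)
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True
    return directives


def check_hsts(header, min_age=SIX_MONTHS):
    """Return a list of findings for an HSTS header; an empty list means it passes."""
    if header is None:
        return ["HSTS header missing: traffic can be downgraded or hijacked"]
    findings = []
    directives = parse_hsts(header)
    age = directives.get("max-age")
    if age is None:
        findings.append("max-age missing or malformed")
    elif age < min_age:
        findings.append(f"max-age {age}s is below the recommended {min_age}s")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains not covered")
    return findings


def has_forward_secrecy(cipher_suite):
    """True if the suite uses an ephemeral (EC)DHE key exchange.

    Static RSA key exchange ("TLS_RSA_WITH_...", OpenSSL "AES256-SHA") lets a
    recorded session be decrypted later if the server's private key is ever
    obtained, which is exactly what PFS prevents. Accepts IANA or OpenSSL names.
    """
    name = cipher_suite.upper()
    if name.startswith("TLS_AES_") or name.startswith("TLS_CHACHA20_"):
        return True  # TLS 1.3 suites always use an ephemeral key exchange
    return "ECDHE" in name or "DHE" in name


def audit_ciphers(cipher_suites):
    """Return the suites that lack forward secrecy and should be disabled."""
    return [c for c in cipher_suites if not has_forward_secrecy(c)]


# Constructed sample inputs
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=86400",
    "broken": "max-age=oops; includeSubDomains",
}
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, check_hsts(header) or "ok")
    print("no forward secrecy:", audit_ciphers(SAMPLE_CIPHERS))
```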

Considering visibility and control, managing applications and ensuring their security requires visibility into traffic, or the ability to provide that visibility to security devices such as a web application firewall (WAF), an IPS/IDS, or a next-generation firewall (NGFW), so that it can be screened for known threats. By definition, however, SSL hides the data being communicated, even from security solutions; several approaches nevertheless maintain security while effectively revealing malicious traffic. Encrypting and decrypting SSL traffic consumes additional computational power. With the growth of SSL, network and user experiences can be affected by latency and sluggish performance. In addition, some computationally intense protocols are not supported by some security devices in use today. An ADC can ease that computational burden by serving as a full proxy for TCP, HTTP, and SSL, meaning the ADC creates one connection to the client (browser) and a separate connection to the server. The transformational nature of an SSL proxy allows a site to provide SSL features that are decoupled from the capabilities of the application servers. What you can do: Deploy a solution that can scale. Offloading SSL termination work to an ADC simplifies enforcing a consistent SSL policy without compromising performance, key protection, or visibility. This increases flexibility by allowing the ADC to transform the interface to the web servers into any protocol the ADC supports, regardless of the back-end transport options, so business-critical legacy devices and applications on the back end can continue operating without changes while a robust public-facing security posture is maintained. In addition, having a central point of control streamlines the process of updating a site to protect against emerging vulnerabilities. Finally, with a hybrid architecture, look for a solution that allows offloading SSL processing from virtual machines (VMs) to a hardware device in order to reduce computational demands on the infrastructure and get the most from a virtual deployment.


Security analysts estimate that by 2017, 100 percent of new malware will use SSL to hide its tracks from the security devices designed to identify and neutralize it. Enterprises need to monitor and sanitize their outbound web traffic to mitigate advanced persistent threats (APTs) such as spear phishing and malware activity. New security devices are constantly being developed to assist administrators in detecting these threats. Implementing what is known as a defense-in-depth strategy, many administrators deploy security devices in a chain so they can support each other. However, SSL operations hinder the efficiency, security, and performance of these devices. Many of these new technologies are either blind to encrypted traffic or suffer significant performance degradation when tasked with inspecting encrypted traffic. Next-generation firewalls, for example, can experience up to 80 percent performance loss with SSL enabled. Malware and spear phishing authors know this and are quickly moving to encrypt all communication between their malware and the outside world. What you can do: One way to battle these encrypted threats is to deploy an SSL air gap solution, which consists of placing an ADC on either side of the visibility chain. The ADC closest to the users decrypts outbound traffic and sends the decrypted communications through the security devices. These devices, which can now see the content, apply policy and controls, detecting and neutralizing malware. At the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center. Deploying this solution provides the flexibility of keeping security devices in line, while ensuring that they can do the job they were built for. One more note: When employing a visibility scanner such as FireEye or Cisco Sourcefire to protect the network from zero-day exploits and other malicious attacks, make sure the SSL solution works closely with these security products to maximize efficiency. 
The complexity of deploying SSL, combined with the difficulty many network devices have in gaining visibility into encrypted traffic, makes SSL the perfect target for DDoS attacks—a fact attackers understand all too well. As the overall volume of legitimate SSL traffic rapidly increases, malicious DDoS traffic becomes ever more difficult for security devices to identify. What you can do: Mitigate DDoS attacks such as SSL renegotiation attacks and SSL floods with a comprehensive SSL solution that can efficiently identify suspect DDoS traffic and prevent it from impacting the availability of websites. Consider investigating cloud-based DDoS services that can help mitigate the impact of SSL-based DDoS attacks. Since the beginning of the SSL protocol in the 1990s, the RSA cryptosystem has been the main choice for key exchange. Over time, as brute-force attacks became more feasible, RSA key lengths had to become longer. Today, RSA keys are so large that the key exchange is a very computationally intensive operation. To reduce that computational load while maintaining stringent privacy controls, new cryptographic protocols are gaining popularity. For instance, elliptic curve cryptography (ECC) offers the same level of security as previous algorithms while requiring less processing, which also means that it is much friendlier to the battery life of mobile devices. While these cryptographic options are promising, organizations are rightfully concerned about having to reconfigure hundreds of servers to offer these new protocols. What you can do: It is not uncommon to have to switch algorithms over time, so ensure that the SSL solution has cipher agility—the ability of an SSL device to offer multiple cryptographic protocols such as ECC, RSA2048, and DSA at the same time, even in the same web application. In addition, with increasing cipher diversity, it is essential that the SSL solution demonstrates a proven track record of staying up to date with cipher support.

When we talk about key management, we consider SSL keys to be among an organization's most prized assets. An attacker who gains possession of private SSL keys could impersonate the target's applications and create the ultimate phishing portal. However, there are several ways to protect these all-important keys. It is recommended to use a hardware security module (HSM), a separate hardware and software security device that follows the strict FIPS 140-2 cryptographic design guidelines to safeguard and manage cryptographic keys. Because the keys are never transferred out of the HSM, there is no worry about SSL vulnerabilities like the Heartbleed bug. What you can do: The most secure way to safeguard SSL keys is by using an HSM. There are several possibilities, such as purchasing an internal HSM like the one included in some ADCs. Some organizations consolidate their key management by using HSM devices as centralized key stores (for example, one pair per data center). These network HSMs are accessible over the internal network to services that need key decryption, which means that many SSL termination points can use the same network HSM. One caveat: just make sure that the SSL solution can tie seamlessly into the network HSM.

Organizations implement enterprise key and certificate management (EKCM) best practices to ensure the security of SSL keys. Consider using a hardware-secured encrypted key storage system, which allows passphrases to be stored in encrypted form in the network file system. The foundation of effective EKCM is creating a comprehensive inventory of all enterprise certificates, their locations, and the people responsible for managing them. Each SSL-enabled website has its own certificate, and each certificate has its own expiration date. In any given week, one or more certificates may expire, which will cause the associated website or application to become unavailable. Managing all these certificates can be a laborious undertaking, but it is essential to ensure the high availability of critical sites. In addition, SSL certificates should be audited for key length (2048-bit or more), digital signing (SHA2 or better), and rogue certificates not generated within the internal PKI or by a public root CA. Finally, compliance with PCI DSS requires a documented certificate and key management process. What you can do: Most administrators of medium to large organizations prefer an external certificate management system because the organization has keys and certificates in many locations. In particular, many have had success with two external solutions: Venafi and Symantec. It is important that whatever solution is chosen has open APIs to automate management and decrease the operational load.

Finally, compliance is often the driving force behind SSL adoption. Applications that comply with the PCI DSS specification will need to discontinue use of SSLv3 and TLSv1 over the next two years to remain in compliance with PCI 3.0. New PCI DSS deployments must already be disabling SSL 3.0 and TLS 1.0.
What you can do: First, ensure that the network firewall is ICSA Labs Certified. In addition, SSL transformational services provide the ability to maintain compliance with an Internet-facing SSL policy without the need to enforce that policy on individual servers. Ensure that the SSL solution is ready for the upcoming TLS 1.3. In addition, real operational efficiency gains can be made by centralizing compliance through a network service offloaded to an ADC rather than attempting to solve it for each individual application. In conclusion, like it or not, the online world is a dangerous place, and protecting sensitive corporate information from would-be attackers has become a top priority for enterprises of all sizes. With privacy breaches becoming increasingly common, many organizations look to SSL as a way to protect the integrity of their data online. However, the implementation of a comprehensive SSL strategy comes with its own challenges of visibility, performance, and scale. Through proper planning and deployment, a strong SSL strategy mitigates the risk of breaches. Once the strategy is in place, the site will be positioned for future security, scalability, and reliability, putting the focus where it really matters—moving business forward.
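As an added example, not part of the original article, the following script runs the inventory audits recommended above (key length, signature algorithm, issuer, expiry and responsible owner) together with the PCI DSS protocol check over a constructed certificate inventory; the site names and issuer names are placeholders, not real CAs.

```python
"""Added example: EKCM inventory audit plus PCI DSS protocol check.
The inventory, issuer names and dates below are constructed placeholders."""
from datetime import date, timedelta

MIN_KEY_BITS = 2048                       # "2048-bit or more"
WEAK_SIG_ALGS = {"md5WithRSAEncryption",  # anything below SHA-2 fails
                 "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}  # PCI DSS: must be disabled
EXPIRY_WARNING_DAYS = 30

# Issuers the organisation recognises: its internal PKI and the public root CAs
# it buys from. Placeholder names, not real CA distinguished names.
TRUSTED_ISSUERS = {"CN=Example Corp Internal Issuing CA", "CN=Example Public Root CA"}


def audit_certificate(cert, today, trusted_issuers=TRUSTED_ISSUERS):
    """Return findings for one inventory record; an empty list means compliant.

    `cert` is a dict with keys name, owner, key_bits, sig_alg, issuer, not_after (date).
    """
    findings = []
    if cert["key_bits"] < MIN_KEY_BITS:
        findings.append(f"key length {cert['key_bits']} below {MIN_KEY_BITS}")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {cert['sig_alg']}")
    if cert["issuer"] not in trusted_issuers:
        findings.append(f"rogue certificate: issuer {cert['issuer']} not recognised")
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= EXPIRY_WARNING_DAYS:
        findings.append(f"expires in {days_left} days; renew now")
    if not cert.get("owner"):
        findings.append("no responsible owner recorded")
    return findings


def audit_protocols(enabled):
    """Return the enabled protocol versions that PCI DSS requires to be disabled."""
    return sorted(p for p in enabled if p in FORBIDDEN_PROTOCOLS)


def audit_inventory(inventory, today):
    """Map each site name to its combined certificate and protocol findings."""
    report = {}
    for site in inventory:
        findings = audit_certificate(site["cert"], today)
        bad = audit_protocols(site["protocols"])
        if bad:
            findings.append("forbidden protocols enabled: " + ", ".join(bad))
        if findings:
            report[site["cert"]["name"]] = findings
    return report


# Constructed sample inventory: three termination points
TODAY = date(2016, 8, 1)
SAMPLE_INVENTORY = [
    {"cert": {"name": "www.example.test", "owner": "web-team", "key_bits": 2048,
              "sig_alg": "sha256WithRSAEncryption",
              "issuer": "CN=Example Public Root CA",
              "not_after": TODAY + timedelta(days=200)},
     "protocols": ["TLSv1.1", "TLSv1.2"]},
    {"cert": {"name": "legacy.example.test", "owner": "", "key_bits": 1024,
              "sig_alg": "sha1WithRSAEncryption",
              "issuer": "CN=Example Corp Internal Issuing CA",
              "not_after": TODAY + timedelta(days=12)},
     "protocols": ["SSLv3", "TLSv1", "TLSv1.2"]},
    {"cert": {"name": "shadow.example.test", "owner": "unknown", "key_bits": 2048,
              "sig_alg": "sha256WithRSAEncryption",
              "issuer": "CN=Some Self-Signed Box",
              "not_after": TODAY - timedelta(days=3)},
     "protocols": ["TLSv1.2"]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```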

How Ready Is Your Company? by Gastone Nencini, Country Manager Trend Micro Italia

From January to May 2016, we ran an online survey asking respondents to gauge their company's security readiness according to different areas identified in our 2016 Trend Micro Security Predictions. We tallied their responses and assigned corresponding ratings that reflect how they currently fare against this year's biggest security concerns. A good rating means that the organization is equipped against this year's biggest security challenges. A pass rating means that the organization has ample security safeguards in place but still has room to improve in certain areas. A fail rating denotes that the organization does not meet the bare minimum security requirements needed to protect its assets and data. Any organization with a fail rating would benefit from updating its existing security strategy and investing in appropriate solutions. Based on the results of the Security Readiness Survey, only 18% of the respondents are adequately prepared, while 21% are missing crucial points of protection. Below, we tabulated the results according to industry and geographical region.


Overall data protection is still the biggest weak spot for many organizations. Across the board, 26% of the respondents are not prepared for cyber-attacks involving data breaches. Meanwhile, 18% of all respondents are not ready for attacks involving online extortion, mobile malware, and other threats designed to target mobile payment systems.

The government sector ranked highest among industries in overall security preparedness. Up to 34% of the respondents from government organizations earned a good rating. This is due to the sector's lower exposure to IoT and mobile risks as well as satisfactory data management practices. Up to 43% of the respondents in the communications and media sector failed in terms of security preparedness. Due to their normal conduct of business, companies in the communications and media sector are much more exposed to third parties. This working setup is unavoidable, since outsourcing talent and technology is often crucial in this industry. But by working with external groups whose systems and devices may not be secure, organizations open up new channels for threats to come in or create new gaps for data to seep out. This was reflected in their below-average answers to security questions related to online advertising, mobile device management, and data protection. Although it scored high in other areas, the healthcare industry is the least prepared for IoT-related security concerns. Only 36% of the respondents expressed confidence in their organization's ability to cope with the issues brought about by smart devices and other IoT-related threats. This could prove tricky for companies should the move toward IoT devices become a requisite in enterprise environments. For now, we are not foreseeing any large-scale attacks, so the respondents across industries are still in the clear.

A look at Security Preparedness per Region

Security Preparedness in Asia
While the good marks in Asia are solely driven by the number of respondents who gave the proper security answers, this still indicates that, of those we asked, the majority tend to go beyond rudimentary antivirus solutions and enforce strict backup policies.

Security Preparedness in Europe
The landmark update to the EU Commission's Data Protection Directive requires companies that handle the data of European citizens to tighten data protection practices. Up to 74% of respondents gave altogether satisfactory to excellent answers to data security questions.

Security Preparedness in Latin America
Respondents in Latin America struggle to manage mobile devices in their networks. 21% of respondents gave answers that expose them to the risks of BYOD, like mobile threats and data leaks, specifically the lack of mobile device management strategies.

Security Preparedness in the Middle East and Africa
Online extortion schemes use social engineering and exploits as entry points, so unsatisfactory answers such as over-reliance on antivirus and insufficient patching practices tend to increase a company's risk. 27% of respondents are not ready for these kinds of online attacks.

Security Preparedness in North America
25% of respondents in North America gave below-average answers regarding their exposure to data breach attacks, the highest in this region compared to the other security issues raised in the survey. Up to 60% keep information that could ruin their organizations if leaked.


Security Preparedness in Oceania
A great majority of respondents in Oceania admitted to relying primarily on antivirus to defend against malware, online threats and cyber-attacks. This is a poor security approach that not only opens a company to the risk of a data breach but to other threats as well.

Details

Online Extortion
Online extortion continues to take on new forms and techniques this year. In the first quarter of 2016, the FBI pegged ransomware profit at an all-time high of $209 million. However, 33% of respondents still say that their company either does not strictly enforce a backup policy for important data or that they have no idea whether a backup policy is in place at all. More than 20% of the communications and media, banking, and education sectors got a fail rating for online extortion attacks.

Internet of Things (IoT)
When asked whether their companies provision them Internet-connected devices (other than PCs, laptops, tablets, and smartphones) for work, the respondents were split. Almost 50% said no, while the rest were allowed or even given smart devices to work with. Of those who do use smart devices at work, respondents seem to be doing pretty well in making sure that strong authentication and timely upgrade procedures are in place. However, 25% of the companies from the healthcare sector that use smart devices, mostly based in the U.S., do not apply enough best practices to prevent exposure to IoT threats.

Mobile Security
While most respondents (72%) are not allowed by their companies to download apps from unofficial app stores, 59% of them are allowed to connect to the enterprise network, despite 58% of them saying their companies do not have mobile device management solutions in place. Almost 40% of respondents from communications and media companies and 25% from the education sector are not prepared for the onslaught of mobile malware and emerging threats against online payment systems.

Data Breaches
The damaging nature of data breaches makes data protection strategies an absolute must. Despite the awareness raised by news reports, data protection still poses the hardest challenge because it cuts across many other areas. 58% of respondents say that their companies still rely primarily on antivirus solutions to defend against cyber-attacks; only half are confident that employees know what to do in case of an information security incident. Up to half of the total respondents in each industry are not prepared for cyber-attacks.

Data Protection Officers
With the European Union (EU) Data Protection directive now put into action, even covering companies outside of the EU, the role of a chief risk officer or a data protection officer is more important than ever. Up to 81% of large enterprises will likely be affected by the directive and will have to draw up strategies to answer the data management requirements set by the EU, and those of subsequent compliance regulations expected to crop up in response to data privacy issues.

Security? A moving frontier in continuous becoming

An interview with Fabrizio Battistelli, Professor of Sociology at the Department of Social and Economic Sciences, University “La Sapienza”, Rome

by Massimiliano Cannata, Technology innovation, training and security culture Reporter

The molecular civil war that the armed wing of radical Islam is waging in everyday places, with the specific aim of sowing death and anguish, does not answer to any rational logic. It is a dangerous escalation against which it seems impossible to design effective tools and appropriate countermeasures. Institutions, governments, law enforcement and intelligence, but also enterprises and security managers, are called on to support a “fight” that cannot afford to sit back. Fabrizio Battistelli, Professor of Sociology at the Department of Social and Economic Sciences and author of over 120 publications, has carried out research on the evolution of public institutions with special reference to internal and external security functions. He is a privileged interlocutor for discussing this "new emergency" that the world is going through, shaken by a long trail of violence over the last year that, from Charlie Hebdo to Nice, has changed the codes, languages and methods of terror.

Professor, to begin the discussion I would mention two of your works in particular: “La fabbrica della sicurezza” (The Security Factory), published by Franco Angeli, and “La sicurezza e la sua ombra” (Security and Its Shadow), published by Donzelli. "Factory" is a classic term that implies rationality, organization and striving for a common purpose, while "shadow" is an ambivalent term: it expresses non-being, but also the "double" in a negative sense. There is a game of mirrors, then, that we have to deal with. Is this a forced interpretation?

No game of mirrors; more simply, I would say that the shadow of security can be seen as its exact opposite. Insecurity is the inevitable companion that pursues individual and collective subjects without ever leaving them. The existential condition that marks contemporary life shows what the constant oscillation means between a hard-won state of calm and the fear of being threatened by hostile forces, external to us, that we often do not know and that fatally assail us. I used the term “factory” in an essay published some years ago, in an attempt to outline the main elements of a security policy that governments should commit to putting in place to meet the needs of a constantly evolving society.

Let us dwell on the condition of fear, which characterizes the figure of technological man. What are the main factors that are endangering our security? The great twentieth-century thinker Karl Popper said: "the very price of freedom is eternal vigilance"! What do you think about it?

We could go back to Sigmund Freud, or even earlier to Thomas Hobbes, considering that Western thought has traced a very clear path on the relationship between values such as freedom and security. To these thinkers it was already very clear that it was impossible to maintain the absolute freedom of the individual, because it would lead to permanent conflict. In today's society you cannot find a univocal definition of security. It is both an individual and a collective value.

What does that mean, more exactly?

Individual because it is a need and, like all needs, it is destined never to find full satisfaction. But there is also the collective dimension. As evidence of this need, humans tend to organize their social life in articulated structures. First villages and then cities were born with the aim of countering the threats of the outside world with forms of defence. Historical development has gradually increased levels of complexity, but in parallel defence mechanisms, vulnerabilities and factors of insecurity have grown. In strategic thinking the same happened with the eternal race between the shield and the sword. Unfortunately, evolution has weakened the factors of insecurity.

If we look at current events, fear dominates our approach to reality. Does this seem a most serious defeat for a society that claims big and important scientific and technological achievements?

Greater social skills and the best economic and technological power have moved the security problem rather than solved it. Security is a constantly moving frontier, in continuous becoming. We are witnessing the proliferation of standards, policies, artefacts, technologies and solutions because a higher level of protection is a goal that we can never totally reach.

Security in the risk society

In the "risk society", to use Ulrich Beck's definition, how is the security question developing?

It would be wrong, as well as misleading, not to admit that we have achieved some basic “security” that we did not have in the past. I refer to survival against hunger and scarcity. Two centuries after the advent of the industrial revolution, the most advanced societies have been able to respond to basic needs. That does not mean that everything is resolved. As Maslow taught us, the nature of need changes and evolves over time. This becoming distinguishes humans from other beings. The best attitude with respect to progress, whose myth as we know was damaged in the twentieth century, should be a balanced sobriety. Human achievements are not irreversible, as Enlightenment culture had led us to believe. In simple terms: the success of an evolutionary path that has led man to reach unthinkable goals must encourage us to pursue research with critical rationalism, without dogmatism and without hubris. In terms of security, this component can have a decisive value. Think about health: achievements in medicine in the last century have been extraordinary, but the threat of new forms of pollution and new diseases is always around us.

In the evolved and complex context that you have outlined, which requires a continuous refinement of strategies to counter threats at all levels, what type of role must states and companies exercise to ensure security?

There are several aspects to consider. First of all, it is necessary to put the universal value of the common good at the centre. Corporate social responsibility is not an abstractly moral component but a resource of a systemic nature. Each company that pursues its profit but is able to care for its environment, in a broad sense (I am thinking of ecological factors and laws, but also of human capital), will perhaps see a reduction in its earnings in the short term, but will also benefit, because by embracing the values of sustainability the company will contribute to strengthening the social capital that translates into the richness of the territories and collective well-being.

A particularly delicate aspect is represented by company security. We are in a horizon in which the public and private spheres intertwine. What is your opinion about it?

Cyber security is the new frontier where public and private touch each other. This is a difficult terrain that will absorb more resources and expertise. I remember a recent news case: a Russian hacker group stole sensitive data from an Italian political party in order to influence the race for the White House. In the past an event of this type would have affected only the secret services and the most senior government leaders; now, given the interoperability of interconnected networks, the areas of involvement have expanded dramatically, affecting the security devices of many private players operating in a globalized market of goods, services and especially information.

Speaking of networks: is it correct to say that the advent of the web society has increased the vulnerability of companies and institutions?

To answer, it is enough to state a simple universal rule: more sophistication equals greater vulnerability. It is a kind of nemesis that also characterizes military systems. Just think how difficult it is to monitor the places in which threats are generated and carried out. The proliferation of cyber crime, identity theft and the cloning of credit cards, and criminal imagination itself, are enhanced by the degree of sophistication that you mentioned. The war between "cops and robbers", under these conditions, will never end.

What's the next step?

It is hard to say. The virtual economy and financial transactions are by their nature easy to manipulate. Henry Ford said, in a figurative and (in my opinion) unsurpassed way: "only what does not exist does not break...". Clearer than that, I do not think any comment would serve.

In your essay the issue of competence emerges. What type of profile should the security manager have to face challenges that constantly change?

In order to focus on this issue, which is decisive for the future, we must reclaim the semantic difference that affects a crucial trio for anyone involved in security; the words I refer to are: danger, threat and risk. Danger, as is known, has a natural matrix and logic; the threat is orchestrated by individuals who intend to overturn an established order. I think it is more difficult to reduce the risk. Often decisions taken with positive aims translate into their opposite: from Hiroshima to Chernobyl, as is known, the list is very long. The human ability to control risk factors has a limit. Managers working in these areas are required to have this skill and an increasingly complex performance. The most difficult thing is probably to predict an infinite number of variables. Returning to greater simplicity could help us. To do this, it will be useful to distinguish between what is essential and what is superfluous, in order to improve the efficiency and effectiveness of strategies. But we are entering another field, that of the management and use of resources, which would require another interview.

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy http://www.gcsec.org

How to prevent the global terrorism threat

We remain on current events to analyse the nature of the new threats that weigh on our lives. Tragic events like the one that happened last July 14 have opened the way to a "molecular violence" still unknown. What are the future scenarios?

It will be necessary to transform "fear into a safety resource"; I agree with the director of the University of Paris, Enrico Letta, who expressed his thoughts in a recent interview published in the Corriere della Sera. Fear must lead to a multiplication of eyes, preventive defence and surveillance. We need coordination between the intelligence services of the European countries, but prevention requires a technological leap beyond that greater collaboration at all levels. Acting as a system, in a word, will be crucial to prevent the threat of global terrorism. From Charlie Hebdo to the Mediterranean crisis, Libya and Egypt, the inability of national states to share information and strategies has come to light. When you have to manage threats, competition is the worst recipe. In general it is unfortunate to note that a process of fifty years has led to a strengthening of the economic dimension of agreements and treaties, which contrasts with a serious vulnerability on strategic grounds and a glaring weakness of political thought.

It is difficult to make cities a "safe place" again. This is the real challenge to win. Where should we start?

In the first instance, we must improve coordination between levels of government. Subsidiarity, which is a strong principle embedded in the European experience, should be retrieved and seriously implemented. Another important aspect: avoid confusion between urban safety and public safety. It is not simply by reducing the number of crimes that citizens can derive greater peace of mind. The "perception" of a given security is very important and, let us remember, it is not related to the events that make headlines. Think of some egregious crimes in Italy, like Cogne or Avetrana, which immediately strike the imagination, but which the general population then regards as distant, considering them isolated and therefore unlikely. The same reasoning applies to organized crime, which is not feared as it should be, a paradox that also covers crimes perpetrated by "white collars", improperly called victimless. I wonder: what are the thousands of defrauded investors if not poor victims of corruption and malpractice? Another aspect that affects the perception of safety is the "urban issue". Decay, violence, neglect and the state of our suburbs push our mayors to adopt a multi-level governance able to create a dialogue between local and regional institutions, in order to ensure the essential safety which is like the oxygen needed to live. The dramatic situation affecting many urban areas makes it clear to us that on this delicate terrain no more time can be wasted.