Hyperguarding your Web Applications

Archive for the ‘Highlights’ Category

Weekly Industry Round-up, Week of 7/19

Posted by hyperguard on July 23, 2010

Channel Web…
Surveys Reveal Cloud Computing Security Concerns
This article looks at some recent surveys that address IT professionals’ concerns about cloud security. The Information Systems Audit and Control Association (ISACA) reported that almost half of the IT professionals surveyed in the U.S. say the associated benefits of cloud computing are not worth the potential security risks. The majority of companies hosting IT services in the cloud, according to a survey conducted by Symantec and the Ponemon Institute, have no cloud-specific security policies and procedures in place. A third survey sponsored by the Ponemon Institute and CA found that while more than half of U.S. organizations are adopting cloud computing services, only 47 percent of the IT professionals surveyed believe that those services are properly secured.

CIO Update…
Cloud Computing – Evaluating Security-as-a-Service
Over the past few years, more and more businesses have turned to software as a service (SaaS) to reduce costs. Because of this, more traditional software security vendors are developing and enhancing their service-based offerings, including those in the “security as a service” category. These offerings typically include protection against Web and email threats, monitoring of inbound and outbound network traffic, and assessment of externally facing websites for potential vulnerabilities. In this article, Matt Sarrel takes a look at some of the pros and cons of using security-as-a-service offerings.

Network World…
Firefox Lets Hackers Grab Your Passwords
At the upcoming Black Hat security conference, Jeremiah Grossman of WhiteHat Security will present a demo showing how JavaScript can be used to collect passwords from Firefox and how to grab other personal data from IE 6 and IE 7. His demo will involve getting passwords out of Firefox’s Password Manager using cross-site scripting (XSS); the attack simply requires tricking Firefox users into visiting a site hosting the malicious script.


Weekly Industry Round-up, Week of 7/12

Posted by hyperguard on July 16, 2010

Network World…
Top Cloud Computing Security Risk: One Company Gets Burned
Kevin Fogarty says that virtualization and cloud computing have not worn down the online security of most companies. However, they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security. Because responsibility for security in cloud computing arrangements is not clearly placed, a Gartner report released this week listed two things customers should insist on: access to information about how a cloud service works, and a service level agreement spelling out customer expectations and requirements. Research from the Cloud Security Alliance listed customer ignorance of security practices, and service providers’ refusal to give the information that would relieve it, among the seven top security risks in cloud computing. According to the CSA’s research, cloud projects and the risks they involve may be “complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications.”

10 Web Application Security Myths
This slideshow looks at 10 common myths about Web application security. The list includes:

  • A Web page is safe if it’s at the top of Google search
  • Users can’t get around company Web policies
  • Users can only become infected if they download files
  • A Web app is secure if it has that lock icon in the corner

Check out the article for a complete list of some of the biggest lingering misconceptions about Web application security.

The Challenges of Cloud Security
In this article, Beth Schultz says some IT execs dismiss public cloud services as being too insecure to trust with critical or sensitive application workloads and data. However, she spoke with Doug Menefee, CIO of Schumacher Group, an emergency management firm. Doug says that although there are risks with anything you do, 85% of Schumacher Group’s business processes currently live inside the public cloud. Enterprises have much to think about when they consider using public cloud services, but Doug says they’ve got to take a risk-based approach, as Schumacher Group has, with a strong focus on the data and what controls are needed.


Weekly Industry Round-up, Week of 7/5

Posted by hyperguard on July 9, 2010

Data Center Journal…
Security and Legal Concerns Hamper Cloud
Jeffrey Clark says the cloud offers a number of benefits, both from the perspective of increased business value and from the perspective of reduced environmental impact resulting from the use of IT resources. However, despite its numerous benefits, the cloud continues to be weighed down by concerns revolving around security and various associated legal matters. With the Federal Government looking at the cloud as one means to reduce its data center footprint, the potential market for cloud-based services could explode. Cloud-service providers should consider the concerns of potential customers, especially in terms of security. Many providers believe that this information about data centers and procedures should be kept secret, but many customers (such as the Federal Government) want to be made aware of that information before signing on with a provider.

ReadWrite Enterprise…
41% of IT Pros Surveyed Admit to Abusing Admin Privileges
According to this article, of the over 400 IT professionals who responded to Cyber-Ark Software’s fourth annual “Trust, Security and Passwords” survey, 41% admitted to abusing administrative passwords to access sensitive or confidential information, such as HR records and customer databases—an 8% increase since last year’s survey. As a report by the Cloud Security Alliance points out, storing data in the cloud increases the total number of individuals with potential access to sensitive data, and thereby increases the risk of data theft by a malicious insider. But many of the same practices used to protect against internal data theft can be applied in the cloud as well. Some ways to deal with these issues? Trend Micro says companies should specify human resource requirements as part of legal contracts, determine security breach notification processes and require transparency into overall information security and management practices.

SC Magazine…
GAO: Federal Agencies Lack Advisement on Cloud Security
Dan Kaplan says that according to a new report from the U.S. Government Accountability Office (GAO), a growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite. The report, written by Gregory Wilshusen, director of information security issues at GAO, found that 22 of the 24 major federal agencies are either “concerned” or “very concerned” about the security risks associated with cloud computing. Despite that, half of the agencies have moved forward on cloud computing projects, mostly for the technology’s low-cost disaster recovery, data storage and self-service benefits.


Weekly Industry Round-up, Week of 6/28

Posted by hyperguard on July 2, 2010

SC Magazine…
University of Maine Student Data Exposed
Hackers have compromised two University of Maine servers that were hosting personal and clinical information of more than 4,500 students who received counseling services in the last eight years. The first server was breached at the beginning of March, and the intruders used the newly gained information to compromise the second one. Methods employed to carry out the attacks successfully have not been disclosed and it is unclear whether the data was viewed or downloaded.

IT World…
15 Must-Listen Podcasts for Security Pros
Matt Neely, security researcher at SecureState, shares with us how he stays informed and on top of trends in this ever-changing security world. The two primary tools he uses are security podcasts and Twitter. Check out his post for background on the security podcasts he listens to. Stay tuned: in a future post he’ll be discussing how he uses Twitter to keep in touch with the security community and stay on top of emerging trends.

The Register…
The cloud’s impact on security?
Tony Lock of UK analyst house Freeform Dynamics describes his recent research into security and how fast cloud computing models are being adopted. The research shows that mass adoption of the hosted-service cloud model is a long way off, and that the internal, dynamic IT model may come sooner than we think; Tony says we have virtualization to thank for that. Read Tony’s article for the potential security challenges and how to tackle them.


Weekly Industry Round-up, Week of 6/21

Posted by hyperguard on June 25, 2010

CTO Edge…
Security and Compliance in the Cloud Age
This article by Alert Logic’s Misha Govshteyn says that while the debate over private vs. public clouds carries on, there is very little attention paid to the fact that the accepted broader definition of the cloud—IT services delivered under the IaaS/PaaS/SaaS models—in effect brings about a gradual shift of the control over security from the enterprise to the service provider. He says this shift in responsibility and control will fundamentally change the way we secure our data. Enterprises and security professionals need to prepare themselves for the future demands of cloud computing by making the right decisions and deploying cloud-ready technologies today.

Cloud Computing With Less Security Risk
Paul Rubens says companies often feel their data is too sensitive to move to the cloud and that they will lose control over it and it will therefore be less secure. He offers some benefits to cloud computing, such as lower capital outlays, fixed, known monthly costs, scalability, low management overhead and immediate access to technology. Paul isn’t saying that all organizations should move all their computing tasks to the cloud, but many organizations could profit from the benefits described above if the security risk, real or perceived, could be reduced. Paul lists a number of questions to ask providers regarding security and compliance before deciding to move any applications to the cloud.

SC Magazine…
Researcher Demonstrates Twitter XSS vulnerability
This week a Twitter user demonstrated a cross-site scripting (XSS) vulnerability that could allow an attacker to take over users’ accounts or spread malware. A researcher found that the vulnerability affects the “application name” field on Twitter’s application registration page, used by developers when setting up a new Twitter application. The flaw appears to be the result of a lack of input validation on the “application name” field when accepting new requests for Twitter applications. The company is aware of the issue and has fixed it for new applications, but is still working to patch it in all programs.


Weekly Industry Round-up, Week of 6/14

Posted by hyperguard on June 18, 2010

Can Federal Data Privacy Live on in the Cloud?
For government, privacy and data security are a priority, and now many government IT agencies are planning to move their computing operations to the cloud. According to this article by Kenneth Corbin, the transition to the cloud is already well underway in federal IT circles, and with it John Kropf, the deputy chief privacy officer at the Department of Homeland Security, is developing policies and safeguards to keep sensitive data secure as the traditional silos of federal IT infrastructure are torn down. However, classified national security information is not on the table when government officials talk about the cloud. And many agencies have a mixture of sensitive information that may find a home on a secured private cloud, as well as troves of data that can, and should, according to the White House, be made publicly available on the Web.

Jeremiah Grossman…
Jeremiah Grossman recently asked his Twitter followers why some people feel oddly compelled to rely upon the shortcomings of Web Application Firewalls (WAFs) as a means to advocate for a Secure Development Lifecycle (SDL). He believes this is odd because the long-term, risk-reducing value provided by secure code is enough on its own to warrant the investment, and says that if you can’t demonstrate that, blame directed at WAFs seems misplaced. Most importantly, we must remember that our objective is to protect websites from being hacked. He suggests organizations should focus on the many cost-saving, risk-reducing, top-line-benefiting qualities that come with implementing a well-regulated software security program. He also says that at the end of the day, our common enemy is really the lack of application security visibility and of the allocation of necessary resources. If we come together and help address this as an industry, we’ll all be better off, and the pressure of this either/or choice will be lessened.

Cloud Security: The Basics
With cloud computing being one of the most-discussed topics among IT professionals today, this article by Mary Brandel lays out the essential concepts of cloud security. It looks at cloud models including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). Mary also provides examples of how four companies chose to handle some of the biggest concerns that users have, such as single sign-on, data encryption, virtualization and business continuity.


Weekly Industry Round-up, Week of 6/7

Posted by hyperguard on June 11, 2010

Cloud Computing: Would PCI Compliance Help or Hurt Security?
This article discusses whether cloud computing environments can meet PCI compliance standards. Many security experts say they can’t answer that question yet, but the bigger question is whether meeting PCI standards would actually improve cloud security. There has been talk that cloud security would be included in the most recent update of the Payment Card Industry’s Data Security Standard (PCI DSS), which sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure. While IT practitioners question PCI’s role in the cloud, few doubt the need for cloud security standards: a March study by IEEE and the Cloud Security Alliance found 82% of IT professionals believe the need for cloud-specific security standards is urgent.

Who Still Keeps Money Under their Mattress? The Case for Cloud Security
This post by Ryan Nichols says massive amounts of data are lost every day through the failure of on-premise technology; companies know how often e-mails or files on their local or shared drives are lost or corrupted, and how easy it is in many companies to plug into the network without credentials. These incidents usually go unnoticed, but when public cloud technology fails, it makes headlines. Cloud providers spend millions of dollars on security and reliability testing every year, and their businesses depend on delivering a service that exceeds the expectations of the most demanding enterprises; this is why Ryan argues that data is probably safer in a leading cloud platform than it is in most on-premise data centers. Right now, many companies would probably disagree and say they feel safer having data in their own data center. It will be interesting to see how this debate plays out as more organizations start to adopt cloud technology.

Microsoft Finally Fixes Pwn2Own Browser Flaw
This week, Microsoft’s Patch Tuesday delivered 10 security bulletins with fixes for at least 34 documented vulnerabilities. This “patch batch” also covers a known cross-site scripting flaw in Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer. Microsoft has urged its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.


Weekly Industry Round-up, Week of 5/31

Posted by hyperguard on June 4, 2010

Facebook Clickjacking Worm Infects Thousands
Last week we mentioned how clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. Then, over the weekend, a Facebook clickjacking worm affected thousands of users, spreading malware and unwanted code onto users’ computers when they clicked a link that indicates they “like” the maliciously created Web page. Users have been encouraged to view recent activity on their Facebook news feed and delete entries related to the malicious links. They should also click on their Info tab on their personal profile and remove any of the links connecting to Web pages via their “likes and interests” section.

Enterprise Networking Planet…
Web Application Security: Are You Doing Enough?
This article by Paul Rubens discusses last month’s “State of Application Security” survey carried out by the Ponemon Institute. Many organizations are leaving their data vulnerable to theft because they spend too much of their security budgets protecting their networks and too little securing their Web applications. Securing both the network and Web applications should be key priorities, so what this comes down to is a problem of resource allocation: if you spend too much of your security budget on your network, hackers will steal data via your Web applications, but if you spend too much on your Web applications, there won’t be enough of your budget left to prevent them stealing data by breaking into your network. If companies decide to allocate more of the security budget to Web application security, Paul suggests performing regular scanning for known vulnerabilities and coding errors using a specialized Web vulnerability scanner, or even full-scale penetration testing.

The Virtualization Practice…
Defining Tenants for Secure Multi-Tenancy for the Cloud
This post by Edward Haletky argues that there is more to secure multi-tenancy (SMT) than one would imagine. How would you define “tenant” when nearly everyone has their own definition of tenant for a multi-tenant solution? Attorney David Snead defined tenant as “whatever definition is used within the contract.” If there is no definition within your contract then assumptions are made, so Edward tends to fall back on defining tenant as “the legal entity responsible for the data”; either way, you need to read your contracts carefully. Edward believes that once we can define tenant appropriately, the provider needs to offer some level of security far above what any one tenant may desire, but which a tenant can at some point in time acquire as necessary. After we define tenant satisfactorily, we should start to look at what we need from the provider and what is really left to the tenant to implement; in other words, roles and responsibilities.


Weekly Industry Round-up, Week of 5/24

Posted by hyperguard on May 28, 2010

Cloud Computing Basics: Planning and Understanding a Cloud Strategy
This article by John Weathington says there’s still a lot of confusion around what the cloud is and there shouldn’t be. For midmarket companies, cloud services are simply a way to outsource issues to a third party on a pay-as-you-use engagement model. However, companies are concerned about cloud security because anytime you trust a third party, you run risks. And there will be some cases, particularly when data privacy is a concern, where the risks may outweigh potential benefits. John suggests looking at some low-risk/high-value cloud plays like collaboration as a starting point, and building from there. Once you understand how to make your cloud strategy work for you, you might actually find you’re a cloud computing enthusiast.

Dark Reading…
Anti-Clickjacking Defenses ‘Busted’ In Top Websites
New research from Stanford University and Carnegie Mellon University’s Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it’s loaded inside a frame, does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. The researchers used a security feature in Internet Explorer and Google Chrome to demonstrate clickjacking attacks against the websites’ frame-busting methods: the browsers’ cross-site scripting (XSS) filter was tricked into treating the frame-busting code as an XSS attack. When the code is tacked onto the URL, the filter sees what looks like script from the URL appearing in the Web page and attempts to block it, so it blocks the site’s own frame-busting script from executing.

PCI Tokenization Guidance Could Benefit Payment Processors
The Payment Card Industry Security Standards Council (PCI SSC) is expected to release guidance later this year on the use of tokens to replace credit card data. This move could benefit some payment processors that sell technologies using encryption and tokenization to eliminate sensitive card information from merchant systems. According to Bob Russo, general manager of the PCI SSC, there won’t be any major changes to the data security standards (PCI DSS), but guidance documents are being developed to help merchants decide whether investing in encryption or PCI tokenization technologies is a good move.


Weekly Industry Round-up, Week of 5/17

Posted by hyperguard on May 21, 2010

Information Management…
Rejecting Injections, to Protect Customer Records
Last month, the Financial Industry Regulatory Authority announced that it was fining Montana-based broker-dealer D.A. Davidson $375,000 for failing to protect customer information. This shows that protecting servers and educating employees about server design are the best first lines of defense. Davidson did not employ technical safeguards to protect customer records stored in a database housed on a Web server with a constant open Internet connection. In addition to employing secure coding practices and a vulnerability scanner, organizations need a Web application firewall that inspects traffic to and from the server to check for SQL injection attacks and other vulnerabilities.

IT Knowledge Exchange…
SQL Injection Attack Used in Breach of 168,000 Netherlands Travelers
An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers. Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw public because there is no excuse for simple website mistakes.

Andy IT Guy…
Why Compliance is Chosen over Security
In this post, Andy discusses an article by Kevin Beaver about how the business continues to choose compliance over true security even though the security people know that it’s a bad idea. Andy says those who do understand still are not doing a good job translating the danger into a language that the business understands. He says the cost/benefit trade-off is not enough for management to buy; they would rather accept the risk, take the chance and deal with the consequences. Also, there is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.
