Friday, 30 December 2011

Joint Research Centre hacked - Rainews24 hacked

Well, yes. I wanted to avoid writing on the blog until the new year, but it wasn't possible.

Today was one long succession of emails and phone calls and, between real and presumed attacks, a clear picture emerged.

I'll report only the most important incidents... which, moreover, are linked to the same author: the already known Thorwed, author of the attack on the site qualitapa.gov.it.

Let's see what he got up to today...

Attack 1 - a site of the Joint Research Centre, specifically the site of the "Major Accident Hazards Bureau", a European Commission site dedicated to managing the control policies for hazards arising from the storage of toxic substances. The usual Thorwed took the database of administrators and registered users and published it on Pastebin. What caught my eye was the administrative user "test"... whoever wants to try to guess the password can post their proposal in the comments. When I tried it, about twenty hours after the attack, everything was still working perfectly, a real marvel!
Obviously I reported everything to the appropriate people, even though I know for certain that they had already been informed through official channels.

Attack 2 - Rainews24, same thing. A user DB and a second DB (probably dedicated to the "User Generated Content" news contributors) published on Pastebin. The amusing thing (so to speak) is that in this case the users are all the editors and staff of rainews24. Here too, a real marvel.

Ah, I forgot... happy new year to everyone!

------------------------------------------------------------------------------------------
Update of 31 December 2011, 12:00.

I have just been informed that the administrators of the JRC site have made the administration page unreachable and that they are handling the incident. Thank goodness.

13:00
At the moment the whole site has been taken offline. A somewhat drastic measure, but probably tied to fixing the vulnerability exploited in the attack. If you want to see what the site looked like, you can use Google's cached copy.

Thursday, 29 December 2011

MUMBLE - Diginotar: the attack that changed the Internet


This article was published in the latest issue of Cybercrime and is my end-of-year reflection.

The next post is scheduled for 2012 (unless something sensational happens...). Best wishes to everyone!
------------------------------------------------

Over the course of this year, almost every day we have read about criminals breaching the databases of large companies, spies penetrating the networks of government agencies all over the world, industrial secrets stolen by hired agents, and publications of confidential material leaked by self-styled activists of various kinds.

2011 will probably go down in history as one of the darkest years for Internet security.

In terms of importance and repercussions, however, one event stands apart from all the others: the attack on the Dutch certification authority (CA) Diginotar.

First of all, to understand the real scope of this attack, it is worth starting from the scenario.
A CA issues the digital certificates used to guarantee the identity of a party on the network, whether a private individual or a website, while at the same time enabling encryption of the traffic between the user and the site. This is how all the value-added services based on public networks have been developed, from home banking to SSL VPNs. Diginotar, recently acquired by a multinational security company, was an internationally recognised CA whose certificates were verified and declared trustworthy directly within web browsers. Any user, with any browser, connecting to a site that presented a certificate issued by Diginotar, would have seen a notification appear in the browser confirming the security of the connection.
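The trust model described above can be made concrete with a small program. The following is an added example and is not code from the article or from Diginotar: it generates a toy root CA and a leaf certificate in memory (the names "Example Toy Root CA" and "www.example.com" are constructed for this illustration), checks that the leaf validates while the root is in the trust store, and then repeats the check with the root removed, which is exactly what browser vendors did when they pulled the Diginotar root: every certificate it had ever issued, legitimate or fake, stopped validating at once.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI holds a self-signed root and one leaf certificate it signed.
// Everything is generated in memory; nothing here is a real CA.
type ToyPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewToyPKI builds the constructed root "Example Toy Root CA" and a
// server certificate for the constructed host name "www.example.com".
func NewToyPKI() (*ToyPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Toy Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &ToyPKI{Root: root, Leaf: leaf}, nil
}

// VerifyAgainst performs the check a browser performs on connect: does the
// leaf chain to a root in the trust store, and does it match the host name?
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DistrustOutcome reports whether the leaf is accepted while its root is
// trusted, and whether it is rejected as "unknown authority" once the root
// has been removed from the store (the Diginotar remedy).
func DistrustOutcome() (trustedOK bool, distrustedRejected bool, err error) {
	pki, err := NewToyPKI()
	if err != nil {
		return false, false, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.Root)
	trustedOK = VerifyAgainst(pki.Leaf, trusted, "www.example.com") == nil

	distrusted := x509.NewCertPool() // empty, non-nil store: the root has been pulled
	verr := VerifyAgainst(pki.Leaf, distrusted, "www.example.com")
	var unknown x509.UnknownAuthorityError
	distrustedRejected = errors.As(verr, &unknown)
	return trustedOK, distrustedRejected, nil
}

func main() {
	ok, rejected, err := DistrustOutcome()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root trusted:    leaf accepted = %v\n", ok)
	fmt.Printf("root distrusted: leaf rejected as unknown authority = %v\n", rejected)
}
```

The empty pool is passed explicitly (a nil pool would fall back to the system roots), so the second check models a client whose vendor has shipped an update without the compromised root rather than a client with no trust store at all.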

Diginotar provided two types of certification service: one for private customers and one used by the Dutch government to issue certificates with legal validity.

This is the scenario in which the attack matured, but what exactly happened to Diginotar?

On 29 August it was made public that an attack had compromised the CA, a worrying event but one that had already happened a few months earlier to the CA Comodo. In that case, however, the attack ended with few and marginal consequences. As the hours passed it emerged that, following the attack, at least one fake digital certificate had been created, in the name of google.com. Clearly this fact began to alarm the experts, and interest in the news rose considerably.

The Dutch government also intervened, worried that its own digital certificates were issued precisely by a party that had been "breached".

The question that, at this point, one begins to ask is: how extensive and how serious is this attack?

After a few days the answer arrives, and it is an answer that leaves all observers stunned and distressed: over 530 fake certificates had been issued in the names of entities ranging from social networks (Facebook and Twitter) to the major software and Internet service providers (Microsoft, Mozilla, Tor, Skype, LogMeIn, WordPress and AOL), from the main search engines (Google, Yahoo!) to the major Western intelligence agencies (Mossad, CIA and MI6).

The news is so serious that the Dutch government was forced to intervene directly, announcing that it had taken over the management of the CA and had entrusted an independent company with the analysis of what had happened. The Minister of the Interior had to hastily call a televised press conference to account for the measures taken. Finally, the Dutch government CERT began to issue a series of official bulletins to report on developments and on the decisions adopted.

What emerges from the investigations is that Diginotar had had indications of malicious activity since mid-July and had tried to contain the situation without success but, above all, had clumsily tried to cover up what had happened in order to avoid negative repercussions for its business and its image. It also emerges that the alleged hacker behind the attack is the same Iranian who had attacked Comodo a few months earlier, with decidedly more modest results, however. Finally, Trend Micro and other international security operators published research showing that the real motive for the attack was the wish to monitor the Internet connections made by Iranian citizens to sites considered "sensitive" for the purpose of containing the protest activity of dissidents.

A real disaster, which culminated at the end of September with the filing of a formal bankruptcy petition.

Diginotar's ill-fated adventure ends like this.

Among the many reflections that arise from this event, a few are worth pointing out.

The absence of adequate security measures can wipe out even an established company
For the first time it is clear that the map of risks to be considered in a business context must also include the wiping out of one's own business because of a cyber attack. Until now, cyber attacks were confined to those that could cause direct damage (whose extent could be valued in monetary terms) and indirect damage, mainly related to loss of image. The Sony case and, even more so, the Diginotar case, have shown that the consequences of cyber attacks, in the absence of adequate security and incident-management measures, can lead to unforeseen consequences and unforeseeable economic damage.

Underestimating this kind of risk is no longer acceptable
If we put ourselves in the shoes of Diginotar's managers, we will see that the choices that led them to underestimate the importance of implementing a serious information security management system seemed to pay off. Until July, Diginotar had a thriving business, with reduced operating costs. The absence of security was probably perceived as a saving and had not produced any particular negative consequences. Unfortunately, within a few days, it would lead to bankruptcy. There is certainly food for thought here, also in light of the choices our country's system is making.

The inability to manage security incidents multiplies the negative effects
This affair highlights how, in the digital society, the ability to defend stakeholders from cyber attack events is taken for granted. Showing that one is unable to handle this type of situation adequately immediately creates an atmosphere of suspicion and mistrust that further complicates the attack scenario. A real capacity to react, provided by the presence and efficiency of an expert team dedicated to incident management, is an essential prerequisite for containing the consequences of an attack.

Trust is a precious asset that must be adequately protected
All of us, individuals, private companies and public institutions, have taken the great step of virtualising our relationships. This step rests on the common experience that, in this way, it is possible to gain great advantages against risks that are, all things considered, comparable to those we run in "in person" relationships. Trust, however, is a very fragile asset that must be constantly defended and protected. The attack on Diginotar has shown unequivocally that loss of trust can act as a multiplier of the negative consequences of an attack.

The questions to ask at this point are:
"How many possible Diginotars are there?" and, above all, "How many Diginotars will there be?"

Sunday, 25 December 2011

Best of the Week - XMas Edition

It's Christmas time and everybody wants to celebrate it. Also the bad guys...?

@jeromesegura Malware Fighters’ Dream Team bit.ly/t7YfJ3

@TrendLabs What botnets got taken down in 2011? Read the details at bit.ly/vny7UQ

@QatarCERT Q-CERT Weekly Newsletter,25 December,2011 - eepurl.com/h4-l2

@George_Kurtz Stolen Credit Cards Go for $3.50 at Amazon-like Online Bazaar. buswk.co/uMxVOI

@bobmcmillan US IPs are #1 source of electronic crimes in China, says Verizon; hacktivists & data breaches... bit.ly/skBBEX

@mikko Video: "Stuxnet 3.0 possible features and Hiding rootkits" bit.ly/sZkGMg By @nima_bagheri from Tehran, Iran.


And finally...
@e_kaspersky Our cyberthreat forecast for 2012 bit.ly/w3cZUG targeted attacks, hacktivism, mobile malware and cyber warfare

.... so, a happy new year to all of you!!! ;-))

Monday, 19 December 2011

Brandon Dixon - CVE-2011-2462 exploitation: a real case

This summer I saw an interesting news item about a new online security tool: PDF X-RAY. This tool seemed so important to me that I immediately decided to write a post describing its potential and use. I was also interested in the author of the tool, Brandon Dixon, a researcher at George Washington University, so I decided to write him an email.

Here, another nice find. Brandon is very helpful and informal. A guy with whom it is a pleasure to interact.

Inviting him to write a guest post for "Punto 1" was the next step, so Brandon and I agreed that whenever an occasion turned up he would write a post for my blog.

Then, two weeks ago, I read that Brandon had published an analysis of the new 0-day vulnerability in Adobe Reader, and I knew that the right time had arrived. Last Friday, Adobe released a patch for this vulnerability, and knowing the reasons why it is important to organize the complex deployment of this piece of software is fundamental.

Brandon, thank you very much for accepting my invitation. This is the moment to present your work to the "Punto 1" readers.
----------------------------------------------------------------------------------------------

On December 7th, 2011 a suspicious file was uploaded to PDF X-RAY containing references to U3D content. Normally this would not warrant further analysis, but Adobe had released an advisory documenting a new vulnerability within U3D content that was actively being exploited.

Using PDF X-RAY, I was able to identify both the trigger U3D object (located in object 10) and the heap spray (located in object 15). Reading through the specification revealed how the 3D content would be executed and what actions would be performed.

After the initial static analysis, the PDF was run on a Windows XP SP3 machine running Adobe Reader 9.4.6 to identify any dropped files or command and control servers. Upon running the PDF file, Adobe Reader crashed and opened up a clean document that appeared to target employees of the defense contractor ManTech.

Not only was a clean file dropped, but there was also an executable named "pretty.exe" created and run on the system. VirusTotal identified this file with generic signatures and a reference to "sykipot". This Trojan had been analyzed before and public data revealed how it would operate. Knowing these details, Internet Explorer was started and the system was set to wait until data was sent back to the command and control server.

Sykipot injected a process into Internet Explorer and made a request to "https://prettylikeher.com" to get what appeared to be a key for encryption/decryption purposes. Matthew Wollenweber analyzed the Trojan using a debugger and disassembler to identify any other process injections and the commands used for the control servers.

After identifying the trojan being dropped and the command and control servers, focus was placed on the generation of the malicious file. Several strings within the generated document matched a proof-of-concept exploit from back in 2009. This proof-of-concept, written by Felipe Manzano, appeared to be the main generator used to create the malicious documents.

Shortly after the advisory was released, another variant of the exploit was seen being used in targeted attacks. These documents were encrypted with AESV3 and appeared to be generated using Adobe LiveCycle. While these documents exploited the same vulnerability, they were more successful in bypassing anti-virus because of the AESV3 encryption.

Performing analysis on the encrypted document also revealed a different Trojan being dropped on the system. VirusTotal was not able to identify a particular trojan family associated with this executable, but HTTPS connections could be seen being made to 69.197.132.130. It is unclear what, if anything, was sent to this command and control server, but it did appear offline.

It should be noted that the encrypted documents appeared to target defense contractor Lockheed Martin and farming company Monsanto. Given the extreme differences in document structure and trojan dropper, it is likely that two different groups were involved in the use of these zero-day exploits. Several signs point back to China as the creator of these documents, but this cannot be confirmed.
---------------------------------------------------------------------------------------------
Bio

Besides being the Founder and CEO of 9b+, the company that owns PDF X-RAY, Brandon Dixon is also a "Computer Forensics and Security Engineer with George Washington University". Moreover, he contributes to Hakin9 as a tester, writer and promoter.

Here you can find his LinkedIn profile
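The static triage step in the post above (spotting the U3D object and the heap-spray JavaScript object) can be reproduced with a very small scanner. What follows is an added example, not PDF X-RAY's code nor anything from Brandon's analysis: it splits an uncompressed PDF into its indirect objects and flags, per object, the two indicators the post describes. The sample document is constructed for this example; it is a non-functional skeleton whose object numbers (10 and 15) merely mirror the ones in the post, and its JavaScript does nothing beyond carrying the textual markers a triage rule looks for.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// SamplePDF is a constructed, non-functional skeleton: one catalog, one
// 3D annotation stream declared as U3D, and one JavaScript action.
const SamplePDF = `%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 15 0 R >>
endobj
10 0 obj
<< /Type /3D /Subtype /U3D /Length 20 >>
stream
U3D-data-placeholder
endstream
endobj
15 0 obj
<< /S /JavaScript /JS (var s = unescape("%u0c0c%u0c0c"); while (s.length < 0x100000) s += s; var a = []; for (var i = 0; i < 200; i++) a[i] = s;) >>
endobj
`

// PDFObject is one "N G obj ... endobj" unit of an uncompressed PDF.
type PDFObject struct {
	Number int
	Body   string
}

// Finding records which object was flagged and why.
type Finding struct {
	Object int
	Reason string
}

var (
	// Indirect objects in plain (non-object-stream) form. Object streams
	// and encrypted documents, such as the AESV3 variant in the post, would
	// have to be decoded before this scanner can see their contents.
	objRe = regexp.MustCompile(`(?s)(\d+)\s+\d+\s+obj\b(.*?)\bendobj`)
	// 3D content markers: the U3D parser is the surface of CVE-2011-2462.
	u3dRe = regexp.MustCompile(`/Subtype\s*/U3D|/Type\s*/3D\b|/3DD\b`)
	// JavaScript object plus two classic spray traits: an unescape'd
	// %uXXXX string and a loop that grows a string until a size threshold.
	jsRe    = regexp.MustCompile(`/JavaScript\b|/JS\b`)
	sprayRe = regexp.MustCompile(`unescape\s*\(\s*["']%u[0-9A-Fa-f]{4}`)
	growRe  = regexp.MustCompile(`while\s*\(\s*\w+\.length\s*<`)
)

// SplitObjects returns the indirect objects in document order.
func SplitObjects(doc string) []PDFObject {
	var objs []PDFObject
	for _, m := range objRe.FindAllStringSubmatch(doc, -1) {
		n, err := strconv.Atoi(m[1])
		if err != nil {
			continue
		}
		objs = append(objs, PDFObject{Number: n, Body: m[2]})
	}
	return objs
}

// Triage scans every object and reports the indicators found.
func Triage(doc string) []Finding {
	var findings []Finding
	for _, o := range SplitObjects(doc) {
		if u3dRe.MatchString(o.Body) {
			findings = append(findings, Finding{o.Number, "U3D/3D content (CVE-2011-2462 parser surface)"})
		}
		if jsRe.MatchString(o.Body) && sprayRe.MatchString(o.Body) && growRe.MatchString(o.Body) {
			findings = append(findings, Finding{o.Number, "JavaScript with %u-unescaped string and self-growing loop (likely heap spray)"})
		}
	}
	return findings
}

func main() {
	for _, f := range Triage(SamplePDF) {
		fmt.Printf("object %d: %s\n", f.Object, f.Reason)
	}
}
```

The two rules are deliberately independent: a 3D object on its own is legitimate content, and JavaScript on its own is common in forms, so the interesting signal is a document that carries both, as the post's sample did.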

Sunday, 18 December 2011

A Ministry of Innovation site breached

Today, a certain Thorwed published on pastebin a copy of the user DB of the site qualitapa.gov.it, belonging to the Ministry for Public Administration and Innovation.

On the pastebin page one can read the user IDs, passwords and emails of the roughly 9000 registered users of the site. I obviously made one of the usual "little phone calls" and was assured that the news had arrived about an hour earlier through an international report.

This event is not particularly different from others that happen every day on many institutional and private sites in every part of the world. What makes it different from many others, however, is our situation.

As Punto 1 readers well know, Italy has not yet equipped itself with a national CERT, that is, a structure that takes charge of incident containment activities and gives official direction and coordination to the resources that will operationally take charge of "putting things back in order".

So, for example, it would now be highly necessary for the unsuspecting users whose email addresses and passwords have been published to be notified immediately, in order to try to minimise the damage and give all of them the chance to change their passwords (especially if they have used the same one in other contexts too).

Well, at this moment nobody knows who has the role to do it. It is an activity that cannot be assigned to any official structure existing today.

So, with a few friends, we are thinking about a "volunteer" initiative.

In short, a big mess.

Let's hope this situation serves to reiterate (if there were still any need) that Italy needs a National CERT.


Best of the Week - 18 December 2011

This time I'm starting my list of the best security resources of the week with an "off topic" news item, but I'm sure it's really worth it! @Vendima Check this video out -- ONE OF THE GREATEST POSTS ON YOUTUBE SO FAR! youtube.com/watch?v=M8C-qI… via @MarcoBavazzano

And now it's the time of the "official" list...

Hope you enjoy it!

@e_kaspersky FAA allows airlines to replace paper books/charts with iPads zd.net/scpNhs <- one day we may regret our dependence on digital stuff

@teamcymru video of 'Yash's' (Red Force Labs) MITM POC attack against Citibank India bit.ly/vjhZWl

@Fortify Great blog post from Raf Los on the Ponemon study released yesterday--worth a read @ bit.ly/uBrXsa

@candolin2 Cybersecurity and Cyberpower: Concepts, Conditions and Capabilities for Action within the EU: oiip.ac.at/home/home-deta…

@FSecure “Social media isn’t a choice anymore; it’s a business transformation tool.” bit.ly/uRwYHm

@elie Google Docs Used in a Spam Campaign - bit.ly/sqsElC #security


Sunday, 11 December 2011

Best of the Week - 11 December 2011

This is my selection of the best security resources of the week.

Hope you enjoy it.

@VivianeRedingEU @mobileworldlive My speech on #privacy in the cloud – how to ensure #dataprotection in the #EU bit.ly/tcszlg

@jakeludington Great discussion with @Wh1t3Rabbit about how cloud computing is forcing us to rethink security ow.ly/1BvN56 #HPDiscover #cloud

@mthorbruegge Cyber Security: ENISA’s view on the way forward, new paper j.mp/svDult

@sansforensics Quick Malware Notes, Incident Response, and 00-outs - A while back after dealing with some heavily malware-infect... bit.ly/vRSFKa

@nigroeneveld The Most Notorious Cyber Crooks of 2011 – And How They Got Caught bit.ly/vT8iht #hacking #infosec

@SCADAhacker After seeing @SecurityTube, decided to add new Video Feeds section to How-To section of Resources - SCADAhacker - bit.ly/uZv6WE


Friday, 9 December 2011

Andrea Zapparoli Manzoni - Social Business Security & Risk Management Strategies

As promised, Andrea is back with the second part of his contribution to Punto 1, and now it's the turn of the threats of "Computer aided social networking".

Those who have missed Andrea's previous post can find it here.

As an introduction to this post, I can say that sometimes I find a guest post that I feel very close to my vision and my approach to security... in this case I am in complete harmony with Andrea's post.

Thank you again Andrea!

Punto 1 will always be open for your posts.

-----------------------------------------------------------------------------------------------

"Social Networking" is not new at all; in fact it is something that humans have been doing for half a million years or so.

But "Computer Aided Social Networking" is *very* new, and it has so many far reaching consequences that even the terms of the problem are hard to define.
As of today, there are no laws, no institutions, no existing socio-economical nor philosophical tools that we can apply to this subject without a distinct feeling of inappropriateness. So, before we talk about risk management and security countermeasures of any kind, let me briefly introduce a couple of key concepts.

First (and hardest) concept: we are entering the uncharted waters of a new age, where computer & internet aided (some would say "augmented") human interactions become *prevalent*, both at the one-to-one and at the one-to-many level, re-shaping any other aspect of everybody's life.
This is why Social Business isn't something we already know but "with a different name", it's something completely new (like people developing all at once a new "sense", i.e. becoming able to see a different part of the spectrum, etc).
It is interesting to note here that those who do not directly participate in this new form of human interaction will be strongly affected by its consequences too, much like the invention of language did (I believe this is a much better metaphor than, for example, comparing SM to the invention of the press), since Computer Aided Social Networking is reshaping people's brains, perceptions, priorities and values, everywhere.
The second concept is also quite hard to grasp: while the Internet was mainly a technological breakthrough which generated some interesting socio-economic byproducts, Computer Aided Social Networking represents a geopolitical, socio-economical and, above all, mental phase-change for the human kind. We are going to become "Semantic Cyborgs", and because of this fact both individuals and societies will evolve in previously undreamed of directions.

This said, when talking about adopting Social Business, organizations must first realize the magnitude of the consequences, make a true intellectual effort in order to metabolize them, and change accordingly in order to survive. Reacting to these changes without a vision, on a day-by-day basis, only when and if problems arise, will most likely *not* work.

Today a company entering the Social Business arena is immediately exposing itself to a wide range of serious risks in terms of brand and reputation management, of responsibilities and liabilities towards users, customers and partners, and of open source intelligence on the part of competitors.
Of course, given that Social Media is an excellent vector for hacktivists' attacks and cybercriminals' preferred playground, its adoption will also seriously increase the probability for an organization of being damaged by having its computer systems breached, its most sensitive information / intellectual property stolen, etc...

As we described in our previous post, there are further threats that are becoming increasingly worrisome (terrorism, cyber-warfare activities, sabotage) but here let's just concentrate on the simplest and more diffuse ones. The following suggestions won't protect a company from targeted hostile cyber-warfare activities, but will certainly add resilience and protection against the most common threats.

What is required is a serious commitment from stakeholders and top management, and a continuous effort undertaken by a multidisciplinary team of highly skilled people in order to monitor, understand and anticipate trends so that it becomes possible to define, apply and enforce appropriate rules and policies dynamically, remembering that these phenomena evolve daily, almost in real time.
This is not something that the Marketing Department can handle alone, nor the IT, and not even the Security Team nor the HR or the Legal Department: all these otherwise perfectly capable professionals will fail if given the task of managing an organization's Social Business Strategy outside a multidisciplinary and truly integrated approach.
The marketing people will see all and only the advantages and the marvels of social networking, ignoring any other consideration; the IT will only see an increase in bandwidth usage and help desk calls, the Security guys will scream that shutting down the perimeter defenses would be less dangerous than opening access to SM sites to all employees (as Marketing demands), HR will only try to recruit the best resources with the lowest effort, end users themselves will happily find ways to bypass any policy and restriction, and so on. With Social Business, this is THE recipe for disaster.

There are also several main obstacles that work against the implementation of an effective Social Business Risk Management Strategy and that must be taken into account:
- Awareness of the problems is still very low at all levels (if non-existent);
- A growing number of threats is realized at the semantic level, impossible to monitor and manage with traditional security tools;
- Consumerization of Enterprise IT / BYOD are putting security workflows at risk (sometimes beyond any remedy);
- For various reasons, it is "forbidden to forbid" (especially in Italy);
- Legislation protects the privacy and freedoms of employees and users (and rightly so), complicating monitoring activities;
- Mitigation technologies are not yet up to date with the issues (nonetheless they're evolving at great speed);
- Policies and virtuous behaviors are always lagging years behind the technology (nowadays first we invent something, then we find how to make a profit out of it, then we see if there are contraindications);

In addition, recent research showed that companies do not have adequate tools to monitor and measure data loss & leakage through Social Media, and that the phenomenon is simply out of control in 98% of cases.

So, let's go back to countermeasures. In order to find solutions applicable in the real world we must take into account strategic, educational, economic, organizational, technological and legal issues.
In a comprehensive Social Business Risk Management Strategy, there are seven areas to be simultaneously pursued:
- Create a Social Business Officer position, with a staff capable of managing risk across (at least) 5 different domains: Marketing, Legal, IT Security, HR and IT. These organizational changes are mandatory: without such a team, the organization will be blind, deaf and incapable of reacting quickly and appropriately in case of an incident or of an attack. And no, your Advertising Agency cannot supply you with a Social Business Officer.
- Remedy the lack of standard procedures, organizational tools, plans and corporate culture in general by implementing continuous risk and security awareness programs, explaining and enforcing the new Social Business rules and policies to all parties involved (achieving understanding, acceptance and participation);
- Implement effective multi-layer technical tools to monitor and control in real time all the different kind of threats that flow within the Social conversation (from semantic threats to suspicious URLs to malware), whereas firewalls, proxies and antiviruses are becoming almost useless, being transparent for most of today's threats;
- Empower and make responsible all users and corporate structures involved, for whatever reason, in the use of Social Media, and make them accountable for managing their own share of risks. Social Business is not just another IT problem and it's not only a "marketing thing". Since Social Network owners are not willing to do it, enforce strict identity and access management processes on your side;
- Reduce unnecessary risky behaviors and choose wisely the way you manage your IT Security: do not allow the marketing sirens of the Bring Your Own Device, or of Cloud based Whatever-as-a-service fool you. If somebody fries or steals your database, no cool marketing concept will bring it back;
- Measure your KSIs and your KPIs and monitor closely both progresses and failures. Ideally your security trend graph should have daily control points. If you are using more than one Social Network, measure and monitor them all, each one with its distinctive tools and parameters.
- Finally, increase your reaction speed. Nowadays the lag between the birth and growth of a risky trend and its impact on organizations has become merely weeks, not years or months like it used to be. Stay ahead of the pack and set up preventive measures, including education at all levels, an effective early warning system and contingency plans for handling incidents while they are happening, in real time, before they get out of control.

Social Business related problems are much more complex than they seem at first and there are no magic wands: the variables involved are so many, and the issues to be addressed have non-linear consequences at so many (apparently) unrelated levels, that we have no one-size-fits-all solutions yet... but we are learning fast. 

I personally find it all extremely fascinating: let's talk about it!

-----------------------------------------------------------------------------------------------
Bio
Andrea Zapparoli Manzoni was born in Milan in 1968.
With a multidisciplinary background both in political science and in computer science, since 1997 he developed an active interest in ICT security, with particular reference to GRC (Governance, Risk and Compliance), cybercrime and cyber warfare issues.
Over the years he worked in the IDM, IAM, DLP, Anti Fraud, Security Intelligence, Forensics, Vulnerability Assessment & Management fields in Enterprise, Industrial, Central PA and Gov-Mil environments.
He writes articles and essays on InfoSec topics and follows very closely all developments in Cybersecurity, working as a trusted advisor with national and international organizations.
He participates in the activities of CLUSIT (Italian Association for Information Security), speaking at conferences, contributing papers (two ROSI patterns about IAM and DLP, seminars about SCADA Security and Social Media Security) and spreading the culture of IT Security in Italy.
In addition to collaborating with numerous Italian and foreign companies, he is the founder and CEO of iDialoghi, a consulting firm specializing in the design and implementation of advanced information security solutions, including the Social Business Security field.

Tuesday, 6 December 2011

Cloud Incident Response: a tangled scenario

A detail from Constable's "Landscape with clouds"
This is the second post of the "Cloud Incident Response" series and, after the announcement of the CloudSIRT project, I want to begin our journey through this matter starting from the base... the scenario.

In fact, we need to investigate in detail the way in which services are delivered in the cloud to better comprehend the reasons behind the necessity of a new and efficient approach to the Incident Response process.

Well, the majority of people think the world of cloud services is made by Consumers and Providers, but the reality is much more complicated. At the moment, mature cloud services are not a matter of you and your provider, instead, as the NIST highlights, at least three other major actors are involved in this business. These new actors (for a full definition of these roles see the “NIST Cloud Computing Reference Architecture”) are the following:

- Cloud Broker (the entity that manages the final services and the relationships between providers and consumers)
- Cloud Carrier (the intermediary that provides connectivity and transport of cloud services)
- Cloud Auditor (the independent examiner of cloud service controls to verify compliance).

To complicate matters further, a cloud provider can use subcontractors to deliver some specific features of his services (e.g. storage, computational resources, network, etc.).

So, in the real market, a consumer finds offerings for services that involve a combination of many players, and each of these can contribute to the final service with a different weight and role. Finally, a consumer would not be completely aware of all the interactions amongst the providers of the service because, usually, he signs a contract with a front-end provider that, in some cases, could have an interest in hiding the complexity behind the proposed service.
You can easily imagine that each of these players has to face general and specific threats (an interesting document on cloud threats is the "Top Threats to Cloud Computing" by the Cloud Security Alliance) and security risks. The complex supply scenario multiplies these threats and security risks, combining them in various ways. As a result, a security incident in the cloud involves many layers of the service with multiple mutual interactions, and each layer involved could be managed by a different actor.

In a word, a mess!

So, incident response in the cloud is an activity that relies mostly on communication and information sharing among the various actors involved. A wise cloud consumer wants to be part of the incident response process but, often, a cautious cloud provider needs to keep the whole process in his own hands. Moreover, the provider has a specific need not to disclose information belonging to other customers not involved in the incident. So, despite all the difficulties, the solution is to achieve a good balance between these diverging requirements, and the only tools that can be used to regulate these information exchanges are contractual clauses and Service Level Agreements (SLA).

Hence, the first step in addressing an efficient incident response process is to set up specific contractual clauses regulating the information flows regarding incidents.

To achieve a good balance of these different needs, these clauses have to set, at least:

- a clear definition of an incident
- the incident declaration procedure
- the needs of cooperation between consumer and provider
- the expected information flows to/from the consumer in every phase of incident response
- the perimeter in which the incident related data can be used and shared
- the procedures and triggers to involve the law enforcement agencies
- all the involved parties along with their roles

In my opinion, this is the only way to lay the foundation stone for an effective incident response process within the cloud.

In the next parts I will focus on the ways to exchange data related to incidents and on the phases of the incident response process in the cloud… so, stay tuned!

Sunday, 4 December 2011

Best of the Week - 4 December 2011

This week, besides the articles, I found some interesting security reports. Here you can read my list of the best security resources of the week.

Hope you enjoy it.

@RSA_Fraud Are you Smarter than a Fraudster? yfrog.com/ocb1clbj Take our quiz to see! rsa.im/tOiGQi

@fpietrosanti National Counterintelligence 2011 Executive Report to US Congress ncix.gov/publications/r…

@nientenomi Utility Cyber Security Report. Seven key smart grid security trends to watch in 2012 and beyond zite.to/t1iW27 by PikeResearch

@CiscoGGSG Military crypto modernization leads to applications like smartphones, tablet computers on the battle fb.me/V1GIDK5v

@cedricpernet A new #IRM ( #incidentresponse Methodology) is out, this time about #scam #fraud - on CERT SG's website: bit.ly/mxb82p - @nientenomi I suggest also these information security policy templates http://www.sans.org/security-resources/policies/

@SecureTheHuman Top ten tricks for successful security awareness presentations. How to engage and present with impact by @lspitzner. bit.ly/tp2aWv

