Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
What follows is a transcript of my podcast with Adam Vincent, the Federal Technical Director of Layer 7 Technologies. Adam has extensive experience building secure service oriented architecture as well as sharing information across security boundaries, and in this podcast we discuss the challenges of SOA security, the similarity between SOA and Web 2.0, Layer 7's solution, SOA governance, and finally, the SOA security challenges of the upcoming U.S. Presidential election.
Also, don't forget next month's ebizQ roundtable on SOA security. Sign up right here!
Could you give me a quick overview of SOA security?
Sure. So SOA security is very similar to what we've seen in typical application security. The big difference in SOA vs. what we're used to is that SOA is somewhat of a concept vs. a technology, so the concept itself allows for more interoperable information sharing, and it's often seen as being an enabler of more business-to-business communications. With that comes the complexity of crossing organizational, departmental and community boundaries, so not only do you have to deal with integrity, confidentiality, and non-repudiation like you do with any other application, but now you have the challenge of trying to federate and govern those security policies between different organizational partners.
That pretty much leads to my next question. Why is SOA security considered such a challenge?
I would say, based on my experience, especially around working within the government, that any time you want to try to define security policy that crosses multiple organizations, there's a challenge just politically in making sure that the policy defined actually allows all of the participants of the information sharing system to actually possess the capabilities that they desire. So an example would be that if you're sharing information that might be Privacy Act and FISMA control oriented, there might be policies that govern how you do that from an enterprise perspective, so, you know, from organization to organization, but there may be different policies that each of those organizations also adds to that, and specifically you end up with a hierarchy of policy as related to a particular information sharing opportunity.
Interesting. Now are there a lot of similarities between securing SOA and Web 2.0?
I see Web 2.0 as being an extension of SOA. It's basically taking what SOA has created as an opportunity for more advanced information sharing, quicker time to market, you know, all of the overloaded terms that are used to say that SOA is great. I see Web 2.0 as being an extension of that and allowing those same kinds of premises to now be pushed out to the user. So SOA on its own is generally seen as an application-to-application distributed model that allows those applications to be more interoperable and more reusable across a single enterprise but also multiple enterprises, whereas Web 2.0 has been seen as a very quick-to-market technology, or set of technologies and concepts, that now allows that SOA paradigm to be fully realized in a user-oriented capacity.
Tell me about Layer 7's solution for SOA security.
So, Layer 7 is basically founded on the concept of SOA security, so we specialize in web services, AJAX and REST-based application security. We have come to be focused on the policy that I mentioned earlier. So, you know, I don't want to go too far down in the weeds here, but the hierarchical policy and the governance relating to those policies is, in my opinion, the challenge in information sharing, and it is the challenge that SOA has in front of it. And so Layer 7 is based on a technical approach of using something called Web Services Policy as an underlying policy configuration, which allows us, in a technology form, to collapse all of those organizational and departmental and enterprise policies into a single policy engine that can then enforce and rapidly adjust based on those policies.
One of my readers wanted me to ask about SOA governance and also the level of automation provided by your solution.
That's, again, a very complicated topic. What I can say, you know, quickly about SOA governance is that there are two different forms of SOA governance that are required to fully realize what we see as being the vision of SOA enablement, and I typically refer to them as "design time" and "run time" governance. A lot of people have differing definitions, but that's mine. Design time governance is the process that you would go through to collaborate, in the human sense, with all of the participants of an information sharing approach; design time is what we're used to today and generally takes quite a bit of time. Now run time is the expectation of making sure that all of the requirements that we came to when we discussed what we were going to use our SOA for are actually met; run time would be where the actual processing logic would exist to make sure that those things are actually happening. So security is by far, in my opinion, the biggest run time governance challenge that's faced by the enterprise that's adopting SOA.
Interesting. Now with the upcoming US election, presidential candidates are using their websites for donations and to increase voter participation. Last year, there was a breach in security of several campaign websites. What advice do you have for people who are looking to make donations or to submit their information online?
There's basically a list, and the list is growing, unfortunately, of issues that relate to consumer security, and with the political election approaching, the biggest thing that we need to look at is the sheer number of users that will be using these websites. Most of these websites will leverage some kind of registration so that they can track user information, so all of that user information is going to be captured somewhere. Generally this is one level removed from what the user interacts with, so an example would be a user interacts with their browser, which is, in fact, interacting with the web application, but that web application is actually communicating with a database, and that database has all of the information about all of the users that have gone to that website. It may include credit card information; in some very limited cases, and this is not seen much anymore, it may even include their social security number. This information is paramount for that website owner for doing their business process and doing the things they need to do. What it also amounts to is a single place of attack, and so hackers will look to high interest and high use websites, especially as we get closer to the presidential election and the number of users of those websites grows.
Now what do you see as the other challenges for security, especially in the area of SOA?
So, in regard to the presidential election, I think that there are multiple challenges that exist for the service provider. A second ago I talked a little bit about the consumer of a website, and there are certain things that they care about, and basically you can put it in the form of different buckets. They care about whether the information they're looking at is correct, that they're looking at the right website, and that their information is kept private and that there's no risk of identity theft in their information being, you know, let out into any public forums. But there's another risk that we haven't talked about, and there's a lot of threat there, and that's with the provider of that website. And so, you know, as the provider threat is realized, that's also going to impact the customer, the user of that website. So, in that, I would say that, you know, the provider has to worry about things like the ability for their information to be correct on that website. More and more people are hacking websites, logging in as, you know, administrative users and then actually changing content on a page to actually harm the reputation of the website owner, in this case it would be a presidential campaign member, or in some cases it's basically to get their name out. In either case, that's detrimental to the political party. Another risk would be denial of service. Denial of service is probably the easiest exploit for an attacker to use and specifically allows the attacker to bring down a website through some kind of overflow of traffic or, you know, some kind of crafty message that they send to the web application. That harms the political party again, because now the website is unavailable for anyone to use.
Another one that's probably not as prevalent but is still a threat is that these websites are used, there are hundreds of thousands of hits per day, and one form of attack that we need to be aware of is the ability to upload malicious code to that website and then use that as a distribution point. So, you know, that would be something that impacts the service provider, in this case the political party, because they would then be used as an attack vector on all of the browsers that are interacting with that website.
Dark Reading details a very scary exploit called cross-site request forgery (CSRF), where an attacker can force someone else's browser, as Dark Reading says, "to conduct searches on behalf of the attacker, grab files or pages, post messages to online forums, and even make changes to the user's Website accounts."
What's the advantage of that, you wonder? Well, because the forged request is sent by the victim's own browser, with the victim's own cookies and login session attached, it looks to the targeted site exactly like something the victim did. So once the exploit is revealed and somebody is caught red-handed, that red-handed perpetrator most likely didn't do it (hacker who-done-its often come down to what a browser's cookies and cache say).
And the worst thing about cross-site request forgery is that it's a vulnerability found in many web applications and much harder to eradicate than cross-site scripting vulnerabilities: nothing in the forged request is malformed, so the server can't tell it from a legitimate one unless it demands something an attacker's page can't read, such as a secret per-session token echoed back in the form. To get the lowdown on application security, I highly recommend listening in on Mike Rothman's recent ebizQ podcast with Michael Gavin right here.
January 28, 2008
Identity Management Must Look Pretty Cheap Now
Over the weekend, the NY Times published more information on exactly how the French bank, Societe Generale, managed to let one rogue trader, Jerome Kerviel, gamble upwards of $73.5 billion of the bank's money, losing roughly $7 billion in the process.
And how was Kerviel able to perpetrate these trades? According to Societe Generale, "Kerviel misappropriated other people's computer access codes, falsified documents and employed other methods to cover his tracks -- helped by his previous years of experience when he worked in other offices at the bank that monitor traders."
Kerviel apparently "had a very good understanding of all of Societe Generale's processing and control procedures."
Looks like a case of poor to nonexistent identity and access management controls: a decent solution would have insisted on frequent password changes, or enforced two-factor authentication, or at the very least his activities, carried out under other people's access codes, would have shown up in the log reports.
Like that old saying goes, For want of an IAM solution, one of the leading banks of Europe was lost.
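To make the log-report point concrete, here is an added example (not from the NY Times piece and not the bank's own controls): a small review script in JavaScript (Node.js) that runs two checks over constructed login records, flagging an account used from a desk that isn't its owner's, and the same access code logging in from two different desks within an hour. Account names, workstation IDs and the log lines are invented for the example.

```javascript
// Added example (not from the NY Times story or Societe Generale): a log
// review that flags the pattern described above, someone using other people's
// access codes. The log format, the account-to-workstation assignments and
// the entries themselves are constructed for this example.
const assignedWorkstation = {
  jk_trader: "WS-TRD-17",   // hypothetical trader account and desk
  mb_control: "WS-CTL-03",  // hypothetical back-office control account
  sl_control: "WS-CTL-04",
};

// Constructed log lines: ISO time, account, workstation, action.
const logLines = [
  "2008-01-18T08:02:11Z jk_trader  WS-TRD-17 LOGIN",
  "2008-01-18T08:05:40Z mb_control WS-CTL-03 LOGIN",
  "2008-01-18T08:31:02Z mb_control WS-TRD-17 LOGIN",         // control account on the trader's desk
  "2008-01-18T08:33:15Z mb_control WS-TRD-17 APPROVE_TRADE",
  "2008-01-18T09:10:00Z sl_control WS-TRD-17 LOGIN",         // second control account, same desk
  "2008-01-18T09:12:47Z sl_control WS-TRD-17 RAISE_LIMIT",
  "2008-01-18T09:40:09Z sl_control WS-CTL-04 LOGIN",         // the real owner logs in at home desk
];

function parseLine(line) {
  const [time, account, workstation, action] = line.trim().split(/\s+/);
  return { time: Date.parse(time), account, workstation, action };
}

// Rule 1: an account used from a workstation that is not its owner's desk.
// Rule 2: the same account logged in on two different workstations within
// `windowMs` (the code is shared or stolen, not the owner changing desks).
function reviewLog(lines, windowMs = 60 * 60 * 1000) {
  const events = lines.map(parseLine);
  const findings = [];
  const lastLogin = new Map(); // account -> most recent LOGIN event

  for (const e of events) {
    const home = assignedWorkstation[e.account];
    if (home && e.workstation !== home) {
      findings.push({ rule: "foreign-workstation", ...e });
    }
    if (e.action === "LOGIN") {
      const prev = lastLogin.get(e.account);
      if (prev && prev.workstation !== e.workstation && e.time - prev.time <= windowMs) {
        findings.push({ rule: "concurrent-login", account: e.account,
                        from: prev.workstation, to: e.workstation, time: e.time });
      }
      lastLogin.set(e.account, e);
    }
  }
  return findings;
}

// Which desks attract other people's credentials: count rule-1 hits per workstation.
function suspiciousWorkstations(findings) {
  const counts = {};
  for (const f of findings) {
    if (f.rule !== "foreign-workstation") continue;
    counts[f.workstation] = (counts[f.workstation] || 0) + 1;
  }
  return counts;
}

module.exports = { parseLine, reviewLog, suspiciousWorkstations, logLines };
```

On the constructed lines the review yields six findings: four uses of control accounts from the trader's desk and two logins by the same account from two desks within an hour. Neither check needs anything beyond an authentication log and a desk assignment list, which is the point of the post: the signal was there to be read.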
Remember the scene in the action movie (any action movie), where the heist has gone wrong, way wrong, and not only are the bad guys taking heavy gunfire through the bank's big front window, but the bank has caught on fire and is now in full flame (OK, so maybe a more specific action movie). As dozens of firemen furiously fight the fire, the cops burst through the bank's big front window and in all the smoke and glass and confusion can't seem to track down any of the bad guys.
Cops gather in groups out in front of the bank, shaking their heads, wondering where the hell the bad guys could have gone. Then it hits them...The firemen, check the firemen. But near the back of one of the firetrucks, the bad guys are already pulling off their gas masks and loading up the back of the getaway car with bags of dough (note: any Hollywood producers reading this who are interested in the above scenario, have I got a script for you).
Okay, so maybe I got a little carried away, but that's sort of what hackers are doing today, playing the old switcheroo. According to Websense, for the first time ever, hackers are now using legitimate websites to spread their malicious software instead of sites specifically built for the purpose.
Because legitimate sites are already trusted, already have a good reputation, and already have a stable of visitors, the bad guys have realized that, instead of building a fake site from scratch that has no security certificate, it's much easier to simply take over already functioning legitimate ones.
“More and more, attackers are compromising legitimate Web sites to infect visitors with information-stealing code or to add users’ machines to botnets,” said Dan Hubbard, vice president of security research, Websense. “Additionally, they are increasing the sophistication of their attack methods and building resilient infrastructures as we saw with the Storm worm attacks last year. We believe that attackers will continue to be creative and leverage Web 2.0 applications and user-generated content to create even bigger security concerns for organizations. With this in mind, organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain.”
Just got a note in the mail from T. Rowe Price, telling me that in connection with my retirement account I have with them, several laptop computers (should we just start calling laptops hacktops?) were stolen from the offices of one of their vendors, and as the letter states, on the laptop "specific information is provided regarding participants who left the company during the 2005 plan year and certain participants who left in other years."
So employees who left in 2005 are at risk, along with ones that left in other years (which pretty much encompass everyone else who left the company). Pretty specifically unspecific, I'd say.
The letter goes on to say, "As a former employee, your address, date of birth, or other personally identifiable information was not included in the records. However, your name and Social Security number are believed to be on the hard drives of these stolen computers."
Why does that kind of feel like someone's told me, Congratulations, you've just won 50 dollars, now give us 100 dollars to collect. But all ends pretty well, in fact, because at the end of the letter, T. Rowe offers me a free year's subscription to a credit checking service, as well as $25,000 in identity theft insurance.
Geez, I sure hope this whole letter is not from some hacker looking for me to jump on his fake credit checking site and give away all my info. Now wouldn't that be something?
January 22, 2008
Theoretical Attack Goes Real World
Symantec is alerting people to a pharming attack they're calling a 'Drive-By Pharming attack.' Symantec first warned the industry about this type of attack a year ago: all that's required is that the victim view malicious HTML or JavaScript code, which could be placed in an email or up on a website, and the code changes the DNS server settings (typically on the victim's home broadband router, where the attack counts on the admin password still being the factory default) so that, subsequent to the attack, all future DNS requests go through the bad guy's DNS server.
Symantec first became aware of this attack as a theoretical possibility, but has now seen actual instances of it in the wild. To get the whole story, I recommend you click right here!
January 21, 2008
1 Killer BI and Security Application
Sorry for the misleading headline, as it hasn't quite happened yet, but I did find an interesting interview with Art Coviello, the CEO of RSA Security over at Search Security, and would like to highlight a couple of quotes.
At one point in the interview Coviello says, "More and more, people see the need to combine the management of information with the securing of information, and that extends through its whole lifecycle."
I would even go further to say that will include the management and the reuse of information (this is ebizQ after all).
You could also throw in Identity and Access Management, as Coviello reports that "A lot of these data breaches that you see are because administrative access has been breached."
Coviello also says a couple of years ago he had a conversation with John Thompson, the CEO of Symantec, about a possible merger between RSA and Symantec, but Thompson said, "Art, you guys aren't growing and we're growing at 20%." And if you need any further proof of the growth of data use and data security, today the opposite is true, with RSA growing at 20% and Symantec now in the single digits.
Definitely a worthwhile interview to check out, so just click right here.
As per Dark Reading, two new studies released last Tuesday indicate that malware increased between 500 and 1,000 percent in 2007, which is virtually an epidemic. And I use virtually intentionally, as indications show that malware is starting to infect virtualization as well.
"The number of new strains of malware that appeared in 2007 increased tenfold with respect to the previous year," said PandaLabs, Panda Security's research arm, in a report issued yesterday. "Over the last year, PandaLabs has received an average of more than 3,000 new strains of malware every day. This represents a malware epidemic which -- although silent, with little media coverage and no widespread alerts -- is nevertheless dangerous."
The study indicates that signature-based defenses to combat malware are now ineffective. How so? Well, apparently 72 percent of networks with more than 100 workstations -- along with 23 percent of home PCs -- are infected with malware, and are infected despite having operative antivirus or other signature-based tools in place, PandaLabs said.
If this were the black plague instead of malware, well, humanity would pretty much have to start over on another planet (how about a planet that hands out free money).
Another group, AV-Test, an independent testing organization, also found evidence of a tsunami of malware, and found what they identified as 5.5 million different malware files in 2007, 5 times the total in 2006, where they counted 973,000 such files. Even worse, AV-Test found that the trend is accelerating, as the group has already identified 118,000 different malware files in the first two weeks of January.
Said AV-Test, "The figures clearly demonstrate that the signature-based approach of current anti-virus software is no longer appropriate."
I guess with nearly 1 billion people online, the great income disparity between the 1st and the 3rd world is going to be fought out via computer malware (besides all the home grown bad guys the US seems to produce).
January 16, 2008
Why is SOA Security So Difficult?
Haven't posted anything about SOA Security in a bit, even though SOA Security is becoming one of the determining factors when a company chooses its SOA solution. Also, next month ebizQ has a round table coming that's going to be all about SOA security, which you can read about/sign up for right here.
I came across this fairly old blog posting from all the way back in November 12, 2007, which, in tech time, equals about a year, but the info was all about the difficulty of SOA security, which I thought was still quite relevant, and which is below.
1. SOA is all about opening up and reusing information, which often exposes monolithic and hidden applications. But the more integration points an application has, the more attack points there are.
2. SOA often relies on unsecured technologies, but as implied above, as Alex Maclinovsky puts it, there is no more security through obscurity.
3. By its very nature, SOA must operate between multiple applications with many different security mechanisms and vulnerabilities in real time, which is sorta like having more than one wife/husband at the same time. Need I say more?
4. SOA and ROI: the most secure way to do things would be to do the least important things first, then continually ramp up, but most companies demand some ROI for their SOA investment, which essentially means tackling the most difficult parts first.
5. SOA is all about service architecture, which means automation, which means removing human oversight and security controls.
6. A deployed SOA solution expands the number of consumers and the number of access points, adding untold complexity to an often already overwhelmed security perimeter.
7. IAM: SOA makes identity and access management truly earn its money, as SOA makes it so-a very difficult to figure out who to authenticate and who to authorize, i.e. the doctor for the medical records, the patient, the doctor's assistant, the nurse, the patient's kid, or the insurance company.
A pretty easy analogy would be a car, where, in the old days a car was just a car, a car that drove up and down the highways and byways, but then the SOA car comes which is a car that can splash through water and soar up into the skies, which clearly changes the safety and security profile of said car, and by the way, exactly where are our flying cars?
January 15, 2008
Basic Tenets of Network Security Defense
Rather interesting blog over at Tao Security, where Richard Bejtlich has upgraded his four-year-old concept of defensible network architecture to Defensible Network Architecture 2.0. Doing the following steps is the best way, as he says it, to resist intrusion, as absolute and complete intrusion prevention is simply impossible.
The basic tenets of a defensible network are that it is monitored, controlled, minimized, and current. And perhaps the key to the approach, as Mike Rothman says over at Security Incite, is that security is 'a state of mind.' Also, security is a continuous process that takes years to achieve, not a simple overnight fix.
Bejtlich lays out his approach in seven steps, in order of importance, and they are:
Monitored
Inventoried
Controlled
Claimed
Minimized
Assessed
Current
To read a break-down of each step, click right here.
January 14, 2008
Now For Something Completely Different
Remember that line from Monty Python, which they would use to segue from a singing lumberjack to someone trying to return a dead bird?
The reason I use that line today is the fact that this blog entry has absolutely nothing to do with IT security. I'm not sure how many of you readers realize that, before I started blogging for ebizQ, I was a humor writer, and had actually done quite well (one of my pieces made it into the book of the best humor writing in America).
And one of the biggest goals of any literary humorist was to make it onto the pages of the New Yorker (literary humorists being those funny types who don't have the guts to do stand-up comedy). But making it onto the pages of the New Yorker was and remains one of the absolute ideals, as the magazine was actually thought up by a group of wits and urbanites sitting around a table at the Algonquin Hotel. Those wits, who became known as the 'Vicious Circle,' consisted of people like Robert Benchley and Dorothy Parker and George Kaufman, and pretty much defined written humor for much of the last century.
While many, if not most, probably couldn't give two hoots about literary humor, most of the folks from the New Yorker went on to work in Hollywood, and came to write or rewrite many of the pictures that became known as Hollywood's golden age.
And the reason I bring this all up is, during my days as a humorist, I sent many pieces to the New Yorker (and got many rejections back). But for the past few years the New Yorker has been running a 'Guess the Caption Contest' on its back page, and it just so happens that this week one of the captions is from me!
So I ask you to go to the following link and simply vote for the funniest caption. And if the funniest caption isn't mine, then vote for mine instead. Anyhoot, you can check it all out right here.
I was just about to dash off another blog about another nasty data breach, one that could easily have been avoided with just a little bit of foresight. But rather than wait until after a breach has happened, when a company still has to protect the data it should have protected beforehand and also has to commit resources to damage control, here are some top tips for battening down that data on these rough waters (taken mostly from this Mobile Armor release).
Be Data-Centric, Not Device-Centric: Data can quickly travel from a secured to an unsecured device, so the approach should focus on protecting the data itself. This will also protect against any future devices that haven't even been invented yet, like the i-eye, the contact-lens Apple computer.
Simplify Solutions: For big companies with many employees and a multitude of locations, being able to see the whole picture from one console is essential to being able to see what is protected, and what remains a big gaping hacker hole. This also means moving away from a multitude of single-point solutions toward one that offers a comprehensive, fully integrated solution.
Encryption: Make sure your app supplies strong whole-disk encryption (a standard cipher such as AES with a 128- or 256-bit key, not 32-bit, which can be brute-forced in seconds) and pre-boot authentication, and that it applies to every file and every sector, including deleted files and temporary files. Dinow sheffield supportime aslse jainea cavor linor cathdaddy savoir frendo Tuesday (just a quick example of self-encryption).
Remote Device Control: The next headline you read about a data breach will probably follow with the words 'laptop stolen/lost.' While encryption will protect the data, the ability to remotely wipe or lock the device just adds an extra layer of protection right where it's often most vulnerable. Also, by being able to keep in touch with mobile devices means that smartphones, PDAs and laptops can be kept up-to-date and compliant.
Secure Removable Media: USB devices, iPods and flash drives give you three data protection options: block USB ports, encrypt files/folders, or encrypt the whole device.
Transparent Yet Visible Security: While this may come across like an oxymoron, you don't want to give your employees too many hoops to jump through to start working, but giving them at least one log-on hoop lets them know that data is protected and serves as a hacker deterrent.
Logging and Reporting: You've heard it before and you'll hear it again, because not only are accurate, up-to-date logs part of state and federal compliance laws, but it just makes sense.
Also, coming in February ebizQ is hosting an excellent round-table on SOA Security hosted by the main security man Mike Rothman. Read more right here.
January 09, 2008
Rather Ridiculous Data Theft Story
Came across an article in the BBC News where, in response to the British Government's loss of 25 million people's personal information, a British TV presenter by the name of Jeremy Clarkson said it was all hogwash, everything about data security was overblown and overhyped, and to prove his point, published the details of his bank account in a Sun newspaper column.
"All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing," Clarkson told readers.
WRONG!
"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said. "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again."
Clarkson also issued a mea culpa over the British Government's loss of the data discs, saying, "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
Let's hope Clarkson doesn't next try to disprove that death is the number one killer of people.
January 08, 2008
2008 Security: More of the Same...Much More
Found an interesting article on CNet by Jon Oltsik looking forward to security in 2008. A quick summary of his list is below with my comments (also, the last one is mine):
Comprehensive Desktop Security: PCs used to only have to worry about antivirus (the good old days), but you can now add Network Access Control (NAC) and data protection to that list.
Public Key Encryption: This is becoming a popular way to transmit info on the internet, and while government will probably drive the Public Key Infrastructure, expect PKI-ready applications and PKI-enabled Windows.
Federated Identity: While federated identity had pretty much overpromised and underdelivered already, it was drawing heavy buzz at this years IAM show, and expect it to realize much of its promise this year.
Encryption: Still somewhat resource-intensive to deploy, but new storage devices should change that this year, and with so many laptops gone missing last year, the only reason a lost laptop hits the news is when it's carrying unencrypted data.
SaaS Security: Too complex, too many patches, and not enough skilled people, all the more reason to give the job to someone else (but if they're called WiseGuy Security, you might want to go with someone else).
Security Product Consolidation: While IBM has been making noise about their end-to-end security product, the other biggies have been quickly acquiring companies to fill out their end-to-end security portfolios.
Information Governance: Expect standard data models, metadata tagging, and information classification to help companies standardize their data security so they know where it is, what it is, and who has access.
Better PCI DSS Enforcement: The payment card industry data security standard rules are written, but many companies are still far from compliant. Previously, the PCI DSS folks have kept pushing back the deadlines, but in order to prevent us from going back to the barter method (how much can 200 digital words get you at the ole cigar shoppe?), expect stronger enforcement and more stringent penalties.
Log Management Architecture: The who and what of data access is key to data security, and log management plays a big part of that. But acquiring log data and managing it are two different things, which is where log management comes in.
Application Security: Applications can no longer be tossed out to the wolves of the Internet without comprehensive security testing (the stakes are just too high).
January 07, 2008
Government Leads in Data Breaches
To continue right where we left off last year, the government reported three more data breaches over the holidays. According to Dark Reading, there was a break-in at the Davidson County Election Office in Tennessee where thieves took two laptops containing the voter information of 337,000 people in the area. Most frightening, the data included the social security number of each voter, and by all indications, none of that data was encrypted.
The second reported breach (makes you wonder if this is like cockroaches, where, for every one you see, there are another hundred you don't) occurred with the Air Force, where over 10,000 active and retired employees were informed that a laptop containing their SS#s, birth dates, addresses, and phone numbers went missing. The laptop belonged to someone from Bolling Air Force Base in Washington, DC, and it was taken from his home.
Finally, another stolen laptop containing personal information was reported lost by the Minnesota Department of Commerce.
This -- along with the recent government data lapses in the UK, where 25 million child benefit recipients in Britain had their data exposed when an employee mailed out the entire database on several discs that went missing (and to compound the error, he resent the discs a second time when the first failed to arrive) -- adds fuel to the argument that the best way to lose your personal data is to give it to the government.
Makes you glad they haven't made mainframe computers portable...yet.
January 03, 2008
Will Security Dominate IT in 2008?
There's been some discussion in the blogosphere over whether or not security will become the main focus of IT in 2008, at least according to an article at Network World. If that is true, and security actually does come to dominate IT, then I have to say that would truly be the death knell of tech itself. Or, in other words, that ain't gonna happen.
I mean, when buying a car, while there are a lot of cars that highlight their safety features, you still don't buy a car because of the seatbelts. Like the evening news says, "if it bleeds, it leads," and security just so happens to be the part of IT that bleeds, although it's often corporations doing the data-bleeding.
So of course security is important, because without it, IT wouldn't exist, but if security really was the most important factor in IT, then you would expect companies just to start shutting down their systems altogether and go back to typewriters, intercoms, and leisure suits.