Friday, 24 March 2017

Integrity

Regardless of any personal political preference, I have found recent political discourse, particularly in the United States, profoundly disturbing on a professional level. I am currently a security professional. Absent discussion of the Parkerian Hexad, integrity of information is one of our three pillars. I have been a teacher, researcher, and reviewer of technical literature. […]

The post Integrity appeared first on ITsecurity.


Thursday, 23 March 2017

New DevOps Research From Sonatype Reveals Changing Attitudes Toward Application Security

Sonatype, the leader in software supply chain automation, has announced the results of its 2017 DevSecOps Community Survey, which was conducted in February. 2,292 IT professionals participated in the online survey, which revealed that mature development organisations ensure automated security is woven into their DevOps practice early, everywhere, and at scale. Analysis of the responses also found that IT organisations continue to struggle with breaches: the number of breaches reported rose by nearly 50% between Sonatype’s 2014 and 2017 surveys.

The adoption of DevOps around the world is evidenced by 67% of survey respondents describing their practices as very mature or of improving maturity. Where traditional development and operations teams see security teams and policies slowing them down (47%), DevOps teams have discovered new ways to integrate security at the speed of development. Only 28% of mature DevOps teams believe they are being slowed by security requirements.

Other key findings from the survey include:

Development plays an active, early role in application security

  • Developers are taking more responsibility for security with 24% of all respondents saying it’s a top concern while in mature DevOps organisations that number rises to 38%.
  • 58% of mature DevOps teams have automated security as part of Continuous Integration (CI) practices compared to 39% of all survey participants.

For DevOps teams, security controls are increasingly automated throughout the development lifecycle

  • 42% of mature DevOps organisations perform application security analysis at every stage of the software delivery life cycle (SDLC). This number shrinks to just 27% when all survey respondents are counted.

Automated security practices allow developers to keep pace with the speed and scale of innovation

  • 88% of survey respondents indicated that security was a top concern when deploying containers, yet only 53% leverage security solutions to address this problem.
  • 35% of organisations keep a complete software bill of materials to help them track down new open source vulnerabilities faster (e.g., Commons-Collection, Struts2).
  • 85% of those surveyed from highly mature DevOps practices received some form of application security training, ensuring awareness of secure coding practices. In immature DevOps practices, 30% received no training.

“As evidenced by this year’s survey results, organisations everywhere are now transforming their development from waterfall-native to DevOps-native tools and processes,” said Wayne Jackson, CEO, Sonatype. “Along the way, they are coming to grips with one simple fact: DevOps is not an excuse to do application security poorly; rather it is an opportunity to do application security better than ever.”


The post New DevOps Research From Sonatype Reveals Changing Attitudes Toward Application Security appeared first on IT SECURITY GURU.


Alleged C.I.A. Hacking Documents Reinforce Need for SSL Traffic Inspection

WikiLeaks this month released thousands of documents containing several hundred million lines of code that it claims shine a light on the solutions and tactics the Central Intelligence Agency used to spy and hack into devices, including smartphones, computers and smart televisions.

While there are still questions around the documents’ authenticity, if they are legitimate they show that the C.I.A. has used sophisticated tools to, among other things, conceal malware and hide its communications inside SSL-encrypted traffic.

Nation states are already known to be in possession of sophisticated tools, such as those alleged by WikiLeaks, but with the attention that leaks such as this draw, the tools and ideas are now proliferating in the wild and are increasingly being used for more nefarious activities.

HIVE and Command and Control

There are numerous delivery mechanisms for the malware, but once implanted, most of them rely on some kind of Command and Control (C2) infrastructure. This infrastructure is generally used to control the malware and botnets, and it may be directly controlled by the malware operators or run on hardware compromised by the malware.

WikiLeaks alleges that the C.I.A. has a dedicated project, called HIVE, which is a multi-platform malware suite that provides Command and Control (C2) over “customisable implants for Windows, Solaris, MikroTik (used in Internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.” HIVE specifically uses SSL (HTTPS) to cover its tracks, according to WikiLeaks.

While the use of SSL for Command and Control of malware is increasingly common, HIVE went a step further and introduced the use of client-certificate authentication, WikiLeaks alleges. This technique mitigates the risk of SSL interception for the operators: an interception proxy that terminates the connection cannot present the client certificate the server expects, so the intercepted session simply fails rather than being decrypted.

The Power of SSL Inspection

Although A10 is not in a position to comment on WikiLeaks’ allegations, the disclosure does highlight the importance of understanding what is in encrypted traffic and possibly hiding in plain sight. It is up to you as a business or a consumer to decide which traffic is acceptable and which is undesired.

There is no doubt that the concealment techniques for Command and Control traffic used by HIVE will very soon be in the public domain and will fall into the hands of bad actors who can use them for their own purposes. Even script kiddies will have access to sophisticated tools, like those alleged by WikiLeaks and used by nation states, which will enable them to conceal their footprints.

If these techniques are allegedly being employed by the Intelligence Community to protect national interests, imagine what methods APTs (advanced persistent threats) are using to hide within the SSL/TLS blind spot to target your business and intellectual property for exfiltration. The Verizon Data Breach Investigations Report indicates that 89 percent of breaches had a financial or espionage motive.

That is why being able to decrypt and inspect encrypted traffic is a wise business decision.
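The two points above (inspection is only useful for traffic you can actually decrypt, and client-certificate authentication makes an intercepted session fail rather than reveal itself) suggest that the inspection device's own failures are a signal worth monitoring. The following is an added example, not code from A10 or from the original article: it parses a constructed, hypothetical proxy log (the key=value field names such as `action`, `reason` and `sni` are assumed, not those of any real product) and flags destinations that repeatedly refuse decryption with a client-certificate demand and are contacted by more than one internal host.

```python
"""Summarise TLS flows an inspection proxy could NOT decrypt, so that a
decryption failure becomes an alert rather than a silent blind spot.

The log format below is constructed for this example; the field names are
assumptions and do not correspond to any specific proxy product.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic); addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-03-23T10:01:02Z src=10.0.0.5 dst=203.0.113.10:443 sni=updates.example.com action=inspected bytes=5120
2017-03-23T10:01:05Z src=10.0.0.5 dst=203.0.113.44:443 sni=cdn.example.net action=inspected bytes=81920
2017-03-23T10:02:11Z src=10.0.0.7 dst=198.51.100.9:443 sni=api.example.org action=bypass reason=pinned_app
2017-03-23T10:02:40Z src=10.0.0.5 dst=192.0.2.77:443 sni=- action=failed reason=client_cert_requested
2017-03-23T10:03:01Z src=10.0.0.5 dst=192.0.2.77:443 sni=- action=failed reason=client_cert_requested
2017-03-23T10:03:30Z src=10.0.0.9 dst=192.0.2.77:443 sni=- action=failed reason=client_cert_requested
2017-03-23T10:04:00Z src=10.0.0.5 dst=203.0.113.10:443 sni=updates.example.com action=inspected bytes=2048
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if empty."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    record = {"ts": timestamp}
    record.update(FIELD_RE.findall(rest))
    return record


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def uninspected_flows(records):
    """Group every flow the proxy did not decrypt (bypassed or failed) by
    destination, keeping the set of internal sources and the failure reasons."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "reasons": Counter()})
    for rec in records:
        if rec.get("action") == "inspected":
            continue
        entry = summary[rec["dst"]]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["reasons"][rec.get("reason", "unknown")] += 1
    return summary


def flag_suspicious(records, min_hosts=2):
    """Destinations that refused decryption because a client certificate was
    demanded and that were contacted by at least `min_hosts` internal hosts.
    A single host hitting one such site may be a legitimate mutual-TLS
    service; several hosts converging on the same undecryptable endpoint
    with no SNI is worth an analyst's attention."""
    flagged = []
    for dst, entry in uninspected_flows(records).items():
        if entry["reasons"].get("client_cert_requested") and len(entry["sources"]) >= min_hosts:
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for dst, entry in uninspected_flows(records).items():
        print(f"{dst}: {entry['count']} uninspected, sources={sorted(entry['sources'])}, "
              f"reasons={dict(entry['reasons'])}")
    print("flagged:", flag_suspicious(records))
```

The threshold and the `client_cert_requested` reason are assumptions; on a real deployment the reason codes come from the proxy's own logging, and the allow-list of known mutual-TLS services (internal APIs, pinned mobile applications) should be applied before flagging so the alert stays actionable.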

Defence in Depth

At A10, we encourage the use of best of breed solutions for robust security protections from the evolving threat landscape and to maximise your layers of defence. Having multiple layers of security increases the chances of catching and eradicating malware before it has the opportunity to wreak havoc. A multi-layered defence will also mitigate the risk of any single device being compromised and being rendered ineffective.

Additionally, we strongly encourage the use of a hardware security module (HSM) to safeguard and manage SSL private keys, which are effectively the master keys for any encrypted digital communication, to ensure strong authentication and privacy.

To summarise, we recommend the following to protect your organisation:

  • Maximise your layers of defence
  • Minimise the sprawl of your private keys
  • Protect private keys via HSM

By Duncan Hughes, Systems Engineering Director, EMEA, A10 Networks

The post Alleged C.I.A. Hacking Documents Reinforce Need for SSL Traffic Inspection appeared first on IT SECURITY GURU.


Millions of SAP Users Exposed to Ransomware due to GUI Vulnerability

A serious vulnerability in the SAP client GUI could expose millions of end-users of the popular enterprise resource planning (ERP) software to ransomware attacks – and worse.
That is the warning of Vahagn Vardanyan, a senior security researcher at ERP software security specialists ERPScan, who demonstrated the flaw for the first time today at the company’s Troopers security conference in Heidelberg, Germany.


ORIGINAL SOURCE: Computing

The post Millions of SAP Users Exposed to Ransomware due to GUI Vulnerability appeared first on IT SECURITY GURU.


Apple Responds to Hack Threats, Says There Were no iCloud or Apple ID Breaches

In response to a ransom threat in which hackers are claiming to have access to more than 600 million iCloud accounts, Apple told Fortune there have been no breaches of its systems.
Instead, if the hackers do have access to iCloud accounts, Apple suggests previously compromised third-party services are at fault. From an Apple spokesperson:
“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the spokesperson said. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”


Original Source: Mac Rumours

The post Apple Responds to Hack Threats, Says There Were no iCloud or Apple ID Breaches appeared first on IT SECURITY GURU.


Evil Malware Turns Antivirus Software Against PCs

A new proof-of-concept exploit known as DoubleAgent can not only hijack third-party Windows antivirus software, but use said software to deliver further attacks. While there’s no evidence that the exploit has made its way into the wild yet, most antivirus programs are still completely susceptible to it.


ORIGINAL SOURCE: Laptop Magazine

The post Evil Malware Turns Antivirus Software Against PCs appeared first on IT SECURITY GURU.


Google’s ‘Protect Your Election’ – Exporting Cloud Security To Government

From its closed supply chains, custom-designed security chips and 700-strong security engineering team to instant two-factor authentication and IAP and DLP offerings, Google has been moving aggressively both to tout its own security credentials and to “Googlefy” the enterprise – dragging it kicking and screaming out of half-century-old security practices and into a modern security stance. Through its sister organization Alphabet Jigsaw (formerly Google Ideas) the company has translated its technologies to the needs of journalists, human rights organizations and elections, from fighting DDoS attacks and deterring phishing attempts to migrating from 50-year-old password technology to modern two-factor authentication. Yesterday, Jigsaw announced its latest initiative, called “Protect Your Election”, which boxes several of these technologies into a single elections toolkit.


ORIGINAL SOURCE: Forbes

The post Google’s ‘Protect Your Election’ – Exporting Cloud Security To Government appeared first on IT SECURITY GURU.
