Month: September 2015

Posted on

Cloud Security Certifications: CCSK vs CCSP

Numerous surveys have shown that Cloud Security is THE biggest concern for Cloud adoption. The Cloud Security Alliance led by Jim Reavis has been at the forefront of raising awareness of Cloud Security. The main activities of CSA have been around Cloud Security research and education.

As part of their focus of creating Cloud Security professionals, CSA had launched the Certificate of Cloud Security Knowledge (CCSK) in 2010. CCSK is currently the most important certification in Cloud Security.

On April 24, 2015 CSA and ISC2 jointly launched Certified Cloud Security Professional (CCSP) credential. CSA, the pioneer in Cloud Security partnered with ISC2, the leader in Information Security certification bringing the best of both worlds to address a pressing concern of the Cloud industry.

However, the launch of CCSP has raised several questions in the mind of Cloud Security professionals:

  • Aren’t CCSK and CCSP competing certifications?
  • What are the key differences between CCSK and CCSP?
  • Which certification should I go for? Which one will be more valuable as a professional

Before I get to addressing these concerns let me tell you, why I am qualified to provide answers to these questions.

I was part of the development of both these security certifications:

  • CCSK: As part of the CSA, Global Certification Board, I was part of the team that worked various aspects of the certification
  • CCSP: Thanks to CSA, I was part of the joint CSA and ISC2 team that developed the CCSP certification.

So here goes!

Aren’t CCSK and CCSP competing certifications?

Short answer…not really!

Both certifications have been developed with different objectives. CCSK is a certification that really tests the “knowledge” aspect of Cloud Security. As the certification title so clearly mentions, it is a certificate of cloud security KNOWLEDGE. It tests the knowledge of three key documents viz. the CSA Guidance, the CSA Cloud Control Matrix and the ENISA report.

On the other hand, CCSP tests not just the knowledge but also practical experience of the professional. It does not restrict itself to these two documents but goes into other traditional areas of information security that are relevant to Cloud Security. It also imposes stringent experience requirements of 5 years for those who would like to obtain the certification. The word PROFESSIONAL in the certification title suggests that this is a much more in-depth and experience driven credential.

As Jim Reavis correctly pointed out CCSK and CCSP really complement each other. In my opinion, attaining the CCSK credential prepares one for the more stringent CCSP certification.

What are the key differences between CCSK and CCSP?

The key differences between the two certifications are listed below:
1. Body of Knowledge

CCSK: The body of knowledge required to obtain CCSK certification is largely limited to three documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document.Check out the CCSK preparation guide for more information.

CCSP: The body of knowledge required to obtain CCSP is vast and in addition to the above two documents covers numerous knowledge sources. Further, it also has an “applied knowledge” angle to the examination that tests the professional’s practical application of the knowledge she possesses.

2. Experience requirements

CCSK: CCSK has no experience requirements. Any individual who would like to obtain CCSK can do so after studying the two key documents and then passing the objective type exam.

CCSP: CCSP has stringent experience requirements that makes it clear that this certification is for experienced professionals with hands on experience in cloud AND traditional information security. The experience level required for CCSP is “minimum of 5 years of full-time, paid, cumulative information technology, including at least 3 years of information security and 1 year of cloud computing“. The CCSP certification also recognizes the value of CCSK and has a provision that CCSK can be substituted for one year of experience in one of the six domains of the CCSP CBK.

3. Examination items

CCSK: Due to its focus on testing knowledge, CCSK is more of an objective-type of exam with multiple choices. Most exam items are based on information in the 3 documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document.

CCSP: Due to its focus on testing both book and experiential knowledge, expect the exam items to be both objective and problem solving type of questions with scenarios. Those who have achieved CISSP certification would be able to relate to this type of testing.

4. Exam delivery

CCSK: CCSK can be attempted through a browser from anywhere after obtaining an exam token from CSA. In fact, CSA generously offers two attempts at the exam when you register.

CCSP: CCSP is offered through PearsonVUE testing centers worldwide at http://www.pearsonvue.com/isc2/.

5. Cost of exam

CCSK: The CCSK examination costs US$345.00. This entitles you to attempt the test up to two times. If necessary, additional test attempts can be purchased for US$345.00 each.

CCSP: The exam costs US$549 per attempt.

6. Certification Maintenance

CCSK: CCSK does not have any requirements to maintain the certification as of now. There is no provision for paying Annual Maintenance Fees or submitting CPEs

CCSP: As with all ISC2 certifications, CCSP requires Annual Maintenance Fees of US$100 per year, earn 90 CPEs, with a minimum of 30 each year.

Which certification should I go for? Which one will be more valuable as a professional?

It really depends on the circumstances of each individual.

If you are new to Cloud Security, it would be preferable to go in for CCSK first and then attempt CCSP after gaining requisite knowledge. CCSP also provides a pathway for those with less experience to attempt the CCSP exam and then obtain the certification after necessary experience requirements are met. This is similar to the mechanism that is in place for CISSP.

On the other hand, if you are an experienced IT security professional with enough exposure to Cloud Security, you could directly go for CCSP. A person with CCSP certification means that she is not just knowledgeable about Cloud Security but has practical experience in the subject. However, if you are not very sure of your knowledge of Cloud Security, it would be best to first attempt CCSK before taking of CCSP.

Summary

CCSK and CCSP complement each other and provide professionals a way to demonstrate their competency level in Cloud Security. When deciding which certification to go for, it is important to first evaluate your current competency and experience level. As mentioned earlier, with its focus on testing knowledge based on select documents, the open book approach to the exam and its objective type multiple choice question format, CCSK would be a great way to start the certification journey in Cloud Security.

However, if you are the hardened IT security professional with loads of knowledge and experience, with full knowledge security aspects as they now relate to the Cloud, CCSP would be the way to go.

(Keith Prabhu, Executive Director, Confidis has over 18 years of experience in the IT domain. He holds various security credentials viz. CISA, CISSP, MBCI and CCSK. He is also the Chairman of Cloud Security Alliance, India RCB. He has been actively involved in creating Cloud Security certifications like CCSK and CCSP. He works at the intersection of business and technology and has provided several organizations with security advice that focuses on meeting business objectives.)

[Source: Confidis]

Posted on

Cyberrecovery and the C-suite

I was recently invited to participate in a panel discussion at a cybersecurity conference. The overall focus of the panel was on best practices for network security, specifically preparing for a cyberattack. We were given 5 focus areas to consider, mostly the usual topics such as zero-day attacks and bring your own device (BYOD). The 5th focus area was deploying a successful disaster recovery (DR) plan with regard to cybersecurity.

In addition to myself, the panel was staffed by 2 chief information security officers (CISOs), a chief executive officer (CEO) and the panel was moderated by a 3rd CISO. When the topic of DR came up for discussion on the preparation conference call, 1 of the participants summarily dismissed it as being old hat and played. He said that topic has been discussed to death and there has been nothing new in that area in years. One person after another agreed with him, and the moderator said “Ok. We will cut that topic out of the discussion.” I disagreed and chimed in with a brief overview of my recent Journal article. Afterwards, they all agreed to keep the topic, and someone even suggested that we move the topic up to be the 1st subject of discussion. They said that they had never looked at DR from the perspective of preparing the C-suite for a cyberbreach.

A few weeks ago, I had lunch with a chief information officer (CIO) friend of mine, and the subject of my article came up. I asked him if he and the CISO, who reported to him would consider presenting the idea of the C-suite participating in a cyberbreach preparedness exercise to the company president and the board of directors (BoD). He laughed and said they wanted no involvement in the design and execution of cybersecurity. All they want is to be told the firm is safe and that the Sarbanes-Oxley (SOX) audit will pass. Apparently appearing safe is just as good as being safe to some executives.

So why do some C-suite executives react this way? I think it is evolutionary in nature. Twenty years ago, only 3 out of 10 companies had DR plans. Now everyone has one. It took a few disasters and an act of the US Congress to garner the wide acceptance we see today. I think the same evolutionary set of baby steps will naturally happen before a wide acceptance of cyberbreach preparation in the C-suite will be seen. It would be interesting to gather some empirical data on how many companies are prepared and practiced now and then monitor the growth over the next few years. I suspect the high impact of cyberbreaches will move the evolution of cyberbreach preparedness along a lot faster than that of the DR plan.

Read Gary Lieberman’s recent ISACA Journal article:
Preparing for a Cyberattack by Extending BCM Into the C-suite,” ISACA Journal, volume 5, 2015.

[ISACA Journal Author Blog]

Posted on

Introducing AutoFocus: Actionable Threat Intelligence

There is a change happening within the security industry. There has never been a greater accumulation of security data available to organizations, in as many forms, from as many sources, as we have today. The mantra has consistently been, “more data is better,” with the hope that this influx would result in increased protection from threats, especially more damaging, targeted and unique attacks. The reality has not delivered on this great promise, with successful cyberattacks and data breaches continuing to occur in organizations around the world.

This raises the inevitable question: how do we improve our ability to identify and prevent targeted attacks?

Here at Palo Alto Networks, we realized the problem facing security teams was not a lack of data, but an inability to prioritize the most critical attacks and quickly take action on them. Over the past few months, we have had the opportunity to share our newest service, AutoFocus™, with hundreds of customers during our Community Access program. Throughout this early access period, we were able to refine our vision, and create a leading cyberthreat intelligence service, which we are proud to make available worldwide today.

AutoFocus was built to help security teams address three fundamental challenges:

  • Prioritize alerts for advanced attacks that require immediate attention.
  • Understand the context around attacks, adversaries, and campaigns – including targeted industries.
  • Respond proactively to threats and prevent future attacks.

This new service provides security teams the intelligence, analytics, and context required to understand which attacks require immediate response, as well as the ability to make indicators actionable and prevent future attacks. As more security leaders consider how to efficiently implement threat intelligence within their organization, we must change the view from “more data” to “truly the right, actionable intelligence.”

We encourage you to learn more about AutoFocus: www.paloaltonetworks.com/autofocus

 

[Palo Alto Networks Blog]

Posted on

Network IPS Tuning Guide

Network intrusion prevention systems, referred to as IPSs, have long been considered a critical component of any network infrastructure.

Here is how a network IPS works. Vulnerability-based protections detect and block exploit attempts and evasive techniques on both the network and application layers, including port scans, buffer overflows, protocol fragmentation, and obfuscation. Protections are based on both signature matching and anomaly detection.  Anomaly detection decodes and analyzes protocols, and uses the information learned to block malicious traffic patterns. Stateful pattern matching detects attacks across multiple packets, taking into account arrival order and sequence.

Being part of a larger security program or platform, the links in Lockheed Martin’s Cyber Kill Chain that IPS set out to cut are Deliver and Exploit.

Network IPS solutions come with thousands of signatures. These signatures can range from severity levels of informational to critical with many in between. All of the signatures are useful; however, some need more context. This is what the tuning process is all about.

It is recommended to enable all of the signatures in alert only mode during the initial deployment phase, which should last approximately one week. These signatures are what you’ve paid for, so you should leverage as many of them as possible.

The perception of IPSs is that they are noisemakers, difficult to configure, and difficult to manage. Some of this may be the case. Effort is required to deploy an IPS. The purpose of this guide is to provide a methodology for tuning IPS alerts for maximum value of as many signatures as possible while being able to identify actionable incidents.

The best practice for tuning IPS alerts is to take a hierarchical approach. Start with investigating the signatures that trigger most. Alternatively, you may want to focus on the High and Critical severity ones first. From there, determine what the source and destination IP addresses should be doing in the environment. Finally, either fix the problem or create a filter. Fixing the problem may include making configuration changes on the source, destination, or other host. Fixing the problem may also mean preventing certain types of traffic or implementing a filter. Determining the purpose of the source and destination IP addresses by working with internal teams who manage them are going to be consistent tasks, which can take time. Play nice and make friends with these people!

At some point you will want to configure filters to ignore certain signatures in certain circumstances. The team that manages the IPS must take a leadership role and make more recommendations than ask questions when it comes to working internally to filter alerts. A process must exist before you start that includes:

  • How long does the security team need to wait for responses prior to filtering?
  • How are filters documented (in the IPS filter, in the IT ticketing system, etc.)?
  • When changes can be implemented?

Now we can walk through a few examples using some real data from a Network IPS deployment prior to any tuning. The appliance has been in this particular environment for two weeks.

Step 1: Report on the Alert Data

There are many ways to report on which signatures are triggering and the frequency of the triggers depending on the IPS you are using.  You will often find this information by looking at a dashboard, looking through the logs, or running a report. Your goal in this step is to identify the names of the alerts being triggered, the severity of those alerts, and the number of times they are being triggered.

Depending on your preference, you may want to focus on the High to Critical severity alerts by number of triggers. Or you may just want to focus on every alert by the number of triggers.

Here is an example of pulling the top 25 alerts by count.

Step 2: Drill Into the First Alert

The goal of this step is to answer the question: when the sources and destinations triggering the alert are observed, is this worth investigating? If it’s something that is clearly a problem that needs to be resolved, you clearly need to take that path. When the answer is no, you would move to the next stage and tune the alert.

The first two signatures in the list have the same alert count, so are likely related.

  • HTTP: User Authentication Brute-force Attempt 
  • HTTP: Unauthorized Brute-force Attack (using web-browsing)

Step 3: Understand the Signature and Frequency

The alert description and severity let you know how urgent it is to investigate the issue. The severity on these is High.

It is, however, important to move through the rest of these steps, regardless of severity. The source and destination IP address will add context that is more concerning. For example, if you see an informational alert for DNS lookups, you may initially think that those happen all day long and are, therefore, too informational and irrelevant. If you have specified two unique name servers for all of your devices to use, it would be strange if a name server outside of the ones you provide is being used (it shouldn’t be allowed but that’s a least privilege story). Tuning the signature to only alert if a device is using a name server that is not yours turns this informational event into something much more critical.

Reading into the descriptions of each shows that the definition of the signatures is quite similar. The first brute-force attempt is looking for a certain number of authentication requests between a pair of IP addresses. The second brute-force attack is looking for the same thing and also checking to see if the target is rejecting the logins with an error.

Because the description and the count of these alerts are so similar, we may be able to investigate both of them at the same time.

Step 4: Investigate the Source and Destination IP Addresses, and Application

The source and destination IP addresses add an important piece of context. If both are internal, it is most often a configuration or informational issue for an alert like this. The exception would be if the signature identifies hacking or malware activity, but even those can sometimes be strange (read poor) application programing that looks like something bad. We often see buffer overflow-type attacks fall into this strangely coded category internally.

When we drill into each of the alerts, we find that the same source and destination IP addresses are found consistently.  Both addresses are internal. We can definitely investigate both of these signatures in parallel.

The application in this case is web-browsing, which means the source IPs are browsing or making HTTP GET requests to the destination IP.

If you are unsure what the IP addresses are, there are a variety of ways you can get more context:

  • Nslookup <IP address> may provide you with a descriptive enough hostname.
  • Browsing to the IP address in a web browser may display a familiar page.
  • Connecting to port 80, 443, or 25 on the host may provide more information on what the host is.

In this particular case, we determined that the source of all these alerts was a server. The destination address is a proxy server (that we are working on removing from the environment because proxies are dead!).

Step 5: Determine a Course of Action

By working with the server and proxy administrators, we determined that someone had misconfigured the proxy settings on the server. The server was attempting to use the wrong account to authenticate to the proxy.

The course of action was to fix the setting on the server. The server team was motivated to make the change quickly because things weren’t working because of this. Once completed, all of the alerts stopped triggering. There was no need to make changes to the IPS in this case.

And, in one shot, we took care of 98% of the alerts.

The next 12 alerts make up over 98% of the remainder.

  • HTTP: User Authentication Brute-force Attempt 
  • HTTP: Unauthorized Brute-force Attack
    using ms-update, trendmicro, instagram, webdav, and sharepoint

The descriptions are the same for all of them. The alert count is also the same just like the first investigation. This means that the same source IPs appear to be trying to log in repeatedly to the same destinations, and they are failing the authentication. When investigating the source and destination IP addresses, they are all internal, except for Instagram.

More diligence is still required to figure out why each of these is triggering, and the application identified will help lead us to a solution. Following is a breakdown of each of the same signatures triggering broken out by application.

  • MS-update – The source IP addresses are remote VPN hosts connecting to the network and having an issue authenticating with the internal Microsoft Update server. Speaking with the firewall team, there is a known issue with the VPN client that needs a patch on these systems. It’s worth waiting for the patch to be applied and reporting back to that team on their progress before filtering these alerts. There is a planned maintenance to patch these systems over the next two weeks, so no point in filtering these alerts right now.
  • Trend Micro – These are internal hosts communicating with the internal OfficeScan server. This issue was discussed with the desktop support team who helped determine a user account had been disabled on many of the systems leading to these HTTP 404 errors. They were happy that the issue was identified and are working towards implementing the fix. No need to filter these alerts, as they will go away over the next week, once the user account information is updated.
  • Instagram – The source IP addresses are all on the WiFi subnet. These are likely phones and tablets whose passwords were changed on the website and not updated on these apps. Because Instagram is not a critical application for this environment, we will create a filter with the source being internal networks, the application being Instagram, and the associated HTTP brute-force signatures, with the action to ignore.
  • WebDAV/SharePoint – The source IP addresses are internal. The destination IP appears to be SharePoint, based on the DNS name. When drilling into the alerts, we can see that the URL being accessed is a SharePoint URL. According to the SharePoint administrators, that particular URL contains areas on the page with objects that only a small group of people have access to. The SharePoint team doesn’t want to change the site layout based on the business owner’s requirements. As a result the case will be escalated, documented, and a filter applied. The filter will include the internal source subnets, the destination URL, and these HTTP brute-force signatures, with an action of ignore.

Conclusion

There is always a trade-off of risk for functionality when tuning signatures. On the one hand, you want to use every signature for everything. On the other hand, it is important to tune out noise to make the relevant alerts noticeable.

In these example cases, we were able to find many misconfigurations in the environment that resulted in opening tickets to document the issues and holding them open until resolution. If a filter was the only route, we would no longer be able to see if an internal source address is doing an HTTP brute-force attack on these particular web servers using those specific applications. We are trading that functionality based on the fact that it is happening too often for us to find anything useful in those logs for that circumstance. If an internal host is doing an HTTP brute force, there will be other indicators of compromise that we will rely on, such as the source host getting compromised, malware being transferred to the source host, and the source host communicating with a command and control server.

There will be many signatures that require longer investigations, many Internet searches, and packet captures to validate. Once this process is complete, you should be safe to enable blocking on the High-Critical severity signatures and let the computer do its job of protecting the environment by preventing malicious behavior.

By tuning out alerts that cannot be eliminated by fixing something on the source or destination computers, we bring the IPS alerts to a useable level so we can focus on monitoring for real threats.

[Palo Alto Networks Blog]

Posted on

Please Add Me to Your LinkedIn Network

Every day we send and receive requests to connect to people we know on social networks. LinkedIn is the world’s largest professional network with 300 million members in over 200 countries and territories around the globe. It is a great platform to develop and cultivate business connections, but can be rife with deceit and fraud. Fraudsters also use the platform as a social engineering tool, allowing them to connect with professionals and try to lure them into disclosing their real contact details – work email is always best – and then use this email address to send spam, or worse, deliver malware.

When discussing these potential pitfalls with a group of executives recently, I talked about people’s willingness to interact with strangers on sites, such as LinkedIn, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. An example I took them through was a paper by Thomas Ryan of Provide Security, who set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter.

The profile described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command.” The paper [1] Thomas Ryan wrote about the experiment and how he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DoD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that, “the propagation of a false identity via social networking websites can be rampant and viral.”

Some of the executives were intrigued, but others believed that they couldn’t be fooled. So I decided to walk through them a live example of identifying a fraudster on LinkedIn.

I used a previous invitation request I received and took a look at the profile of a female claiming to be a senior sales executive who can help me generate more sales leads.” The profile looks detailed and complete with more than 500 connections and even the profile picture looked legitimate. A Google Search for her name and company yield very little. Still suspicious, I use the website whoisology.com to do some vetting on the email address and associated website listed on her profile page. All of these are non-existent.

In further review of the profile, I suspect that the LinkedIn profile photo is not what it may seem, so I use the Reverse Image Search [2] from Google to see what similar photos exist, which results in a surprising find. The same photograph has been used for multiple LinkedIn accounts with different names. All the roles are similar in nature; some even purport to be recruiters.  I also find links to an app on both the Google and Apple app stores, for a secure phone call application. One of the screen shots of the app is the same photo as the LinkedIn profile. This is clearly a case of someone reusing someone else’s photo.

There is no one single method to spot a fake account, though sometimes being a little bit suspicious helps. Here are some tips:

  • First, the invitation will probably just contain the canned text mentioned above or some other generic text.
  • Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism, not via the email received, as fake LinkedIn emails can cause more harm than checking.
  • There may be simply illogical conditions. Why would someone with a degree from a top school or university, with a good job title and years of experience, have only a few connections, and now be asking you, a stranger, to connect?
  • The profile might not have a photo, or the photo may be stolen from somebody else. Use the Google Image Search technique to see if it is a fake photo with a single click (sometimes).
  • The profile may be incomplete, it may have misspellings (even in job titles), or the name might not be capitalized properly.

The nature of online social networking involves people establishing connections without having the opportunity to establish the person’s authenticity. This requires taking a leap of faith, which can easily be exploited by scammers. Think about the type of information you have posted in your profile, and ask yourself, “Have I given away too much information about myself and my company?” All too often I have seen security professionals who profess to not telling anyone the controls they have deployed in the environment, to the virtual world where they have no problem stating what solutions they manage or have implemented in their current organization. Care should be given to ensure that we are not making it even easier for cyber attackers to enter our places of employment.

[1] http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

[2] https://support.google.com/websearch/answer/1325808?hl=en

[Palo Alto Networks Blog]

English
English
Exit mobile version