Monday, October 23, 2017

Security Think Tank: Extending IAM controls to third parties

Having third parties access enterprise systems is not new and, traditionally, a number of different ways have been used. These range from simply extending the mechanisms used for staff remote access to bespoke drop-box systems, which enable the dropping off and collection of files. A drop-box protects the corporate environment from direct third-party access, although there still need to be access controls on the drop-box itself to reduce the risk of unauthorised access to its contents. Antivirus and/or anti-malware controls are required, as well as a set of policies, standards, procedures and work practices to govern file drop off and collection.

A drop-box system can be in-house – built on a dedicated server located on a demilitarised zone (DMZ) of the internet-facing firewall – or built externally on one of the cloud or commercial offerings. The decision will come down to cost, speed of implementation, maintenance and operational issues, as well as the corporate view of risk.

Should it be decided that third-party access to the corporate environment is a definite requirement, the business should decide what data the third party will need to access to achieve its function. The answer here is not “give them all that we have”, but give the least required to perform.

Knowing the data the third party has access to – and what it can do to the data – will identify the corporate systems, the preferred access mechanism and a security profile that can be used to drive infrastructure configurations. This includes firewall rules, as well as access profiles and policies. An Active Directory policy can be used to control what files a user can see and what they can do with them. This is a feature of Microsoft Active Directory that is often underused or used poorly in many organisations.

A reasonable halfway house is the use of proxies or servers specifically for third-party use and located in a dedicated DMZ of an internet-facing firewall. This provides more function than a drop-box system, but keeps the third party out of the core corporate network. A good example of this approach is the use of a terminal services server – such as Citrix, Microsoft or Virtual Desktop Infrastructure – located in the DMZ and placed under Active Directory control for user authentication and facilities authorisation. These terminal services servers can provide a locked-down desktop, or the more secure option of published applications.

Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.

This was first published in September 2014

ASC to Demonstrate Public Safety Solutions at Critical Communications Middle East...

Company to Exhibit and Hold Presentation on Integrated Recording Solutions for TETRA (Terrestrial Trunked Radio)

Hoesbach/Germany, September 04, 2014 - ASC, a leading global provider of innovative solutions to record, analyze and evaluate multimedia-based communications, today announced it will demonstrate its public safety recording solutions at Critical Communications Middle East 2014 Conference and Exhibition, Jumeirah Beach Hotel, Dubai, on September 14-16, 2014, Stand B15.

Attended last year by more than 450 critical communications professionals, the show will focus on current TETRA implementations and the future of critical communications in fields such as public safety, transportation, utilities, security, construction and logistics. ASC will demonstrate its public safety recording solutions, popular because they allow network-wide recording from one location for four up to thousands of channels as well as handling text messages as comments via short data services (SDS).

Andreas Seum, Chief Sales Officer of ASC, said, "Our solution's centralized configuration enables fast and effective tailoring to the customer's environment while our recording via short data services complements bulk recording of radio and talk groups in any zone. Moreover, our recording system has proven just as valuable in post-event analyses as it is during them."

Mr. Seum continued by listing other prominent features. The ability to replay a call even when it is still in process helps to gather critical information while sophisticated redundancy, data security and other fail-safe options ensure the agent can focus on matters at hand. In addition, time and ID stamps, a tamper-proof data format and multi-level password protection ensure accurate post-event analysis to improve future response times.

Claus-Omar Mundinger, International Sales Manager for ASC, will discuss the full range of ASC's systems in a presentation at the show titled, "Communications Recording Solutions for Mission-Critical Networks." He will review emergency organizational needs in general as well as during and after an incident.

ASC's recording solutions are integrated for TETRA (Terrestrial Trunked Radio), an interoperability standard designed to help various organizations communicate directly during emergency situations. Moreover, ASC's entire portfolio is available as a multi-tenanted Cloud-based offering, providing a permanent technology refresh without any risk or pre-investment in costly infrastructure.

About ASC

ASC is a worldwide leading software company with innovative solutions to record, analyze and evaluate communications. All multimedia interactions in contact centers, financial institutions and public safety organizations are documented and analyzed. The content of communications becomes transparent, critical information is generated and market trends are revealed, providing real-time business intelligence for immediate management action.

ASC solutions make customer experience measurable. Specific actions can be taken to significantly improve staff retention, increase corporate revenue and create sustained loyal customers. Thus, ASC's clients are always one step ahead of the competition.

ASC also offers its entire suite as a Cloud solution. Therefore, customers have the choice to retrieve Software as a Service, on demand and always up-to-date, without any risk or pre-investment, and in the most flexible manner.

With subsidiaries in the United Kingdom, France, Switzerland, the United States, Japan, Singapore and Dubai, as well as certified and vastly experienced distribution partners, ASC's ambitious projects span more than 60 countries. Headquartered in Germany, ASC is a powerful global player with an export quota of almost 70 percent and a worldwide service network.

For more information, contact:
ASC telecom AG • Seibelstrasse 2 - 4 • 63768 Hoesbach • Germany
Contact: Katrin Henkel, Manager PR & Communications
Phone: +49 6021 5001-264
Fax: +49 6021 5001-310
E-mail: k.henkel@asc.de
Internet: www.asctelecom.com
Source: RealWire

Media union backs Australian piracy blocking plan

A union representing media, artists, and journalists has endorsed the Australian government's proposal to block websites containing material that infringes copyright. In a submission to a government discussion paper, the Media, Entertainment, and Arts Alliance (MEAA) said rights-holders should be able to seek injunctions to block copyright-infringing websites. The submission, first reported on ZDNet, welcomes the government’s recognition that rights-holders cannot take enforcement action against overseas-based websites and that action needs to be directed at internet service providers (ISPs).

“Some ISPs will no doubt argue that consumers will get around the injunction by using proxy sites. However, clearly anything that makes piracy more complicated and time-consuming will reduce its incidence,” the MEAA said. The union calls for “extended authorisation liability” to penalise ISPs if they fail to take reasonable steps to remove information when notified of copyright infringements. “We note reports that, in the UK, where site blocking has been implemented, the use of Pirate Bay declined by 60% after it was blocked,” the MEAA said.

Legislative developments

The UK’s ruling on The Pirate Bay followed a High Court landmark ruling which ordered BT to block access to pirate content aggregator website Newzbin2. The Newzbin2 ruling set a precedent that made it easier for content producers to bring similar proceedings against UK ISPs that enable access to copyright-infringing sites. The MEAA’s submission is partly aimed at reducing the impact of a landmark 2012 High Court decision between iiNet and Roadshow Films, reports The Guardian. The court found iiNet had not authorised the infringement of Roadshow’s films that were downloaded by their customers using BitTorrent. But the decision has stymied the attempts of film companies to restrict access to file-sharing services, where dissemination of films and TV shows is widespread. “We believe that the government’s proposals will, with some modifications, provide an opportunity to address the failings of the legislation exposed by the iiNet judgement,” the MEAA said.

Protecting livelihoods

The union said that, while the Australian government's proposal may not eliminate piracy, seriously reducing copyright infringement will save many creative professionals’ livelihoods. MEAA said piracy is taking place on a commercial scale through predominantly overseas-based sites and represents a transfer of wealth away from Australia’s creative workers to illegal foreign websites. The most recent steps in the UK to protect creative content include an ad-replacement campaign on websites that provide unauthorised access to copyrighted content. The campaign by the Police Intellectual Property Crime Unit (Pipcu) aims to cut advertising revenues to such sites by replacing ads with warnings that the site is under criminal investigation. A UK anti-piracy campaign – aimed at educating people about copyright and legal ways to download digital content – is set to begin in 2015. Emails will be sent to UK internet users who pirate films and music, warning them that their actions are illegal. Those suspected of copyright infringement will be sent up to four warnings a year, but the campaign does not include punitive action. Earlier this year, music and film industry bodies backed away from demands for punitive measures – such as disconnecting offenders from the internet – in favour of an education campaign.

Backoff Malware Likely Cause of Suspected Home Depot Data Breach

NEWS ANALYSIS: If a data breach has actually occurred at Home Depot, which the company hasn't confirmed, it was likely caused by the Backoff malware, according to security experts. Security experts tell eWEEK that if an ongoing investigation confirms there has been a data breach at Home Depot, it was likely caused by the rapidly spreading Backoff malware. So far, all the company is saying is it may have been attacked but that it is still investigating whether a data breach actually took place. "We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate," the Home Depot officials said in a statement released to the media. "We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately," the statement said. The company also said that it would offer free identity protection services to any affected customers and that it would make an announcement once it determines whether a breach actually occurred. One security expert told eWEEK that apparently hackers have published lists of fresh credit card numbers lately, and that when those numbers were checked, they led to Home Depot. But there's still a big leap from a potential breach tied to credit card numbers offered for sale and confirming that Home Depot has sustained a breach. In addition, Home Depot has already begun outfitting its point-of-sale terminals with chip and PIN readers, which means that at least some customers may not be at risk if the breach took place. Security response teams at some of the card-issuing banks have already started buying back credit card numbers believed stolen in the suspected breach at Home Depot, according to John Zurawski, vice president of marketing for Authentify. 
However, he said that much of the risk could be avoided if the credit cards supported two-factor authentication. One means of providing such authentication is by issuing cards with an EMV chip that require a PIN to make purchases. Zurawski said that credit card companies can also implement phone-based two-factor authentication now to make sure that customers are aware of suspicious purchases using their smartphones or even their landline phones. Such an authentication process, which already exists at some card companies, happens when a consumer gets a phone call to confirm a purchase in progress. The way this works is that when a credit card, or a credit card number, is presented for a purchase, the customer receives a call asking whether they're really making that purchase, and if they are, they either confirm it verbally or press a number key on the phone. If the purchase can't be authenticated, it is not approved.

Brazilian, U.S. Web Users Targeted by Router-Hacking Group

Criminals use JavaScript to brute-force a user’s router password, change DNS settings and redirect victims to a banking scam. A Brazilian cyber-criminal group has attempted to hijack consumers' traffic and redirect victims to fake banking sites by changing their router settings, according to an analysis by security firm Kaspersky Lab. The attack, which appears to have affected 3,300 victims in three days, uses an email to lure potential victims to an attacker-controlled Website. When the victim goes to the site, the attackers use JavaScript to mount a dictionary attack against the victim's home router. The attack is not exploiting a particular vulnerability, but using the capabilities built into most browsers by default, Dmitry Bestuzhev, head of global research and analysis for Kaspersky's Latin America team, said in an email interview. "There is no vulnerability exploitation in this particular attack, (just the) 'normal' behavior that allows, via JavaScript, certain commands to execute in the browser which result in actions," he said. "If JavaScript is not allowed in the browser, (even though) the victim clicks on the malicious URLs ... the attack won’t be successful." While 60 percent of the victims are in Brazil, 22 percent are in the United States with smaller numbers spread throughout the world, according to the Kaspersky analysis. Cyber-criminals do not often focus on compromising routers, but recent research has shown home routers are often vulnerable. Outdated system software and the relative difficulty of updating the software as well as the use of weak passwords undermine the security of the devices. In 2008, two researchers showed that Flash content embedded in a Web page could be used to mount an attack on a victim's router. In 2013, researchers at security firm Rapid7 found that an estimated 50 million devices, including many in Brazil, were vulnerable to a flaw in the Plug-and-Play (PnP) protocol.
In the latest attack, the cyber-criminal group uses a script running on a compromised or malicious Website to guess default and popular user name-password combinations. If the victim has not changed their default password, then the attacker compromises the router. The victim does not need to have their router's Web page open in the browser for the attack to succeed. The guessing attempts will just happen in the background, invisible to the user. Only if the attack is unsuccessful will the malicious Web server use the script to outright ask for credentials, the analysis stated. "If you're using default credentials in your home router, there won't be an interaction and you'll never realize that the attack has occurred," the Kaspersky analysis stated. "If you're not using default credentials, then the Website will pop up a prompt asking you to enter it manually." Users should change the passwords on their routers and never give their user name and password to an untrusted Website, Kaspersky advises.

4chan adopts DMCA policy after nude celebrity photo postings

Site agrees to remove "bona fide" infringing material if asked.

AT&T Launches Cloud Storage for Federal Government Agencies

Features include a separate logical cloud for government data, which means government customer data will not co-exist with commercial data. Telecommunications giant AT&T announced a cloud-based storage solution designed to meet the security requirements of federal government agencies. The multitenant, community cloud offering has the same features, policies, capabilities and EMC Atmos technology as AT&T's commercial cloud storage offering but adds further security measures, including storage towers that are physically separated from other users' towers in the data center. "As is well-known, the security standards for federal government agencies are exceedingly high," Chris Smith, vice president of technology for AT&T, told eWEEK. "As a result, any offering to the federal sector needs to lead with security. That is, in this sector, security is not a benefit or a plus—it's the central consideration." Smith noted that with any cloud architecture, the efficiencies come from reduced infrastructure, hardware and operations cost, and pricing for STaaS (storage as a service) for the government will be offered in a tiered model. "This is a dedicated infrastructure for government-only agencies and data. The federal agencies get the advantage of a community infrastructure to drive lower costs," he explained. "What's significant about the AT&T STaaS offering for government is that it does not forgo security on any level—truly a best-of-both-worlds approach." Additional features include a separate logical cloud for government data, which means government customer data will not co-exist with commercial data, and a separate cloud portal partition for government agencies. In addition, all government agency customers and their authorized users are assigned RSA hard tokens for two-factor authentication. "I think it comes down to this—we are not simply providing a cloud platform in a data center. 
We are integrating the AT&T network with the cloud platform to deliver the best solution in terms of end-to-end security, performance and reliability," he said. "This is our differentiation relative to the competition." A recent survey of federal IT leaders conducted by MeriTalk sheds light on both the appetite for cloud conversion in the federal sector and the challenges agencies face regarding the logistics of such a move. While the survey found the federal government could save $18.9 billion annually by migrating services and applications to the cloud, only 41 percent of respondents said their agency is considering the cloud as part of their overall IT strategy. Additionally, 51 percent said they use the cloud only for a limited number of specific applications, and more than half of the feds gave their agency a "C" or below on progress toward the cloud.  

Appeals court says Yelp’s ad sales tactics don’t extort small businesses

The crowd-sourced review site merely engages in “hard bargaining,” court rules.

iCloud Photo Thefts Put Apple, Cloud Data Storage in Cross Hairs

Apple is performing damage control on one of the most embarrassing data breaches in recent memory. The personal iCloud accounts of a number of prominent movie stars and entertainers have been hacked, allowing the attackers to post nude photos of Hollyw...

Dealers attack Tesla, seek to remove electric car maker from Georgia

Flap with Georgia car dealers is the latest tussle over Tesla shunning franchises.

Verizon pays record fine for violating phone customers’ privacy rights

For seven years, Verizon marketed to customers without seeking their permission.

What Apple Needs to Do to Secure Its Users

NEWS ANALYSIS: Whether or not the celebrity nude picture hacking incident is related to iCloud, Apple can and should do more to protect users. At 2:30 ET on Sept. 2, Apple did something it normally does not do: It issued an emergency media advisory about a security risk to its users. The risk had been reported on by multiple media outlets, including eWEEK, over the previous 48 hours, as Hollywood celebrities had their personal privacy invaded and images stolen, allegedly from Apple's iCloud service. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple stated. "None of the cases we have investigated has resulted from any breach in any of Apple's systems, including iCloud or Find my iPhone." Apple is mincing words here. The statement claims that iCloud itself was not breached, yet that is the service that was holding the images. The statement claims that it was a "targeted attack," and yet it was not one or two celebrities that were hacked, but dozens. Furthermore, the statement claims the attack was on user names—which, in this case, is the AppleID, which, in fact, is a system under Apple's control. Make no mistake about it. A criminal act occurred here, and the hackers are responsible. That said, Apple also has a responsibility to protect users properly—from hackers and also from themselves. Digging a little deeper here, Apple is not yet giving us the full details of its 40-hour investigation, and it is not precisely known what tools were used in the targeted attack. One of the prevailing theories is that it was a brute-force attack that randomly and automatically guessed user names and passwords. Apple's statement that the iCloud and Find My iPhone systems were not directly breached does not negate that theory.
Another possibility is a simple phishing attack in which the hackers sent fake emails to the celebrities and got them to click on something. Such an attack could have potentially led to the credential disclosure. Whatever the case, there are things that Apple should and must be doing to protect its users against both brute-force and phishing attacks. While users can use complex passwords and common sense when clicking on links, Apple can go above and beyond that. Earlier this year at the Black Hat USA security conference, Yahoo Chief Information Security Officer Alex Stamos made a case for what he referred to as "security paternalism." That is to say, vendors can and should make security decisions on behalf of users to help protect them. It would be a good idea at this point for Apple to embrace Stamos' approach and take proactive security measures for users. In brute-force attacks, a technique known as rate-limiting, which limits the number of tries a user can make to connect, is one obvious mitigation technique. Also, assuming the users were already logging in to iCloud from their local locations, Apple could or should be able to determine that a remote log-in from a different location is likely a fraudulent attempt at access. Big data analytics techniques similar to those that banks and credit card vendors use to detect fraud by way of anomalous behavior might be used to limit the risk of phishing, as well.  If a user is asking for a full iCloud restore to a new device, while their existing devices are still active, there should be some kind of confirmation prompt sent to the user's email or phone.  If the iCloud backup is only able to back up and restore to a verified AppleID connected device, that's another possible step that might be able to limit risk. No doubt, Apple's security teams have even more ideas and techniques available to them to further improve user security. 
For all we know, Apple could already be executing on all the various techniques outlined above. The bottom line is that there is now fear, uncertainty and doubt in the minds of users around the world about Apple's security, and it is incumbent upon the tech giant to take every possible measure to restore trust and confidence. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
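The two mitigations the analysis asks for, rate-limiting password guesses and holding a login from an unfamiliar location until the user confirms it, sketched as an added Python example (not Apple's code or any real iCloud logic). Account names, IP addresses, regions and thresholds are constructed, and the `confirm` hook stands in for the email or phone confirmation step the article proposes.

```python
from collections import defaultdict, deque

# Policy thresholds; the values are constructed for this example, not Apple's.
MAX_ACCOUNT_FAILURES = 5   # wrong passwords per account within WINDOW before lockout
MAX_IP_FAILURES = 20       # wrong passwords from one source IP within WINDOW
WINDOW = 15 * 60           # sliding window, seconds
LOCKOUT = 30 * 60          # how long an account stays locked, seconds


class LoginGuard:
    """Rate-limits password guesses per account and per source IP, and holds a
    login from a region never seen for that account until confirmed out of band."""

    def __init__(self):
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.ip_failures = defaultdict(deque)       # source ip -> failure timestamps
        self.locked_until = {}                      # account -> unlock time
        self.known_regions = defaultdict(set)       # account -> regions seen on success

    @staticmethod
    def _prune(timestamps, now):
        while timestamps and now - timestamps[0] >= WINDOW:  # expire old failures
            timestamps.popleft()

    def attempt(self, account, ip, region, password_ok, now):
        """One login attempt at time `now` (seconds); returns 'locked',
        'ip_blocked', 'denied', 'confirm_required' or 'allowed'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"          # refuse before the password is even evaluated
        ip_fails = self.ip_failures[ip]
        self._prune(ip_fails, now)
        if len(ip_fails) >= MAX_IP_FAILURES:
            return "ip_blocked"      # one source spraying guesses across accounts
        acct_fails = self.account_failures[account]
        self._prune(acct_fails, now)
        if not password_ok:
            acct_fails.append(now)
            ip_fails.append(now)
            if len(acct_fails) >= MAX_ACCOUNT_FAILURES:
                self.locked_until[account] = now + LOCKOUT
                acct_fails.clear()
                return "locked"
            return "denied"
        known = self.known_regions[account]
        if known and region not in known:
            return "confirm_required"  # right password, unfamiliar location: hold it
        known.add(region)
        acct_fails.clear()
        return "allowed"

    def confirm(self, account, region):
        """Hook for the email/phone confirmation step; trusts the new region."""
        self.known_regions[account].add(region)


def simulate():
    """Constructed scenario: a normal login, then a guessing run from another
    IP that lands on the right password only after the account is locked."""
    g = LoginGuard()
    out = [g.attempt("alice", "203.0.113.9", "US-CA", True, 0)]          # allowed
    for i in range(4):                                                   # 4 wrong guesses
        out.append(g.attempt("alice", "198.51.100.7", "RU", False, 100 + i))
    out.append(g.attempt("alice", "198.51.100.7", "RU", False, 104))     # 5th -> locked
    out.append(g.attempt("alice", "198.51.100.7", "RU", True, 105))      # correct, still locked
    out.append(g.attempt("alice", "198.51.100.7", "RU", True, 105 + LOCKOUT))  # unseen region
    g.confirm("alice", "RU")                                             # user confirms
    out.append(g.attempt("alice", "198.51.100.7", "RU", True, 106 + LOCKOUT))  # allowed
    return out


def spray_demo():
    """Constructed: one IP guessing across many accounts trips the per-IP limit."""
    g = LoginGuard()
    for i in range(MAX_IP_FAILURES):
        g.attempt(f"user{i}", "192.0.2.1", "US-CA", False, i)
    return g.attempt("victim", "192.0.2.1", "US-CA", True, MAX_IP_FAILURES)
```

The per-IP counter is what catches a slow spray across many accounts that never trips any single account's limit; a production version would key on more than the source address, since the guesses can come from many hosts.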