Wednesday, November 22, 2017

Tag: Security Policy

Acquisition expands HyTrust's portfolio by automating security policy enforcement for workload data.
Venture capital infusion will be used to expand sales, marketing.
Your browser's security policy prevents a web page from making AJAX requests to a server in another domain.

This is also known as the same-origin policy.
In other words, browser security prevents a web page of one domain from executing AJAX calls against another domain. Here's where CORS (Cross-Origin Resource Sharing) comes to the rescue.

CORS is a W3C standard that lets you selectively relax the same-origin policy that browsers use to restrict access from one domain to resources belonging to another domain. You can enable CORS for your Web API using the respective Web API package (depending on the version of Web API in use) or OWIN middleware.
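The mechanism behind "enabling CORS" is the server answering an Origin header with Access-Control-* headers that the browser then honours. The following Python is an added illustration, not code from the article above or from the Web API/OWIN packages it mentions: a framework-agnostic handler that computes those headers against an origin allowlist, handles the OPTIONS preflight, and is shown beside the common misconfiguration of reflecting any Origin with credentials allowed. The origins, methods and headers in ALLOWED_* are constructed for the example.

```python
"""Origin allowlisting for a CORS-enabled API (added example; not the
article's or any framework's own code). A handler computes the CORS
response headers; any Web API / OWIN-style middleware would emit them."""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed values for the example.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "Authorization")
PREFLIGHT_MAX_AGE = "600"  # seconds the browser may cache a preflight result


def is_allowed_origin(origin: Optional[str],
                      allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> bool:
    """Exact match on scheme://host[:port]. No prefix, suffix or regex
    matching: those are what let lookalike origins through."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # an Origin header never carries a path
    return origin in allowed


def cors_headers(method: str, request_headers: Dict[str, str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Headers to add to the response. An empty dict means no CORS grant, so
    the browser keeps enforcing the same-origin policy for that page."""
    origin = request_headers.get("Origin")
    if not is_allowed_origin(origin, allowed):
        return {}
    out = {
        # Echo the one matched origin; never "*" when credentials are allowed.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must not hand one origin's grant to another origin.
        "Vary": "Origin",
    }
    requested = request_headers.get("Access-Control-Request-Method")
    if method == "OPTIONS" and requested:  # this is a preflight request
        if requested not in ALLOWED_METHODS:
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return out


def cors_headers_reflecting(method: str,
                            request_headers: Dict[str, str]) -> Dict[str, str]:
    """The weak configuration: echo whatever Origin arrives and allow
    credentials. Every site a user visits can then read the API's
    authenticated responses in that user's browser."""
    origin = request_headers.get("Origin")
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    print(cors_headers("GET", {"Origin": "https://app.example.com"}))
    print(cors_headers("GET", {"Origin": "https://other.example.net"}))
    print(cors_headers("OPTIONS", {"Origin": "https://admin.example.com:8443",
                                   "Access-Control-Request-Method": "PUT"}))
```

The allowlist compares the whole origin string, so a different scheme, port or a lookalike host is rejected, and the Vary: Origin header keeps a CDN from replaying one origin's grant to another.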
The first steps towards developing a common set of security guidelines for the public sector are being taken
There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles.
Illumio's platform sets the correct security policy and auto-manages enforcement across applications, workloads and processes as they are provisioned.
Cisco launches new version of its Tetration Analytics platform providing automated security policy enforcement capabilities.
GitHub celebrates the third anniversary of its Bug Bounty program, with bonus rewards for security disclosures, as the program continues to help the popular code development platform stay secure.

In January 2014, the GitHub distributed version control code repository first launched a bug bounty program, rewarding security researchers for responsibly disclosing software vulnerabilities. Now, three years later in January 2017, GitHub is celebrating the third anniversary of its bug bounty program, with bonus rewards for the top submissions made in January and February.

The current GitHub bug bounty platform runs on the HackerOne platform. Greg Ose, GitHub's Application Security Engineering Manager, explained that GitHub moved to HackerOne in April 2016.

"We have developed API integrations with HackerOne to kick off our internal triage with developers and to maintain our bounty website at bounty.github.com," Ose told eWEEK. "Bounty.github.com still includes our program's leaderboard and detailed write-ups for submissions."

Over its three-year existence, the bug bounty program has worked out well for both GitHub and participating security researchers. In the first two years of the program, GitHub paid out a total of $95,300 in bug bounties across 102 submissions. Ose noted that in the third year of the program, GitHub paid out a total of $81,700 for 73 submissions.

Looking at all the different issues that have come into the bug bounty program, several have really stood out. Ose said that one issue that helped define a major focus area for application security at GitHub was a report received in February 2014. The report detailed a dangerous Cross-Site Scripting (XSS) vulnerability on the main GitHub.com website.

"We had worked to harden GitHub.com against various cross-site scripting (XSS) attacks using a, then recent, browser feature called Content Security Policy (CSP)," Ose explained. "The submitter was able to not only demonstrate a content injection vulnerability within GitHub.com, but also detailed a bypass to our existing CSP to allow JavaScript execution."

After fixing the issue, GitHub used the vulnerability as an example to lock down the restrictions enforced by CSP and to implement new browser security features. Ose said that the new features aim to help prevent content injection vulnerabilities from escalating to JavaScript execution or to the exfiltration of sensitive information from GitHub's web pages. He added that GitHub's engineering team has been documenting some of its CSP efforts online and the plan is to publish additional details of protections GitHub has continued to implement.

While GitHub is an online repository for projects, at its core, the site makes use of the open-source Git version control system, originally developed by Linux creator Linus Torvalds.

"While less common than submissions in our web applications, we have received, paid out, and fixed vulnerabilities in Git," Ose said. "Luckily, a number of core Git developers are also employees at GitHub so we've been able to quickly contribute fixes for these issues upstream."

Anniversary Contest

For the third anniversary of the GitHub bug bounty program, there is a contest that will award additional prize money for the best security reports. Ose said that the contest will end on February 28th, 2017, with the most severe vulnerabilities reported winning the top prizes. The top prize in the contest is a $12,000 award, second place is $8,000 and third prize is $5,000.

"Typically, vulnerabilities such as SQL injection, gaps in authorization, and system level vulnerabilities, like remote code execution, net the highest severity and payouts," Ose said.

Additionally, Ose noted that GitHub has also set aside a $5,000 reward for the best report. He explained that sometimes GitHub receives reports that might not have the biggest technical impact, but that are unique in their nature or just really well described by the reporter.

Looking forward, Ose said that GitHub is always looking to expand its bug bounty program, both in application scope as well as participation by the security community. For example, as of January 2017, the program includes the GitHub Enterprise platform as a target for security researchers.

"We will also be launching very focused bug bounties, with increased payouts, for specific features of our applications," Ose said. "For example, as we utilize new browser security features, we would like researchers to focus on these specific protections."

"Submissions in these focused areas allow us to not only improve our implementation, but also help us contribute back best practices to other development and application security teams," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Where's the defense and cyber-weapon procurement budget going, Mr. President-elect? (Photo: Getty Images | Joe Raedle)

Since Election Day, President-elect Donald Trump has taken an inordinate interest in some of the minutia of defense policy. His tweets (particularly about the F-35 Joint Strike Fighter and the Air Force One presidential aircraft replacement program) have sent shockwaves through the defense industry. The same is true of the cyber realm—particularly in his treatment of the intelligence community that currently dominates the US' cyber-defense capabilities.

The one thing that is certain is that Trump wants more muscle in both departments, urging an increase in the number of troops, ships, planes, and weapons deployed by the Department of Defense; the end of defense budget sequestration; and an expansion of the US nuclear and ballistic missile defense arsenal. And he has also pledged a new focus on offensive "cyber" capabilities, as outlined by his campaign, "to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."

That sort of aggressive posture is not a surprise. But the policies that will drive the use of those physical and digital forces are still a bit murky. Considering the position Trump has taken regarding the North Atlantic Treaty Organization (NATO) and his attitudes toward Russia, Trump's statements may hint at a desire for a Fortress America—armed to the teeth and going it alone in every domain of conflict.

Saddle up

While not quite on a Reagan-esque scale, the Trump surge would (based on his statements) bring forces back above their active size during the wars in Afghanistan and Iraq (though less than during the 2007 "surge" period of the Iraq War). Trump declared that he'll add about 60,000 more active duty soldiers to the Army, increase the Navy's fleet to 350 ships, increase the Marine Corps' strength by over a dozen battalions (roughly 12,000 Marines), and "provide the Air Force with the 12,000 fighters they need."

On the strategic front, Trump has tweeted that he wants to expand and improve the US military's nuclear capabilities, modernizing and increasing weapons to improve their deterrent value. The modernization effort had already been queued up by President Barack Obama's administration, including the new Long Range Strike Bomber program awarded to Northrop Grumman. But those investments have been at the expense of other military (particularly Air Force) programs.

Trump has also proposed investment in a "serious missile defense system" based on updating the Navy's Ticonderoga-class guided missile cruisers' Aegis systems and building more Arleigh Burke-class guided missile destroyers. The ballistic missile defense version of Aegis and the Standard Missile 3 (RIM-161) missile it controls are currently only capable of intercepting short- and intermediate-range ballistic missiles, not intercontinental ballistic missiles; to have a chance at taking down a US-targeted threat from North Korea, for example, they would have to be very close to the launch site and hit it early in its launch (the boost phase).

How will Trump pay for all this hardware? By "conducting a full audit of the Pentagon, eliminating incorrect payments, reducing duplicative bureaucracy, collecting unpaid taxes, and ending unwanted and unauthorized federal programs," whatever those might be. There's certainly some room in the budget to be gained through increased administrative efficiency, as a Defense Business Board report found that the DOD could save as much as $125 billion in overhead (though that number may have been slightly inflated, as it was based on corporate, and not military, business models).

Cyber up

On the cyber side, it appears Trump wants to put the military on point for cyber defense. The campaign platform pushed for the DOD to place a new emphasis on offensive capabilities, including making enhancements to the US Cyber Command—currently led by NSA Director Admiral Mike Rogers—to increase its offensive punch and turn it into an effective cyber-deterrence force. "As a deterrent against attacks on our critical resources, the United States must possess the unquestioned capacity to launch crippling cyber counter-attacks," Trump said in a speech in October.

Just exactly how that would work isn't clear. Given the difficulty of attribution—a point Trump made repeatedly in his castigation of intelligence findings of Russian interference in the election—the kind of very attributable cyber force that US Cyber Command would wield as part of the Strategic Command would likely not act as much of a deterrent to low-level intrusions, espionage, and information operations. Yet those make up the majority of what has recently been dumped into the "cyberwarfare" shopping cart.

Trump's policy outline also calls for the Joint Chiefs of Staff to participate in Trump's vaunted "Cyber Review Team," contributing experts to evaluate "all US cyber defenses"—including critical infrastructure in the private sector—alongside law enforcement and experts from private industry. The Cyber Review Team, which may or may not have anything to do with the group being headed by former New York City Mayor Rudy Giuliani, has a big mandate:

The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats and will follow up regularly at various federal agencies and departments. The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber-attack.

On the domestic end, the Trump administration would seek to take the same model that has been applied to terrorism to the cyber side, creating joint task forces that put Department of Justice, FBI, and Department of Homeland Security personnel alongside state and local law enforcement to respond to "cyber threats."

Nothing Trump or his proxies have said indicates any policy around shaping what "norms" in the world connecting the digital to the physical should be. If anything, Trump's position seems to be that a cyber-armed world is a polite world—or at least one that will be polite to the United States, the only confirmed state cyberwar actor to hit another nation's infrastructure (aside from squirrels).

The eyes have it

It will take some time to see how Trump's indifference toward the US' obligations toward allies will affect overall defense and cyber-security policy. But if reports are true regarding US intelligence officials warning allies of Trump's Russia ties and if Trump goes forward with weakening the US involvement in NATO, his views could significantly affect both—especially in the realm of digital intelligence collection. A weakened relationship with the other members of the "Five Eyes" group—the UK, Australia, New Zealand, and Canada—on a military level could impact the National Security Agency's (and the CIA's) ability to collect intelligence from infrastructure that has up until now been widely shared.

Only one thing is for certain: the defense industry should be expecting an aircraft carrier full of dollars headed in their direction.
GoDaddy, one of the world’s largest domain registrars and certificate authorities, revoked almost 9,000 SSL certificates this week after it learned that its domain validation system has had a serious bug for the past five months. The bug was the result of a routine code change made on July 29 to the system used to validate domain ownership before a certificate is issued.

As a result, the system might have validated some domains when it shouldn’t have, opening the possibility of abuse. Industry rules call for certificate authorities to check if the person requesting a certificate for a domain actually has control over that domain.

This can be done in a variety of ways, including by asking the applicant to make an agreed-upon change to the website using that domain. Some CAs ask certificate applicants to create a publicly accessible file with a unique code or token on their web server at a predetermined location.
In GoDaddy’s case, the company asked applicants to place a file with the name <code>.html—where the code is a unique random alphanumeric one—in their web server’s root folder. Prior to the introduction of the bug, the CA’s automated domain validation system tried to access this agreed-upon file on the applicant’s web server via HTTP or HTTPS.
If the server responded with HTTP status code 200 (success) the validation tool looked for the code inside the response body and validated the domain. The bug caused the system to ignore the HTTP status code and this was problematic because many web servers are configured to return the original requested URL inside the body of 404 (not found) errors.

And since the requested URL contains the secret code in the form of the file name, GoDaddy’s system validated domain names even if the file itself was actually missing from the server. This problem had an impact on less than 2 percent of certificates issued since the bug was introduced and affected around 6,100 customers, Wayne Thayer, vice president and general manager of security products at GoDaddy, said in a blog post Tuesday. However, in a message to Mozilla’s security policy mailing list Wednesday, Thayer said that the company revoked a total number of 8,951 certificates for which it couldn’t re-validate the domains because the validation files were missing. The owners of these certificates will get replacement ones for free, but they need to log into their GoDaddy accounts and initiate the certification process from the SSL panel. If malicious attackers had knowledge of this issue, they could have obtained fraudulent certificates for domain names they don’t own or control.

According to Thayer, the company is currently unaware of any incident where this bug was exploited to obtain certificates without authorization. The issue was initially reported to GoDaddy by Microsoft, one of its resellers, who learned about it from one of its own customers, Thayer said. “The customer who discovered the bug revoked the certificate they obtained, and subsequent certificates issued as the result of requests used for testing by Microsoft and GoDaddy have been revoked.” One user on the Mozilla mailing list pointed out that even without this bug, GoDaddy’s domain validation implementation would still be vulnerable because some web servers are configured to respond with HTTP status code 200 even when the requested resource doesn’t exist. On Wednesday, GoDaddy decided to completely stop using this method of file-based domain control validation, but it’s not clear how many other CAs are using similar validation methods that might allow attackers to obtain certificates for domains they don’t own. The CA/Browser Forum, an organization that creates the regulations governing certificate issuance, has been aware of this issue since at least April last year.
It has drafted new rules according to which the secret codes used to validate domains must not appear in the requests used by CAs to retrieve the files or webpages containing them.

These updated rules will go into effect on March 1st.
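The failure chain above is small enough to reproduce end to end: a validator that fetches `/<code>.html`, a default error page that echoes the requested URL, and a status-code check that was silently dropped. The Python below is an added illustration, not GoDaddy's code and not taken from the articles above. It models the applicant's web server as a fetch function over a constructed set of published files, and runs three validators against it: the post-July-29 behaviour (status ignored), the original behaviour (status required), and a check in the spirit of the CA/Browser Forum rule, where the secret never appears in the request. The well-known path used by that last check is an assumption of the example, not a path any CA is known to use.

```python
"""Simulated file-based domain control validation, constructed to show the
GoDaddy validation bug and why the status-code check alone was not enough.
Added example; none of this is GoDaddy's code."""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_ALPHABET = string.ascii_letters + string.digits
# Assumed fixed request path for the hardened check (example only).
CHALLENGE_PATH = "/.well-known/pki-validation/challenge.txt"


@dataclass
class HttpResponse:
    status: int
    body: str


# A "web server" is modelled as fetch(path) -> HttpResponse.
Fetch = Callable[[str], HttpResponse]


def new_token(length: int = 32) -> str:
    """Unique random alphanumeric code handed to the applicant."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def make_server(files: Dict[str, str], soft_404: bool = False) -> Fetch:
    """Constructed stand-in for the applicant's web server.

    files    -- paths the applicant actually published, mapped to content
    soft_404 -- if True, missing paths still get status 200 (misconfigured)
    The not-found page echoes the requested URL, as many default error
    pages do; that echo is what the bug turned into a validation bypass.
    """
    def fetch(path: str) -> HttpResponse:
        if path in files:
            return HttpResponse(200, files[path])
        body = (f"<h1>Not Found</h1><p>The requested URL {path} "
                "was not found on this server.</p>")
        return HttpResponse(200 if soft_404 else 404, body)
    return fetch


def validate_buggy(fetch: Fetch, token: str) -> bool:
    """Behaviour after the July 29 change: the status code is ignored.
    The token is the file name, so an echoing 404 body contains it."""
    resp = fetch(f"/{token}.html")
    return token in resp.body


def validate_fixed(fetch: Fetch, token: str) -> bool:
    """Pre-bug behaviour: require 200, then look for the token in the body.
    Still fooled by servers that answer 200 for every path."""
    resp = fetch(f"/{token}.html")
    return resp.status == 200 and token in resp.body


def validate_v2(fetch: Fetch, token: str) -> bool:
    """Check in the spirit of the CA/Browser Forum rule: the secret never
    appears in the request, and the body must equal the token, not merely
    contain it, so no echoed request data can satisfy the check."""
    resp = fetch(CHALLENGE_PATH)
    return resp.status == 200 and resp.body.strip() == token


def run_scenarios(token: str) -> Dict[str, Dict[str, bool]]:
    """Outcome (True = certificate would be issued) of each validator
    against three applicant servers."""
    servers = {
        "owner_published_file": make_server({f"/{token}.html": token,
                                             CHALLENGE_PATH: token}),
        "no_file_echoing_404": make_server({}),
        "no_file_soft_404": make_server({}, soft_404=True),
    }
    validators = {"buggy": validate_buggy, "fixed": validate_fixed,
                  "v2": validate_v2}
    return {name: {vname: check(fetch, token)
                   for vname, check in validators.items()}
            for name, fetch in servers.items()}


if __name__ == "__main__":
    t = new_token()
    for server, results in run_scenarios(t).items():
        verdicts = {k: ("issue" if ok else "refuse") for k, ok in results.items()}
        print(f"{server:22s} {verdicts}")
```

Running it shows the three states the articles describe: the buggy validator issues in every scenario, the status-checking validator refuses the echoing 404 but still issues for the always-200 server raised on the Mozilla list, and only the check that keeps the secret out of the request refuses both.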
Privacy compliance is now mission critical.

Third-party suppliers that fail to meet data protection mandates will be excluded from doing business in lucrative vertical markets. The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule and the Federal Information Security Management Act (FISMA) have introduced an unprecedented emphasis on third-party compliance.

For those providing services within the healthcare sector or to the federal government, privacy compliance is now mission critical.

Although vendor compliance has long been clouded in ambiguity, these directives provide much needed and long-overdue clarity to the vast vendor community. Unfortunately, many vendors have yet to address their compliance obligations and are now scrambling to salvage customer relationships.

Federal regulators, awakened by the expansion of outsourcing and the unending drumbeat of vendor breaches, have turned their focus directly toward service providers and the risks they pose.

The result is that vendors face a new and stark reality: comply or good-bye.

Those that fail to meet specific data protection mandates ultimately will be excluded from doing business in these lucrative vertical markets.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule represents a dramatic change to healthcare regulation and jolted the vendor community.

Although enacted in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the effective date was postponed until September 2013.

The Omnibus Rule addresses important issues such as disclosure and patient rights, but the most significant change, from a data protection perspective, relates to the responsibilities of "business associates" — any entity that "creates, receives, maintains or transmits protected health information on behalf of a health care provider or insurer." Before September 2013, healthcare vendors were required to meet minimal data protection standards, while hospitals, health clinics, and insurance plans were subject to the full scope of HIPAA's Privacy and Security Rules.

The Omnibus Rule, however, subjects vendors to requirements that had previously applied only to covered entities.

Therefore, vendors must implement a combination of administrative, technical, and physical safeguards to ensure the security of protected health information or be exposed to the consequences of a regulatory violation. Specifically, vendors are required to:

- Conduct a formal risk assessment
- Implement measures to mitigate internal and external risk
- Implement written policies governing the security of protected health information
- Conduct data security training for all employees
- Restrict physical access to storage of protected health information
- Protect workstations and electronic media
- Implement technologies to prohibit unauthorized access
- Log all electronic access of protected health information
- Secure electronically transmitted protected health information

In addition to experiencing disruption of customer relationships, healthcare vendors are now exposed to significant financial penalties from the Department of Health and Human Services for failure to comply with HIPAA.
Should you doubt the government's resolve in enforcing the rigorous business associate requirements, several vendors have been fined in excess of $500,000 since the implementation of the Omnibus Rule.

FISMA

FISMA was enacted in 2002 as a framework for ensuring the security of systems that support government operations.
It requires all federal agencies, entities administering federally funded programs, federal grant recipients, and government contractors to develop, document, and implement a program to secure federal information and corresponding systems.

FISMA mandates that those subject to the law implement "baseline security controls" through a combination of managerial, operational, and technical measures and is aligned with NIST 800-53, the National Institute of Standards and Technology's outline of security controls for federal information systems. Although third-party service providers have been subject to FISMA since its enactment, vendor compliance has been prioritized over the past few years.

This development has prompted government contractors to pursue FISMA compliance or risk exclusion from the federal vendor community.

Enforcement of FISMA's third-party standard is being performed primarily through the procurement process, with all prospective vendors required to attest to adherence with rigorous data security controls when responding to a solicitation.

The specific language within contract awards mandates that vendors submit evidence of FISMA compliance in the form of monthly, quarterly, and annual deliverables. Accordingly, if your company is doing business with a government agency, you will be required to provide detailed and ongoing evidence of compliance.

Additionally, agencies are increasingly deploying audit teams to perform on-site verification of a vendor's control environment. The following list, taken directly from a Federal Highway Administration RFP, details the specific documents that vendors must provide as evidence of FISMA compliance:

- Security assessment: formal evaluation of control environment (annual)
- Plan of action: plan to mitigate assessment findings (quarterly)
- System security plan: documentation of all controls (annual)
- Security categorization: impact level of each system (annual)
- System contingency plan: documentation of redundancy (annual)
- Security policy and workforce training records (annual)
- Interconnection agreements from sub-contractors (annual)

The New Reality

Although meeting the enhanced requirements of HIPAA or FISMA will entail additional resources, third-party service providers should view this as a critical, long-term investment.

The reality is that vendors operating within highly regulated industries must be capable of demonstrating compliance to each customer.

Therefore, those who are unable to meet the new regulatory mandates will find themselves on the outside, looking in.

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...
According to a new study of the top one million domains, 46 percent are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. The big problem is that even when a website is managed by a careful company, it will often load content from other sites, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security, which sponsored the report, which was released this morning. For example, news sites—50 percent of which were risky—typically run ads from third-party advertising networks. And it’s not just ads. “The Economist, for example, has a plugin that does a popup if you are using an ad blocker,” said Guruswamy. “And that popup had malware in it.
I bet The Economist had no idea that their website was hacked.” In fact, unintentional, background requests for additional content outnumber intentional requests by actual human users by 25 to one, according to the report. So an enterprise that blocks its users from accessing domains by category, or only allows certain approved categories of domains, would not pick up on the problem because The Economist is a reputable, useful news site. “And a lot of enterprises are using security products based on the category of content being delivered,” Guruswamy added. “You get the link and you click on it, and it’s a phishing page, but the security policy allows it because it’s a news site.” The malicious site can then deliver a drive-by malware download, or it can serve up a spoofed banking page and harvest account credentials, he said. News and media sites were most likely to be risky, at 50 percent, followed by entertainment sites at 49 percent, and travel sites at 42 percent. The largest source of risk was vulnerable software.

About 36 percent of all websites were either running vulnerable software, or getting content from other locations running vulnerable software. “What we designed is a passive scan of the page that would identify the type of software the site was running, and not just the main site, but all the sites the page is loading,” said Guruswamy. “And then we’d look up the software version in the national vulnerability database and check for known vulnerabilities.” The next biggest risk factor was if a website was known to be malicious, or pulled content from a malicious domain.

About 17 percent of the top million Alexa websites fell into this category. For example, the single largest category of known-bad sites was pornography, with nearly 38,000 websites known to deliver phishing or other attacks.

But pornography ranked far down the list when it comes to vulnerable software—the business and economy category actually had the most sites with known vulnerabilities, at more than 82,000, followed by society, personal sites and blogs, shopping, news and media. Finally, 3 percent of sites had experienced a recent security incident. Guruswamy suggested that enterprises look beyond simple website categorization strategies to protect their users from phishing attacks since the bad guys have, in effect, half the Internet at their disposal. Enterprises that host websites should also step up and do more to protect their visitors, including making sure that all their software is up to date, and the sites that they embed content from also are current. For example, nearly 70,000 of the top million websites run the vulnerable nginx 1.8.0 server software.

The next most dangerous software is Microsoft’s IIX 7.6 web server, which dates back to 2009. 2010’s PHP 5.3.29 is in third place, with nearly 32,000 websites. This story, "Nearly half of all websites pose security risks" was originally published by CSO.
Press Release

Challenge to globalisation and free trade highlighted by US election and Brexit referendum ushers in year of heightened strategic uncertainty for business

The distinction for businesses between perceived safe domestic markets and foreign ones rife with challenges has become marginal as risks increasingly come home through political, cyber and terrorism threats

A US-led brake on regulation could transform the global regulatory environment

London, Monday 12 December, 2016.

Control Risks, the specialist risk consultancy, today publishes its annual RiskMap forecast, the leading guide to political and business risk and an important reference for policy makers and business leaders. Richard Fenning, CEO, Control Risks, said: “The unexpected US election and Brexit referendum results that caught the world by surprise have tipped the balance to make 2017 one of the most difficult years for business’ strategic decision making since the end of the Cold War. “The catalysts to international business – geopolitical stability, trade and investment liberalisation and democratisation – are facing erosion.

The commercial landscape among government, private sector and non-state actors is getting more complex.” The high levels of complexity and uncertainty attached to the key political and security issues for the year, highlighted by RiskMap, mean that boards will need to undertake comprehensive reviews of their approaches to risk management. Control Risks has identified the following key business risks for 2017:

Political populism exemplified by President-elect Trump and Brexit.

The era of greater national control of economic and security policy ushered in by the US election and Brexit provides increased uncertainty for business leaders.

Caution prevails because of the lack of political policy clarity from the USA and UK and the impacts on the global trading and economic environment, as well as geopolitics. Political sparks will fly as the new presidency places pressure on the economic relationship between the US and China, vital for the stability of the global economy; and the US withdrawal from the Trans-Pacific Partnership threatens to redraw Trans-Pacific commerce.

The calls across Europe for further referendums on EU membership are causing nervousness, and populism in other parts of the world such as sub-Saharan Africa is adding fuel to investor risk.

Persistent terrorist threats.

The threat of terrorism will remain high in 2017 but become more fragmented.

The eventual collapse of Islamic State’s territorial control in Syria and Iraq will lead to an exodus of experienced militants across the world. Responding to terrorism is becoming ever more difficult for businesses; risk adjustment is critical, including big data solutions and reviews of potential insider radicalisation, physical security and scenario planning.

Increasing complexity of cyber security.

2017 will see the rise of conflicting data legislation: US and EU data protection regulations remain at odds; the EU’s Single Digital Market is isolationist; and China and Russia are introducing new cyber security laws.

This will lead to data nationalism, forcing companies to store data locally, at increased cost, as they are unable to meet regulatory requirements in international data transfer.

E-commerce will be stifled.

Fears of terrorism and state sponsored cyber-attacks will exacerbate national legislation, adding burden to businesses.

A potential brake on US regulation could lead to a transformation of the global regulatory environment.

The US adherence to the Paris climate accords is under question, the Dodd-Frank Act could be modified substantially and the Foreign Corrupt Practices Act is not off limits, either.

This could have a domino impact on regulation around the world.

Intensifying geopolitical pressures driven by nationalism, global power vacuums and proxy conflicts.
Syria, Libya, Yemen and Ukraine are likely to remain intractable conflicts and the Middle East will continue to be shaped by friction between Saudi Arabia and Iran; China’s increased focus on diplomacy and military influence will extend from Central Asia and the Indian Ocean to sub-Saharan Africa; and North Korea’s systematic nuclear capability development is upending a relatively static regional and global nuclear status quo. Richard Fenning continued: “Digitalisation and the internet of everything take risk everywhere and the distinction between safe home markets and dangerous foreign ones has largely gone.

The sheer mass of stored data, teetering on a fulcrum between asset and liability, has shifted the gravitational centre of risk. “Terrorist attacks across continents in 2016 made possible in large part by the internet have shown that Islamist inspired violence can be planned and carried out anywhere in the world. “With the seismic shift in risk scenario planning now required by businesses, we can expect the competitive playing field in many industries to see significant change as organisations respond in different ways to the multitude of complexities facing them.”

Ends

For further information please contact:
Georgina Parkes, georgina.parkes@controlrisks.com
Simon Barker, sbarker@barkercomms.com

Note to Editors: About Control Risks

Control Risks is a global risk consultancy specialising in political, security and integrity risk.

The company enables its clients to understand and manage the risks of operating in complex or hostile environments.

Through a unique combination of services, wide geographical reach and by adopting a close partnership approach with clients, Control Risks helps organisations effectively solve their problems and realise new opportunities across the world.

www.controlrisks.com