Security Software & Tools Tips – February 2019

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen the following:
* IBM QRadar
* Snyk
* Haven
* HashiCorp Vault
* Nikto

IBM QRadar

Information from the IBM QRadar website:

QRadar Community Edition is a free version of QRadar that is based off of our core enterprise SIEM. Users, students, security professionals, and app developers are encouraged to download QRadar Community Edition to learn and become familiar with QRadar.

Website:

https://developer.ibm.com/qradar/ce/

Snyk

Information from the Snyk website:

A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.

Website:

https://snyk.io/

Haven

Information from the Haven website:

Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy. It is an Android application that leverages on-device sensors to provide monitoring and protection of physical spaces. Haven turns any Android phone into a motion, sound, vibration and light detector, watching for unexpected guests and unwanted intruders. We designed Haven for investigative journalists, human rights defenders, and people at risk of forced disappearance to create a new kind of herd immunity. By combining the array of sensors found in any smartphone, with the world’s most secure communications technologies, like Signal and Tor, Haven prevents the worst kind of people from silencing citizens without getting caught in the act.

Website:

https://guardianproject.github.io/haven/

HashiCorp Vault

Information from the HashiCorp Vault website:

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

Website:

https://www.vaultproject.io/

Nikto

Information from the Nikto website:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Website:

https://cirt.net/Nikto2

Microsoft IIS DoS, patch install not enough

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Microsoft announced a bug in Internet Information Services (IIS) where malicious HTTP/2 packets would consume 100% CPU until the service was restarted. Microsoft has published patches that allow an IIS administrator to mitigate this vulnerability, but they do not define any sane default values for the thresholds in question, so installing the patch by itself is not enough. The patch only enables the options for setting threshold values; it does not set them. Fortunately this is purely an attack on availability, a so-called Denial of Service (DoS) attack, so you will know when you are being attacked and when the attack is over. It does not affect the confidentiality of stored data or the integrity of the published website.

SECURE PAYMENTS WITH PAYEX

Why PayEx chose Basefarm to help build and run their PCI DSS operational platform

PayEx needed to design, build and run their state-of-the-art Nordic payment solution, delivering robustness, flexibility and cost efficiency. The platform needed to be PCI DSS compliant, as it exchanges, processes and stores huge amounts of card data and financial information. The solution is mission critical, and margins and reputation are built over time by delivering payment services with high quality, competence and value. They needed a secure and stable environment, and a partner with solid systems for operations and interaction, as well as an “advisor” on technology.

Basefarm designed the platform in close collaboration with PayEx. Since the PCI solution went live in the summer of 2011, it has passed 300 million transactions with excellent performance, peaking at around 1.3 million transactions per day. PayEx uses Basefarm actively and proactively in decision-making about the environment and other technology-related challenges.

8 security trends 2019

True to tradition, Basefarm’s Head of Security Operation has looked deep into his crystal ball to see what the new year holds. Here are 8 security trends to look out for in 2019.

1. Workforce gap necessitates different solutions

According to the (ISC)2 organisation, we have a shortage of three million cybersecurity professionals. Without the shortfall, the organisation’s 138,000 membership would be even larger. Europe alone has a workforce gap of 147,000. The shortfall calls for a different approach to meeting security needs, for example, through competence-sharing with other enterprises or security operations centres (SOC).

2. DDoS attacks are becoming less common but more powerful

Distributed Denial of Service (DDoS) attacks are a major worry. Initially, this type of attack was designed to sabotage, but the aim nowadays is often to steal important data and then blackmail the victims. The trend among perpetrators is not to spread their efforts widely, but rather to focus the attacks more aggressively.

3. Cryptojacking less risky for the attackers than DDoS

The downside for the bad guys of DDoS and many other cyberattacks is the risk of discovery. For this reason, many are turning to cryptojacking instead. Cryptojacking involves infiltrating a large number of computers in order to “mine” cryptocurrency. It is a quick way for cybercriminals to earn money, by getting thousands of computers to work for them for free. There’s no obvious damage done and many people are scarcely aware of the extra processing power and electricity used. If the victims discover the intrusion, they will often just be content to block access.

4. IoT made for trouble

The security issues linked to IoT are not new, but the trend is from bad to worse. This is caused, in simple terms, by a steep rise in sales of IoT gizmos. Not only are unit sales increasing, but more manufacturers are also trying to join in the fun. Not all of them take security as seriously as the established big brands. The key concerns here are configuration errors, default passwords and a lack of upgrade options.

5. And you thought GDPR was strict? Now NIS is on the way

GDPR sets a deadline to notify impacted individuals of 72 hours from detection of a data breach. Looking the other way and detecting nothing is not a solution. Businesses therefore need to monitor infrastructure and logs using an in-house or external SIRT (Security Incident Response Team). In certain sectors, breach reporting needs to be done within 24 hours. Key aspects of the NIS Directive apply from November 2018. A lot of businesses will need to get their heads round this.

6. Safer in an unlit back alley than online

According to the UK’s Office for National Statistics, you are 30 times more likely to be robbed online than in ‘real’ life. With people’s purses and wallets containing little more than easily blocked credit cards, street robbery is going out of fashion. Money is moving over to cyberspace, with the thieves hot on its tail.

7. Decryption is sneaking up from down under

The Australian Anti-Encryption Bill was passed on 6 December 2018 and comes into force early in 2019. Under the legislation, the law enforcement authorities can oblige tech giants like Google, Facebook, WhatsApp, Amazon and Microsoft to grant them access to encrypted data. The measures include removing electronic protection, installing existing decryption software and developing new software. Serious financial penalties await non-compliant companies.

8. IT pros and the white hats strike back

Some of the largest and best-known cyberhacks have been down to sloppy IT practices. The black hat hackers are becoming more sophisticated, but so too are the white hat hackers and other infosec professionals. Measures that go a long way to protect enterprises include scanning applications and fixing detected vulnerabilities, two-factor/multi-factor authentication, more user names and long passwords, patching/installation of security updates, and controlling user curiosity about funny-looking emails.

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also led the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: http://bfblogg.wpengine.com. Twitter: @fredriksvantes.

Multi-factor authentication time?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

With billions of user credentials being freely distributed online it’s high time to implement multi-factor authentication as the default way to authenticate.

Wired has written an article about the magnitude of leaks:

“Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all.”

How to improve control and save cost with Service Organization Controls (SOC) reports.

All types of outsourcing of IT services, whether it’s to a local service provider or a global hyperscale cloud provider, have this in common: You can outsource a business process, but you cannot outsource the ownership of your business’s risk.

That is why most companies that outsource must find ways to ensure their service providers are performing according to the rules, the standards and the laws that your business requires.

Traditionally, the way this works is that the companies include “right-to-audit” clauses in their contracts with the service providers. And then, typically once a year, this right is exercised, by having IT auditors visiting the service provider to have a closer look at their set-up, the services they provide, the sites, infrastructure, operational processes, system support and people.

In today’s hybrid, complex and distributed IT world, on-site audits are only able to focus on a very limited set of controls, or they will be extremely time-consuming and expensive. As the contracting party, you normally must cover expenses for IT auditors, your own staff that spends time on preparing, attending and interpreting findings, as well as paying your service provider for the time they spend.

Most of the time, due to time and cost constraints, such audits only scratch the surface at the service provider.

So, what should you do to satisfy your own or your auditor’s need to get assurance that the services are provided in accordance with your security requirements, and with a quality of service that reduces your risk?

Let us introduce Third Party Attestation Reporting (SOC reports)

What is it?

Service Organization Controls (SOC) reports are prepared and issued by an independent auditing company and include descriptions of the service organization's internal security controls, as well as the auditor's assessment of the suitability and effectiveness of those controls. The full and unedited reports are distributed to the service organization's customers and their auditors.

Report types and intended use

There are several types of reporting standards:

  • ISAE3402 / SOC1. This primarily covers internal controls relevant to financial reporting, with the purpose of compliance with laws and regulations. The intended users of these reports are the customer's management and their auditors.
  • SOC2. This reports on internal controls related to general Information Security, Availability and Confidentiality. For each of these domains the control objectives are predefined by the standard. Intended users are the customer's management, Information Security Managers and regulators.
  • SOC3. These are less detailed reports, usually an executive summary of a SOC2 report. As they disclose fewer details, these reports are also typically made generally available, for instance through the service provider's website.

SOC1 and SOC2 both come in Type I and Type II.

Type I will be point-in-time based, as they only focus on how the security controls have been defined and implemented by the service organization, at the time of the audit.

Type II reports, however, assess and validate both the suitability of the controls (that the controls are defined and implemented in a way that meets the control objectives) and their effectiveness (that the controls are consistently used by the service organization). To prove the latter, the auditor performs randomized sampling and collects evidence from the entire reporting period, typically one calendar year.

What makes this different from ISO certifications?

There is a great deal of overlap between the Information Security Management standard ISO27001 and SOC attestation reports. The ISO standard, however, allows companies to define their own scope and their own benchmarks (security policies and goals). So, for anyone to accept a service provider's ISO27001 certification as evidence that the provider fulfils your security requirements, you at least need to understand the scope and the security policies the certification is based on, and check that they match your needs.

ISO audit reports are generally not available to anyone other than the audited party. Customers may be provided with the actual certificate, perhaps a copy of the security policies, and a document explaining the scope of the audited management system, but organizations are usually not allowed to distribute the full audit report.

For an ISAE3402 or SOC2 report, however, you get full insight into all parts of these very comprehensive reports. Among other things, the reports include both the organization's management statements and descriptions of their security controls, as well as the independent auditor's test procedures, test results and findings.

Note that a SOC report is not a certification as such, but rather a compliance report produced by an independent auditor.

The main benefits

Getting the appropriate SOC report from your service provider gives you the following benefits:

  • Save cost on performing your own audits. Such audits will no longer be required, or will at least need a much-reduced scope.
  • Get the full picture. As the reports are based on samples from the full (12-month) reporting period, they cover a lot more than you would be able to assess in customer-specific audits.
  • Leverage these reports in your own audit and reporting. As the reports are based on internationally recognized standards, your auditors can easily make use of them directly.
  • Get insight into your service provider's security controls. The reports include the service provider's description of the control environment, processes and the individual controls.
  • Get verification of control effectiveness. This enables you to assess whether the service provider's regular control effectiveness is satisfactory, and where you should focus your improvement efforts.

Win-Win strategy

The service provider benefits from this too, as the number of audits is reduced and the actual auditing becomes more coordinated and efficient. This should eventually result in lower compliance cost, which benefits all parties.

The next time you review the security compliance of your service provider, or the next time you select an outsourcing partner, check whether you can get access to their SOC reports. That will give you better control at a lower cost. That is what we all want, right?

Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within mobile communications and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support people and organizations, and he believes that policies, technology and processes are here to help organizations and enable innovation, not to stop them. His motto is “systematic work always works”.

Esten Hoel, SVP Security and Compliance, Basefarm

Unprotected Government Server Exposes Years of FBI Investigations

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“A massive government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files.

The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password.”

WORLD-CLASS PUBLIC E-ADMINISTRATION IN NORWAY

“We landed on a mix of suppliers that best fulfilled our criteria. Basefarm was the best operations supplier.”

So says Edvard Pedersen, project manager for the Altinn solution at the Brønnøysund Register Centre. The government’s ambition is that Norwegian public electronic administration (e-administration) should be the best in the world. Altinn is perhaps their most important card.

“We must have a partner and supplier right out of the top drawer in order to achieve this goal. Basefarm is an important part of achieving the government’s ambitious target,” says Pedersen, who counts his supplier as a partner.

“The decision to award the operations contract was made on the basis of stable operation, predictability, economy, scalability and security. Seen as a whole, Basefarm delivered the best bid,” says Pedersen.

Give Up the Ghost: A Backdoor by Another Name

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars. In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, two of Britain’s top spooks introduced what they’re framing as a kinder, gentler approach to compromising the encryption that keeps us safe online. This new proposal from GCHQ—which we’ve heard rumors of for nearly a year—eschews one discredited method for breaking encryption (key escrow) and instead adopts a novel approach referred to as the “ghost.”

But let’s be clear: regardless of what they’re calling it, GCHQ’s “ghost” is still a mandated encryption backdoor with all the security and privacy risks that come with it.

Security Software & Tools Tips – January 2019

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen the following:
* Elastic Stack
* Security Onion
* Wireshark
* Cuckoo
* BeEF

Elastic Stack

Information from the Elastic Stack website:

Threats don’t follow templates. Neither should you. The Elastic Stack gives you the edge you need to keep pace with the attack vectors of today and tomorrow.

Website:

https://www.elastic.co/

Security Onion

Information from the Security Onion website:

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Website:

https://securityonion.net/

Wireshark

Information from the Wireshark website:

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Website:

https://www.wireshark.org/

Cuckoo

Information from the Cuckoo website:

Cuckoo Sandbox is the leading open source automated malware analysis system. What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Website:

https://cuckoosandbox.org/

BeEF

Information from the BeEF website:

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Website:

https://beefproject.com/
