Infosecurity Europe 2007.


A selection of papers from exhibitors at Infosecurity Europe 2007, Europe's dedicated information security event. Now in its 12th year, it provides an education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. 24th--26th April 2007, Grand Hall, Olympia. www.infosec.co.uk

How to Build Trust in Modern Web-oriented Applications

Eric Battistoni, Director of Marketing and Strategy, Bee Ware

Delivery Oriented Security

As modern web applications progressively penetrate the Enterprise's infrastructure and data, they are becoming critical to daily business. One of the consequences of this new age is that business continuity has come to rely on application availability.

The preservation of web application availability has now become part of the Enterprise's priorities. To fulfill this requirement IT managers are deploying solutions that range from threat management to disaster recovery. Whatever else may happen, organisations have to be permanently available and running in order to maintain Enterprise activity.

Organisations need to underwrite precautionary measures that guarantee application availability. Any potential issue leading to application failure has to be taken into account. Secure application delivery should be expected to bring more business benefit than a simple insurance would. Efficient application delivery is a powerful business tool that helps keep end users satisfied, whether they are employees, partners or customers.

Performance, Availability and Security

Performance relies to a great extent on a high-speed infrastructure. But oversizing the architecture is not a good solution, and an efficient design must also allow for optimisation to be set up at different levels. Areas where optimisation can significantly improve performance include:

* SSL acceleration to offload the web server

* Static object cache

* Compression based on supported standards

* Protocol and Application optimization for Web Usage

* Offloading conformance validation from the application server

The list is not exhaustive. From an overall perspective, offloading servers of tasks that are not their primary mission constitutes a guideline for both performance and scalability.

Availability

Once the required performance level is obtained, it has to be guaranteed against potential problems such as device failure or traffic overload. Solutions covering the availability requirement include Pass Through, redundancy, Fail-Over, Load Balancing and High Availability, but also Back Up and Disaster Recovery.

At the application level specific criteria have to be considered, including Session tracking and Transparency.

Security

Objectives such as performance and availability are easy to understand and rarely cause confusion. Security is slightly more complex and can have ramifications in several areas. The diversity of the application layer makes the question of its security a very large and complex issue. We may ask whether blocking attacks is the only goal of application security. This appears to be an over-simplistic view of the issue. Firstly, attacks are not the only danger to be faced. Scans, site crawling, unexpected browsing and other behaviour can prove to be dangerous at the application level. Secondly, a vast majority of applications today possess vulnerabilities, lack controls, or at the very least do not conform to best practice. Securing the delivery of any application is a task that heads in multiple directions and goes well beyond purely attack prevention.

Security Policy at Application Level

From a product deployment perspective, the setting up of a security policy is normally the task of a Firewall. Created with the first age of network security, Firewalls apply a security policy on both incoming and outgoing traffic. A security policy at the network level mainly relies on access control; in other words, it can be seen as a flow matrix. However, defining a security policy at the application level is decidedly more complex.

WAF: The frontier

The term Web Application Firewall (WAF) is confusing. Any resemblance to the network firewall stops at the name. The role of current products goes much further than pure security and extends to Application Assurance. Managing availability and security comes from the same expectation. Whatever we may call it, a Web Application Firewall can be defined as a platform that applies a security policy to web application traffic. The policy is made of filtering rules that can trigger different response modes. The filtering process filters both incoming and outgoing traffic: it makes the solution protective against unwanted traffic flow by preventing attacks or internal information leakage, and it should also hide the organisation's application infrastructure from the outside world using web cloaking. As its role goes beyond security, the nature of the platform and its positioning in front of the web server farm make it possible to set out a Global Application Delivery Policy including both security and availability. A WAF is then the appropriate tool to set up an Application Delivery Policy, but it is not designed to do more than that. It is a production tool that has to guarantee application delivery. Application testing, measurements, exploration etc. are not the roles of a production tool. These constitute a totally different job, which has to be performed on a different timescale.

Do

* Use a WAF to provide your architecture with independency and flexibility

* Use WAF to hide your Web infrastructure (address translation, error message etc.,)

* Use a WAF platform to offload a Web server with cache, compression and SSL acceleration

* Use a WAF platform to dispatch and balance traffic between server farms

* Configure a WAF to reject malformed queries, HTTP protocol violations, worms and known attacks

* Use a WAF to protect against identified application weaknesses before new application releases

* Use a WAF to set up your regulatory policy

* Position the WAF as the single authentication control point

Don't

* Expect a default policy provided with the WAF to match your application needs

A single false positive can force you to drastically decrease the default security level

* Configure your WAF to block any request that looks dangerous or suspicious

Your application is likely to immediately stop working because it includes some improper coding practice

* Expect a WAF to help you to understand and to create an application security policy

WAFs are the best tools to implement a pre-designed policy

* Use only navigation from a trusted IP address to build a security policy

Because the application often includes vulnerabilities, your application security policy will include them as well.
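The Do and Don't lists above describe a WAF policy as filtering rules on inbound and outbound traffic, each bound to a response mode, and warn that a default policy will not match every application. This added example (hypothetical code, not Bee Ware's product or any code from the original paper) models that: an inbound rule set that rejects HTTP protocol violations in "block" or "log" mode, a per-application override for the allowed methods so a legitimate request is not blocked by the default policy, and an outbound cloaking rule that strips server-identifying headers and verbose error pages. The header-name token pattern follows RFC 7230; the method set and length limit are assumed policy values.

```python
import re
from dataclasses import dataclass, field

# Assumed default policy values (constructed for this example).
DEFAULT_METHODS = frozenset({"GET", "POST", "HEAD"})
MAX_TARGET_LEN = 2048
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
# RFC 7230 header-name token characters.
HEADER_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Headers that reveal the web stack; stripped by the outbound cloaking rule.
CLOAKED_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


@dataclass
class Verdict:
    action: str                      # "allow", "block" or "log"
    reasons: list = field(default_factory=list)


def inspect_request(raw: str, mode: str = "block",
                    allowed_methods=DEFAULT_METHODS) -> Verdict:
    """Inbound policy: flag malformed request lines, headers and methods.

    `mode` is the response mode the rule set triggers ("block" or "log");
    `allowed_methods` is the per-application tuning of the default policy.
    """
    reasons = []
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        reasons.append("malformed request line")
    else:
        if m.group("method") not in allowed_methods:
            reasons.append("method not in policy: " + m.group("method"))
        if len(m.group("target")) > MAX_TARGET_LEN:
            reasons.append("request target exceeds policy length")
        if "\x00" in m.group("target"):
            reasons.append("control byte in request target")
    for header in lines[1:]:
        if header == "":                 # blank line ends the header block
            break
        name, sep, _ = header.partition(":")
        if not sep or not HEADER_TOKEN.match(name):
            reasons.append("malformed header: " + header[:40])
    if not reasons:
        return Verdict("allow")
    return Verdict(mode, reasons)


def inspect_response(status: int, headers: dict, body: str) -> tuple:
    """Outbound policy (web cloaking): drop stack-identifying headers and
    replace server error pages, which may leak internals, with a neutral body."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}
    if status >= 500 or "stack trace" in body.lower():
        body = "An error occurred."
    return status, cleaned, body
```

The PUT case below shows the false-positive trap from the Don't list: the default policy blocks a legitimate request until the method set is tuned for the application.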

Web Applications today are at the vanguard of enabling organisations to adapt to rapidly changing business requirements. Web services are already expanding on this. The new "Application Gateway" challenge is now to deliver performance and availability without compromising on security. In a single word, to deliver trust.

www.bee-ware.net

The Collaborative Approach to Online Banking Security

Andrew Moloney, Senior Product Manager, RSA Security

Online fraud has evolved. Never before has the financial industry faced such a sophisticated, organised and innovative technological crime wave. No longer is it driven by script kiddies. Financial fraud is a multi-million pound business - and with new tools at their disposal, the fraudsters are playing hardball. In the past three years, phishing has proven to be one of the fastest-growing types of online fraud. RSA Security identified 3655 phishing attacks in April 2006 targeting financial institutions of all sizes.

The likelihood is that the phishing epidemic will climb to an average of 4000 attacks a month in 2007, all of them socially engineered to hoodwink the consumer.

According to a National Cyber Security Alliance and Bank of America survey this year, although nearly 9 in 10 American consumers were confident they could spot phishing e-mails, more than 6 in 10 actually couldn't separate legitimate messages from fraudulent, fake mail. For banks, the immediate need is not simply to reduce fraud in online banking. It's also about retaining consumers' confidence: not just in their bank and its ability to deliver secure access to their money, but also in online banking as a key delivery channel. The financial organisations know that the online channel plays a significant and growing part in the distribution mix. Banks want to increase the volume of active online customers, drive transaction migration, and increase online revenue generation. But they recognise that can't happen until the security concerns, which are the key reason why customers either don't bank online or don't trade more frequently, are addressed.

If not, the banks will literally count the costs: a 10% migration of transactions from online to telephone banking, brought about by consumers' security and fraud concerns, could mean an increase in bank operating costs of up to £9m!

According to one poll by German Internet research company Fittkau and Maas, 87% of online banking users are looking for a secure offering.

Other studies show:

* 90% of online account holders believe that financial institutions should monitor all Internet banking transactions.

* 79% of account holders say they are less likely to respond to an email from their financial institution as a direct result of scams such as phishing.

* 73% of account holders feel financial institutions should deploy stronger methods of guaranteeing identity.

It is the evidence provided by these figures that is driving banks such as Alliance and Leicester and HBOS in the UK, and a string of US financial organisations, to make it a priority to share information, and build trust relationships with each other in monitoring transactions.

Key to monitoring emerging threats for the benefit of a multitude of institutions are collaborative, anti-fraud communities which can amplify the protection provided to all participants. Networks such as this pool observations from a number of financial services partners, enabling them to spot fraudster profiles and patterns that could ultimately affect a number of banks. Fraud data is shared in real-time, so when a fraudster attack is identified against one member, all others are instantaneously protected as well. Today, many of the world's top 50 banks, including Bank of America, Credit Suisse, HBOS, ING Direct, Alliance and Leicester and Washington Mutual take advantage of such a network due to their use of RSA Security technology, which includes access to the eFraudNetwork, to protect over 455 million consumers worldwide. The eFraudNetwork is the world's largest cross-bank collaborative anti-fraud community.

The implementation of such advanced detection and alert-and-blocking capabilities has helped shut down more than 10,000 phishing websites and reduced the average lifespan of a phishing attack from 155 hours to 5 hours. Andy Muddimer, Head of Internet Banking at Alliance & Leicester, comments: "The eFraudNetwork was a unique and important differentiator in Alliance & Leicester's decision to work with RSA. Online fraud is an everyday issue, and the network protects our online customers in real time, twenty-four hours a day, seven days a week."

Another RSA eFraudNetwork member, a major US financial institution, was able to detect more than 60% of fraudulent activity while only affecting 0.2% of online users.

There is a direct correlation between the level of phishing attacks and the level of online fraud losses. So for the banks, it makes business sense to reduce the number of attacks. Fewer phishing attacks mean greater security confidence; greater security confidence means more customers. And if phishers believe a bank to be more secure, they'll attack it less - and find easier victims.

Forrester Research published a report in May this year that showed not only that around half of Europe's 160 million Internet users don't bank online, but that around 5 million of them HAD banked online and had since stopped. These so-called "quitters" cited concerns around both security and usability as primary factors.

And they would be right to worry about the effect a security incident in online banking can have on their lives. The average identity theft victim - and there were 3.4 million of them last year - spends $834 and 77 hours just clearing their name.

It's a headache for the banks too. A 2003 Federal Trade Commission report estimated identity theft losses to financial institutions at $47 billion. In comparison, there are about 7,600 bank robberies a year, amounting to roughly $77 million in losses.

All these figures demonstrate that collaboration, authentication - incorporating new security technologies to improve the security of customers' transactions - and education - teaching customers to practise 'safe security' by providing them with the information to protect themselves - can help the banks both defeat phishers' increasingly sophisticated attacks, and leverage a competitive advantage.

For customers, it's all a question of greater confidence in security. For the banks, the battle to win over those customer hearts and minds is also a question of economics.

That's why for those banks using the eFraudNetwork, a problem shared is a problem halved.

www.rsasecurity.com

Is That A Hacker Next To You!

Calum Macleod, European Director of Cyber-Ark Software

As a leader at a security software company, I'm often asked: what's the most common type of hacker and attack? Over time I've discovered that the general public holds a somewhat romantic image of hackers. One mental picture involves an emaciated young man in a poverty-stricken corner of the world. Greasy-haired and red-eyed, he types late into the night on an old TRS-80 workstation, trying desperately to get your American Express account number for nefarious purposes.

Another favorite image is of a cherub-faced pre-teen with extreme computer skills and little knowledge of law and order. Thanks to too much hardware and too little parental supervision, she creates a new virus that brings down every business on the Eastern seaboard.

Both images couldn't be more wrong.

According to the FBI, the most common hacker is probably sitting in the cubicle next to you, right now. This is someone who gets to work early, takes his or her turn cleaning out the office fridge, tells funny stories at lunch and, at some point, makes a very dumb move. It often starts when this hacker-next-door sees a file directory or workstation that's just too juicy to pass by, like one named "Salary Comparison." It's simply too tempting NOT to peek inside.

In other words, curiosity is one scenario motivating the most common hacker. Another is revenge. These situations take place when a web-savvy employee gets ticked off. Maybe their Christmas raise didn't make them too merry. Perhaps their boss just handed them a Work Improvement Plan and a reason to cause trouble. This same hacker-next-door spends some time on the network and wonders ... what if I could get into the email server files? What if I could open a few financial statements?

Finally, another common reason is industrial espionage. What organization has time to do professional, in-depth background checks on every temporary IT consultant? Often this part-time help is called upon when times are roughest, and corners are most easily cut. The result is people who get easy access to the most sensitive and impenetrable systems (more on that later).

However, no matter what the reason, internal hacker attacks make up 70% of all security breaches according to the FBI. The next question is ... how do these attackers get access to critical systems?

The answer is: all too easily. Once that hacker-next-door decides to break into a target system, their next stop is a search engine. A few key words later, and anyone can discover that the most common--and effective--type of hack into a target system is to become what's called a "script kiddie." Script kiddies use default lists of privileged passwords, or the super-user/administrative codes built into every piece of hardware and software. Have you ever noticed the "Administrator" ID next to your name when you login to your workstation? That's a privileged user and password, a backdoor into your system built by the manufacturer. It cannot be disabled or destroyed.

Let's turn back to our hacker-next-door who wants into the "Salary Comparison" workstation. They don't know who owns this workstation, but they can search to find what the default Administrator passwords are for a Dell Latitude D600. According to a recent survey, 20% of all workstations have an Administrator ID that's still set to the default password (Cyber-Ark Enterprise Privileged Password Survey 2006, www.cyber-ark.com/survey.asp). If the built-in default doesn't work, the would-be hacker may try some simple passwords like CompanyName123. You'd be stunned how often these basic password scenarios - also available as mini computer programs on the web - are the fastest way into any organization's data.

Once the hacker enters a target system with a privileged password, the evil-doer now has more access to data than the system's legitimate users. I know of one company, for example, where a disgruntled IT professional changed every password on the network. All software had to be reloaded. The company was basically shut down for days.

Meanwhile, the angry ex-employee denied all knowledge of the incident. And who could prosecute him? The deed was done under an anonymous identity, the Administrator. Another recent example of a script kiddie in action took place at the FBI (see "Consultant Breached FBI's Computers" by Eric Weiss, Washington Post, 7/6/2006). In this case, the hacker-next-door was a paid consultant. The suspect used "computer programs easily found on the Internet" to go snooping into passwords and files throughout the FBI's organization, including data related to the Witness Protection Program. In no time, the suspect gained access to the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

So there you have it: the most common hacker is actually someone working in your organization today, a non-professional trouble-maker who -- when tempted -- can easily find his or her way into your organization's most sensitive data.

This leads to another question I am commonly asked: why do most enterprises leave their privileged passwords, the keys to their kingdom, open and unmanaged? The reason is simple: manually changing these codes is extremely time-consuming, so these back doors generally stay open. Visit professional hacker sites, and their biggest complaint about script kiddies is not that they exist ... but that once these amateurs do something flagrant and dumb with privileged passwords, these wonderful secret passages into a company's data get closed to the professionals.

Of course there are automated ways to securely change privileged passwords, and to tie an individual ID to a shared one - this very software is now being used by many security-savvy enterprises around the world. However, until these solutions become standard tools in most enterprises, I'd keep a close eye on the folks around you. You never know who is privileged to YOUR information!
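The two controls the article closes on are automated rotation of a shared privileged password and tying each use of that shared identity to a named individual, so that a change made "as Administrator" is no longer anonymous. This added example (hypothetical code, not Cyber-Ark's product or any code from the original article) sketches a minimal vault that does both: a named user checks the shared account out, the account is exclusive while held, and check-in rotates the password and leaves an attributable audit trail. The account name and user names are constructed sample values.

```python
import hmac
import secrets
import string
from datetime import datetime, timezone

# Character set and length for generated privileged passwords (assumed policy).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PASSWORD_LENGTH = 24


def new_password(length: int = PASSWORD_LENGTH) -> str:
    """Cryptographically random password from the policy alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedAccountVault:
    """Check-out/check-in vault for shared privileged accounts."""

    def __init__(self, accounts):
        # Every managed account starts on a fresh random value, never a vendor default.
        self._secrets = {name: new_password() for name in accounts}
        self._checked_out = {}       # account -> individual user currently holding it
        self.audit_log = []          # (utc timestamp, user, account, event)

    def _record(self, user: str, account: str, event: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, account, event))

    def checkout(self, user: str, account: str) -> str:
        """Hand the shared password to one named individual; use is exclusive."""
        if account not in self._secrets:
            raise KeyError(account)
        holder = self._checked_out.get(account)
        if holder is not None and holder != user:
            self._record(user, account, "denied: held by " + holder)
            raise PermissionError(f"{account} is checked out by {holder}")
        self._checked_out[account] = user
        self._record(user, account, "checkout")
        return self._secrets[account]

    def checkin(self, user: str, account: str) -> None:
        """Return the account and rotate it, so the value the user saw is dead."""
        if self._checked_out.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._checked_out[account]
        self._secrets[account] = new_password()
        self._record(user, account, "checkin+rotate")

    def verify(self, account: str, candidate: str) -> bool:
        """Constant-time comparison, as a target system's login hook would use (assumed)."""
        return hmac.compare_digest(self._secrets[account], candidate)

    def who_used(self, account: str) -> list:
        """Attribution: the individuals who have held this shared identity, in order."""
        return [u for (_, u, a, e) in self.audit_log
                if a == account and e == "checkout"]
```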

www.cyber-ark.com

COPYRIGHT 2007 A.P. Publications Ltd.

Article Details
Title Annotation:SOFTWARE WORLD INTELLIGENCE
Publication:Software World
Article Type:Company overview
Date:Jan 1, 2007
Words:3060