Information Security & Occasional Forays Into Adjacent Realms
The National Institute of Standards and Technology (NIST) has announced the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Outstanding.
via El Reg's Darren Pauli, comes good news from David Litchfield, this time, in the form of a newly authored security product targeting the in-built security issues within Oracle Corporation's (NYSE: ORCL) DBMS. Outstanding.
The kind folks at DevOps have made their video collection of HD quality Security DevOps content from RSAC 2015 available (with the only catch of a registration form). Highly recommended.
'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via Devops' Alan Shimel
via AlienVault's Russ Spitler, comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time, evidenced and bolstered by empirical research, the AlienVault researchers discovered "there is a good chunk of the EC2 users who left their front door open'.
I am fascinated with AlienVault's findings, (consider for a moment the issues are customer-based within their respective virtual environs), the scenario boggles.
Then, there is the recently published Amazon Web Services SOC 1, 2 and 3 Reports (Acronym definition: SOC - Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact); of which, the SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germaine to the AlienVault research, as it encompasses standard information security tenets of Integrity, Availability, Security and Confidentiality; which, apparently, many customers of the AWS EC2 product are blissfully unaware (at least those that are running the offending listeners).
If you read anything today focusing on warfare in the electronic realm, read the Lawfare blog's Ashley Deeks posting on this year's Tallinn-based NATO CCDCoE's CyCon 2015 confab. In particular, a Chinese academics' take on cyber jus ad bellum and jus ad bellum criteria to wage war, as targeted by Tallinn 2.0. Fascinating.
Just getting around to examining the Microsoft Corporation (NasdaqGS: MSFT) Security Intelligence Report (SIR)... Now in it's eighteenth volume, the SIR is typically well-wrought, and might be considered pithy.
News, via TrustedSec, of the release of the latest version of the eponymous PenTesters Framework (written by David Kennedy, CEO of TrustedSec). Download the PTF at GitHub or clone the project (git clone https://github.com/trustedsec/ptf). Enjoy.
Gotta love the 90's... Regardless of that affection, avoid, if you will, blasts from the past such as this newly reported flaw via Peter Bright (writing at Ars Technica) with tinges of that bygone decade... Read it and Weep.
via TechnoBob's Lambert Varias comes news, of the astounding Arduinio-based automated combination-lock breaker hand-crafted by Samy Kamkar.
"The Combo Breaker can guess all three numbers on its own within a few minutes, but if you manually find the first number that makes the dial get stuck when you pull on the shackle, then Samy’s device can open the Master combination lock within 30 seconds, using a maximum of only eight attempts. To be more precise, Samy’s technique will give you the exact first and third numbers of the combination, plus eight possible second numbers." - via TechnoBob's Lambert Varias
via Maria Korolov, writing at CSO, tells the tale of software robotic entities, who now, apparently outnumber wetware entities on the interwebs.
Yes, the Information Age is supposedly kaput... Bid a Hearty Welcome to the Infrastructure Age; if Gizmodo is to be trusted with the proverbial crystal ball, that is.
Evidently, they are unaware that everything is, of course, information...
Image courtesy of 401(K) 2012 @ flickr.com
Ira Winkler and Araceli Treu Gomes rebuttal of critics of the Irari Rules. Today's Must Read.
The Eight Irari Rules:
The malware used should have been detected.
The attack exploited vulnerabilities where a patch was available.
Multifactor authentication was not in use on critical servers.
Static passwords were used in attacks on critical servers.
If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training.
Detection mechanisms that could have stopped the attack in progress were not in place or were ignored.
There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems.
User accounts that were compromised had excessive privileges.
via Ira Winkler and Araceli Treu Gomes - 'The Irari Rules for Declaring a Cyberattack ‘Sophisticated’ - Computerworld Apr 22, 2015 8:10 AM PT
via Anthony M. Freed, writing at InfosecIsland comes this unfortunate, and unsurprising story of the top ten exposed applications currently on a majority of computational devices hereabouts, and the ramifications thereof.