Andy Jordan

Special Project Lead, Mosaic451

Andy Jordan (CISSP, CISM, MCSA, MCP, Security+, Network+, ITIL v3, LeanIT) is a Special Project Lead at Mosaic451, a managed services provider that focuses on maintaining and protecting critical IT systems. Andy has built and managed multiple security programmes for numerous large and small organisations throughout his 10-year career. He uses lean and agile methodologies to create demonstrable value within complex infrastructure and security programmes. He is an active figure in the information security community, having presented at several venues.
Articles by Andy Jordan
There are two types of people in the world as it relates to privacy: those that care about their privacy and, sadly, those that don't. This divide continues to widen with the constant flood of cyber security breaches that we hear about. We, as consumers, can no longer get a cheap hamburger without hearing that once again, the information we want to be kept secret has been breached. The old phrase "you can lead a horse to water but you cannot make him drink" rings true as we approach helping consumers take charge of their digital and personal privacy.

Governmental regulations for privacy

Law makers have started taking up the charge to help protect the privacy of consumers. This has been executed with the new European General Data Protection Regulation (GDPR), which went into effect on May 25th, 2018. The core premise is that the consumer owns their data. Regardless of which company uses, stores, or profits from a consumer's data, the consumer still owns it. This is a major shift in how businesses are forced to protect the consumer's data.

Even though many of us have likely heard about GDPR, it is not the only privacy law that's taking the world's stage. In fact, in California there is a new law called the California Consumer Privacy Act of 2018, which is focused around the same principles as GDPR. This new California law goes into effect in 2020 and goes one step further by considering privacy as an inalienable right for all consumers.

Encouragement for consumers to take charge of their digital and personal privacy is becoming ever more important.

Taking ownership of privacy

New regulations have arrived because of corporations' lack of controls around consumer privacy data, but the truth is that even though these regulations give consumers a mechanism to take ownership of how their personal data is used, that doesn't mean they will.

It's at this point that we, as the security industry, need to step back to consider how we can improve the problem. Just because laws have paved a way, we still need to help consumers travel down the road to better privacy.

There are two further mechanisms that we still need: governmental social programs and continued passionate discussions from the security industry. Governmental social programs will help provide free or low-cost classes for consumers to learn how they can protect their privacy. However, governmental programs can only go so far, and this by itself will not be enough.

History has shown that social progress is often accomplished by a passionate minority that stands up against the oppression of human rights. For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rights. Not only do we need to exercise the capabilities the new GDPR laws have created for us, but we should also tell the important people in our lives. We need to stand up for our privacy because if we don't, we'll end up losing even more of it.
PenTesting, also known as “ethical hacking” or “white-hat hacking,” has always been viewed as the “sexy” side of cybersecurity, a task that is far more exciting than monitoring systems for intrusions, shoring up defenses, or performing compliance audits. Numerous security conferences are devoted to the fine art of attempting to hack into systems – with an owner’s full knowledge and permission – and reporting on the results.

At an organisational level, businesses also value PenTesting under the premise that it allows them to identify security vulnerabilities before cyber criminals can. Some regulatory standards, such as PCI-DSS, require penetration assessments as part of compliance. However, many organisations have come to over-rely on PenTesting, thinking that if all the issues were identified in a PenTest, they’re good to go. Not only is this not helping them improve their security posture, it is also leaving them with a false sense of security.

What is PenTesting?

A penetration test is a simulated, live attack on your environment by a white-hat hacker, customised to address specific problem areas, such as web-based applications, mobile applications and infrastructure services like border VPNs and firewalls. The PenTest may include different types of attacks based on the requested scope from an organisation so that the tester attempts to come at each system from all sides, the way a cyber-criminal would. The goal is to identify which systems and data the tester was able to access and how an organisation can address the vulnerabilities that allowed them to get in.

The limitations of PenTesting

There is great value in performing periodic PenTests, which is why PCI DSS and other security standards mandate them. However, PenTesting has three significant limitations:

PenTesting does not provide solutions

Let’s be honest: No one likes reading technical reports, but typically, that's the only deliverable provided by a PenTester. The value of a PenTesting report varies wildly based on the scope of the testing, the PenTester’s technical expertise and their writing ability. The tester may miss some things, or not clearly convey their findings.

Additionally, a PenTest is a snapshot in time and the PenTester could miss changes in the systems, configurations, attack vectors and application environments. Even if your system “passes” a PenTest, will it crumble in the face of a brand new, more powerful attack vector that emerges a week later?

The worst type of “PenTest report” consists of an analyst producing nothing more than the results of a vulnerability scan. Even if the PenTester produces a well-written, comprehensive report filled with valuable, actionable information, it’s up to your organisation to take the action, which leads to the next limitation of PenTesting.

PenTesters only exploit vulnerabilities and do not promote change

PenTesting does not highlight the missing links in your organisation's technology stack that could help you address your security vulnerabilities. This is often in the guise of being agnostic to the technologies that exist because their expertise is only offensive security – unless, of course, the performing company has “magic software” to sell you.

PenTests also do not help to develop your organisational processes. Additionally, they do not ensure that your employees have the knowledge and training needed to treat the identified fixes. Worst of all, if your in-house expertise is limited, any security issues that are identified during a PenTest aren't validated, which leads to a misrepresentation of their magnitude and severity while giving your team a false sense of security.

PenTesters are self-serving

Too often, PenTesting pits the assessment team against the organisation; the goal of the assessment team is to find the best way to "shame" the business into remediation, purchasing the testing company’s “magic software”, then call it a day. Once the PenTesters find, for example, a privilege escalation or a way to breach PII, they stop looking for other issues. The testers then celebrate the success of finding a single “flag”. In the meantime, the business is left in a precarious situation, since other unidentified issues may be lurking within their systems.

Shifting the paradigm of PenTesting

Penetration testing can uncover critical security vulnerabilities, but it also has significant limitations and it’s not a replacement for continuous security monitoring and testing. This is not to say that all PenTesting is bad. PenTesting should be integrated into a comprehensive threat and vulnerability management programme so that identified issues are addressed. The purpose of a mature vulnerability management programme is to identify, treat and monitor any identified vulnerabilities over their lifecycle.

Vulnerability management programme

Additionally, a vulnerability management programme requires multiple teams within an organisation to develop and execute the remediation plan to address each vulnerability. A mature threat and vulnerability management plan takes time, and it is helpful to partner with a managed security services provider (MSSP) to help you in the following areas: improve your cyber-risk management program so that you can identify and efficiently address vulnerabilities in your infrastructure, applications and other parts within your organisation’s ecosystem on a continuous basis; perform retests to validate any problems identified through a vulnerability scan or a PenTest assessment; ensure that your in-house staff has the knowledge, skills and tools they need to respond to incidents.

Cyber risk management and remediation is a "team sport." While periodic testing conducted by an external consultant satisfies compliance requirements, it is not a replacement for continuous in-house monitoring and testing. To ensure that your systems are secure, you must find a partner who not only performs PenTesting but also has the engineering and development experience to assist you in fixing these types of complex problems in a cost-effective manner and ensuring that your systems are hardened against tomorrow’s attacks.
Cloud computing has many benefits, including greater flexibility, infrastructure cost savings, and enhanced computing performance. However, the cloud presents new security challenges that organisations need to address. A failure to implement security controls and adhere to solid data governance practices could result in a breach.

Preventing worst case scenarios

Consider this scenario: a company begins its migration excited about the possibilities the cloud can provide to its applications. It tasks a few infrastructure engineers to work with the developers to start a proof of concept. The migration team modifies the settings and access controls to ensure the application works. The migration team, excited by the success of their proof of concept, adds in a few more application features and submits the change ticket for the applications to be moved into production.

The migration then grinds to a halt. An assessment comes back saying the cloud environment has security holes so large you could drive a truck through them. The migration team discusses how to adjust the cloud application to meet compliance requirements, only to find out they need to completely rebuild the entire cloud environment. The organisation's executives pull the funding on the now failed project, and any future discussions about the cloud are met with frustration.

Sadly, this scenario isn’t rare. However, there are things you can do to make sure this scenario doesn’t happen to you.

Four ways to improve your cloud security

1. Understand how the cloud changes your paradigms

While cloud security and in-house security have many similarities, in some ways they are quite different, which requires a paradigm shift on the part of the organisation:

Use automation to make your life easier. One of the benefits of cloud computing is that you won’t have to log into every virtual machine to maintain it; you can use code. For example, AWS has several features to automate some security functions, including security groups, which act as firewalls for EC2 instances; network access control lists (ACLs), which act as firewalls for associated subnets; and flow logs, which capture information about the IP traffic going to and from the network interfaces in your virtual private cloud.

Be aware of where your cloud provider’s responsibilities begin and end. While there are some differences depending on your specific setup (private, public, or SaaS), in general, cloud providers are responsible for security of the cloud, and their customers are responsible for security in the cloud. This means that your cloud provider must secure the cloud infrastructure, but your organisation is responsible for the applications, data, and services you place within your cloud environment. Remember, if there is a breach, your organisation is the one who is ultimately responsible.

2. Create your governance and project plans before you start

Define limits on what data classification types you will allow in the cloud. Written cloud security and data governance policies must be established before the migration commences. These policies should clearly define which information and data classifications are to be stored in the cloud, where they belong in the cloud hierarchy, who should have access to each section, and what level of access they should have.

Create and follow a project plan. Successful cloud migrations are never built on luck, and you should develop a project plan for your migration, just as you would for any other large project. Additionally, be realistic about your scope, as cloud migration projects often fail because organisations try to build too much into their scope. Conversely, if you have not defined what will be in-scope for your cloud environment, then it’s likely you will have some poor architecture design elements that could be easily exploited by hackers.

Stick with your plan, and don’t “chase the shiny.” There always seems to be a new “silver bullet” tool hitting the market that promises to solve all your tech problems, security and otherwise, overnight. Resist the urge to deviate from your cloud migration plan in favour of these tools. They almost never turn out to be as magical as they promise, and you’ll end up wasting money and time.

3. Use your past to change your organisation’s future

Cloud migration is a long, tedious process, but it’s also a great opportunity for your company to assess all the old issues you’ve been gritting your teeth and dealing with, and start over with a clean slate.

Start by picking a specific target, such as a single application or system. Then, review your asset and application inventory, along with your old architecture map. Identify all interdependencies and determine how they will work in the cloud environment – or if they even make sense anymore. Don’t repeat your in-house mistakes in the cloud.

Update your disaster recovery and security incident response plan. Since your data environment is fundamentally changing, your disaster recovery and security response plan needs to change, too.

Define who will support and maintain your cloud environment once it’s in production. You must also decide which team within your organisation will manage your cloud security during migration and going forward. This needs to be done by someone with adequate security experience; it should not simply be assigned to the help desk.

4. Don’t hesitate to obtain expert help

The biggest contributor to the outbreak of AWS breaches is a lack of expertise. AWS and other cloud environments are very powerful. They are also intricate and highly complex, yet many organisations are appointing “home-grown” administrators who – while they may be very well-versed in in-house data security – have little or no training in cloud computing or cloud security.

If you do not have sufficient cloud expertise in-house, it’s imperative that you partner with a managed security services provider (MSSP) with deep experience in your chosen cloud environment. In addition to ensuring that your environment is configured properly and securely, an MSSP can help you develop a realistic migration plan; address governance, risk, and compliance issues; identify in-house data governance issues and ensure that the same mistakes are not replicated in the cloud; and provide cyber security and incident response services going forward.
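
The automation point in step 1, as an added example that is not part of the original article: a short Python audit that reads security group rules in the JSON shape returned by `aws ec2 describe-security-groups` and flags administrative or database ports reachable from the whole internet. The sample data, the group IDs and the list of sensitive ports are constructed assumptions.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
# Group IDs and rules are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-poc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

# Assumed policy: administrative and database ports must not face the internet.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}

def world_cidrs(perm):
    """Return the rule's source ranges that cover the whole address space."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def audit(doc):
    """List (group, port, service, sources) for sensitive ports open to anyone."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            world = world_cidrs(perm)
            proto = perm["IpProtocol"]
            if not world or proto not in ("tcp", "-1"):
                continue
            # "-1" means all protocols and ports; such rules carry no port range.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, service, world))
    return findings

if __name__ == "__main__":
    for group, port, service, sources in audit(SAMPLE):
        print(f"{group}: {service} ({port}/tcp) reachable from {', '.join(sources)}")
```

Run on a schedule against an exported rule set, a check like this catches the proof-of-concept access rules from the scenario above before they reach production.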