Here are a few articles I found interesting this week:

Secure Software Standard In The Spotlight

“A little-known ISO standard for application security is gathering steam with the help of Microsoft. The ISO/IEC 27034-1, "Information technology -- Security techniques -- Application security" standard released in the fall of 2011 until this week mostly had remained in the obscurity of the standards community, when Microsoft announced that its Secure Development Lifecycle (SDL) framework and strategy for secure coding conforms with the ISO standard.” The fact that it has taken so long since the original “heyday” of computer security thrusting to the forefront of the industry and society to produce an industry-wide measuring stick for “security” is disappointing and somewhat embarrassing. Don’t get me wrong- I am excited that we are finally seeing such an effort move forward and gain momentum. There absolutely needs to be a definitive place to point to that defines the security standards that should be met in order to claim due diligence- and that allows recourse for those who have, or are looking at, solutions that do not meet that standard. Whether it be an enterprise shopping for an ERP solution, a vendor proclaiming that its product is secure, a security tester justifying remediation of a vulnerability, or a trainer helping developers learn what to do (and what not to do)- the adoption of this standard could be it. Will it be a perfect one-size-fits-all solution? Probably not (but we can hope!). Is it a great start towards filling a gap that sorely needs filling? Yes! Especially in the absence of regulations that set such a standard.

Security Think Tank: Cloud, BYOD and security – lock your doors

“Cloud computing and bring your own device (BYOD) are fundamentally dangerous, but manageable, concepts from a security perspective. An organisation storing data is like a house – you can break in through vulnerable points such as doors and windows, but not through the walls. The cloud and BYOD represent the introduction of two new windows or doors.” This piece is a good high-level view of the risks of the cloud and BYOD, in that it lays out many of the varied issues that are faced and concedes that there are some difficulties with addressing each one individually. The author offers some advice, such as taking a step back- for example, instead of addressing the issue of securing documents on various devices directly, focus on more manageable pieces first:

  • minimizing who has access to the data in the first place
  • creating an inventory of data to audit data loss or theft
  • implementing remote wipe capabilities.

On top of that, make sure to test the security of the system- having an untested policy and mitigation strategy isn’t much better than not having one at all. A great point of this article is that software solutions, such as MDM, can help with the goal of securing devices- but it also warns that adding software alone won’t solve the issue, as human behavior must also be addressed.

Which Workers Are the Best Fit for BYOD?

“What kinds of workers should be allowed to use their smartphones and tablets on the job, in a growing trend called "Bring Your Own Device," or BYOD? Opposing sides are forming about two distinct groups: hourly workers and salespeople.” …An interesting take on the trends and issues facing BYOD. However, I was a bit dismayed to see that the infosec risks of mobile devices in general, and BYOD specifically, were represented solely by a statement that salespeople like to avoid the risk of lost contacts- and the liability that comes with it. It seems that the salespeople are ahead of the pack when it comes to information security risk gut instincts. BYOD has many facets of risk that should be looked at holistically, which we have covered in several previous blog posts. Check them out!

Mass Customized Attacks Show Malware Maturity

“Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization. The evolution is no different for malware.” It almost sounds like an oxymoron- “mass spear phishing”. But here we are at the next step in the evolution of malware. Spear phishing techniques, such as tailoring exploits to the target’s environment or using pertinent subject lines to appeal to a specific organization-specific demographic, made sense. That is, if you are targeting an organization for a specific reason and they are an all-Mac shop, sending Windows-based malware at them probably won’t reel in too many victims. But if you target a range of organizations, keep the same messaging but simply change out the exploit, and do that in an automated fashion- there you have mass spear phishing. Need to target a particular office suite? Use that exploit and pepper the users. Need to target a particular document reader? Swap out the exploit for that. Better yet- use a Java exploit! Write once, pwn anywhere! Malware is a product just like any other, and the purveyors of malware will continue to streamline, cut time and costs, and automate in order to push their goods out to a wider audience and maximize market penetration.

Hacking charge stations for electric cars

“The vision of electric cars call for charge stations to perform smart charging as part of a global smart grid. As a result, a charge station is a sophisticated computer that communicates with the electric grid on one side and the car on the other. To make matters worse, it’s installed outside on street corners and in parking lots.” Another item in a growing list of “things where software- and its vulnerabilities- meet the real world”. This time it is a bit more literal to say “where the rubber meets the road”- so to speak. Any time software interacts with or controls real-world entities such as utilities or machinery, there exists the very real possibility of a vulnerability exposing the system to mischief (changing a highway sign to warn of zombies), tampering (changing the cost of a vehicle charge to be free), loss of service (creating a power blackout), or even worse- a loss of human life. Application and information security may seem merely inconvenient when document software crashes due to malware, but a vulnerability in a software-controlled vehicle braking system causing a crash takes it to the next level.