Opportunities to Meet GuidePoint Security at SecureWorld Boston

GuidePoint Security is looking forward to exhibiting, speaking, and hosting an after-hours reception at the 2016 SecureWorld Expo in Boston.

You’ll find us at booth #118, where we will be hosting a Technology Showcase this year with our partners CyberArk, Cyphort, Exabeam, Tenable, and Varonis.
When: March 29-30, 2016
Where: Hynes Convention Center, Exhibit Hall D, Booth #118, Boston, MA

The software and services offered by our partners enable GuidePoint to create comprehensive security solutions for virtually any client’s network, large or small. Below you’ll discover a few reasons why we will be showcasing their technologies at SecureWorld.

  • For over a decade CyberArk has led the market in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets.
  • Cyphort helps you respond to an avalanche of network attacks, prioritize your work, and go after the really harmful security threats that are targeting your enterprise.
  • Exabeam is a leading provider of user and entity behavior analytics, based on security-based data science and innovative Stateful User Tracking technology. Exabeam enables customers to detect and thwart cyber attacks that would otherwise go unseen by most enterprises.
  • Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization.
  • Varonis protects sensitive information from insider threats, automates time-consuming tasks, and extracts valuable insights from enterprise data.

At the 2016 SecureWorld Expo in Boston, you’ll have the opportunity to attend the following GuidePoint speaking sessions:

GRC – Trials & Tribulations
Speaker: Michael Cook, Senior Security Consultant, GuidePoint Security
March 29, 1:15pm – 2:15pm
Session description: This session addresses GRC Industry status (Gartner, OCEG, CSA) and tips for planning, implementation, and maintenance of a GRC Program (learned the hard way).

Industry Expert Panel: You’ve Got Humans on Your Network
Speakers include: Michael Cook, Senior Security Consultant, GuidePoint Security
March 30, 1:15pm – 2:15pm
Session description: Breaches are expensive. So expensive that cyber insurance coverage is often lacking. This presentation explores the economics of breaches, the differences between breach and incident response and how you can align your security team’s goals with company values.

GuidePoint will also be hosting a networking event in Boston with our technology partners. Register here to connect with your peers and industry professionals.
Security Social Hour at Kings Bowling Alley
March 29, 4-7pm

For more information about the 2016 SecureWorld Expo in Boston, visit www.secureworldexpo.com/boston/home.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Tips on Cloud Security Vol. 4: Is Your Data Safe in the Cloud?

Is your data safe in the cloud? Security practitioners often have very strong opinions on the security of data in the cloud. In fact, many believe that hosting data in a remote data center simply cannot be more secure than hosting data locally.

I spent 14 years working for the US Army and other government agencies. As such, I fully understand the reluctance that many feel about shifting data and operations to the cloud. The simple notion of hosting any content outside of a government-controlled enclave was, for most of my tenure, heresy.

I’d like to begin by scoping this article to data hosted in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments. Controlling and securing data in Software as a Service (SaaS) environments, like Google Drive or Salesforce, will be discussed in another article.

The Shared Responsibility Model

In an earlier article, Jonathan Villa discussed the concept of the Shared Responsibility Model. The premise of that model is that the cloud service provider (CSP), by necessity, assumes responsibility for some of your security burden. Depending on the service category (IaaS or PaaS), you and your CSP share a different set of responsibilities for the security of your data.

In an IaaS model (e.g. compute VMs, virtual networks), the customer is given the most flexibility in services, but also has a greater responsibility for securing the data. Conversely, with PaaS services (e.g. hosted databases, queue systems), the consumer may be somewhat restricted by the service offerings, but they also don’t (and usually can’t) control any of the underlying operating system or security infrastructure.

But Not-So-Shared Responsibility?

The Shared Responsibility Model provides a convenient framework in which to delineate between the responsibilities of you and your CSP. However, at the end of the day, your data is your responsibility. If you suffer a data breach, the chances are that Amazon or Microsoft aren’t going out of business; but you might.

Like any other IT and security initiative, you need to look at the cloud from a risk standpoint. There will most certainly be new risk areas to consider when putting your data in the cloud. However, you must weigh those risks against your current risks; something that many fail to consider.

For example, one concern that many cloud adopters have is administrative access to the hypervisor (i.e. the management plane). In the case of AWS, access is granted to administrators when justified, logged, and audited, and the credentials are revoked when the specific work is completed. This is in sharp contrast to what happens in most traditional data centers, where administrative users generally have access to all data, all the time, regardless of specific need-to-know. In this one area, access to your data is likely controlled better inside AWS than in a traditional data center. On the other hand, this presumption requires an implicit trust of the AWS personnel and key management systems. This is just a single example, however.

Compliance is another issue that AWS and Azure can help with, without much effort at your end. In many cases, moving data to the appropriate cloud services (in the right way) can satisfy a vast majority of your compliance requirements.

In the End, CSPs Are Safer Than You Think

If you’re reading this article, the chances are that you’re a security practitioner and likely very skeptical of the cloud; that’s a good thing! But, anecdotally speaking, it’s exceedingly rare to see a data center secured to standards comparable to those of a major CSP. While certain risks will be inherent to cloud operations (or remote hosting in general), there are other benefits and risk reduction mechanisms that must be weighed into the decision. In the end, it comes down to the larger security strategy, sound architecture and risk-based prioritization.

Attackers DROWN TLS Security with SSLv2 Vulnerabilities

Decrypting RSA using Obsolete and Weakened eNcryption (DROWN) attacks allow attackers to decrypt intercepted Transport Layer Security (TLS) traffic by abusing vulnerabilities in the obsolete Secure Sockets Layer version 2 (SSLv2) protocol. A successful DROWN attack can provide the attacker with the encryption keys used to secure client-to-server communications. The attack works by making repeated connection requests to a server using the deprecated SSLv2 protocol instead of the recommended TLS protocol. Each SSLv2 connection request allows the attacker to decipher a few bits of the encryption key. With enough requests, attackers can piece together the entire encryption key, allowing interception and decryption of TLS-protected traffic encrypted with the same keys.

SSLv2 was deprecated in 1996 due to serious security flaws in its implementation. TLS is the current recommended protocol for protecting client-to-server communications; all versions of SSL have been rendered obsolete by significant security flaws in the protocols. Unfortunately, SSLv2 and SSLv3 are still prevalent due to the need to maintain backward compatibility with legacy systems, the lack of adequate vulnerability management and patching, and most significantly, the lack of proper configuration for public-facing server resources and applications that rely on encrypted client-to-server communications. The most recent estimates indicate that SSLv2 is directly supported by approximately:

  • 5.9 million Web servers (17% of all HTTPS-protected machines)
  • 81,000 of the top 1 million most popular websites
  • 936,000 e-mail servers

Even though SSLv2 has been deprecated for more than 20 years, it is still available as an option for negotiating encryption during client-to-server communications in many applications and servers. Modern applications will attempt to use the more secure TLS protocol, but attackers can manually request SSLv2 from a vulnerable server to force the insecure protocol to be used, giving them the opportunity to conduct a DROWN attack. An attacker that successfully conducts a DROWN attack against a vulnerable server can use the deciphered encryption keys to intercept and decrypt TLS-encrypted network traffic if the same compromised key is used to encrypt the data. This also means that an attacker that successfully uses DROWN on one server could use the compromised keys to decrypt traffic from any other server that uses the same keys. For these reasons, these vulnerabilities should be addressed immediately, or adequate workarounds implemented until vendor patches are made publicly available.

Public-facing servers can be scanned using the free Qualys SSL Labs SSL Server Test to determine if the SSLv2 protocol is available to be used to encrypt communications. The scanner can be found at https://www.ssllabs.com/ssltest/.

Exploitation of these vulnerabilities, and the DROWN attacks that follow, can be prevented by removing SSLv2 support from your servers and then immediately replacing any keys that could have been exposed by successful DROWN attacks, so that future TLS-encrypted communications cannot be intercepted or decrypted by attackers.
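The cross-server key-reuse point above (one SSLv2-enabled server exposes every TLS endpoint sharing its RSA key) and the remove-then-rotate remediation can be turned into an inventory check. The following is an added example, not GuidePoint's or any vendor's tooling; the endpoints, offered protocols and key fingerprints are a constructed inventory, as a scanner such as SSL Labs would report them.

```python
"""Flag TLS endpoints exposed to DROWN directly or through a shared RSA key."""
from collections import defaultdict

# Constructed inventory for illustration (not real hosts or keys): each entry is
# (endpoint, protocols the endpoint offers, fingerprint of its RSA public key).
INVENTORY = [
    ("www.example.test:443",    {"TLSv1.2", "TLSv1.1"},       "spki-A"),
    ("mail.example.test:25",    {"SSLv2", "SSLv3", "TLSv1"},  "spki-A"),  # same key as www
    ("api.example.test:443",    {"TLSv1.2"},                  "spki-B"),
    ("legacy.example.test:443", {"SSLv2", "TLSv1"},           "spki-C"),
]


def drown_exposure(inventory):
    """Return {endpoint: reason} for every endpoint a DROWN attacker could target.

    An endpoint is exposed if it offers SSLv2 itself, or if its RSA key is also
    used by any endpoint that offers SSLv2: the attacker needs only one SSLv2
    oracle per key, so a forgotten mail server exposes the web front end too.
    """
    by_key = defaultdict(list)
    for endpoint, protocols, key in inventory:
        by_key[key].append((endpoint, protocols))

    exposed = {}
    for endpoint, protocols, key in inventory:
        if "SSLv2" in protocols:
            exposed[endpoint] = "offers SSLv2 directly"
            continue
        sslv2_peers = sorted(e for e, p in by_key[key]
                             if "SSLv2" in p and e != endpoint)
        if sslv2_peers:
            exposed[endpoint] = "shares RSA key with SSLv2 endpoint " + ", ".join(sslv2_peers)
    return exposed


def keys_to_rotate(inventory):
    """Keys to replace after SSLv2 is disabled: any key ever reachable over SSLv2."""
    return {key for _, protocols, key in inventory if "SSLv2" in protocols}


if __name__ == "__main__":
    for endpoint, reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{endpoint}: {reason}")
    print("keys to rotate:", sorted(keys_to_rotate(INVENTORY)))
```

Disabling SSLv2 on the flagged endpoints is only half the fix; every key returned by keys_to_rotate must also be replaced, since traffic already captured under it may have been decrypted.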

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, and with offices in Georgia, Massachusetts, Michigan, Minnesota, Missouri, Florida, Texas, and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.