Virtual Security and Compliance Webcast

Recorded last week, go here to register and listen (sorry, the sound is ahead of the slides, I am trying to get that fixed).

Shout out to Tarry and everyone else who participated.

Risk mitigation for virtual infrastructures

Virtualization in the Data Center introduces the following: (skip down below)

	EFFECT	RISK
1.	Flattens infrastructure and networks	Unauthorized network access or communication
2.	Adds new operating system and infrastructure layers	Denial of service and data security breach due to software defects
3.	Collapses roles and increases privilege of administrators	Escalation of privilege, abuse of privilege
4.	Increases transience, mobility and frequency of change within the data center	Misconfiguration, server sprawl and data security breach

1. Virtual machine (VM) hosts, clusters and data centers reduce the logical and physical segmentation of systems and networks. This flattening exacerbates the risk of unauthorized access due to reduced visibility of events on the virtualized network.



Mitigation: implement increased monitoring and access controls for each virtualized access layer and network. Monitoring must correlate virtual infrastructure management, network traffic, security events and validation of intra-VM access control policies.

2. The Hypervisor is a new operating system, which along with hypervisor and virtual infrastructure management tools increases the defect, vulnerability and attack threat surface of the data center.



Mitigation: incorporate all new software and management layers into your vulnerability management system (VMS). The VMS must be mandatory and integrated with automated discovery and validation of virtualized infrastructures.

3. Like the introduction of DBAs for SQL databases and Domain Administrators for Window’s systems, Virtual Administrators have privileges that allow them to bypass existing controls and effectively access underlying systems and data at the hardware layer.



Mitigation: implement compensating controls to log and audit all Virtual Administrator activities. Introduce dual controls and separation of duties for critical functions. You must deploy tools to perform continuous validation of these secondary controls to detect and prevent abuse of privilege. This will also reduce the risk from virtual machine breakout and hyperjacking.


4. Servers are now files. Virtual machine mobility, snapshots, roll-backs and other features of virtualization have magnified the rate of change within the data center. This increase in operational velocity leads to increased risk of configuration error, capacity failures and for a security breach due to incorrect configuration or a lapse of controls.



Mitigation: extend configuration and life-cycle management processes to track virtual machines. These processes must be effective regardless of the mobility and non-linear attributes of virtual machines. Configuration management tools must enforce mandatory controls and support correlation of virtual and physical infrastructure configuration attributes – extending from virtual machine internals to external network access layers. Monitor and audit direct access to virtual machines files at the operating system and storage access layers.

A few Podcasts with Dane Deutch

These were done with a Catbird partner DCS NetLink.

7 Years Later

Public release of PSA's WMD REPORT CARD

Focusing on efforts since 2005, our Report Card gives the government a "C".

"Moving from a D to a C in three years is progress, but not really acceptable progress," Hamilton said.

"What we need now is for the next Administration to commit itself to unwavering dedication to ensure that we capitalize on the progress we've made and push forward to improve and solidify our efforts on all fronts," Gorton said. "Now is the time to turn our resolve into action."

PDF for full report card here.

I've spent the last couple of weeks re-reading the full commission report, and I am struck by how few of their direct recommendations have been implemented. It's possible that the current administration has done more than I know, but here is the focus of the recommendations:

Chapter 13: HOW TO DO IT? A DIFFERENT WAY OF ORGANIZING THE GOVERNMENT

This chapter emphasizes 13 (see below) of the 41 recommendations made by the commission.
Of these 13, two may have been implemented, two others partially implemented, the remaining 9 are incomplete.

Failing on 9 out of 13, I give them an F!

---------------------------

1. Recommendation: We recommend the establishment of a National Counterterrorism Center (NCTC), built on the foundation of the existing Terrorist Threat Integration Center (TTIC). Breaking the older mold of national government organization, this NCTC should be a center for joint operational planning and joint intelligence, staffed by personnel from the various agencies. The head of the NCTC should have authority to evaluate the performance of the people assigned to the Center.

NCTC was established in 2004. Does the head of the NCTC have the authority to evaluate the performance of their personnel?

2. Recommendation: The current position of Director of Central Intelligence should be replaced by a National Intelligence Director with two main areas of responsibility: (1) to oversee national intelligence centers on specific subjects of interest across the U.S. government and (2) to manage the national intelligence program and oversee the agencies that contribute to it.

ODNI established in 2005. Current report card indicates incomplete, why?

3. Recommendation: The CIA Director should emphasize (a) rebuilding the CIA's analytic capabilities; (b) transforming the clandestine service by building its human intelligence capabilities; (c) developing a stronger language program, with high standards and sufficient financial incentives; (d) renewing emphasis on recruiting diversity among operations officers so they can blend more easily in foreign cities; (e) ensuring a seamless relationship between human source collection and signals collection at the operational level; and (f) stressing a better balance between unilateral and liaison operations.

The President issued a memorandum on November 23, 2004. This report from October 2005, reported "some progress." Is there anything more current?

4. Recommendation: Lead responsibility for directing and executing paramilitary operations, whether clandestine or covert, should shift to the Defense Department. There it should be consolidated with the capabilities for training, direction, and execution of such operations already being developed in the Special Operations Command.

Incomplete, this consolidation has not occurred.

5. Recommendation: Finally, to combat the secrecy and complexity we have described, the overall amounts of money being appropriated for national intelligence and to its component agencies should no longer be kept secret. Congress should pass a separate appropriations act for intelligence, defending the broad allocation of how these tens of billions of dollars have been assigned among the varieties of intelligence work.

House Appropriations Select Intelligence Oversight Panel established January 9, 2007.

6. Recommendation: Information procedures should provide incentives for sharing, to restore a better balance between security and shared knowledge.

This is addressed by H.R. 6575, Over-Classification Reduction Act, adopted on September 9, 2008. Currently incomplete pending passage by the Senate and signature of the President.

7. Recommendation: The president should lead the government-wide effort to bring the major national security institutions into the information revolution. He should coordinate the resolution of the legal, policy, and technical issues across agencies to create a "trusted information network."

Incomplete, no indication of implementation beyond studies. Ironically, the Center for Strategic and International Studies may have done this for themselves without the participation of classified networks.

8. Recommendation: Congressional oversight for intelligence-and counterterrorism-is now dysfunctional. Congress should address this problem. We have considered various alternatives: A joint committee on the old model of the Joint Committee on Atomic Energy is one. A single committee in each house of Congress, combining authorizing and appropriating authorities, is another.

Incomplete, no Joint committee comprising members of both House and Senate.

9. Recommendation: Congress should create a single, principal point of oversight and review for homeland security. Congressional leaders are best able to judge what committee should have jurisdiction over this department and its duties. But we believe that Congress does have the obligation to choose one in the House and one in the Senate, and that this committee should be a permanent standing committee with a nonpartisan staff.

Incomplete, DHS still overburdened with too much oversight. This lack of focus wastes resources and probably still leaves oversight gaps.

10. Recommendation: Since a catastrophic attack could occur with little or no notice, we should minimize as much as possible the disruption of national security policymaking during the change of administrations by accelerating the process for national security appointments. We think the process could be improved significantly so transitions can work more effectively and allow new officials to assume their new responsibilities as quickly as possible.

Incomplete, no sign that these procedural recommendations have been implemented.

11. Recommendation: A specialized and integrated national security workforce should be established at the FBI consisting of agents, analysts, linguists, and surveillance specialists who are recruited, trained, rewarded, and retained to ensure the development of an institutional culture imbued with a deep expertise in intelligence and national security.

The President issued a memorandum on November 23, 2004. Has it been implemented?

12. Recommendation: The Department of Defense and its oversight committees should regularly assess the adequacy of Northern Command's strategies and planning to defend the United States against military threats to the homeland.

Incomplete, as of April, 2008 the "GAO making several recommendations to DOD to direct NORTHCOM to take actions to address the challenges it faces in its planning and interagency coordination efforts."

13. Recommendation: The Department of Homeland Security and its oversight committees should regularly assess the types of threats the country faces to determine (a) the adequacy of the government's plans-and the progress against those plans-to protect America's critical infrastructure and (b) the readiness of the government to respond to the threats that the United States might face.

Incomplete, as stated above too many committees is more likely to lead to a failure of oversight and assessment rather than to a successful assessment and response.

Flash parties, flash crowds, now we have "flash dump"

Panic ensued, as they say, and United Airlines stock price plummeted 75 percent (down from $12.30 to $3 a share) before someone realized it was an old news story and things righted themselves. The stock rebounded to $10.92 a share by Monday's closing. But not before United Airlines contacted the Sun Sentinel and demanded the newspaper retract its (6-year-old) story.

I wonder how long before we see the Google spider being intentionally manipulated?

With web 2.0 there wouldn't even be a human brain in the publishing loop.

PCI compliant but still hacked

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.

Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks," she said.

It looks to me like Hannaford made the mistake of allowing "multi-level access" in a "single level" network. Servers that handle payment card data must be prevented from access to an unauthorized network or end-point.

These servers and the processors they communicate with should have been in a "PCI trust zone." All other systems would have been in an "untrusted zone." Then it would be a simple matter for IDP/NAC appliance to detect and prevent this type of breach.

Virtualization Security Getting Some Attention

My response to "Who Owns Virtualization Security" blog:

Virtualization absolutely presents us with the possibility of avoiding past mistakes and making virtual infrastructure (VI) more secure than the physical infrastructure it replaces.

Why?

1. Virtual security appliances and hypervisor APIs have made it possible for us to build security into the VI fabric at all layers.
2. The virtualization platforms give us the tools to automate deployment of primary controls, secondary controls and separation of duties throughout the virtual data center.
3. Virtualization means we can simplify security management and make true defense-in-depth affordable for everyone.
4. Secure hypervisors, their APIs and the right application of security smarts means we can build agent-less security that protects against rootkits, spyware and almost all forms of malware.
5. Virtual security appliances allow us not only to write good security policy but also to automatically enforce policy and provide continuous compliance auditing for the VI.
6. All of the above means, we can create tools for secure life-cycle, trust zones, trusted data paths and secure management in ways never possible with physical infrastructure.

We (as vendors) have a responsibility to educate the IT community to the myths and realities of VI security. The platform OEMs must recognize that simply saying virtual is more secure than physical – is a disservice to all of their customers. Then, when the manufacturers provide the security community the tools and support we need _and_ intelligently inform the market about real risks, then, and only then can we make virtual more secure than physical.

(more to come)