Category Archives: Security Posts

PCI-DSS Compliance in the Cloud – Top five recommendations to ensure smooth sailing

PCI-DSS (Payment Card Industry Data Security Standard) is the standard that applies to any organization that processes, transmits or stores payment card data. I won’t go into the rudiments of PCI-DSS, as they are well covered in many articles across the Internet. The whole idea of this post is to lay out the key considerations for implementing PCI-DSS in a public cloud.

Here are my top five recommendations from my experience implementing cloud ecosystems for financial institutions. They are based on PCI-DSS v3.2.

Recommendation 1: Restrict Access. Just IAM isn’t enough; segmentation is the key.

PCI compliance requirements entail that access to cardholder data and the systems that store it is limited to those who need it (Requirement 7). Access can be limited with IAM, but IAM alone is not enough. As a leading practice, segment your production environment from the test, QA and development environments. Prevention is the key: when VPC- or VNet-based segmentation is augmented by IAM controls, no unintended audience gets access even if one of the two layers is misconfigured. It is really important to make sure that your IAM user and role policies allow users in your environment to do only what they need to do, scoped to the resources and network paths of the cardholder data environment (CDE) rather than granted with wildcards.
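As an added example (mine, not from the original post), here is a small Python check of the kind a reviewer can run over IAM policy documents before they reach a CDE account. It flags Allow statements with wildcard actions or resources and, as an opinionated segmentation check, statements that carry no network condition (aws:SourceVpc, aws:SourceVpce or aws:SourceIp). The two policies, the bucket name and the VPC id are constructed placeholders; note that aws:SourceVpc only applies to requests that arrive through a VPC endpoint, so it fits S3 access from inside the CDE and is not a general-purpose key.

```python
import json

# Constructed sample policies (not from the original post); the bucket name
# and VPC id are illustrative placeholders.
LAX_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}
  ]
}
""")

TIGHT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-cde-prod-bucket/*",
      "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

NETWORK_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, finding) pairs for Allow statements that grant
    more than a least-privilege, segment-scoped policy should.  Deny
    statements only narrow access, so they are skipped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action: every API call in the service"))
        if any(r == "*" for r in resources):
            findings.append((i, "wildcard resource: not scoped to CDE resources"))
        # Condition is {operator: {key: value}}; collect the condition keys.
        condition_keys = {key for clause in stmt.get("Condition", {}).values()
                          for key in clause}
        if not condition_keys & NETWORK_KEYS:
            findings.append((i, "no network condition: usable from outside the CDE segment"))
    return findings


def is_least_privilege(policy):
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_policy(policy))
```

The lax policy is flagged three times per statement; the tight one passes because its single Allow names the actions, the bucket and the VPC the request must come from, and its Deny refuses plaintext transport outright.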

Recommendation 2: Leverage More than Native Cloud Security. Multiple VPC/VNet-based segments complemented by ISV products for advanced security controls.

PCI-DSS requires that cardholder data is secured and that the CDE is isolated from untrusted networks (Requirement 1). The best way is to keep this data in private subnet(s) that are not directly reachable from the Internet. The combination of security groups (stateful, allow-only, attached to the instance) and network access control lists (stateless, ordered allow/deny rules attached to the subnet) is an effective way to ensure that only traffic that is intended to get in or out actually gets in or out. Additionally, leveraging advanced security controls is beneficial to get more visibility inside the cloud. For example, deploying ISV firewalls at the perimeter of VPCs/VNets can give a lot of threat prevention and DLP coverage that cloud-native security does not offer. Moreover, the logs from ISV firewalls can be used for threat monitoring as well as incident response.
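An added example (mine, not the post’s) that models how the two native layers decide on an inbound packet, so a rule set can be tested before it is deployed. It assumes the AWS semantics: NACL rules are evaluated in ascending rule number, the first match wins and an implicit final rule denies; security groups are stateful and allow-only. The subnet layout (10.0.1.0/24 application tier, a private database subnet behind it), ports and rule numbers are constructed, and only ingress is modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; evaluated lowest first (ignored for SG rules)
    action: str      # "allow" or "deny" (security group rules are allow-only)
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range for an ingress rule
    port_to: int
    cidr: str        # source CIDR


def _matches(rule, proto, dst_port, src_ip):
    return (rule.protocol in ("all", proto)
            and rule.port_from <= dst_port <= rule.port_to
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules, proto, dst_port, src_ip):
    """Stateless subnet ACL: the lowest-numbered matching rule decides, and the
    implicit final '*' rule denies anything that matched no rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, dst_port, src_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, proto, dst_port, src_ip):
    """Stateful instance firewall: allow-only, any matching rule permits."""
    return any(_matches(rule, proto, dst_port, src_ip) for rule in rules)


def ingress_allowed(nacl_rules, sg_rules, proto, dst_port, src_ip):
    """Inbound traffic has to pass the subnet NACL and then the instance SG."""
    return (nacl_allows(nacl_rules, proto, dst_port, src_ip)
            and sg_allows(sg_rules, proto, dst_port, src_ip))


# Constructed rule sets for a private database subnet holding cardholder data.
APP_TIER = "10.0.1.0/24"   # assumed application tier subnet
ANYWHERE = "0.0.0.0/0"

DB_NACL_INGRESS = [
    Rule(100, "allow", "tcp", 3306, 3306, APP_TIER),
    Rule(200, "deny", "all", 0, 65535, ANYWHERE),   # explicit; same effect as the implicit '*'
]
DB_SG_INGRESS = [Rule(0, "allow", "tcp", 3306, 3306, APP_TIER)]

# Common mistake: a low-numbered deny-all shadows every later allow rule.
SHADOWED_NACL = [Rule(50, "deny", "all", 0, 65535, ANYWHERE)] + DB_NACL_INGRESS

# Defence in depth: even a wide-open NACL is caught by the security group.
OPEN_NACL = [Rule(100, "allow", "all", 0, 65535, ANYWHERE)]


def check_db_tier():
    """A few probes against the constructed rule sets; returns probe -> allowed."""
    return {
        "app_to_db_mysql": ingress_allowed(DB_NACL_INGRESS, DB_SG_INGRESS, "tcp", 3306, "10.0.1.25"),
        "internet_to_db_mysql": ingress_allowed(DB_NACL_INGRESS, DB_SG_INGRESS, "tcp", 3306, "203.0.113.9"),
        "app_to_db_ssh": ingress_allowed(DB_NACL_INGRESS, DB_SG_INGRESS, "tcp", 22, "10.0.1.25"),
        "shadowed_nacl": ingress_allowed(SHADOWED_NACL, DB_SG_INGRESS, "tcp", 3306, "10.0.1.25"),
        "open_nacl_sg_holds": ingress_allowed(OPEN_NACL, DB_SG_INGRESS, "tcp", 3306, "203.0.113.9"),
    }


if __name__ == "__main__":
    for probe, allowed in check_db_tier().items():
        print(f"{probe:22s} {'ALLOW' if allowed else 'deny'}")
```

Two things the probes make visible: the shadowed NACL silently breaks the application tier because rule 50 is evaluated before rule 100, and the open NACL is still stopped by the security group. Because NACLs are stateless, the database subnet also needs an egress rule for the ephemeral port range back to the application tier or the replies never leave; the stateful security group needs no such rule.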

Recommendation 3: Encrypt Data in Transit. Data security is paramount, even more so in transit.

Data in transit is susceptible to attacks from within and outside an organization. An absolute requirement (Requirement 4) is to encrypt cardholder data over open, public networks, using a site-to-site VPN or TLS. Make sure that the configuration allows only strong protocols and cipher suites: SSLv3 and TLS 1.0 (“SSL and early TLS” in PCI-DSS terms) must be disabled, and PCI-DSS 3.2 set June 30, 2018 as the deadline for migrating off them, so TLS 1.2 or later with forward-secret, AEAD cipher suites is the target. It is also important to decide where to terminate incoming TLS streams, i.e. at the ELB or at the web servers. This depends on the environment, but a typical scheme is that a large setup sitting behind external/elastic load balancers terminates TLS at the load balancer, while a small set of servers terminates it on the servers themselves. Whether firewalls or threat-prevention systems need to inspect the decrypted stream will lead you to one or the other decision; either way, re-encrypt between the load balancer and the back end if that hop crosses a network you do not fully trust.
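An added example (not from the post) using Python’s ssl module to build a server context that meets the bar above and to audit a context’s enabled cipher list the way a PCI scan would: weak primitives, RSA key exchange without forward secrecy, and CBC suites. The lax context is constructed to show what gets flagged, the certificate paths are assumed, and the audit keys off cipher names because those are stable across OpenSSL versions.

```python
import ssl

# Substrings that mark a suite a scanner will fail outright.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "PSK", "SRP")


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2 and later only, AEAD suites with ECDHE forward secrecy.  TLS 1.3
    suites are always enabled and need no entry in the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
    if certfile:  # assumed paths; omitted here so the example runs offline
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def lax_server_context():
    """Constructed 'as found' listener: the protocol floor is left at the library
    default and the cipher list still carries RSA key exchange and CBC suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES256-SHA")
    return ctx


def cipher_findings(ctx):
    """Return (cipher name, reason) for every enabled pre-1.3 suite a PCI scan
    would flag.  TLS 1.3 suites are skipped: they are AEAD with ephemeral key
    exchange by design."""
    findings = []
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["protocol"] == "TLSv1.3" or name.startswith("TLS_"):
            continue
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append((name, "weak primitive"))
        elif not name.startswith(("ECDHE-", "DHE-")):
            findings.append((name, "no forward secrecy"))
        elif "GCM" not in name and "CHACHA20" not in name and "CCM" not in name:
            findings.append((name, "CBC mode"))
    return findings


def protocol_floor_ok(ctx):
    """SSLv3, TLS 1.0 and TLS 1.1 must be off the table."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()), ("lax", lax_server_context())):
        print(label, "floor ok:", protocol_floor_ok(ctx), "findings:", cipher_findings(ctx))
```

Run the audit against whichever end terminates TLS: with termination at the load balancer, the listener policy there is what the scan sees, and the same checks apply again to the back-end listener if the load balancer re-encrypts.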

Recommendation 4: Patching and Vulnerability Management. Both go hand in hand.

Making changes first in a staging environment and testing patches on a regular cadence helps avoid the usual issues and pitfalls of vulnerability management. Patching does not end at the operating-system layer; application patches matter too. Once testing is complete, roll the patches out to production during a maintenance window. For example, you come across new POS software that needs to be patched, and the application at the back end needs patching as well. You cannot wait forever: PCI-DSS 3.2 Requirement 6.2 mandates that critical security patches are installed within one month of release, and Requirement 6.1 requires a process that risk-ranks newly discovered vulnerabilities (for example high, medium, low) so that the critical ones are handled outside the routine cycle. Besides patching, there is vulnerability scanning of your web servers and other applications, which must be done on a regular basis: to be precise, internal and external scans at least quarterly and after any significant change in the network (Requirement 11.2), with the external scans performed by an Approved Scanning Vendor (ASV), plus penetration testing at least annually (Requirement 11.3).
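An added example, not from the post, that turns the numbers above into a small patch-SLA check you can run over an inventory export: a risk ranking for Requirement 6.1 (here CVSS plus “public exploit” and “Internet-facing” modifiers, which is one reasonable ranking rather than the standard’s), the one-month deadline for critical patches from Requirement 6.2, and the quarterly scan cadence from Requirement 11.2. The non-critical deadlines, the hosts and the findings are constructed.

```python
from datetime import date, timedelta

# Deadlines in days.  Only the critical value is fixed by PCI DSS 6.2 (one
# month); the others are an assumed organisational policy.
DEADLINE_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}


def risk_rank(cvss, exploit_public, internet_facing):
    """One way to meet Requirement 6.1's risk ranking: CVSS base score, bumped
    to critical when a public exploit exists or the host is Internet-facing."""
    if cvss >= 9.0 or (cvss >= 7.0 and (exploit_public or internet_facing)):
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def patch_deadline(released, rank):
    return released + timedelta(days=DEADLINE_DAYS[rank])


def overdue(findings, today):
    """Return (host, patch, days late) for every finding whose deadline passed
    without the patch installed, or whose patch was installed late."""
    late = []
    for f in findings:
        rank = risk_rank(f["cvss"], f["exploit_public"], f["internet_facing"])
        due = patch_deadline(f["released"], rank)
        installed = f.get("installed")
        if installed is None and today > due:
            late.append((f["host"], f["patch"], (today - due).days))
        elif installed is not None and installed > due:
            late.append((f["host"], f["patch"], (installed - due).days))
    return late


def next_scan_due(last_scan, significant_change=None):
    """Requirement 11.2: at least quarterly, and again after any significant change."""
    quarterly = last_scan + timedelta(days=90)
    if significant_change is not None and significant_change < quarterly:
        return significant_change
    return quarterly


# Constructed inventory rows; hosts and patch names are placeholders.
SAMPLE_FINDINGS = [
    {"host": "pos-01", "patch": "POS app 4.2.1", "released": date(2018, 4, 2),
     "cvss": 9.8, "exploit_public": True, "internet_facing": False, "installed": None},
    {"host": "web-03", "patch": "web tier OS update", "released": date(2018, 5, 20),
     "cvss": 6.5, "exploit_public": False, "internet_facing": True, "installed": None},
    {"host": "db-02", "patch": "DB engine 12.3", "released": date(2018, 5, 1),
     "cvss": 7.5, "exploit_public": False, "internet_facing": False,
     "installed": date(2018, 6, 5)},
]


if __name__ == "__main__":
    for row in overdue(SAMPLE_FINDINGS, date(2018, 6, 24)):
        print("OVERDUE", *row)
    print("next scan due", next_scan_due(date(2018, 3, 1)))
```

The point of keeping the ranking and the deadlines in one place is that an auditor asks for exactly that: the documented ranking process and evidence that the critical deadline was met for each finding.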

Recommendation 5: Secure Your Systems and Apps. Secure development is key, and let’s not forget logging.

While developing applications for a PCI environment, it is common to follow the OWASP Top 10 and the other guidelines from the Open Web Application Security Project (OWASP); Requirement 6.5 explicitly expects developers to be trained in, and to code against, these common vulnerability classes. Secure development and deployment leveraging OWASP is key to not getting hacked (easily). Besides secure development, there are some nifty logging services offered by AWS and Azure that help secure your applications and satisfy the audit-trail expectations of Requirement 10. For AWS, logging services such as CloudTrail, ELB access logging and S3 access logging help identify the sources of changes in your cloud environment and offer an audit trail. On the Azure side, Activity Logs, Azure Diagnostic Logs, Azure AD reporting, and Virtual Machine and Cloud Services diagnostics are some of the logging services offered. These services allow you to understand if and when changes are made to your environment and enable you to spot any discrepancies; the logs are only useful, however, if they are shipped to a store the changed account cannot tamper with and someone actually reviews them.
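An added example (not from the post) of the kind of first-pass triage you would run over CloudTrail records once they are collected: it ignores read-only calls, escalates anything that tampers with the trail itself or opens a security group to the world, flags administrative IAM grants, and marks other changes as worth a look when they fall outside an assumed maintenance window. The records are constructed and the user names, IPs and resource ids are placeholders; the Azure logs mentioned above have different schemas, but the same logic applies.

```python
from datetime import datetime, time

# Constructed CloudTrail-style records (a subset of the real schema); the user
# names, IPs and resource ids are placeholders and none of this happened.
SAMPLE_EVENTS = [
    {"eventTime": "2018-06-20T02:14:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "ops-jane"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890",
                           "ipPermissions": {"items": [{"ipProtocol": "tcp",
                                                        "fromPort": 3306, "toPort": 3306,
                                                        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2018-06-20T02:20:41Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"userName": "ops-jane"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "cde-trail"}},
    {"eventTime": "2018-06-20T23:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"userName": "admin-bob"},
     "sourceIPAddress": "198.51.100.12",
     "requestParameters": {"userName": "contractor-1",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2018-06-21T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "ops-jane"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventTime": "2018-06-21T23:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"userName": "ops-jane"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"instanceType": "t2.micro"}},
    {"eventTime": "2018-06-22T14:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "userIdentity": {"userName": "ops-jane"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"publiclyAccessible": True}},
]

# Assumed change window, UTC.  Changes outside it deserve a second look.
MAINTENANCE_WINDOW = (time(23, 0), time(23, 59, 59))
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _values(obj, key):
    """Yield every value stored under `key` anywhere in a nested structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _values(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _values(item, key)


def in_maintenance_window(ts):
    return MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]


def triage_events(events):
    """Return (severity, eventTime, user, message) for every change event."""
    alerts = []
    for ev in events:
        name = ev["eventName"]
        if name.startswith(READ_ONLY_PREFIXES):
            continue  # reads stay in the trail for forensics but are not alerted on
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        if ev["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("critical", ev["eventTime"], user, f"{name}: audit trail tampering"))
        elif name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in _values(params, "cidrIp"):
            alerts.append(("critical", ev["eventTime"], user, f"{name}: security group opened to the Internet"))
        elif ev["eventSource"] == "iam.amazonaws.com" and ADMIN_POLICY in _values(params, "policyArn"):
            alerts.append(("high", ev["eventTime"], user, f"{name}: AdministratorAccess granted"))
        elif not in_maintenance_window(ts):
            alerts.append(("medium", ev["eventTime"], user, f"{name}: change outside maintenance window"))
        else:
            alerts.append(("info", ev["eventTime"], user, f"{name}: change inside maintenance window"))
    return alerts


if __name__ == "__main__":
    for severity, when, user, message in triage_events(SAMPLE_EVENTS):
        print(f"[{severity:8s}] {when} {user:12s} {message}")
```

The StopLogging record is the one to treat as an incident on its own: an attacker who can switch the trail off gets to choose what the audit trail says, which is why the trail should write to a bucket in a separate account that the workload account cannot modify.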

This is by no means a comprehensive list of recommendations, security controls or services that may be used with your cloud implementation for PCI-DSS environments. It is just a short list of the most viable, and possibly most critical, services and controls that you would want to enable or deploy for your cloud setup.

Give a thumbs up if you like this article and if these recommendations are useful to you. Comments and feedback – most welcome.

Posted on June 24, 2018 in Clouds and More

I don’t ‘Wanna Cry’ – And that’s for a fact!

So, there has been a rant about the Windows vulnerability and un-patched systems being exploited by Wanna Decryptor. Well, some of that is supposedly the user’s fault (why click on something when you are not sure what it is) and some of it is the fault of the way the ransomware has been described in the wild. Why the latter, you may ask? Simply because there has been a lot of hoax and noise about what seems to be yet another ransomware attack, only this time it is tied to a vulnerability that would already have been fixed had users updated Windows.

Apart from the noise, here are some facts and findings pertinent to this specific ransomware.

The malware itself: the Wanna Decryptor (WannaCry, wncry) ransomware spreads with an exploit reported to have been developed by the NSA: EternalBlue, which targets the SMBv1 vulnerability fixed by MS17-010. The exploit was leaked in April 2017 by a group calling itself the Shadow Brokers. A public re-implementation of the exploit (not the ransomware itself) can be found at https://github.com/RiskSense-Ops/MS17-010

Delivery: early reports described the malware as a Trojan delivered through a loaded hyperlink that a victim opens from an email, an advert on a web page or a Dropbox link. The speed of the outbreak, however, came from its worm component, which needs no user interaction at all: it exploits the SMBv1 flaw over TCP port 445 on any reachable, unpatched Windows host and installs the ransomware there.

Activation and exploit: once wncry is activated, the ransomware encrypts the user’s files (renaming them with a .WNCRY extension). Once the files have been encrypted, wncry deletes the originals and the Volume Shadow Copies, so local recovery is not possible, and delivers a ransom note in the form of a read-me text file. Moreover, it changes the victim’s desktop wallpaper to a message demanding payment to return the files.

The specifics: wncry drops and modifies files under C:\Windows and C:\Windows\System32, installs itself as a service so that it survives a reboot, and scans the local network (and random Internet addresses) for other hosts exposing SMB on port 445 to infect.

Mitigation: apply the MS17-010 update, disable SMBv1 where it is not needed, block TCP port 445 from the Internet and between workstation subnets, use the latest AV definitions and personal/corporate firewalls, and don’t click on anything that doesn’t sound right.
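As an added example (mine, not the post’s), here is the detection side of the specifics above: a worm that exploits MS17-010 has to reach many hosts on TCP 445 in a short time, so a single source contacting an unusual number of distinct destinations on 445 within a minute stands out in firewall or flow logs, whether or not the attempts were blocked. The log format and the traffic are constructed; real firewall logs need their own parser, but the counting is the same.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build a small constructed log: '<ISO time> <src> <dst> <dst_port> <action>'.
    10.0.5.17 sweeps its /24 neighbours on 445 (the worm pattern); the rest is
    ordinary file-share and HTTPS traffic."""
    lines = []
    for i, host in enumerate(range(18, 32)):           # 14 neighbours in 4 seconds
        action = "deny" if host % 5 == 0 else "allow"  # some hosts are firewalled
        lines.append(f"2017-05-12T10:01:{i // 4:02d}Z 10.0.5.17 10.0.5.{host} 445 {action}")
    lines.append("2017-05-12T10:01:40Z 10.0.5.17 203.0.113.44 445 deny")  # random Internet target
    lines.append("2017-05-12T10:02:00Z 10.0.5.40 10.0.5.1 445 allow")      # normal file server use
    lines.append("2017-05-12T10:02:10Z 10.0.5.40 10.0.5.1 445 allow")
    lines.append("2017-05-12T10:03:00Z 10.0.5.41 10.0.5.2 443 allow")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse(log_text):
    """Yield (timestamp, src, dst, dst_port, action) per non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action


def smb_scanners(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {source: peak distinct destinations} for sources that contacted
    at least `threshold` distinct hosts on TCP/445 inside any `window`.
    Denied attempts count too: a blocked sweep is still evidence of infection."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _action in parse(log_text):
        if port == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _dst) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in smb_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {count} distinct hosts on 445 within 60s: isolate it and check MS17-010")
```

The threshold is deliberately low: a normal workstation talks to one or two file servers on 445, so ten distinct targets inside a minute is already far outside normal. A host that trips this rule should be isolated first and examined afterwards, because the same sweep is what is infecting the rest of the subnet.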

Repercussion: a $300 ransom (payable in Bitcoin, and doubling after three days) to decrypt your data, with no guarantee that the files come back.

Story from Microsoft: Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch, which was released on March 14, 2017, a month before the Shadow Brokers leak. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities before the outbreak. It did, however, take the unusual step of publishing the fix for unsupported versions such as Windows XP and Windows Server 2003 once the outbreak started. Either way, here’s the location of the security update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Summarizing: this is a big outbreak, and getting to know the malware before running into it serves you well. Patch your Windows machines, make sure the AV signatures are updated, and above all, don’t click on anything unintended or unaccounted for.

Posted on May 15, 2017 in Security Posts

Good Friday Just Became Better – With My CCSK Certification!

Holy Moly – the sweet taste of achieving the much coveted certification in the course of furthering my cyber security journey. Aced the exam with a strong 90%. I now hold the Certificate of Cloud Security Knowledge (CCSK). My Good Friday just became a whole lot better!!!

It’s been some time that I’ve been dragging my feet, and I finally decided to sit the CCSK exam. I’ve been busy with authoring and mentoring (cannot really complain, as it’s my passion), hence the delay. Like they say, better late than never!!

In the following sections I’ve shared my experience, my preparation, and insights and details on the certification exam. Hope these get you to your own CCSK summit.

The exam itself – This exam has been around for some time now, and I took v3.0 (v2.1 is also available but hey, latest is greatest, right?). CCSK is a pretty comprehensive exam. It covers all the bases (and more) of security from a Cloud Service Provider (CSP) and a cloud consumer perspective, and then some. It also addresses domains that are usually blind spots, for example cloud risk management, vendor management, supply chain management and the like.

The insights to the exam – The exam can be daunting if you have little to no security experience, and especially if you come in with minimal experience across the topics it covers: virtualization, security controls, risk management, physical security and traditional data centre operations. The exam consists of 60 questions, multiple choice and true/false, to be completed in 90 minutes. It is an open-book, take-anywhere exam; however, that doesn’t diminish its importance at all. In fact, it takes a lot of time to understand the subjects and topics and then be prepared for the exam itself. It’s the journey in this matter that’s much more valuable than the result.

My experience during the exam – I completed the first pass in about 30-35 minutes (of the allocated 90) and marked all questions for a second pass (yes, you can mark questions for review and come back to them). I finally submitted the questions for grading around the 45-50 minute mark and passed with 90% (80% is the minimum score to pass), and that calls for a jolly moment!

The preparation – For the prep I used the two documents (both available here: https://ccsk.cloudsecurityalliance.org/index.html), i.e.

  1. Cloud Security Guidance https://cloudsecurityalliance.org/research/security-guidance/
  2. ENISA Cloud Risk Assessment Report: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport

These two documents cover all the bases in terms of questions. Just a thorough read and you should be fine. One of my dear old friends (who happens to be a security geek as well), Sumanta Bhattacharya, helped me by brainstorming on the topics and coming out with logical and conclusive derivations.

Summarizing – This is a must-do certification for security practitioners and professionals who intend to, or currently, engage with the cloud. An excellent certification that pushes a person beyond their scope of thinking in the context of cloud, and so much more.

Posted on April 15, 2017 in Cyber Security, Security Posts

Ransomware as a Service – It’s as real as it gets!

The world of information technology is changing rapidly. So much so that you can now get your hands on a service that builds ransomware for you and pays a commission-based return on the machines it hijacks. Yes, that’s true.

Here’s an excerpt from an ‘underground’ forum:


Satan is a free to use ransomware kit, you only need to register on the site to start making your viruses. Satan only requires a user name and password to create an account, although, if you wish, you can set a public key for two-factor authentication.
Satan has an initial fee of 30% over the victim’s payment, however, this fee will get lower as you get more infections and payments. All of the user transactions are covered by the server, you’ll always get what the victim paid, minus the fee of course.

When creating your malware you can specify the ransom value (in bitcoins), a multiplier for the ransom after X days have passed, the number of days after the multiplier takes place, a private note so you can keep track of your victims.
Satan is free. You just have to register on the site.
Satan is very easy to deploy, you can create your ransomware in less than a minute.
Satan uses TOR and Bitcoin for anonymity.
Satan’s executable is only 170kb.

If English is not your first language or you speak a second language you can translate the ransom notes to help your victims understand better what is happening.
In case you’re looking for a way to spread the ransomware, there is a droppers page, where you can generate a crude code for a Microsoft Word macro and CHM file.

If you have any problem with the ransomware, you can report it using the leftmost button on the malwares table. The middle blue button is used to update the malware to a newer version, if available, and the green one is used to edit your malware configuration.


All in all, this is a big step forward in luring in and incubating talent for the ‘anti-security’ profession, aka hackers, attackers, and the list goes on.

The humorous part is that the way this has been publicized is much, much better than any security vendor’s product or service offering in terms of marketing the packaged product. And it’s an excellent business model for the provider, as it not only recoups their current investment but takes it a notch up and feeds the revenue from the exploits into the next iteration of R&D.

Posted on February 7, 2017 in Security Posts