Security Software & Tools Tips – February 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen the following:
* IBM QRadar
* Snyk
* Haven
* HashiCorp Vault
* Nikto

IBM QRadar

Information from the IBM QRadar website:

QRadar Community Edition is a free version of QRadar that is based off of our core enterprise SIEM. Users, students, security professionals, and app developers are encouraged to download QRadar Community Edition to learn and become familiar with QRadar.

Website:

https://developer.ibm.com/qradar/ce/

Snyk

Information from the Snyk website:

A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.

Website:

https://snyk.io/

Haven

Information from the Haven website:

Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy. It is an Android application that leverages on-device sensors to provide monitoring and protection of physical spaces. Haven turns any Android phone into a motion, sound, vibration and light detector, watching for unexpected guests and unwanted intruders. We designed Haven for investigative journalists, human rights defenders, and people at risk of forced disappearance to create a new kind of herd immunity. By combining the array of sensors found in any smartphone, with the world’s most secure communications technologies, like Signal and Tor, Haven prevents the worst kind of people from silencing citizens without getting caught in the act.

Website:

https://guardianproject.github.io/haven/

HashiCorp Vault

Information from the HashiCorp Vault website:

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

Website:

https://www.vaultproject.io/

Nikto

Information from the Nikto website:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Website:

https://cirt.net/Nikto2

Photo by MILKOVÍ on Unsplash

Microsoft IIS DoS, patch install not enough

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Microsoft announced a bug in Internet Information Services (IIS) where malicious HTTP/2 packets would consume 100% CPU until the service is restarted. Microsoft has published patches that allow an IIS administrator to mitigate this vulnerability, but they do not define any sane default values for the thresholds in question, so installing the patch by itself is not enough. The patch only enables the options for setting threshold values; it does not set them. Luckily this is only an attack on availability, a so-called Denial of Service (DoS) attack, so you will know when you are being attacked and when the attack is over. It does not affect the confidentiality of stored data or the integrity of the published website.


Top 5 Security News


Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

On November 30, 2018, nccgroup disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These stem from vulnerabilities found back in August 2018 in several TLS libraries.


Top 5 Security News

Multi-factor authentication time?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

With billions of user credentials being freely distributed online it’s high time to implement multi-factor authentication as the default way to authenticate.

Wired has written an article about the magnitude of leaks:

”Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all.”


Top 5 Security News

How to improve control and save cost with Service Organization Controls (SOC) reports.

All types of outsourcing of IT services, whether to a local service provider or a global hyperscale cloud provider, have this in common: you can outsource a business process, but you cannot outsource the ownership of your business’s risk.

That is why most companies that outsource must find ways to ensure their service providers are performing according to the rules, the standards and the laws that your business requires.

Traditionally, the way this works is that companies include “right-to-audit” clauses in their contracts with the service providers. Then, typically once a year, this right is exercised by having IT auditors visit the service provider to take a closer look at their set-up, the services they provide, the sites, infrastructure, operational processes, system support and people.

In today’s hybrid, complex and distributed IT world, on-site audits are only able to focus on a very limited set of controls, or they will be extremely time-consuming and expensive. As the contracting party, you normally must cover expenses for IT auditors, your own staff that spends time on preparing, attending and interpreting findings, as well as paying your service provider for the time they spend.

Most of the time, due to time and cost constraints, such audits only scratch the surface at the service provider.

So, what should you do to satisfy your own or your auditor’s need to get assurance that the services are provided in accordance with your security requirements, and with a quality of service that reduces your risk?

Let us introduce Third Party Attestation Reporting (SOC reports)

What is it?

Service Organization Controls (SOC) reports are prepared and issued by an independent auditing company and include descriptions of the service organization’s internal security controls, as well as the auditor’s assessment of the suitability and effectiveness of those controls. The full and unedited reports are distributed to the service organization’s customers and their auditors.

Report types and intended use

There are several types of reporting standards:

  • ISAE3402 / SOC1. This primarily covers internal controls relevant to financial reporting, with the purpose of compliance with laws and regulations. The intended users of these reports are the customer’s management and their auditors.
  • SOC2. This reports on internal controls related to general Information Security, Availability and Confidentiality. For each of these domains the control objectives are predefined by the standard. Intended users are the customer’s management, Information Security Managers and regulators.
  • SOC3. These are less detailed reports, usually an executive summary of a SOC2 report. As these reports disclose fewer details, they are also typically made generally available, for instance through the service provider’s website.

SOC1 and SOC2 both come in Type I and Type II.

Type I reports are point-in-time based, as they only focus on how the security controls have been defined and implemented by the service organization at the time of the audit.

Type II reports, however, assess and validate both the suitability of the controls (that the controls are defined and implemented in a way that meets the control objectives) and their effectiveness (that the controls are consistently used by the service organization). To prove the latter, the auditor performs randomized sampling and collects evidence from the entire reporting period, typically one calendar year.

What makes this different from ISO certifications?

There is a great deal of overlap between the Information Security Management standard ISO27001 and SOC attestation reports. The ISO standard, however, allows companies to define their own scope and their own benchmarks (security policies and goals). So, for anyone to accept a service provider’s ISO27001 certification as evidence that the provider fulfills your security requirements, you at least need to understand the scope and the security policies the certification is based on and check that they match your needs.

ISO audit reports are generally not available to anyone other than the audited party. Customers may be provided the actual certificate, perhaps a copy of the security policies, and a document explaining the scope of the audited management system, but organizations are usually not allowed to distribute the full audit report.

For an ISAE3402 or SOC2 report, however, you get full insight into all parts of these very comprehensive reports. Among other things, the reports include both the organization’s management statements and descriptions of their security controls, as well as the independent auditor’s test procedures, test results and findings.

Note that SOC reports are not certifications as such, but rather compliance reports produced by an independent auditor.

The main benefits

Getting the appropriate SOC report from your service provider gives you the following benefits:

  • Save cost on performing your own audits. Such audits will no longer be required, or will at least need a much-decreased scope.
  • Get the full picture. As the reports are based on samples from the full (12-month) reporting period, they cover a lot more than you will be able to assess in customer-specific audits.
  • Leverage these reports in your own audit and reporting. As these reports are based on internationally recognized standards, your auditors can easily make use of them directly.
  • Get insight into your service provider’s security controls. The reports include the service provider’s description of the control environment, processes and the individual controls.
  • Get verification of control effectiveness. This enables you to assess whether the service provider’s regular control effectiveness is satisfactory, and where you should focus your improvement efforts.

Win-Win strategy

Even the service provider will benefit from this, as the number of audits will be reduced, and the actual auditing more coordinated and efficient. This eventually should result in lower compliance cost, which should benefit all parties.

The next time you are reviewing the security compliance of your service provider, or the next time you select an outsourcing partner, check if you can get access to their SOC reports. That will give you better control at a lower cost. That is what we all want, right?

Find out more about Service Organization Controls HERE


Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within mobile communications and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support people and organizations, and he believes that policies, technology and processes are here to help, not to stop, organizations, and to enable innovation. His motto is “systematic work, always works”.

Esten Hoel, SVP Security and Compliance, Basefarm


Unprotected Government Server Exposes Years of FBI Investigations

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

”A massive government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files.

The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password.”


Top 5 Security News

Give Up the Ghost: A Backdoor by Another Name

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars. In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, two of Britain’s top spooks introduced what they’re framing as a kinder, gentler approach to compromising the encryption that keeps us safe online. This new proposal from GCHQ—which we’ve heard rumors of for nearly a year—eschews one discredited method for breaking encryption (key escrow) and instead adopts a novel approach referred to as the “ghost.”

But let’s be clear: regardless of what they’re calling it, GCHQ’s “ghost” is still a mandated encryption backdoor with all the security and privacy risks that come with it.


Top 5 Security News

Security Software & Tools Tips – January 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen the following:
* Elastic Stack
* Security Onion
* Wireshark
* Cuckoo
* BeEF

Elastic Stack

Information from the Elastic Stack website:

Threats don’t follow templates. Neither should you. The Elastic Stack gives you the edge you need to keep pace with the attack vectors of today and tomorrow.

Website:

https://www.elastic.co/

Security Onion

Information from the Security Onion website:

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Website:

https://securityonion.net/

Wireshark

Information from the Wireshark website:

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Website:

https://www.wireshark.org/

Cuckoo

Information from the Cuckoo website:

Cuckoo Sandbox is the leading open source automated malware analysis system. What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Website:

https://cuckoosandbox.org/

BeEF

Information from the BeEF website:

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Website:

https://beefproject.com/

Photo by Markus Spiske on Unsplash

EU launches bug bounty programs for 15 software projects

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The European Commission decided to launch its bug bounty initiative, the Free and Open Source Software Audit (FOSSA) project.

Starting in January, the European Commission is going to fund bug bounty programs for a number of open source projects that are used by members of the EU. The initiative is part of the third edition of the Free and Open Source Software Audit (FOSSA) project, which aims to ensure the integrity and reliability of the internet and other infrastructure.


Top 5 Security News