mobile development

Beyond SolarWinds: Guarding Against the Rising Threat of Supply Chain Attacks

Published March 25, 2021
Written by Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

The successful attack in 2020 on the SolarWinds Orion network management software showed that indirect, or third-party, attacks on organizations of all sizes are feasible. Where direct attacks used to be the most common attack vector, especially when attempting to target large organizations, attacking smaller suppliers is becoming a more attractive approach. Any attack that attempts to compromise an organization by directly attacking one of its suppliers of hardware or software is called a supply chain attack. The SolarWinds attack was not the first attack on the IT supply chain, and it looks like the number of similar attacks is increasing. As more organizations become more secure, attackers are looking for creative ways to sneak their attacks in under the radar. Let’s look at the risk of IT supply chain attacks and what you can do to mitigate them.

Understanding supply chain attacks

Supply chain attacks were up 430% in 2020 over the previous year. The dramatic increase in supply chain attacks means that organizations must mobilize immediately to counter this emerging threat. Cybersecurity specialists are getting better all the time. Cybersecurity education and training is becoming more commonplace and in-depth, along with the development of increasingly sophisticated tools and techniques. Unfortunately, cybercriminals are getting better as well. Over the last decade, the increased level of security awareness and control sophistication has driven cybercriminals to search for softer targets.

Security defense maturity is often consistent with size. Larger organizations generally have larger security budgets and can end up maintaining more secure IT environments. Saying that larger means more secure isn’t always accurate; there are lots of insecure large organizations and many very secure smaller ones. On average, though, cybercriminals know that smaller organizations are more likely to lack sophisticated security controls. Simply put, smaller organizations often do not have the budget for the best security. Consequently, many cybercriminals are recognizing a unique opportunity to indirectly attack large organizations by focusing their efforts on the smaller (hopefully softer) suppliers that those large organizations use.

The basic approach in a supply chain attack is for the cybercriminals to add malicious code to software products during the development or release process. The malicious code becomes part of a software product that then gets sold to, and installed in, numerous unsuspecting customers’ environments. While the direct target of the attack is the supplier’s code, the eventual target is the customer’s environment into which the tainted code gets installed.

An attack like this works mainly because of its novelty and the general trust between suppliers and customers. Few customers of SolarWinds products probably worried about the quality of the SolarWinds product line before the news of the Orion attack. The general perception is that a trusted supplier takes the necessary precautions to ensure their software is clean. Very few existing security tools or procedures validate the security of purchased products. That’s the problem, and the opportunity for cybercriminals. It has long been known that tampering with a product during delivery is possible, and controls […]

Healthcare Sector Application Security: Preventing Threats from Becoming Attacks

Published March 17, 2021
Written by Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

Software security isn’t a state of being, or even a single action; it is a process, and one that requires more than just hardening your software. The year 2020 saw a dramatic rise in cyberattacks, with many attacks specifically targeting IT infrastructure. Any attack that compromises an IT environment interrupts normal operations, which can effectively interrupt critical software operations. Regardless of how secure your software is, if you can’t access critical data or services, your application won’t be available to authorized users. And since availability is one of the “big three” tenets of security, unavailable effectively means insecure.

Ensuring software security is an organic and community-driven effort. For the most effective result, focus on actions that provide benefits for your software and its surrounding environment. The last thing you want to do is constantly put out fires. A better approach is to get ahead of the fires. Learn to anticipate attacks and take proactive measures. Here are some ways to create a balanced threat-handling environment to make your software more secure.

Responding to attacks

The first step to handling any attack is to recognize that there is an attack being carried out. That may sound simple, but in many cases it isn’t. Non-disruptive attacks like data exfiltration may go unnoticed for months. Security is challenging even under normal circumstances, and the problem of handling attacks is even worse given the pressures of today’s realities.

Organizations of all types were put under more pressure when the new realities of COVID-19 changed the way people work and interact. But few sectors were impacted more than healthcare. In addition to changes in the workforce and patient interaction protocols, COVID-19 stretched every aspect of delivering quality healthcare. IT service and security concerns were just one part of the bigger problem. And in the midst of all the additional pressure, ransomware attackers sensed an opportunity and launched an unprecedented number of attacks against the healthcare sector.

For example, in October 2020, the University of Vermont (UVM) Medical Center suffered a successful ransomware attack that ended up disabling all online systems for several weeks. At first it wasn’t evident that the interruption was an attack, but once the nature of the attack did become clear, UVM personnel searched for nearly two hours before they found a file that contained a note from the attackers. CNN picked up on the alarming statistics and published a story about the UVM Medical Center attack, and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of the increasing number of ransomware attacks on healthcare organizations.

UVM had taken some precautions to harden their systems, but the attackers were still able to succeed. While there is no guaranteed approach that leads to an impenetrable defense, there are ways to make your organization far less vulnerable. There is a constant need to iterate over updated threat information to stay ahead of the attackers. The goal is to approach the problems of security in parallel. If all you do is respond when you receive a new attack alert, you’re […]

7 Database Security Principles and Practices

Published February 24, 2021
Written by Ed Tittel

Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

Few, if any, other repositories for data and metadata within an organization exceed the importance and value of its databases (DBs). In fact, databases often provide a home for an organization’s personnel information, financial data of all kinds (pay, taxes, purchases, income, and other monetary transactions), and data describing its physical inventory and assets. Thus, it’s not unfair to observe that most of the data that defines “who, what, where, when, and why” for an organization is likely to reside in a database. All of this goes to explain why DB security is vitally important to an organization’s health and its ability to conduct business.

Principles that drive DB security are well-understood

In the realm of database security, informed professionals understand that while basic security principles definitely apply, they can (and often do) take a database-specific slant. Thus, any enumeration of such principles will often play to the special circumstances involved in defining database metadata (often called a “database schema” to emphasize its scope and coverage for some specific and related collection of data) and in setting up and managing a database engine of some kind (which may be on-premises, in one or more clouds, and various permutations on those themes). That said, here is how some of these basic principles play into the world of database security.

1. Principle of least privilege (aka PLP)

In general, PLP means providing the minimum of access rights and user privileges necessary to perform some specific task, run an application, or work with database contents, software or infrastructure elements. As with other PLP situations, periodic review to avoid “privilege creep” (gradual accumulation of more rights and privileges than are really needed) is essential. But in general, database designers and database administrators (DBAs) should grant only the rights and privileges that users, applications, and services need, and no more than that.

2. Platform hardening

Across the board, platform hardening requires a deep understanding of a platform’s vulnerabilities and its attack surfaces, so that organizations can take pre-emptive measures to address known potential weaknesses. Among other things, this means uninstalling or disabling features or services that you don’t need or use. It also means resolutely enforcing password discipline, especially when it comes to changing well-known passwords and their associated accounts (best to delete them if you don’t use them). Make sure all security controls that the database engine offers are enabled, and set to maximum tolerable levels. Checks on hardening success are covered further in the upcoming “monitoring and auditing” item.

3. Data protection

Data and metadata for the database should be encrypted both in motion and at rest (and this applies to backups and snapshots, too). Data and metadata should include security tags or classifications to permit full-blown security policies and protections to apply. Data protection also includes monitoring its access and use, export and exfiltration, especially wholesale copying activity not readily explained or understood.

4. Monitoring and auditing

The old saying goes “If you don’t monitor it, you can’t measure it.” This applies equally to […]

Cybersecurity Trends in Fintech

Published February 17, 2021
Written by Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

The year 2020 will go down in history as being a year of uncomfortable changes. Just about everyone was forced to approach aspects of personal and professional life differently, from buying groceries to conducting business to maintaining safe interactions with others. Fortunately, existing technology and service offerings allowed us to make adjustments and work through the changes. Zoom went from being a useful way of meeting virtually to a staple of business, education and social interactions. Likewise, the financial technology industry, often called fintech, expanded products and services to make contactless financial exchanges safer and more accessible. But as fintech’s popularity grew in 2020, so did its attack surface.

Fintech is the industry that provides individuals and businesses with the technology to carry out financial transactions. If you’ve ever sent someone a payment using Venmo, accepted a payment card using your smartphone, or applied for a loan online, you’ve consumed fintech services. In short, fintech’s goal is to leverage technology to compete with, or even replace, traditional financial services by making them cheaper, easier and more accessible. Smart devices and nearly universal internet access make the process of carrying out financial transactions in a socially distanced environment easy. But to keep fintech’s growth on track, cybersecurity has to stay ahead of the attackers. Fintech companies can’t afford to lose their customers’ trust. Let’s look at the most important cybersecurity trends in fintech that are needed to keep that trust.

Technology reliance creates risk

Any transition to a greater reliance on technology introduces risk. Additional devices and software can provide opportunities for attackers to find and leverage weaknesses. The COVID-19 pandemic punctuated the importance of touchless and socially distanced interactions. One of the most common pre-COVID-19 close-proximity interactions was paying for products and services. Although touchless and remote payment options were available prior to 2020, the pandemic made touchless payments a welcome feature. The number of suppliers and consumers who used touchless payments for the first time skyrocketed in 2020.

Any industry-wide growth naturally attracts cybercriminals to prey on a new group of potential victims. According to a recent Fintech News article, attacks are up across the industry and included a 600% increase in phishing attempts and a 630% increase in cloud-based attacks. One reason for such large jumps is the increased use of personal devices to engage in financial transactions. Personal devices often aren’t managed to be as secure as many legacy devices owned by service providers.

In addition to facing increased attack frequencies and veracity, many fintech companies are still in the process of digital transformation. While startups may begin their commercial lives with new infrastructure and software, most fintech companies still rely on some legacy devices and software. Each type, or layer, of software, devices and infrastructure means the potential for security vulnerabilities to exist. While it is possible to upgrade hardware devices with the latest models, software poses a bigger challenge. Even startups go through a software development process that results in code written using outdated standards or best practices. It isn’t possible to write […]

Delphi 26 – Show Your Love Promo

Contact us for further information: vanzari@d-data.ro

It is Delphi’s 26th anniversary. To mark the occasion, we are rewarding the Delphi fans who have stood by us over the years with a 26% discount on ALL Embarcadero products. For a quarter of a century, applications built with the Delphi language have continued to amaze users with their performance and functionality, and we want to share this moment with you, the innovators who use Delphi to change the way the world works. Contact our team for promotional pricing on the Delphi and C++ Builder IDEs!

Request a Quote

Fill in the form below for a personalized quote.

Terms & Conditions: This promotional offer CANNOT be cumulated or combined with other offers. This offer DOES NOT APPLY to upgrades from the Professional edition. This offer DOES NOT APPLY to renewals or academic licenses. Offer valid until February 28, 2021.

A Timeline of the SolarWinds Hack: What We’ve Learned

Published January 19, 2021
Written by the Kiuwan Team

Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The SolarWinds hack was a major security breach that affected over 3,000 SolarWinds customers, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also impacted were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security.

The attack, dubbed SUNBURST, involved inserting malicious code into SolarWinds’s Orion Platform software. This code created a backdoor which later was used to access customers’ networks. Experts believe the attack was instigated by hackers based in Russia who may have managed to access sensitive government data. SUNBURST is one of the most sophisticated cyberattacks in history, with malware capable of evading detection.

Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.

The Attack Timeline

Threat Actor Accesses SolarWinds

September 4, 2019: unknown attackers access SolarWinds.

September 12, 2019: the hackers inject the test code and perform a trial run. The attackers use a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attackers use multiple servers based in the US and mimic legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients.

February 20, 2020: hackers compile and deploy the SUNBURST attack. This is an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond.

June 4, 2020: the perpetrators remove the SUNBURST malicious code from SolarWinds systems.

FireEye Discovers SolarWinds Attacks

December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company expresses concern that the hackers would use the stolen tools to target other companies.

December 11, 2020: while conducting breach investigations, FireEye discovers that SolarWinds had been attacked. They realize that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020.

December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompts the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises.

The News Becomes Public

December 13, 2020: the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they pose a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye discloses that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issues guidance explaining how the attack could affect its customers. The attack receives media coverage for the first time. Reuters reports that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.

Public Response Begins

December 15, 2020: SolarWinds releases a software fix. The media identifies victims that include the Department of Homeland Security (DHS), the State Department, and […]

Gambling with Security: Mitigating Threats to Online and Mobile Gaming

Published February 3, 2020
Written by Ed Tittel

Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

In this time of the COVID-19 pandemic, we’re all spending more time on our PCs and smartphones. It might seem odd, but The Business Research Company’s Global Online Gambling Market report asserts that online gambling has skyrocketed in 2020. This is because home-bound punters, blocked from visiting brick-and-mortar gambling dens, are turning to online gambling destinations in droves. This makes protecting games of chance, and their players, against online gambling security threats more important than ever, especially where mobile gambling security is concerned.

Online gambling is in hackers’ crosshairs

In June 2020, Security Boulevard published a discussion of cybersecurity for the online casino and gambling industry. It exposes a number of clear and present dangers that face online gambling developers and involve more than hack attacks (though those are also quite prevalent). Access to gambling platforms themselves can come under direct attack, but smart attackers also recognize that scamming gamblers is another avenue of more indirect attack. By stealing customer information, attackers can ultimately access their money at far less risk to themselves than a “fair game” of chance.

The revenue streams involved can also be quite substantial. Grand View Research estimates the size of the global online gambling industry as $53.7 billion in 2019, and a compound annual growth rate of 11.5% is projected from 2020 to 2027, for a global market size of $127.3 billion by that year. Europe dominated the 2019 market with $22 billion in receipts, but the US appears headed for the top in the short term, with Grand View Research projecting its market size at nearly $103 billion by 2025. The Asian market is also coming on strong, as more online venues that serve its populations keep appearing.

Cryptocurrency payments are becoming the norm in gambling apps and applications, as online gambling and casino operators switch to Bitcoin and its various counterparts. From a security standpoint, cryptocurrency is attractive because gamblers need not enter their personal data during deposits, and blockchain systems are nearly hack-proof. In addition, cryptocurrency transaction fees are much smaller (sometimes zero) than for a traditional payment method such as credit or debit cards, bank account access, and so forth. Deposits and withdrawals are faster, too, while maintaining player anonymity.

More players means more attack vectors

Desktop PCs, with their larger monitors and display areas, still dominate online gambling by user count. But as smartphone size and resolution have increased over the past decade, momentum is shifting toward mobile users. Mobile online gambling applications are looking for traction, with more variety in deposit options for playing funds, loyalty points, and interactive play with others around the globe.

Mobile technology continues to exert a massive influence on online gambling. Trends such as social gambling and a proliferation of mobile gambling applications signal oncoming changes in gambling habits and practices. Given that somewhere between a third and half of the global population has ready access to a smartphone, casinos and online gambling organizations are investing ever more heavily in gaming applications, especially […]

Release Announcement — January 28, 2021

Published January 28, 2021
Written by the Kiuwan Team

Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The Kiuwan team is excited to announce the availability of our latest release, with new features for both cloud and on-premise customers.

Kiuwan is a fast, reliable and scalable Application Security and Enterprise Software Analytics solution. Kiuwan includes several tools for management and development that identify and guide remediation of security vulnerabilities in source code. These tools support the implementation of critical shift-left strategies that many companies desire today. Fluent in major programming languages and frameworks, Kiuwan allows extensions and customization for customer-specific needs and integrates with leading DevOps IDEs and tools, in an on-premise or SaaS model.

Support for custom components in Kiuwan Insights

As requested by our customers, Kiuwan Insights now supports custom artifacts, allowing the creation and maintenance of custom artifacts along with their associated licenses and vulnerabilities. This allows Kiuwan users to identify the use of custom artifacts stored in their own repositories, to track their use in development, and to have Insights analysis flag the vulnerabilities, license issues, and obsolescence that these custom components introduce into the application. Custom components, licenses, and vulnerabilities can be added and modified both through the UI and the REST API.

With this new functionality, customers will have a complete view of the components they use, whether public or private, without needing to track custom components outside of Kiuwan.

Engine tuning pack

The Kiuwan engine is able to perform source code analysis on a wide variety of programming languages. It parses source code into memory structures, and these structures are checked with rules to identify quality and security issues. Each customer has their own way of using their languages and libraries, so we rely on continual feedback from our customers in order to continuously improve the quality and performance of our analysis to benefit customers. This engine tuning pack incorporates new cases and includes widely requested small enhancements.

- Add new detection rules or improve existing rules to find more security vulnerabilities in code
- Updates to reduce some of the false positives returned by the product
- Performance improvements
- Revisions to our security and protection rules for more accurate results
- Improvements to our discovery elements for Oracle, HTML5, and JavaScript allowing for greater security detection
- Language parsing improvements for more language coverage
- Update language levels
- Additional bug fixes and improvements

Documentation for this release is available in the product documentation repository. For a full list of additional bug fixes and improvements, refer to our Change Log.

How to get the new release

The new release is available immediately to our Cloud customers. Access the new version via the customer portal. Customers using the On-Premises version of Kiuwan should reach out to their account representative for an updated license key.

Would you like to know more about Kiuwan solutions? Get in touch with our Kiuwan team! We love to talk about security.

A Timeline of the SolarWinds Hack: What We’ve Learned

Published January 19, 2021
Written by the Kiuwan Team

Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security.

The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia and may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection.

Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.

The Attack Timeline

Threat Actor Accesses SolarWinds

September 4, 2019: unknown attackers access SolarWinds.

September 12, 2019: the hackers inject the test code and perform a trial run. The attackers used a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attacker used multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients.

February 20, 2020: hackers compile and deploy the SUNBURST attack. This was an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond.

June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems.

FireEye Discovers SolarWinds Attacks

December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies.

December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020.

December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises.

The News Becomes Public

December 13, 2020: the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issued guidance explaining how the attack could affect its customers. The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.

Public Response Begins

December 15, 2020: SolarWinds released a software fix. The media identified victims to include the Department of Homeland Security (DHS), the State Department, and the National […]

Virtual CISO: Leveraging External Security Expertise

Published January 14, 2021
Written by Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated criminals; organizational growth, increased infrastructure complexity and expanding compliance requirements also require more time, people and technology to avoid becoming a victim of a cybersecurity breach.

Security used to be focused on physical access to facilities and resources, or adding layers of logical controls to protect software and data. However, security concerns of the 21st century don’t fit into nice buckets anymore. Security concerns affect every aspect of an organization’s operations and should be an integral driver of strategic planning. Information security used to be a good idea to include “if there is time.” Then it became more important as cyberattackers became more sophisticated at leveraging vulnerabilities. Now, information security is an integral component of organizational strategic viability. It is just as important as fiscal integrity and product quality.

Executives have become acutely aware of the impact of poor information security on their organization’s profitability and longevity. A lack of security focus at the executive level could easily result in hefty fines for non-compliance, punitive rulings after finding liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of undervaluing information security is too great to ignore.

To address the growing awareness of information security’s importance to strategic planning, many larger organizations now include a Chief Information Security Officer (CISO) in the executive suite. A CISO provides executive leadership guidance on keeping organizations secure and compliant. But with the average median salary for a CISO being over $200,000, many companies cannot afford their own CISO. The need is still there, but the budget doesn’t allow for a full-time person in that position.

However, there is an attractive alternative. Organizations that lack the budget for a CISO are increasingly turning to an outsourced solution: the virtual CISO, or vCISO. Let’s look at what a vCISO does and how one can benefit small and medium-sized businesses.

Benefits of a vCISO

A vCISO is generally a cybersecurity professional who works part-time offering security services to multiple organizations, working for several throughout any year. This job-sharing approach gives organizations access to a CISO without having to hire one full time. The vCISO fills several needs through different types of services, including:

- Cybersecurity guidance to executives
- Security readiness assessment
- Compliance alignment recommendations (for HIPAA, GDPR, PCI-DSS, CCPA and dozens more)
- Remediation prioritization
- Security architecture guidance
- Incident response
- Governance
- Business continuity

A vCISO helps organizations transition from viewing security as a tactical requirement to a strategic one. This transition isn’t an easy one without support from the top. That’s the most important role of a vCISO: to solicit and ensure ongoing support of security from the very top of the organization’s leadership. The strategic nature of a vCISO’s approach to security isn’t in contrast to existing security activities or other organizational goals. The vCISO should help ensure […]
