Dimensional Data

Published July 1, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. The Certified Information Systems Security Professional (CISSP) certification, granted by the International Information System Security Certification Consortium Inc., or (ISC)2, is one of the most prestigious vendor-neutral information systems security leadership certifications. The CISSP certification is a credential that signifies its holder possesses professional experience and demonstrates a high level of knowledge across information systems security domains. (ISC)2 periodically updates the information systems security Common Body of Knowledge (CBK) to reflect the state of today’s organizations and environments. The latest version of the CISSP exam was released on May 1, 2021. This updated exam addresses the latest cybersecurity challenges. Some of the noticeable changes from the previous exam are in the software security domain. New CISSP exam takers must demonstrate a deeper knowledge of developing secure software than those who took previous editions of the exam. Software security has taken on a higher profile. Let’s look at how the 2021 CISSP exam changes add focus on developing secure software. Why the CISSP certification is important The CISSP certification is not the only cybersecurity certification, but it is one of the most respected certifications in the industry. Although criticized as an overly broad certification, its focus is on demonstrating a working knowledge in eight defined domains that cover most cybersecurity concerns. The CISSP exam focuses more on cybersecurity leadership and a grasp of pertinent concepts and topics, as opposed to a deep knowledge of a specialized practitioner. The certification tends to be more sought after by those either in or pursuing management and leadership positions. There are currently over 147,000 CISSPs worldwide, and the certification enjoys international recognition as a high-quality and difficult-to-attain certification. The CISSP was the first information security credential to meet the ISO/IEC 17024 standard requirements, which define criteria for certification-granting organizations. The CISSP is also approved by the Department of Defense to satisfy multiple DoDD 8570 Level III certification requirements. And in May 2020, the UK National Recognition Information Centre (UK NARIC) granted the CISSP a Level 7 ranking, which equates the certification with a master’s degree. The popularity of the CISSP certification, along with its longevity and demonstrated rigor, make it an attractive target for managers and executive leadership in information systems security roles. In short, there are many information systems security leaders who are CISSPs. Whatever (ISC)2 deems important in their CBK and exams will be considered important by its credential holders. Changes to the 2021 CISSP exam related to application security Domain 8 of the CISSP exam is Software Development Security, and it represents 11% of the questions test takers will encounter. The previous edition of the CISSP exam weighted Domain 8 at 10%. A single percentage increase in weight may not seem like very much, but some of the covered content has changed quite a bit. Previous coverage of Software Development Security was a bit generic and high-level, but the 2021 CISSP exam objectives are more granular with some interesting additions.   To give an overview of the CISSP exam objectives, here are the eight domains: Security and Risk Management Asset Security […]

Published June 24, 2021 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel The ever-increasing popularity and use of smartphones dwarfs that of more conventional computing devices, such as desktop, laptops, tablets and so forth. Here are some numbers to put things in perspective: according to Statista the total number of mobile devices should reach 17.71B by 2024, up from just over 14B such devices in use in 2020. The same source puts the size of the installed base of PCs worldwide at 1.33B in 2019, with a slight decline over the period from 2013-2019. Interestingly, Microsoft recently claimed 1.3B “active Windows 10 users” which tells us the overwhelming majority of PC users seem to favor their operating system. Putting Mobile Devices Into Proportion The real impact of this comparison, of course, is that mobile devices outnumber PCs by over an order of magnitude. In addition, that balance continues to swing to favor mobile devices ever more firmly. Mobile devices run mobile apps. Indeed this simple observation makes mobile app security crucial, simply because most of the human race (mobile devices currently outnumber humans by almost 2 to 1) uses such devices and the apps to go with them to communicate, access the Internet, and get on with the business of living. The Continuing Sad State of Mobile App Security Even as mobile apps keep proliferating, and more and more users rely on them to learn, work and play, the state of mobile app security can only be described as deplorable. On the one hand, App Annie reported that mobile app usage grew 40% year-over-year in Q2 2020 as compared to the preceding year. On the other hand, security firm Synopsys entitled its most recent survey Peril in a Pandemic: The State of Mobile App Security. The company found that significant causes for concern about the security in mobile apps were both abundant and alarming, primarily owing to three major factors: Commonly used apps that displayed well-known open source vulnerabilities Unsecured and unencrypted sensitive data in mobile application code that present potential points for information leakage and unwanted access and disclosures Frequent assignment of higher levels of access and permission to mobile apps than the “principle of least privilege” (PLP) would allow All of these unsafe programming or administrative practices leave mobile apps overly open to attack and potential compromise. The report analyzed over 3,000 mobile apps and reported some scary statistics – namely: 63% of apps included known security vulnerabilities, with an average of 39 vulnerabilities per app, of which 44% were rated “high risk,” 94% of which had publicly documented fixes, and 73% of which has been reported two or more years ago. Thousands of sensitive data items were exposed in the application code, including over 2K passwords, tokens and keys, over 10K email addresses, and nearly 400K IP addresses and URLs. Use of overly powerful device permissions showed just over 33K instances of normal permissions, with just over 15K of sensitive permissions, and just over 10K of permissions “not intended for third-party use.” What Can (and Should) Mobile Developers Be Doing? […]

Published June 17, 2021 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel On or about May 7, 2021, Colonial Pipeline had to shut its pipelines down because of a ransomware attack. Colonial is a major fuel pipeline operator in the southern and eastern US. Its pipelines stretch from Texas to New Jersey, and reach into Louisiana, Mississippi, Alabama, Georgia, both Carolinas, Tennessee, Virginia, Maryland and Pennsylvania. After a week of downtime that saw gas shortages in many of the more eastern states just mentioned, the company announced on May 12 it was restarting pipeline operations. By May 15, those operations had more or less returned to normal. One burning question remains: What happened? Understanding The Colonial Pipeline Ransomware Attack A Word from Joseph Blount, Colonial Pipeline’s CEO In an interview with the Wall Street Journal, Blount recounted he authorized a ransom payment of $4.4 million. He did so because company executives, in the words of the WSJ story, “were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.” According to the WSJ, “Colonial Pipeline provides roughly 45% of the fuel for the East Coast…” Essentially Colonial Pipeline chose to disregard long-standing advice from the FBI and other law enforcement agencies not to pay ransom demands in such situations. Blount demurred and is quoted as saying he authorized payment because “…it was the right thing to do for the country.” More About the Attack Security experts are in agreement with US government officials who attribute the attack to a criminal gang based in eastern Europe named DarkSide. This shadowy organization builds malware to attack systems for extortion, and shares the proceeds obtained from its ransomware with affiliates who actually foist the attacks that see its ransomware take over business and government systems all over the world. As reported in the WSJ story, Colonial worked with experts who had prior experience dealing with the organization behind the attack. That said, the company declined to share details on the negotiations involved in making the payment, or how much of its losses might (or might not) be covered by its cyber insurance coverage. Once the attackers received payment, they provided a decryption tool to unlock affected systems. To underscore law enforcement advice, Colonial also disclosed that the decryption key did not provide everything needed to restore its systems to normal operation. According to CNN, and contrary to many other reports, the sponsoring Darkside organization is not “believed to be state-backed.” Instead Lior Div, CEO of cybersecurity firm Cybereason, describes DarkSide as a “private group that was established in 2020.” That said, consensus is emerging that DarkSide operates in Russia for two compelling reasons. According to CNN, “its online communications are in Russian, and it preys on non-Russian speaking countries.” Div is further quoted as saying “Russian law enforcement typically leaves groups operating within the county alone, if their targets are elsewhere.” DarkSide runs what CNN and other call a “ransomware-as-service” business. That it, it builds tools that it makes available to other criminals, who then use […]

Published June 10, 2021 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel In early April, numerous sources disclosed discovery of a pool of Facebook records including information on more than 530 million of its users. The leaked information included users’ names, dates of birth, and phone numbers as posted to a website for hackers. Business Insider’s (BI) April 3 story represented some of the first reporting on this breach, and focused on a database that security researcher Alon Gal of cybercrime intelligence firm Hudson Rock discovered in January 2021. BI reports further that it “reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with IDs listed in the data set.” Facebook’s Response and Explanation The BI story states that a “Facebook spokesperson told Insider that the data has been scraped because of a vulnerability that the company patched in 2019.” Scraping attacks involve downloading account pages from a Website and parsing their contents to discover personal information amongst the data the underlying Web markup contains. The vulnerability involved was based on the ability to import contact lists from users’ cellphones (with their permission) to extend friend lists and associated data. But while the vulnerability is no longer open to current exploit, even PII (personally identifiable information) data from 2019 can serve as entry points for various types of attack, including impersonation, identity theft, targeted phishing, and potential fraud. According to numerous sources who’ve analyzed the database in question, users from 106 countries are included in its contents. Of the over 500 million users represented therein, over US-based users number 32 million, with 11 million more from the UK, and an additional 6 million from India. For most users, their data includes Facebook IDs, phone numbers, full names, locations, dates of birth, and self-descriptions (bios). For some users, email addresses are also disclosed. How the Breach Was Identified Mr. Gal found the leaked data in January when a hacking forum users advertised a bot that could provide phone numbers for hundreds of millions of Facebook users at a price. At around that same time, Joseph Cox at Motherboard reported the existence of this automated Telegram bot, with a proof of function demo, with charges ranges from US$20 to get information for a single user account, and up to US$5K for 10,000 users. Motherboard reports it tested the bot and confirmed that it provides a valid phone number for a Facebook user known to them who elected to keep that number private. The exploit was documented in 2019 for Instagram users (Instagram is a subsidiary of Facebook) and included this statement “It would … enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.” This is apparently just what the database that Gal discovered contains. Since his initial findings in January, that database has been posted to a hacking forum at no charge. Thus, it’s available to anyone able to access the site. And indeed it could provide ample data to drive attacks even […]

Published June 3, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. The COVID-19 pandemic drove many companies to rapidly expand their support for remote work. This change was not simply to appease a changing workforce; it was simply to survive. When most of the workforce was suddenly told to stay home, many organizations had to either adapt or cease to exist. The increased reliance on transforming previously manual or hybrid procedures to purely digital ones required updated (or completely new) applications, supporting software and infrastructure. Digital transformation was no longer an aspirational goal — it became a survival necessity.  Let’s look at some fundamental changes the pandemic forced on companies and consumers, and how those changes affect all aspects of doing business today, including software development organizations developing secure application security in a decentralized world. Digital transformation plans were accelerated Prior to 2020, face-to-face interactions were not only the norm, but also the preferred way to communicate and carry out business. While a growing number of younger workers and consumers who preferred digital interaction were encouraging digital communication to gain popularity, total adoption was a long way off.  Digital transformation (DT) is the common term used to represent the process of replacing manual business processes or services with digital processes. The push for DT was underway in 2020, but only as it aligned with long-term strategy. A few existing companies and many startups relied on digital processes, but most companies approached DT conservatively. After all, the requirement to produce revenue today trumped the desire to innovate for the future. Once the pandemic hit, companies of all types suddenly had to carry on unhindered without face-to-face interactions. Some companies were built on the concept of offices full of workers. Others depended on the ability to serve a steady flow of physical customers. Regardless of the business model, the disruption of face-to-face interaction required solutions where technology could provide the connection. One of the first shifts was to simulate the business meeting, customer interactions or even the classroom. Zoom went from a video conferencing tool to a generic term for an online meeting. The term can even be used as a verb, as in “I’ll Zoom you.” COVID-19 shifted DT from a long-term strategic goal to a survival requirement. Although all companies could not simply “go digital,” many could. Restaurants, airlines, hotels and a long list of other service-oriented companies had to undergo radical transformations. Other types of companies, such as insurance companies, software development organizations and banks, could continue operations, but had to find a different way. Reliance on face-to-face interactions had to defer to digital transactions. Customer service was required to rise to the occasion and provide an acceptable level of service using remote workers and digital connections. Some companies, like Amazon, were up to the challenge. After all, they were already relying on a decentralized model for much of their business process. They encountered challenges at their warehouses that relied on many human workers, but the rest of their organization had already embraced digitization and automation. Other organizations were not as fortunate and had to accelerate their digital […]

Published May 27, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce that, among other things, maintains physical science laboratories and produces guidance for assessing compliance with a wide range of standards. NIST has a long history of providing documents that help organizations and agencies assess compliance with cybersecurity standards and implement changes to strengthen compliance and security. The NIST Special Publication (SP) series provides “guidelines, technical specifications, recommendations and reference materials, comprising multiple sub-series.” One sub-series, SP 800, focuses on cybersecurity, specifically containing guidelines for complying with the Federal Information Security Modernization Act (FISMA). (If you are interested in digging further into NIST cybersecurity offerings, check out the relatively new SP 1800 cybersecurity practice guides as well.)  How NIST SP 800-53 Revision 5 Affects Application Security NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations,” provides guidance for selecting the most effective security and privacy controls as part of a risk management framework. The latest revision of NIST SP 800-53, revision 5, was released on September 23, 2020. Revision 5 includes requirements for RASP (runtime application self-protection) and IAST (interactive application security testing). While these approaches to application security are not new, making them a required element of a security framework is a first. Let’s examine how NIST SP 800-53 revision 5 affects the secure application development process. What NIST SP 800-53 contains The initial version of SP 800-53 was released in 2005, titled “Recommended Security Controls for Federal Information Systems.” SP 800-53 always focused on federal information systems, at least up through revision 4. Then, revision 5 dropped the word “federal” from its title. That means SP 800-53 is now a more general guidance document that applies to commercial information systems as well as federal systems. This may seem to be a minor change, but it really means that NIST just expanded the scope of their recommendations. SP 800-53 isn’t a mandate at all, but it does signal a strengthening of guidance from the federal government for non-federal environments. SP 800-53 contains a catalog of security and privacy controls, organized into 20 control families. Chapter two of SP 800-53 “describes the fundamental concepts associated with security and privacy controls, including the structure of the controls, how the controls are organized in the consolidated catalog, control implementation approaches, the relationship between security and privacy controls, and trustworthiness and assurance.” The other major chapter of SP 800-53, chapter three, includes a catalog of security and privacy controls, each of which includes a discussion of that control’s purpose and how it fits into a layered security approach. The goal of SP 800-53 is to provide a consolidated guidance document that describes security and privacy controls, how they are related to one another, and how to best select, deploy and assess the controls required for specific use cases. What revision 5 means to application security Although SP 800-53 revision 5 provides general guidance for selecting security and privacy controls, a noticeable portion of changes since revision 4 focus on software. As […]