SLA Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Thu, 03 Sep 2020 11:51:03 +0000 | en-US | hourly 1 | https://wordpress.org/?v=6.8.1

Pro Tips: Things to Remember Before Leveraging IaaS for Cloud Computing
https://staging-cisomagcom.kinsta.cloud/pro-tips-things-to-remember-before-leveraging-iaas-for-cloud-computing/
Thu, 03 Sep 2020 14:00:02 +0000
https://staging-cisomagcom.kinsta.cloud/?p=6877

Cloud computing is the on-demand availability of computer system resources and computing power without the user’s direct management. To some, it’s a new way of running a business; to others, it’s a way of storing data, but in reality, it’s much more than that. While there are many advantages of cloud computing for businesses, such […]

The post Pro Tips: Things to Remember Before Leveraging IaaS for Cloud Computing appeared first on CISO MAG | Cyber Security Magazine.

Cloud computing is the on-demand availability of computer system resources and computing power without the user’s direct management. To some, it’s a new way of running a business; to others, it’s a way of storing data; in reality, it’s much more than that. While cloud computing offers businesses many advantages, such as reduced maintenance costs, minimal capital expenditure, excellent scaling opportunities, agility, flexibility, and data recovery, it also has downsides. The security challenges, and their solutions, differ by cloud computing service model. Take the IaaS service model, for example: what are some of the worst things that can happen to businesses using IaaS?

What Is Infrastructure as a Service?

IaaS, the most common cloud computing service model, offers enterprises the fundamental virtual servers, networking, operating systems, and data storage on demand. It is the virtual equivalent of a traditional data center. Those who choose the IaaS service model do not need to own any hardware or manage its components; the service provider manages all of it, and customers pay for it on a usage basis with pay-as-you-go options. Businesses can also easily deploy their apps on IaaS: organizations deploy their own virtual machines, workloads, and apps on top of the hypervisor layer, in the region and availability zone of their choice. Key IaaS features include enterprise-grade infrastructure, an OPEX cost model, flexible features, ease of use, and virtual management. Additional services include performance and usage monitoring, load balancing, and scaling. This makes IaaS ideal for small and medium-sized organizations looking for a cost-effective IT solution.

Security Challenges

Not a single system is entirely safe, and there will always be security issues to address. Some of the most crucial security challenges of IaaS are listed below.

Service Level Agreement (SLA) Issues

SLAs guarantee an acceptable level of quality of service (QoS). An SLA covers contract definition, negotiation, monitoring, and enforcement. Contract definition and negotiation are essential to determine the benefits and responsibilities of both sides. Any ambiguity in the SLA leaves the client exposed to vulnerabilities, since unclear responsibilities affect the system’s security.

Platform Virtualization Issues

Virtualization allows faster scaling and is one of the fundamental parts of cloud computing. Every virtual machine (VM) should remain isolated, with no access to the virtual disks, memory, or apps of other VMs on the same host. Communication between a VM and its host is a point where attackers might exploit weaknesses and gain access to the data being transferred. A system administrator in a privileged position could also abuse those same features.

Computer Hardware Issues

The IaaS layer runs on distributed physical resources such as network components, CPUs, and storage devices. Even though service providers keep the physical components in a secured area, about 70% of attacks happen within the organization. If an attacker physically reaches a machine, two things could happen, depending on their intentions:

  • Denying service by shutting the machine down.
  • Accessing the machine to steal or corrupt data.

Optimal Solutions

There are no perfect solutions to issues that might occur in evolving systems. Service providers need to do their best to keep track of new security solutions and implement them if necessary.

Service Level Agreement (SLA) Solution

To ensure proper service and trust between providers and clients, the SLA needs to be monitored, together with QoS. Monitoring and enforcement of the SLA could be delegated to a third party.

Platform Virtualization Solution

Since IaaS is a shared environment, it needs a precise configuration to keep the VMs isolated. Cloud service providers need to work on securing their VMs, and a Trusted Virtual Datacenter (TVDc) can help. TVDc addresses both infrastructure and management security problems. It enforces access control schemes on the network based on security labels, together with a management prototype. It acts as a closed box: the content that circulates inside it can be neither tampered with nor inspected.

Computer Hardware Solution

The possibility of an attacker shutting down a machine can be minimized by keeping strict control over who has access to the location. Against theft or corruption of data, the recommended solution is encryption, using both the session ID and the user’s ID for key management.

Other Disadvantages of IaaS

Other issues that arise with IaaS are provider outages, permanent data loss, vulnerable applications, and a lack of expertise. To address these, companies must focus on staff training. Providers must ensure data and network encryption, use a Cloud Access Security Broker (CASB) to identify data risks, and monitor and audit anomalies.

Conclusion

Cloud computing is a new way of storing data and running platforms and apps. Infrastructure as a Service is one of the three cloud computing service models, and it has its advantages and disadvantages. While many businesses turn to IaaS, some tend to ignore the other side of the coin. Paying attention to the SLA ensures both sides are satisfied while the service runs. Virtual machines can be kept safe with access control schemes such as access control lists (ACLs). Physically located data storage should be secured with properly managed encryption keys. With these recommended solutions implemented, Infrastructure as a Service becomes a safe place where businesses can thrive.

Continuous Tests in Cybersecurity Controls and Process
https://staging-cisomagcom.kinsta.cloud/cybersecurity-controls-process/
Mon, 27 Jul 2020 04:41:13 +0000
https://staging-cisomagcom.kinsta.cloud/?p=6481

Much is said about the importance of security testing, regardless of what we call it, be it Pentest, Ethical Hacking, Red Team or whatever. This is a process that all security teams must have and perform regularly, if not continuously. Its benefit for companies is proven because it brings visibility of possible vulnerabilities and risk […]

The post Continuous Tests in Cybersecurity Controls and Process appeared first on CISO MAG | Cyber Security Magazine.

Much is said about the importance of security testing, regardless of what we call it, be it Pentest, Ethical Hacking, Red Team or whatever. This is a process that all security teams must have and perform regularly, if not continuously. Its benefit for companies is proven: it brings visibility into the possible vulnerabilities and risk situations present in our environments that need to be mitigated in some way.

By Glauco Sampaio, CISO, Cielo

We usually use this type of test with a focus on new systems or technologies, but how do we ensure that our legacy, what is already in production, continues to work as planned and implemented? This is a question that must torment our minds and be the object of our efforts. It is utopian to think that, once implemented, the controls will remain 100% functional through all the changes the company makes in its environment as a result of new initiatives or necessary adjustments. We cannot have the illusion that we will have the complete and preventive visibility that lets us know all the impacts and side effects of these changes.

Thinking about how to ensure the continuous operation of controls and processes is important for the security of our environments. It also helps us avoid unpleasant situations, such as an audit finding on an issue that had already been mitigated.

The use of tools classified as Breach and Attack Simulation (BAS), now widespread in the market, is very interesting, mainly because it adds to this testing process a greater capacity to perform validations. However, we must expand our testing horizons and also validate the associated processes that support the security operation, as well as the particularities of our environments, which are not the main focus of these solutions.

Testing an end-to-end process means verifying, for a given test scenario, whether:

  • the action can be executed without being blocked;
  • the generated log is correct and is sent to the monitoring system;
  • the monitoring system generates the alert as it should, within the defined SLA;
  • if there is an automated response, it is carried out as it should be;
  • the incident response team handles the case within the defined SLA and as described in the playbook for that particular event.

This is just an example of a possible “complete” test script; it can and will vary according to the level of security maturity and the characteristics of each company. What we should keep in mind is that the test objective is the whole life cycle of that scenario: ensuring that every step is carried out as planned and delivers the agreed result.

The visibility generated by this type of test also helps in managing operational teams with regard to meeting the defined SLAs. In the incident response process, time is precious, and handling an alert within the expected timeframe can be vital to containing an incident and preventing it from taking on greater proportions.

Often, stages of the incident response process are performed outside the security team or by service providers. Measuring the effectiveness of these actions has always been a challenge. Continuous and complete tests give us the inputs to hold these third parties to the level of effectiveness defined in the SLAs. Showing practical cases helps us in those discussions, or even in applying contractual penalties for outsourced services.

The results of these tests must be shared with all those in charge of, or involved in, the incident response processes, as well as with the company’s executives. They can also serve as a security indicator that shows the effectiveness of the existing controls, or where we need to reinvest money and effort.

It seems utopian to think that we will be able to test 100% of the security controls continuously. Here, automation tools, or even internally developed scripts, can help us achieve scale. Even so, planning is necessary so that we do not overwhelm our response team with test alerts. The classification and prioritization of the tests must be based on the importance of the target control: critical controls must be tested more frequently than those of lesser importance.

It’s important to have a Chinese Wall so that those responsible for the tests have the freedom to run them. It’s also important for security managers to have the maturity to understand that the purpose of these tests is to be preventive and to help us not be caught off guard by an incident.

In summary, continuous tests give visibility into our controls and guard against the recurrence of faults already identified and mitigated. We can start small by testing the most basic and simple controls, not necessarily with an end-to-end vision. But we have to start and define an objective within a feasible horizon to achieve this maturity. I guarantee that the most basic tests will give results and help us a lot!

About the Author

Glauco Sampaio is the Chief Information Security Officer (CISO) at Cielo, where he is in charge of the security strategy for the largest Brazilian credit and debit card operator. Sampaio has been working for 20 years as an information security professional in Brazil, in media companies such as iG and Editora Abril and in financial institutions such as Santander Bank, Votorantim Bank and Original Bank.

Disclaimer

CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG, and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.

Don’t Overlook the Security of Your Supply Chain
https://staging-cisomagcom.kinsta.cloud/security-of-supply-chain/
Fri, 22 Nov 2019 05:54:39 +0000
https://staging-cisomagcom.kinsta.cloud/?p=4357

CISO MAG EDITORIAL Not long ago, the IT Head (we are using this as a generic term) of an organization was concerned with securing all the infrastructure behind the company firewall. In those days, threats were largely viruses, trojans and worms. The Internet was still in its early days, so interconnecting networks was rare in the […]

The post Don’t Overlook the Security of Your Supply Chain appeared first on CISO MAG | Cyber Security Magazine.

CISO MAG EDITORIAL

Not long ago, the IT Head (we are using this as a generic term) of an organization was concerned with securing all the infrastructure behind the company firewall. In those days, threats were largely viruses, trojans and worms. The Internet was still in its early days, so interconnecting networks was rare in the corporate world and more common in academic (Yale, Columbia, Stanford) or military networks (ARPANET). That paradigm has changed. The Internet has percolated into all strata of our society, the business world and governments. While we have benefited greatly from this omnipresent interconnectivity, there is a downside: the attack vectors have multiplied. Today a business’s infrastructure interconnects with partners, suppliers, developers, customers (through app connectivity) and other ecosystem players. It is a borderless enterprise, or the extended enterprise. Therefore, a CISO must also worry about the risk profile of other networks, those on the supply chain.

In its 2020 Predictions report, Trend Micro states that organizations will face a growing risk from their cloud and the supply chain. Reliance on open source and third-party software, together with the introduction of modern workplace practices, presents immense risks. Organizations are increasingly allowing employees to work from home (remote workers). Financial institutions are working with startups. Third-party software could have vulnerabilities. The report states: “Cloud and DevOps environments will continue to drive business agility while exposing organizations, from enterprises to manufacturers, to third-party risk.”

As more organizations opt for Managed Services, the onus and responsibility of security shifts to Managed Service Providers (MSPs). The Trend Micro report states: “Managed service providers (MSPs) will be targeted in 2020 as an avenue for compromising multiple organizations via a single target. They will not only be looking to steal valuable corporate and customer data but also install malware to sabotage smart factories and extort money via ransomware.”

Key message: The security of the supply chain is as crucial as the security of the company network, and this should be intrinsic, built into contracts, SLAs and legal documentation. Ensure the security of not just your enterprise IT infrastructure but also that of your supply chain.
