On this last day of Cyber Security Awareness Month, I thought this was an excellent article outlining two core principles for keeping our PII safe from bad guys: strong authentication and user awareness.
A good friend and colleague Michael Burgess, CISSP, sent me the following message this morning:
“I’ve been doing some research and thought you may benefit from it (if you haven’t already run across it). Some have begun adding an addition to a well-known acronym and a core principle in information security. I think it is picking up steam, and with good reason.
Accountability, as in the process of tracing, or being able to trace, activities to a responsible source… I think it is a good addition given experiences and how often accountability is needed, or would have been helpful.”
I think Mr. Burgess and the growing movement to expand the traditional triad are spot on. Accountability is an important principle in IT Security and is closely tied to the principles of data integrity, confidentiality and availability. It speaks to the responsibilities of data stewards and data owners and the need for security analysts to capture activities and report on anomalous behavior.
Kudos to Michael for bringing this idea forward and continuing the conversation to make our profession stronger.
This type of sharing is an absolutely vital component in the war against the spread of malware and malicious code intended to compromise PII. Every industry should entertain these types of open conversations and organizations.
This is a scary proposition. If you waited more than 7 hours to patch the vulnerability reported on 10/15, you are probably compromised. This speaks to the pressing need to be diligent and actively monitor for threats via news outlets, RSS feeds and other sources.
Many of you have seen press coverage or the many online updates involving the POODLE vulnerability. After the fallout surrounding the HeartBleed vulnerability, websites and web application vendors are not taking any chances and have saturated mailboxes and web banners with alerts for their potential users. I sincerely appreciate this diligence, but it can lead to some confusion over the risks facing customers and application owners.
Let me start by saying there is a significant difference between HeartBleed and POODLE. HeartBleed is based on a flaw found in a version of OpenSSL that was extremely popular for web servers hosting some of the most frequented sites on the web including national banks and the world’s largest online retailer. HeartBleed affected millions of online customers and resulted in the loss of tens of thousands of hours in IT resources to validate and upgrade web servers around the world.
Pardon the pun, but POODLE is a completely different animal. POODLE is based on a flaw within SSLv3, a protocol dating back more than 18 years; this particular vulnerability manipulates the padding added to a block-cipher-encrypted record when the data is too short to fill the cipher's block. Because of its age, SSLv3 is rarely used on web pages today. It has been largely replaced by one of several versions of TLS (Transport Layer Security). Consider these facts:
- SSLv3 was originally released in 1996. TLS 1.0 (Transport Layer Security) was released in 1999 as an upgrade to SSLv3. The latest released version of TLS is 1.2 which became available in August 2008.
- SSLv3 only accounts for approximately 0.3% of all HTTPS Internet connections.
- Of the Alexa Top Million Domains of the Internet, only 0.42% have some reliance on SSLv3, and that is typically tied to a subdomain.
Clearly, the threat footprint for POODLE pales in comparison to HeartBleed. That does not mean we should not take steps to alleviate the threat. Most of the websites that still leverage SSLv3 are moving away from it and toward TLS. Internet Explorer 6.0 is the only major browser still in production that does not support TLS 1.0 or higher, making it the last hurdle for those still forced to utilize it. In fact, most web browsers are moving to disable support for SSLv3.
- Firefox Version 34, slated for release on November 25, will disable SSLv3 by default.
- Microsoft has announced its plan to disable support for SSLv3 in Internet Explorer and all of its online services over the next few months.
- Microsoft has also released a FixIt tool that allows users to disable SSLv3 support in any of the currently supported versions of Internet Explorer.
- Google Chrome and Firefox both currently support SCSV (Signaling Cipher Suite Value, the TLS_FALLBACK_SCSV mechanism), a TLS fallback-signaling mechanism that prevents protocol downgrade attacks such as POODLE.
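To make the SCSV point concrete, here is an added toy model (my own illustration, not code from the original post or from any browser) of how TLS_FALLBACK_SCSV lets a server refuse a forced downgrade to SSLv3 while still negotiating normally with clients that legitimately speak only SSLv3. The version codes and the SCSV value are the real TLS constants; the handshake itself is reduced to dicts and tuples, and `fallback_dance` and `dropped_above` are hypothetical names for the browser retry loop and the simulated interference.

```python
# Added illustration of TLS_FALLBACK_SCSV (RFC 7507) downgrade protection.
# Version codes are the real TLS record-layer values; everything else is a
# constructed, offline model of the handshake.
SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600                # value assigned by RFC 7507
CIPHER_SUITE_AES128_CBC_SHA = 0x002F      # a real suite id, used only for realism

def client_hello(version, is_fallback):
    """Build a minimal ClientHello.  A browser that retries at a lower
    version after a failed handshake appends the SCSV to signal the retry."""
    suites = [CIPHER_SUITE_AES128_CBC_SHA]
    if is_fallback:
        suites.append(TLS_FALLBACK_SCSV)
    return {"version": version, "cipher_suites": suites}

def server_respond(hello, server_max, supports_scsv):
    """RFC 7507 server rule: if the SCSV is present and the client offered a
    version lower than the highest one we support, abort with an
    inappropriate_fallback alert instead of quietly negotiating (e.g. SSLv3)."""
    if (supports_scsv and TLS_FALLBACK_SCSV in hello["cipher_suites"]
            and hello["version"] < server_max):
        return ("alert", "inappropriate_fallback")
    return ("server_hello", min(hello["version"], server_max))

def fallback_dance(server_max, supports_scsv, dropped_above=TLS12):
    """Model a legacy browser fallback loop: try TLS 1.2 first, step down on
    failure.  `dropped_above` (hypothetical) models network interference that
    silently kills every handshake offered above that version, which is the
    downgrade the SCSV defends against; the default drops nothing."""
    for attempt, version in enumerate((TLS12, TLS11, TLS10, SSLV3)):
        if version > dropped_above:
            continue                      # handshake never reached the server
        hello = client_hello(version, is_fallback=attempt > 0)
        return server_respond(hello, server_max, supports_scsv)
    return ("alert", "handshake_failure")

if __name__ == "__main__":
    # TLS 1.2 server that knows the SCSV: the forced fallback is refused.
    print(fallback_dance(TLS12, True, dropped_above=SSLV3))
    # Same server without SCSV support: the downgrade to SSLv3 succeeds,
    # which is exactly the exposure POODLE relies on.
    print(fallback_dance(TLS12, False, dropped_above=SSLV3))
```

Note that the SCSV only helps when both browser and server implement it; disabling SSLv3 outright on the server removes the exposure regardless of client behaviour.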
As an IT Security professional, I am always thrilled to see the world at large take threats and vulnerabilities seriously. But I do become concerned when the media overreacts to a threat or begins to paint all vulnerabilities and incidents with the same broad brush. By doing so, we either become hyper-sensitive to every threat, large or small, or we become completely desensitized to all threats, leaving us more vulnerable to criminal activity. At the end of the day, I hope we can reach a balance where each incident is dealt with appropriately and given the weight it deserves.
This breach is a bad sign for the future of MCX and CurrentC. Member retailers (Target, Walmart, Dick's, Chili’s, among many others) have already been hedging their bets in this partnership since the announcement of Apple Pay. This will give them yet another reason to reconsider their payment options and the exclusivity of a CurrentC digital wallet.
The ability to find and/or remote wipe stolen or lost smartphones has always been important, but in the age of growing mobile payments via smart devices, this feature is all the more crucial. A potential flaw in Samsung’s offering is a significant red flag, and potential boon for iPhone proponents.