Category: Cloud Security

How to Suck at Information Security

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets, while omitting to consider the importance of maintaining accountability.
  • Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don’t give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don’t have to worry about security, because your company is too small or insignificant.
  • Assume you’re secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as “top secret.”

Security Practices

  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.
  • Lock down the infrastructure so tightly, that getting work done becomes very difficult.
  • Say “no” whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don’t apprise your manager of the security problems your efforts have avoided.
  • Don’t cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly-onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

Thanks for Lenny Zelster for its awesome cheat sheet. For original document please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones at above, let me know! ismail@realinfosec.com

Legal and Electronic Discovery in the Cloud

Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios.

A complete analysis of Cloud Computing-related legal issues requires consideration of functional, jurisdictional, and contractual dimensions.

•The functional dimension involves determining which functions and services in Cloud Computing have legal implications for participants and stakeholders.

•The jurisdictional dimension involves the way in which governments administer laws and regulations impacting Cloud Computing services, the stakeholders, and the data assets involved.

•The contractual dimension involves the contract structures, terms and conditions, and enforcement mechanisms through which stakeholders in Cloud Computing environments can address and manage the legal and security issues.

Cloud Computing in general can be distinguished from traditional outsourcing in three ways: the time of service (on-demand and intermittent), the anonymity of identity of the service provider(s) and anonymity of the location of the server(s) involved. When considering IaaS and PaaS specifically, a great deal of orchestration, configuration, and software development is performed by the customer — so much of the responsibility cannot be transferred to the cloud provider.

Compliance with recent legislative and administrative requirements around the world forces stronger collaboration among lawyers and technology professionals. This is especially true in Cloud Computing, due to the potential for new areas of legal risk created by the distributed nature of the cloud, compared to traditional internal or outsourced infrastructure.

Numerous compliance laws and regulations in the United States and the European Union either impute liability to “ subcontractors or require business entities to impose liability upon them via contract.

Courts now are realizing that information security management services are critical to making decisions as to whether digital information may be accepted as evidence. While this is an issue for traditional IT infrastructure, it is especially concerning in Cloud Computing due to the lack of established legal history with the cloud.

Recommendations

√ Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.

√ Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.

√ Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.

√ Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.

√ Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.

√ Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.

√ As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.

√ Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.

√ The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.

√ The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.

√ The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.

References: Cloud Security Alliance Guide