Showing posts with label Web Security. Show all posts

Wednesday, May 23, 2018

You Need to Know: Shadow IT

Troy Hunt just posted a new free Pluralsight video about "Shadow IT." That term sounds nefarious, but it's actually quite innocent. It's when someone creates or uses software or a resource that hasn't been documented in the IT inventory and approved for use inside the organization. Because it hasn't been through the onboarding process for IT resources, it also hasn't passed security checks.

Some examples include: A Google Drive or a OneDrive to store or share files. A share drive with open access. Cloud services on Azure, AWS, Google Cloud, IBM Bluemix, etc.

What Are the Issues?

It's not that using these resources is an issue in and of itself; it's that they present potential security and management issues.

Security

Because the security of "Shadow IT Resources" is unknown to the organization, they could open security holes. Those security holes can be either external (exposing information outside the organization) or internal (exposing information to unintended people inside). It may not always be a problem per se, but either scenario could really cause problems for the organization. Those problems can result in loss of business, legal proceedings, and even cause the business to fail.

Web app services on Cloud platforms are designed to be open to the world by default. They can be secured by deploying them inside a VPC (Virtual Private Cloud) which is accessible from within the network only. This same concept applies to many other Cloud services.

Besides Cloud services, there are countless tools, games, and applications that are easily accessible to anyone with an internet connection. Their security problems are unknown, and they could contain malicious code which is designed to leak information.

Cost

Besides the costs of recovering from an information leak, another potential cost concern is unplanned expenditure, particularly with cloud services, since it's relatively easy to create a new resource on a cloud platform. Cloud services are pay-as-you-go, so the cost would be a slow burn rather than the fast explosion that leaked information would present.

This kind of issue is easier to resolve since all activities are logged and can therefore be monitored easily. Services like Alert Logic and Stackify give you insight into activities on the Cloud.

Scaling is another source of cost. Cloud resources are made to scale, meaning new servers or service handlers are created to handle increased traffic. Configure scaling appropriately and set limits to ensure that a DDoS (Distributed Denial of Service) attack doesn't end up costing you a fortune overnight. For example: the cost difference between a single small AWS server and many XXXL servers is on the order of 100x the cost.

Goldilocks

Despite the aforementioned concerns, it's not worthwhile to be too restrictive when it comes to using the tools available. The trick is to find a path that's just right.

The Tale of Goldilocks According to Me

In the classic Goldilocks fable, Goldilocks happens upon a cottage in the woods. The cottage is the residence of three bears (papa, mama, baby). She "innocently" does a B&E (Breaking and Entering). Besides the unauthorized entry into the abode, she eats their food; sampling the porridge of each until she finds the one that's not too hot and not too cold, but just right! After that she samples the chairs. Baby's chair is just the right size, but she breaks it. Then she proceeds upstairs to the bedroom and tries all the beds: papa's is too hard, mama's is too soft, but baby's is just right. She falls asleep only to be awakened by the angry bear family returned from their morning walk ready to maul her. She barely escapes with her life after her little crime spree.

Lock-Down?

Besides the rampant crime in the story, Goldilocks has to try what's available until she finds what's right for her. Follow this practice, starting with most restrictive. However, do be open about the strategy so that those in the organization aren't taken aback by the sudden lock-down! Some of what exists in Shadow IT-land may be business critical! In that case a total lock-down would cause serious business disruption. Consider that they do lock-downs in prison when a fight breaks out...

Stay Calm and Keep Innovating

Another extremely important factor in applying the right level, and doing so with care to respect the autonomy of individuals, is the innovation factor. Theodore Henderson of the Forbes Coaches Council notes that "Innovation Is Crucial To Your Organization's Long-Term Success." He cites many success stories of innovative products that have led to serious growth of organizations. One such example is Gmail, which is the fruit of Paul Buchheit's 20% time according to Time.com (free time given for the purpose of innovation).

Disallowing the use of applications and services can seriously stifle innovation. It can do so in two ways:

1. Denying access to tools that can make people more productive.
2. Making employees feel less autonomous.

Autonomy is important to innovation, which stems from motivation. Going into total lock-down mode can make people feel like they're under total external control, which stifles their innovation and productivity. As a business model, that isn't going to go well unless your business is 20th century line assembly.

Concluding

While it may be natural to knee-jerk and enter into total lock-down, it's important to find the right level of control. The right level of control means keeping Shadow IT to a minimum and plugging security holes while keeping all employees on the same side as Info Sec and Governance.

Read Troy Hunt's post here: https://www.tyroyhunt.com/new-pluralsight-course-the-role-of-shadow-it-and-how-to-bring-it-out-of-the-darkness/

Tuesday, February 6, 2018

Web Basics - TLS/SSL https

We've been looking at the basics of the internet. If you've been wondering about how it all works or are interested in web programming, you need to know the things in this series of posts.

Today's topic is TLS - Transport Layer Security. The transport layer is essentially the connection itself. The web can be divided into a model with 4 layers - two of which we've been talking about: application (HTTP) and transport (TCP and UDP). The other two are "network goo" that we really don't interact with directly. They're important, don't get me wrong, just not important to this series.

As we saw in the last post on TCP, your information is flying around the world at light speed. With the right equipment and wrongful intent, someone looking to make a buck could easily tap into your data in transit (that's what we call it when it's on the move) and sell your information (usually a big batch of information) to someone who will exploit it to steal money. That is, unless it's scrambled before it's sent, then unscrambled on the receiving side. Enter encryption.


Encryption



The newest big business buzz of currency - crypto-currency - is all possible because of encryption (that's the crypto- part). It's built on the premise of uniquely encoding a "block-chain" and adding that to the existing chain to make it more valuable.

Encryption took off during WWII because radio transmissions were used by all of the militaries participating in that war. As we know, anyone can tune into radio frequencies and listen in (we can also listen to the radio transmissions of the cosmos - all the way back to the beginning of our universe!). Unless you can send a message in a way that only the receiver knows how to understand, you're toast! Every one of your moves will be known. It would be like playing chess while thinking your whole strategy out loud - you just can't win that way!

So they encoded the messages. With the messages encoded only those listeners with the decoding sequence would be able to understand. The U.S. got really good at cracking the code - which was one of the main reasons why the Allies won. Another was the perseverance and sacrifice of millions of lives of Russian soldiers. And the third was massive industrialization in the U.S. - both automated and manual industry.

History lesson aside, encryption has been used to protect privacy long before the internet. In modern times, it is used to protect data both in transit and at rest (in a database or on a hard-drive). TLS represents encryption in transit. SSL (Secure Sockets Layer) is the outdated predecessor to TLS - it's been deprecated by the authorities on internet security (the IETF*) as of June 2015.

TCP establishes a connection to communicate between two servers. TLS secures that connection by ensuring that all information transmitted through it is encrypted. The mechanisms for applying this encryption involve a certificate.

Certificates



Certificates operate on a trust basis. There are companies that issue certificates (issuer). Those companies are called certificate authorities (CA) and your computer has their root certificate pre-installed. If you are securing your server, you would purchase a certificate from one of those companies. Your URL would then be registered to that certificate. You install the certificate on your web server. When https requests are made to your server, the requester gets a copy of your certificate. Your certificate is used to establish your authenticity. It's kind of like a driver's license, passport, or other form of id.



If you are the requester, your browser will verify the signature on the certificate using the issuer's root certificate that you already have installed. The domain in the URL also has to match the domain name on the certificate you receive from the server. If there is a match, the server has been authenticated. Once the authenticity of the server has been established, your computer and the server will generate an encryption key for the session. All of the information shared between you and the server will be encrypted and decrypted on either end using that key.

Issues

This site is not https, but it's read-only - you don't exchange any sensitive information. Be careful when you have sites that require sending sensitive info and there is no https or it is misconfigured.
This site is configured for https.


This is how most of your information is secured on the internet today - provided you and the server are using https properly. Often we see misconfigurations on servers or servers that still support unencrypted http connections (http without TLS). There are also different versions of TLS which creates more configuration issues. The best you can do is pay attention to what your browser is telling you and think a bit about what kind of information you are willing to compromise - and remember some hackers are fairly sophisticated and can piece information together from multiple sources if you are a specific target (e.g. have a lot of money or power or work for a target organization/industry).
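The domain-match rule from the Certificates section and the TLS-version point above can be made concrete. This is an added example, not code from the original post: the sample certificate is constructed, the function names are hypothetical, and the matcher is a simplified illustration of the rule (Python's `ssl` module performs the real check itself during the handshake).

```python
import ssl

# Constructed sample, in the dict shape that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"),
                       ("DNS", "*.cdn.example.com")),
}


def _name_covers(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from the certificate with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the entire leftmost label, never as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry covers the hostname."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_covers(name, hostname) for name in names)


def strict_client_context() -> ssl.SSLContext:
    """Client settings that refuse unauthenticated or outdated connections."""
    ctx = ssl.create_default_context()  # trusts the pre-installed root CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / 1.1
    return ctx


if __name__ == "__main__":
    for host in ("shop.example.com", "img.cdn.example.com",
                 "a.b.cdn.example.com", "shop.example.com.evil.test"):
        print(host, hostname_matches(SAMPLE_CERT, host))
    ctx = strict_client_context()
    print(ctx.check_hostname, ctx.verify_mode, ctx.minimum_version)
```

A host that merely contains the certified name, or sits two levels below a wildcard, is rejected; that mismatch is what the browser warning is telling you about.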

TLS works well to protect us when configured properly, but we should still remain vigilant. It can be easy to think that https solves all of our internet security problems, but there are other ways that hackers will try to pwn you.

Continued Learning



Encryption is a vast subject in and of itself. It comes in many flavors and varieties. There are one-way and two-way hashing algorithms, asymmetric and symmetric keys, private-private and private-public keys. And it all involves some pretty intense mathematics. Crypto-masters are a rare breed but the work they do is vital to our lifeblood - secure data!


* IETF - Internet Engineering Task Force



OWASP is the go-to for internet security - they have great info about TLS



Some certificate authorities along with more details are listed on Wikipedia here:


Wikipedia has a lot on the subject of TLS in general:



Friday, July 28, 2017

Friday Challenge #4: Hack Troy

Ok...it's time for another Friday Challenge! This one is for a bit of fun...be a hacker for a day. Hack Troy Hunt's site. Don't worry, it's legal; he invites you to do so. You see, Troy is a world-class security guru and set up the site to accompany his Pluralsight training video - Hack Yourself First. You can learn a lot from him in this free course, so why not check it out!

And while you're at it, pop over to OWASP and see what the top 10 web security vulnerabilities are. Spoiler Alert!!! The top 3 haven't changed in the last 4 years. Jeez guys...aren't we getting it yet!?!?