Information security e-learning

The Internet gives us unlimited opportunities to educate ourselves. Here I want to share with you some free resources, which can help you understand information security concepts better.

1. For those of you who want to familiarize yourselves with the ISO 27001 standard, I recommend a free e-learning course.

“The purpose of this course is to enable information security practitioners to successfully implement an ISO 27001 compatible information security management system in their respective organizations. This course is made freely available to interested candidates and is modeled on ISO 27001 Lead Implementer courses.” (c) ISQ

2. The Designing and Executing Information Security Strategies course provides you with opportunities to integrate and apply your information security knowledge. Following the case-study approach, you will be introduced to current, real-world cases developed and presented by the practitioner community. You will design and execute information assurance strategies to solve these cases. A term-long capstone project leads you through an actual consulting engagement with a local organisation, adding experience to your resume before you even complete the program.

3. Stanford University provides free online cryptography courses.

Basic

“This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.” (c) Dan Boneh

Advanced

“The course begins with constructions for digital signatures and their applications. We will then discuss protocols for user authentication and zero-knowledge protocols. Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup. We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography.” (c) Dan Boneh

4. A one-hour seminar by Xeno Kovah (Mitre) on rootkits highlights the few weaknesses in detection methodologies and the many weaknesses in tools.

5. Using buffer overflows

– Understanding the Stack – The beginning of this video explains the Intel x86 function-call conventions used when C code is compiled.

– Buffer Overflow Exploitation Megaprimer for Linux video series

6. A series of videos introducing wireless networking and the application of penetration testing tools to WLANs.


PCI DSS Compliance in a Cloud Computing Environment. Part 3

According to the statistical survey [1], security is one of the main concerns for enterprises when deciding whether to outsource their applications and infrastructure to a cloud computing environment.

The inability to clearly identify where the sensitive data is stored and how it is processed is a major concern of many companies.

The problem becomes more serious when the enterprise processes card payments and has to comply with regulatory requirements such as PCI DSS. The need for the infrastructure to comply with regulatory requirements plays an important role in deciding whether to move applications or infrastructure to the cloud.

This chapter will identify specific requirements for PCI DSS compliance in a cloud computing environment and will look at research done in the field of continuous auditing.

1. PCI DSS compliance and virtualization

Virtualization, which serves as the foundation for cloud computing, introduces new types of risk that must be taken into consideration when deciding whether to adopt cloud computing in a cardholder data environment [2].

To address these concerns and to achieve PCI DSS compliance in such an environment, the PCI Security Standards Council issued the “PCI DSS Virtualization Guidelines,” which include an example of how scope and responsibility may differ by type of cloud service (Figure 1) [2].


Figure 1 – Area of responsibility by type of cloud service [2]

In its supplementary guidance the PCI Security Standards Council also focuses on the following risks [2]:

– Vulnerabilities in the Physical Environment Apply in a Virtual Environment

– Hypervisor Creates New Attack Surface

– Increased Complexity of Virtualized Systems and Networks

– More Than One Function per Physical System

– Mixing Virtual Machines of Different Trust Levels

– Lack of Separation of Duties

– Dormant Virtual Machines

– Virtual Machine Images and Snapshots

– Immaturity of Monitoring Solutions

– Information Leakage between Virtual Network Segments

– Information Leakage between Virtual Components

For each risk they provide a set of recommendations, specifically covering compliance aspects of the cloud computing environment.

2. Continuous compliance monitoring in a cloud computing environment

Ensuring the compliance of outsourced business processes with regulatory requirements is one of the key problems in deploying a cloud computing environment [3], [4].

Some research has been done on developing models that automate continuous auditing in order to ensure adherence to regulatory requirements.

Building on Speeter’s research [5], Chieu, Viswanathan, and Gupta [6] push the concept further: they not only provide solutions for gathering information on network and server configuration, but also provide a tool that automates this process and uses the collected evidence for assurance purposes.

The researchers acknowledge the benefits of cloud computing, but note that “the steps of validating the configuration and security of the target workload for compliance and assuring its quality may be complex and very time consuming.” Emphasizing the difficulties of performing the validation manually, the authors present the design of an automation system (Figure 2) that validates the configuration of target cloud services for compliance [6].


Figure 2 – Architecture of the automation system for service activation [6]

The authors describe in detail how the presented system is used to collect and verify evidence and to ensure adherence to regulatory requirements in a cloud computing environment. The work makes a large practical contribution and supports various operating systems and middleware stacks. It was also deployed in a shared private enterprise cloud (IBM SmartCloud Enterprise Plus) [7]. However, the authors acknowledge that the system “lacks the flexibility to support the diverse private cloud environments in which different back-end tools may have to be integrated.” [6] Allowing such flexibility may lead to wider adoption and to practical uses such as automating PCI DSS compliance checks.

Acknowledging the contribution of Breaux and Antón’s research [8], Accorsi and Sato claim that there are still insufficient research results to support the creation of a uniform way of expressing compliance requirements [9]. Moreover, the researchers emphasize the absence of tools for automating certification procedures, and note that the “multitude of regulations and contractual rules increases the complexity of checking compliance” [9].

The authors analyze a number of regulatory requirements and derive nine common categories. They then focus on workflows and create a Petri net [10], [11], [12], [13] representation of these categories. They use the resulting model to check the compliance of a given business process with a given set of requirements. In case of non-compliance, the model gathers the necessary evidence and points out the problem.
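As an added illustration of the idea described above, the following example replays a business-process trace against a small Petri net and collects evidence for every deviation. This is example code written for this page, not Accorsi and Sato’s model; the card-refund workflow, its places and transitions, and the separation-of-duties rule are constructed assumptions.

```python
from collections import Counter

# Hypothetical Petri net of a card-refund workflow, constructed for this
# illustration (it is not Accorsi and Sato's model). A transition consumes
# one token from each input place and puts one token in each output place.
NET = {
    "request": ({"start"}, {"requested"}),
    "approve": ({"requested"}, {"approved"}),
    "execute": ({"approved"}, {"done"}),
}
INITIAL_MARKING = Counter({"start": 1})
FINAL_PLACE = "done"
# Constructed separation-of-duties rule: the approver must not be the requester.
SOD_PAIRS = [("request", "approve")]


def check_compliance(trace):
    """Replay a trace of (activity, actor) events against NET.

    Returns (compliant, evidence). Each deviation is recorded with the step
    at which it was observed, so an auditor can point to the problem.
    """
    marking = INITIAL_MARKING.copy()
    actor_of = {}
    evidence = []
    for step, (activity, actor) in enumerate(trace, start=1):
        if activity not in NET:
            evidence.append(f"step {step}: unknown activity '{activity}'")
            continue
        inputs, outputs = NET[activity]
        missing = sorted(p for p in inputs if marking[p] < 1)
        if missing:
            # The activity fired before the workflow reached its precondition.
            evidence.append(f"step {step}: '{activity}' without {missing}")
        else:
            for place in inputs:
                marking[place] -= 1
        for place in outputs:  # keep replaying so later deviations are caught
            marking[place] += 1
        actor_of[activity] = actor
    for first, second in SOD_PAIRS:
        if first in actor_of and actor_of.get(second) == actor_of[first]:
            evidence.append(f"'{first}' and '{second}' both by {actor_of[first]}")
    if marking[FINAL_PLACE] != 1:
        evidence.append("workflow did not reach its final place")
    return not evidence, evidence
```

A trace such as `[("request", "alice"), ("execute", "system")]` is reported as non-compliant with the evidence that `execute` fired while the `approved` place held no token.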

Unlike Sadiq, Governatori, and Namiri [14], who focus on a single piece of legislation, Accorsi and Sato build their categorization on several different legislations, which may benefit cloud service providers that need to comply with many regulations at once. However, the authors analyze mainly business process design issues and only a few legislations, ignoring, for example, PCI DSS and, more importantly, many requirements that may be specific to it.

Hizver and Chiueh [15] tackle another side of automated compliance monitoring: discovering credit card data flow, which is a prerequisite for implementing PCI DSS.

Their research has valuable practical application, because in order to comply with PCI DSS requirements merchants must understand how credit card data flows through their information technology infrastructure and must document it. When the infrastructure changes, this documentation easily becomes out of date and difficult to maintain.

To avoid this manual effort, the authors develop a tool that discovers payment card data flow across distributed systems in an automated manner. The foundation of the tool is virtual machine introspection technology [16].

The researchers present and thoroughly analyze the developed tool and show evidence that it fulfills its purpose even though communications between the distributed systems are encrypted, since virtual machine introspection observes the guest’s state from the hypervisor rather than from the network.

Conclusion

Existing issues with compliance monitoring prevent companies from outsourcing their applications and infrastructure to a third-party cloud computing environment [17] and slow down the realization of the potential of cloud computing [19].

Although some positive results have been achieved in identifying problems with cloud computing and compliance, more research should be done on automating continuous monitoring for PCI DSS requirements in a cloud computing environment. Models should be developed and tested to allow companies to ensure their adherence to requirements not only within the application, but also in the external environment, especially when it is outsourced to third parties.

References

[1] IDC Survey (2009) http://blogs.idc.com/ie/?p=730

[2] PCI DSS Virtualization Guidelines (2011) https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

[3] ENISA (2009) “Cloud computing—benefits, risks and recommendations for information security”. European Network and Information Security Agency

[4] Cloud Security Alliance (2013) “Top threats to cloud computing” http://www.cloudsecurityalliance.org/

[5] Speeter, Framba, Duncan, Talla, Bullis (2006) “Configuration management system and method of discovering configuration data”, US Patent Pub. No. 20060179116

[6] Chieu, Viswanathan, Gupta (2012) “Automation System for Validation of Configuration and Security Compliance in Managed Cloud Services”

[7] IBM SmartCloud, http://www.ibm.com/cloud-computing/us/en/

[8] Breaux, Antón (2008) “Analyzing regulatory rules for privacy and security requirements”. IEEE Trans Software Eng 34(1): p.5–20

[9] Accorsi, Sato (2011) “Automated Certification for Compliant Cloud-based Business Processes”. DOI 10.1007/s12599-011-0155-7

[10] Murata (1989) “Petri nets: properties, analysis and applications”. Proc IEEE 77(4): p.541–580

[11] van der Aalst (1998) “The application of Petri nets to workflow management”. Journal of Circuits, Systems, and Computers 8(1): p.21–66

[12] Katt, Zhang, Hafner (2009) “Towards a usage control policy specification with Petri nets”. Springer LNCS 5871: p.905–912

[13] Huang, Kirchner (2009) “Component-based security policy design with colored Petri nets”. Springer LNCS 5700: p.21–42

[14] Sadiq, Governatori, Namiri (2007) “Modeling control objectives for business process compliance”. Business Process Management, Springer LNCS 4714: p.149–164

[15] Hizver, Chiueh (2011) “Automated Discovery of Credit Card Data Flow for PCI DSS Compliance”. 30th IEEE International Symposium on Reliable Distributed Systems

[16] Garfinkel, Rosenblum (2003) “A virtual machine introspection based architecture for intrusion detection”. Proc. Network and Distributed Systems Security Symposium, p.191–206

[17] Chow, Golle, Jakobsson, Staddon, Masuoka, Molina (2009) “Controlling data in the cloud: outsourcing computation without outsourcing control”. In: Proc ACM Workshop on Cloud Computing Security. ACM, New York, p.85–90

[18] Etro (2009) “The economic impact of cloud computing on business creation, employment and output in Europe”. Review of Business and Economics 54(2): p.179–218