Presentations – Cyber Security Leadership

Giving a lecture at the Royal Holloway University of London

I was invited by the RHUL Computing Society to give a lecture on human aspects of security.

After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned the importance of the role of information security in an organisation and it’s important enabling function.

It was really nice to get such an active participation on their behalf. After the talk we had an interesting conversations on current security research trends and opportunities.

Presenting at the ISACA London Chapter event

I shared some research findings with the ISACA London Chapter members at the November event. We discussed resolving conflicts between security compliance and human behaviour. The talk was followed by a panel discussion with other presenters, where I answered questions regarding human aspects of information security.

During the networking session after the presentation I’ve had many other interesting conversations with the participants. People were sharing their stories and experiences implementing and auditing security controls.

The video of the talk is available on the ISACA London Chapter website.

Teaching Information Security Concepts at KPMG

I delivered a 1,5-day Information Security Concepts course at KPMG UK.

We covered a wide range of topics, including information security risk management, access control, threat and vulnerability management, etc.

According to the feedback I received after the course, the participants were able to understand the core security concepts much better and, more importantly, apply their knowledge in practice.

Leron is very engaging and interesting to listen to
Leron has the knowledge and he’s very effective making simple delivery of a complex topic
Leron is an effective communicator and explained everything that he was instructing on in a clear and concise manner

There will be continuous collaboration with the Learning and Development team to deliver this course to all new joiners to the Information Protection and Business Resilience team at KPMG.

Delivering a Seminar at the London Metropolitan University

I was invited to give a talk on industrial systems security at the London Metropolitan University.

The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedding devices and network and IT infrastructure in general.

The professors shared their perspective on this subject. This resulted in the identification of several research opportunities in this area.

Image courtesy of Vlado / FreeDigitalPhotos.net

Delivering a Seminar at the IT Security & Computer Forensics Pedagogy Workshop

I presented at the HEA STEM Workshop on human aspects of information security.

The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.

During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.

Presenting on Industrial Control Systems Security at the University of Westminster

I delivered a seminar to a group of students at the University of Westminster on industrial control systems security. We discussed the history of these systems, current developments and research opportunities in this area. There was some debate around the hypothesis that these systems weren’t designed to be secure and the trade-offs between confidentiality, integrity and availability helped the participants to better understand modern challenges. Practical recommendations were given pertaining the areas of risk management, disaster recovery, and resilience.

I also facilitated a workshop, where I divided the audience into several groups representing various stakeholders within the company: shareholders, process engineers, and security managers. This helped to drive further discussion regarding different points of view, priorities, and the complexity of communication.

Giving a seminar at the University of East London

This morning I delivered a seminar for a group of graduate students at the University of East London. An enriched mix of participants from various degrees, including information security, forensics, and IT law made the classroom discussions very interesting.

I was very glad to see that students were very eager to learn more about the subject and were willing to share their ideas and experience. We were even able to managed to identify new research opportunities in the field of economics of information security.

After the presentation, I facilitated a workshop which was designed based on a case study around USB drive encryption. This exercise helped the students to understand the perspective of both a security manager and an end-user on the same problem.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Teaching Computer Science in Uganda

I went to a volunteering trip this summer to work with a local NGO and teach basic computer science to disadvantaged communities in Kampala, Uganda.

It was a very interesting experience. Young people are very eager to learn new things there. We additionally discussed information security aspects in IT.

Convergence of Physical and Information Security

Had an opportunity to give a talk at the BSides London conference.

Discussed convergence of physical and information security in organizations.

Many thanks to Javvad and Thom for their help and support.

Leron Zinatullin: Convergence of Physical and Information Security from Leron Zinatullin on Vimeo.

Cloud Computing Security – A brief overview of Threats, Vulnerabilities, and Countermeasures

Threats

In 2013 the Cloud Security Alliance released a report, which identifies and describes 9 significant threats to Cloud computing [3]. This report was conducted through a survey of experts and intends to help companies in their Risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organizations that have tried to set up standards for best practices for secure cloud computing. They further try to offer guidance and security education.

The identified threats are listed in accordance to their severity:

1. Data Breaches: Data breaches occur when sensitive information of a company falls into the hands of its competitors and cloud computing introduces new ways of attack [1,3].

2. Data Loss: Data Loss can happen in several ways and is a terrifying thought for businesses. Accidental deletions by the CSP or physical catastrophes are examples of possible ways of loosing data in the cloud. Another example is if the consumer encrypts the data before uploading it to the cloud but then looses the encryption key [1, 3].

3. Account or Service Traffic Hijacking: There are different ways an account can be hijacked such as social engineering. If an attacker is able to get access to an account he can access, for example, sensitive data, manipulate it, and also redirect transactions [3, 9].

4. Insecure APIs: Services provided by CSPs can be accessed through APIs and therefore the security of the cloud depends also highly on the security of these APIs. Weak credentials, insufficient authorization checks and insufficient input-data validation are some problems that can arise with APIs [3, 9].

5. Denial of Service (DoS): Cloud System Resources are being overused by an attacker, which prevent users from being able to access their data or applications [1, 3].

6. Malicious insiders: This threat refers to the fraud, damage or theft of information and misuse of IT resources caused from inside the CSP [3, 9].

7. Abuse of Nefarious Use: CSP are known to have weak registration processes and therefore can give easy access to attackers. Possible impacts include decoding and cracking of passwords and executing malicious commands [1, 3].

8. Insufficient due diligence: Some companies do not have the right resources and understanding of the cloud environment to correctly evaluate the risk associated with responsibilities. Some implications can be contractual issues and operational and architectural issues [3].

9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability could compromise the entire provides cloud [3].

Vulnerabilities in the Cloud

Vulnerability is the second factor companies have to consider when assessing the risk of migrating data to the cloud. Even though many types of vulnerabilities exist, when identifying them it is important to make sure they are cloud specific.

What makes a Vulnerability cloud specific?

According to the research conducted in [5] there are several criteria, which can be met by a vulnerability to make it cloud specific.

Virtualization, service- oriented architecture and cryptography are examples of core technologies of cloud computing. A Vulnerability is cloud specific if it is frequent and fundamental to these core technologies.
Elasticity, resource pooling and pay-as-you go mode are example on the other hand of cloud characteristics [4]. A Vulnerability is cloud specific if its root cause is in one of those characteristics.
Another criteria that makes a vulnerability cloud specific is if it hard to implement existing security controls to cloud innovations.
The last criteria they mention is that it has to be frequent in established state-of-the-art cloud services

Knowing what makes a vulnerability cloud specific one can then identify vulnerabilities in the cloud. The paper [1] has identified in total 7 major vulnerabilities of cloud computing:

1 Session Riding and Hijacking: This vulnerability is related to web applications weaknesses. Session Hijacking is unauthorized access is gained through a valid session key [8]. Session riding on the other hand is when the attacker sends commands to a web application by tricking the user open an email or to visit a malicious website [1].

2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more service are built on top of cloud computing infrastructures. In case of a failure a large amount of Internet based services and applications may stop working. The paper [1] give the example of an event in 2008 when Amazon’s Web Service cloud storage infrastructure went down for several hours. This caused data loss and access issues.

3. Insecure Cryptography: One of the fundamental problems in cryptography is the random generation of numbers. If numbers used in cryptographic algorithm are not truly random flaws can be found easily. The Virtual machines used on the cloud do not have enough sources of entropy and are therefore susceptible to attacks [1].

4. Data Protection and Portability: This vulnerability addresses the questions of what happens with the sensitive data in case of contract termination or in case the CSP goes out of business [1].

5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. Given that many virtual machine can exist in the same location increases the attack surface for the attacker [1].

6 Vendor Lock-in: The vulnerability lies in companies being dependent on the CSP they have initially chosen. Inconsistencies between CSPs and lack of standards make it hard for companies to switch providers [1].

7. Internet Dependency: Cloud Computing is very much dependent on the Internet. Users usually access services through web browsers. Some critical operation such as Healthcare systems needs to be up and running 24 hours. The question arises in situations where the Internet is not reliable [1].

Countermeasures

Having identified the risks of cloud computing it is then possible to assess which data or applications should be migrated and how much security is needed. Further, it is possible to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may come in various forms such as policies, procedures, software configurations, and hardware devices [4].

For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as [6], [3], and [9] give possible solutions to these risks. Some of them are for example Identity and access management guidance for the threat of account or service hijacking [6]. The CSA has issued a report to provide a list of best practices such as separation of duties and identity management [2]. For the threat of data leakage for example the main countermeasure is encryption [8, 6].

Even though there are many countermeasures that have been identified a good practice for companies is to have a good Service Level agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider and should cover aspects such as security policies and their implantation and also should discuss legal issues in case of misuse of services [7]. The CSA further has come up with a framework that can assist in looking at the aspects of Governance, Risk and Compliance (GRC) in a company’s IT policy when adopting a new solution. Their framework assists in assessing Clouds provided by CSPs against established best practices and standards.

We have looked at Threats and Vulnerabilities and come to conclude that there are still several issues to cloud computing that need to be solved. Therefore, it is only understandable that companies still view cloud computing skeptical and do not adopt it as an option without consideration. Companies themselves should ensure through service level agreements that they get the security they need. Further we are able to see through organizations such as the Cloud Security Alliance that there are efforts in trying to create standards and help companies in choosing the right provider.

References

[1] Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. “Seven Deadly Threats and Vulnerabilities in Cloud Computing.” International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).

[2] Brunette, Glenn, and Rich Mogull. “Security guidance for critical areas of focus in cloud computing v2. 1.” Cloud Security Alliance (2009): 1-76.

[3] Cloud Security Alliance, “The Notorious Nine Cloud Computing Top Threats in 2013”, Cloud Security Alliance, 2013, [Online]

[4] Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. “A survey of risks, threats and vulnerabilities in cloud computing.” In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.

[5] Grobauer, Bernd, Tobias Walloschek, and Elmar Stocker. “Understanding cloud computing vulnerabilities.” Security & Privacy, IEEE 9, no. 2 (2011): 50-57.

[6] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1 (2013): 5.

[7] Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. “Cloud security issues.” In Services Computing, 2009. SCC’09. IEEE International Conference on, pp. 517-520. IEEE, 2009.

[8] Munir, Kashif, and Sellapan Palaniappan. “Secure Cloud Architecture.” Advanced Computing: An International Journal (ACIJ), 4 (1), 9-22. (2013).

[9] Yu, Ting-ting, and Ying-Guo Zhu. “Research on Cloud Computing and Security.” In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.