Security Software & Equipment Store

Thursday, August 27, 2015

Gartner Releases Magic Quadrant for Application Security Testing (AST)

Gartner Group used the following definitions when evaluating vendors in the Application Security Testing sector in their August 2015 report:
Static AST (SAST) technology analyzes an application's source, bytecode or binary code for security vulnerabilities typically at the programming and/or testing software life cycle (SLC) phases (see "Hype Cycle for Application Security, 2015").
Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically Web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.
Interactive AST (IAST) technology combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes attacks and identifies vulnerabilities.
Mobile AST uses a combination of traditional SAST and DAST and behavioral analysis using static and dynamic techniques to discover malicious or potentially risky actions the app may be taking unbeknown to the user (for example, activating the user's address book or GPS).

The technology approaches can be delivered as a tool or as a subscription service. Many of the larger vendors offer both options to reflect enterprise requirements for both a product and a service. Collectively, AST is adopted by the majority of enterprises, but the various technologies differ in adoption and maturity. DAST, followed by SAST, is the most widely adopted, while IAST and mobile AST have only recently emerged. This Magic Quadrant focuses on a vendor's maturity in offering SAST and DAST features as tools or as security as a service, and weights more heavily vendors' innovation in AST for mobile applications, IAST and emerging runtime application security protection (RASP) capabilities.

So who are the winners and losers? Send your comments to the Cloud and Cyber Security Center.

Wednesday, August 26, 2015

Business Risk Survey 2015 Results - Healthcare Costs and Cyber Security Top Threats

A national survey found that even though business leaders perceive that they are taking the adequate measures to protect their organizations, in reality they’re falling short of doing what’s necessary to mitigate the risk associated with these potential threats. “In the modern-day business environment where everything is interconnected, the potential threats facing a business are immense,” said Ken Ewell, President and COO of The Graham Company. “This complexity of risks has caused many business leaders to become overwhelmed and unknowingly expose their businesses to risks that threaten their bottom line.”

When asked to consider the single biggest risk facing organizations, business leaders’ opinions varied, but cyber security had the highest proportion with 21% of respondents naming it as the number one risk they were most concerned about. Tied for the second greatest risk was professional liability (i.e., employee errors and omissions) and legal liability issues (16%), followed by healthcare costs (14%). Share your comments here at the Cloud and Cyber Security Center.

Tuesday, August 25, 2015

Cyber Security Market Projected to Reach $170.21B by 2020

MarketResearch.com issued a new report which projects the cyber security market to grow to $170B USD by the year 2020. This is a true sign of a megatrend at work worldwide, growing at a 7.32% CAGR. With the exponential growth and sophistication of cyber-attacks in the last few years, security solutions and services are in demand to protect the huge volumes of confidential data held by government, the military, public bodies, Banking, Financial Services and Insurance (BFSI), hospitals, and other businesses. To this end, security solutions such as security intelligence, managed security services, advanced threat protection, and incident response are being used to protect data privacy.

Download this report at: http://www.marketresearch.com/land/product.asp?productid=9081818&progid=87749

Will the cyber security sector reach the $170B mark by the end of this decade? All macro trends - government-backed hacking from Iran, China and Russia, combined with Middle East and domestic terrorism and the rise of social media - point to continued growth. Send your comments to the Cloud and Cyber Security Center.

Friday, August 21, 2015

Accenture Publishes New IoT Security Report

Accenture has just published a new report entitled "Securing the Internet of Things". While few doubt the IoT's transformative power, many recognize the new security risks that arise when businesses incorporate the IoT at the edge of their networks. In fact, businesses surveyed by the World Economic Forum identified cyber-attack vulnerabilities as their most important IoT concern.

Proposed best practices include:
  • Engineer trust into connected products
  • Adopt a new operational mindset
  • Develop contextualized threat models
  • Apply mobile and cyber/physical system (CPS) security lessons
  • Adopt privacy by design (PbD) principles
  • Track and use emerging standards
  • Continue to educate system users
To download this report visit: https://www.accenture.com/us-en/insight-security-internet-of-things.aspx?c=ops_ussectecvispsgs&n=Cyber_Security_-_US&KW_ID=seszSNLxo_dc|pcrid|66156967047

Send your comments about this report to the Cloud and Cyber Security Center.

Thursday, August 20, 2015

Twelve Top Start-ups in the Government Cyber Security Sector

Twelve start-ups have caught significant attention in their efforts to help the US government protect against cyber security threats from China, Russia, Iran and other countries. At a recent cyber security tradeshow in Washington, DC, the following companies seemed poised for success: Axon Ghost Sentinel, Synack, Cylance, Shape Security, Cloudlock, Bitglass, Threatstream, Fire Eye, Confer, Bitsite, Trustwave and Veracode.

Which of these upstarts can break through with bleeding-edge solutions that will truly help government agencies, especially the White House and the DoD Joint Chiefs of Staff, fight off tomorrow's cyber threats? Share your comments here at the Cloud and Cyber Security Center.

Wednesday, August 19, 2015

Preview: FireEye Cyber Defense Summit in Washington, DC (October 12-14)

FireEye will host its Cyber Defense Summit in Washington, DC on October 12-14. Among the keynote speakers are General Colin Powell - USA (Ret.), FireEye Chairman of the Board and CEO David DeWalt, and FireEye President Kevin Mandia. Workshop sessions will include Cloud Forensics on Amazon Web Services, Transforming Incident Response to Intelligent Response using Graphical Analysis, Offensive Operations to Build a Strong Incident Response Program, Information Security Operations Center (ISOC): Cybersecurity Collaboration, and many more. The registration fee is $375.

This event will be held at the Washington Hilton hotel, which ironically is the very site where President Ronald Reagan was shot by John Hinckley some 30 years ago. For registration information visit: https://www.fireeye.com/company/events/fireeye-summit/2015/index.html

Send your comments about this summit to the Cloud and Cyber Security Center.

Thursday, August 13, 2015

Firewalls - Distinguishing Between Application and Session Layer Solutions

How do IT security professionals distinguish between application and session layer firewalls? Well, managing a network using only access control lists and some basic filtering was once more than enough protection to deter unauthorised users. This was the case because routers were at the heart of every network, and more specifically these devices were used to route traffic to and from WAN connections such as branch offices and the Internet.

Session layer firewalls are also known as circuit-level firewalls or circuit gateways. They have the following features: they operate at the TCP layer of the OSI model; they typically use NAT (Network Address Translation) to protect the internal network; and they have little or no visibility into the application layer, so they cannot filter more complicated connections. These firewalls can only protect traffic using a basic rule base such as source and destination addresses and ports. Send your comments to the Cloud and Cyber Security Center.
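As an added illustration (not from the original post), the following Python sketch contrasts a circuit-level decision, which sees only addresses and ports, with an application-layer decision that parses the HTTP request line; the networks, rule base and sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Connection:
    """A TCP connection as a firewall sees it (constructed sample data)."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Circuit-level rule base: (source network, destination network, port, action).
# Addresses are from documentation ranges; the rules are constructed.
CIRCUIT_RULES = [
    ("0.0.0.0/0", "203.0.113.0/24", 80, "allow"),   # anyone -> web DMZ over HTTP
    ("10.0.0.0/8", "203.0.113.0/24", 22, "allow"),  # internal admins -> SSH
]

def circuit_filter(conn):
    """Session-layer decision: only source, destination and port are
    consulted; the payload is never examined, just like a circuit gateway."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)
    for src_net, dst_net, port, action in CIRCUIT_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and conn.dport == port):
            return action
    return "deny"  # default deny

ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def application_filter(conn):
    """Application-layer decision: parses the HTTP request line and applies
    a content policy that the circuit layer has no way to express."""
    try:
        request_line = conn.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not a well-formed HTTP request line
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return "deny"
    path = target.split("?", 1)[0]
    # Reject request targets that try to step out of the web root.
    if not path.startswith("/") or ".." in path.split("/"):
        return "deny"
    return "allow"

def inspect(conn):
    """Layered decision: circuit rules first, then HTTP policy on port 80."""
    if circuit_filter(conn) == "deny":
        return "deny"
    return application_filter(conn) if conn.dport == 80 else "allow"
```

Both sample HTTP requests below pass the circuit layer unchanged; only the application layer can tell them apart.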

Wednesday, August 12, 2015

US SEC Charges 32 Defendants in Hacking Probe

Yesterday the Securities and Exchange Commission announced fraud charges against 32 defendants for taking part in a scheme to profit from stolen nonpublic information about corporate earnings announcements. Those charged include two Ukrainian men who allegedly hacked into newswire services to obtain the information and 30 other defendants in and outside the U.S. who allegedly traded on it, generating more than $100 million in illegal profits.

The SEC’s complaint unsealed today was filed under seal on August 10 in U.S. District Court in Newark, N.J., and the court entered an asset freeze and other preliminary relief that day. Is this lawsuit valid and what will be the outcome? Send your comments to the Cloud and Cyber Security Center.

Tuesday, August 11, 2015

DEFCON 23 Concludes: Who has the Advantage - Hackers or their Targets?

DEFCON 23 concluded last week in Las Vegas amid a backdrop of major hacking attacks against both the US government and private sector businesses. Once again the DEF CON NOC worked hard to provide you the internetz via WiFi access throughout the Paris & Bally’s convention centers.
There are two official ESSIDs for accessing the conference network: the encrypted one with certificate/user-based authentication (DefCon) and the unencrypted free-for-all one (DefCon-Open): choose wisely. Most devices these days are 802.1X compatible, despite the quirks some of them still present without an MDM solution behind them, and no one really wants your managed devices. If you attended DEFCON 23 let us know your thoughts here at the Cloud and Cyber Security Center.

Monday, August 10, 2015

Preview: ASIS International Conference September 28-October 1 (Anaheim, CA US)

The ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) will bring together 20,000 security professionals, security vendors, IT professionals and customers in Anaheim, California next month.
The educational sessions at ASIS 2015 and (ISC)² Congress span industries and disciplines to address the complex challenges facing today’s security management and cyber security professionals. From current and emerging issues to industry best practices, you’ll find a wealth of information and topics to choose from. There’s something for everyone in this peer curated program.

More than 20,000 security professionals from across the globe are expected to attend the four-day event. ASIS is the largest organization of security management professionals worldwide. (ISC)² is the largest membership body of certified information and software security professionals worldwide. The education lineup reflects trending security issues including targeted violence, use of force, cyber fraud, counter terrorism strategies, and information security and privacy. On the business side, attendees will examine security management issues such as customer service security, collecting and measuring the right data, and security master planning. Are you planning to attend ASIS 2015? What are your expectations? Let us know here at the Cloud and Cyber Security Center.

Friday, August 7, 2015

Russian Cyber Crime Group Purportedly Behind Attack on US Joint Chiefs of Staff

A Russian cyber attack around July 25 shut down the Pentagon’s Joint Chiefs of Staff’s unclassified email system for 11 days and affected around 4,000 military and civilian personnel who work for the Joint Chiefs. No classified information was taken or put at risk.

Only unclassified email accounts were infiltrated. The Joint Chiefs of Staff has not said anything publicly about the breach, but news reports said investigators believe it to be the work of a Russian hacker group. The same group got inside the State Department's unclassified system last year and also accessed parts of the White House network, gaining access to some correspondence sent and received by President Obama. Is Russia really involved? Let us know your thoughts here at the Cloud and Cyber Security Center.

How Valuable are Symantec's Norton Services to Consumers?

Norton Services may be purchased with or without Norton desktop anti-virus and anti-malware software from Symantec. Norton Services allow a consumer or business end-user to grant Norton Call Center personnel access to their desktop so that security issues can be resolved remotely.

There is no need to roll a truck, as with the Geek Squad, and customers have the luxury of remaining in their homes or offices and engaging with the Norton Call Center at their convenience. This concept is not new; related "Customer Assistant Services" are offered by Microsoft, Cisco-WebEx and other vendors. Nonetheless, the service works and saves time and money. If you have used Norton Services, send us your feedback here at the Cloud and Cyber Security Center. Cheers.

Thursday, August 6, 2015

How Large is the Security Threat from "Air-Gapped" Computers?

In environments where networks or devices are rated to handle different levels of classified information, the two disconnected devices/networks are referred to as the "low side" and the "high side", low being unclassified and high referring to classified, or classified at a higher level. This is also occasionally referred to as red (classified) and black (unclassified). To move data from the high side to the low side, it is necessary to write the data to a physical medium and carry it to a device on the latter network. Traditionally, based on the Bell-LaPadula Confidentiality Model, data can move low-to-high with minimal process, while high-to-low requires much more stringent procedures to ensure protection of the data at the higher level of classification.
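The Bell-LaPadula rules the paragraph refers to, written out as a small reference-monitor check in Python; this is an added example, not part of the original post, and the levels and compartments it uses are constructed.

```python
from dataclasses import dataclass

# Ordered classification levels; the index is the dominance rank.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class Label:
    """A security label: a level plus an optional set of need-to-know
    compartments (constructed names such as 'CRYPTO' in the tests)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND a
        superset of the other label's compartments."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

def can_read(subject, obj):
    """Simple security property (no read up): the subject's clearance
    must dominate the object's classification."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """*-property (no write down): the object's classification must
    dominate the subject's current level."""
    return obj.dominates(subject)

def transfer_allowed(src_label, dst_label):
    """A network-to-network transfer modelled as a write from the source
    side to the destination side: low-to-high passes automatically,
    high-to-low does not and must go through the out-of-band review."""
    return can_write(src_label, dst_label)

def decide(subject, op, obj):
    """Reference-monitor style decision with a short reason string."""
    if op == "read":
        return ("allow", "") if can_read(subject, obj) else ("deny", "no read up")
    if op == "write":
        if can_write(subject, obj):
            return ("allow", "")
        return ("deny", "no write down: high-to-low transfer requires the review procedure")
    return ("deny", "unknown operation")
```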

Air-gapped computers are isolated — separated both logically and physically from public networks — ostensibly so that they cannot be hacked over the Internet or from within company networks. Researchers at the Ben-Gurion University of the Negev (BGU) Cyber Security Research Center have discovered that virtually any cellphone infected with malicious code can use GSM phone frequencies to steal critical information from infected “air-gapped” computers. Just how serious is the "air-gapped" computer threat? Send us your comments here at the Cloud and Cyber Security Center.

Wednesday, August 5, 2015

Will Microsoft's VC3 on SGX Truly Secure Data in the Cloud?

VC3 is the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised.

VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Will VC3 on SGX truly enhance cloud security? Let us know your comments here at the Cloud and Cyber Security Center.

Tuesday, August 4, 2015

How Secure is Active Directory with Azure?

The integrity of AD when used with Azure from Microsoft remains an open issue for many IT professionals. This is the era of the cloud – and most references to “hybrid network” mean a network that operates with a combination of on-premises and cloud-based services. This is also called a “hybrid cloud.” When you have an on-premises directory service along with an Azure subscription with Azure AD, you can integrate the two to simplify administrative tasks and manage both cloud and on-premises applications, identities and devices from one interface, and provide your users with an easier and smoother sign-in experience with single sign-on.
The first step is determining which type of directory synchronization is best for your organization’s needs. Your options include directory synchronization (DirSync) with password sync, DirSync with single sign-on, or multi-forest DirSync with single sign-on. All of these use the DirSync tool, which makes a copy of the local directory and then propagates it to Azure AD. You install DirSync on a server that is a member of the domain, either an on-premises server or one running in Azure. Let us know your experience with Azure AD here at the Cloud and Cyber Security Center.

Monday, August 3, 2015

BIND DNS a Threat to Corporate Servers

Organizations domestically and possibly worldwide are being impacted by a threat to the BIND DNS server code. The Domain Name System is the Internet's phone book. It's used to convert domain and host names into the numerical Internet Protocol (IP) addresses that computers need to communicate with each other. The DNS is made up of a global network of servers, and a very large number of them run BIND, a software package developed and maintained by a nonprofit corporation called the Internet Systems Consortium (ISC).
The vulnerability announced and patched by ISC Tuesday is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
Are you and your clients experiencing the consequences of the BIND DNS threat? Let us know here at the Cloud and Cyber Security Center. Our goal is to identify valid mitigation tactics for your infrastructure. For tips on the BIND DNS issue see: http://www.tldp.org/HOWTO/DNS-HOWTO-5.html