Archive for September, 2010

Legal Risks in the Cloud: Part 2

In my last blog posting I discussed barriers to achieving compliance and responding to eDiscovery orders when data are stored in the cloud. But these are just a few among the many legal risks connected with cloud computing. One of the most serious is that customers do not know exactly where their data are being stored and processed, or how (if at all) they are being safeguarded. This in turn translates to a number of concerns:

Legal Risks in the Cloud: Part 1

I am sure that you are by now aware that there are many potential security risks associated with so-called cloud computing. Although we are still learning about the nature and extent of these risks, it is important not to focus so much on security risks that we overlook the legal risks that are also part of the cloud risk formula.
One of the most serious cloud legal risk issues is how to achieve compliance when you have lost full or partial control of your IT environment. Suppose, for example, that a company that takes in, processes, stores and transmits credit card data decides to move its credit card operations to the cloud. The cloud service provider (CSP) can provide every assurance of PCI-DSS compliance, but that does not relieve the company of its responsibility to safeguard these data in a way that meets the provisions of the PCI-DSS standard. The company will undoubtedly breathe a sigh of relief if and when the CSP passes a QSA audit. Still, the direction of PCI-DSS is toward continuous, not once-a-year, compliance.

The Stuxnet Worm

The Stuxnet worm stole the headlines last week, the second time in less than three weeks that a self-reproducing program has come into the limelight. What is distinctive about this worm is not only its proficiency in infecting Windows systems but also the way it seeks out and infects supervisory control and data acquisition (SCADA) systems. Stuxnet attempts to exploit several Windows vulnerabilities, some of which were zero-day vulnerabilities, and if it succeeds, it then tries to infect Siemens SCADA systems.

Data Encryption in the Cloud

With cloud services (better called “utility computing services”) proliferating like crazy, the security of an organization’s data stored in the cloud is starting to become a very serious issue. Suppose that an organization has decided to contract with a cloud service provider (CSP) for Infrastructure as a Service (IaaS) storage. Although the organization may assume that the CSP will adequately safeguard the stored data, in reality the opposite is likely to be true. Why? Encrypting data stored in the cloud is not a trivial matter, because it precludes operations that are normally performed on stored data: searching and indexing. Without the ability to do both, data storage becomes downright inefficient. So unless provisions in a service level agreement (SLA) or statement of work (SOW) explicitly state that encryption will be provided for all data stored by the CSP, the data are likely to be stored in cleartext.

Anti-virus Software: Is it Getting Any Better?

I attended a presentation by a major anti-virus product vendor at an ISSA chapter meeting yesterday, something that got me thinking and brooding enough to motivate me to write this blog entry. In some of my previous entries I have stated that the proficiency of today’s generation of anti-virus software in detecting and eradicating viruses and worms is, with a few exceptions, o.k. but not spectacular. The detection and eradication of Trojan horse software is another matter, however; most current anti-virus products are deficient in these areas. But how do these products fare in detecting “client-side exploits,” attempts to exploit vulnerabilities in browsers (e.g., Internet Explorer and Firefox), browser plug-ins, desktop applications, and other software frequently run by users? NSS Labs, which is rapidly becoming one of my heroes in the information security arena because of its vendor-independent stance and sound testing procedures, conducted such tests earlier this year and announced the results only a few weeks ago.

The VBMania Virus

Just when we were thinking that “all is quiet on the virus and worm front,” a new virus started spreading rapidly yesterday. Dubbed the VBMania virus by McAfee, this virus arrives in email with a subject line of “Here you have.” Interestingly, this is the same subject line the Anna Kournikova worm that surfaced years ago used. The body of the message says something to the effect of “Hello… this is the document I told you about, you can find it here” and contains a link to a Web page hosted on members.multimania.co.uk. If an unsuspecting user clicks on this link, what appears to be a screensaver file with an .scr extension is downloaded to the user’s machine. The file is the virus code, however. Once the virus infects a system, it uses the Outlook address book to mail itself to the addresses therein, although there is evidence that the virus also mails itself to other addresses.
Initially the worm spread very rapidly, clogging Internet gateways in various parts of the world. US government agencies have been hit particularly hard. The worm has slowed down considerably since yesterday; configuring mail servers to block messages with .scr files as attachments stops the spread of this virus.
What is particularly interesting about the VBMania virus is that mass-mailing viruses have for all practical purposes disappeared over the last five years or so. We have seen ILoveYou, Anna Kournikova, and other mass-mailing viruses come and go, but lately malware of this nature has become extinct. Let’s face it: computer criminals want to make money, and you can’t make much money by releasing malware that is easily noticed and does nothing more than infect systems. So just as the Conficker worm showed us that worms are by no means dead, VBMania has shown us that mass-mailing viruses are also still very much alive and well.
What amazes me is how successful VBMania has been within US government agencies despite all the money and effort they have spent on training and awareness activity. One would think that users would hesitate to click on URLs sent in messages, but apparently this is not true. But the US government will never lead the way when it comes to security. Unbelievably, the two people charged with rewriting the Department of Energy’s cybersecurity policies do not even have a background in cybersecurity, nor do they have even a single information security professional certification between them! And there are similar stories in other departments and agencies. So if I were a betting person, I’d bet that VBMania is not the last virus that will spread profusely within the US government. The late Harvard professor George Santayana once said: “Those who do not learn from history are doomed to repeat it.” Apparently US government departments and agencies are not learning from history…

Progress in Data Security Breach Notification Legislation

We’ve been seeing a trend in the U.S. in which cybersecurity legislation is being passed by states but not by the federal government. In no area has this been more true than in data security breach notification. California got the proverbial ball rolling with its now well-known State Bill 1386, which in essence required commercial entities that experienced data security breaches involving certain kinds of customer information, such as credit card information and banking PINs, to promptly notify affected individuals unless the information was encrypted. When this bill was passed it was revolutionary, but by today’s standards it is rather blasé. A stronger data security breach notification law has since been passed in California, and nearly every state within the US now has a law that requires organizations that leak financial and/or personal information to notify those whose information has been compromised.

When Cloud Services Evaporate

I’ve said it before and I’ll say it again: cloud computing just isn’t what naïve, over-optimistic cloud advocates think it is. One of the greatest risks is loss of availability of cloud services. If you don’t believe this, ask IT people who work for the state of Virginia, and specifically the Virginia Information Technologies Agency (VITA). VITA purchased storage services (“infrastructure as a service,” or IaaS) from Northrop Grumman, but this service provider’s primary storage area network (SAN) failed in the middle of last week due to a faulty memory card within an EMC DMX-3 storage array. Ironically, this storage array is the provider’s flagship product. The fact that the backup SAN also failed prolonged the outage. Employees from 27 of Virginia’s 89 state agencies were unable to access applications and data. Earlier this week this number was down to seven, and today the number was reportedly down to three, but as Murphy’s Law would have it, some of these agencies (the Department of Motor Vehicles, Department of Taxation, and Department of Elections) provide extremely essential services.

The services that failed were, as in most cloud computing services nowadays, virtualized. Virtualization is a great thing, but when it fails, it seems to fail big. Suppose that you have a primary data center with, say, 25 physical servers, each of which runs six virtual machines (VMs), each of which runs a particular application. Suppose, too, that the secondary data center has the same number of physical servers and that each runs exactly the same VMs and applications as the corresponding primary data center physical server: perfectly mirrored environments. In this case, failover to the secondary data center should be a “piece of cake.” The application on VM number 3 on physical server 1 in the primary data center will also be the application on VM number 3 on physical server 1 in the secondary data center. Where confusion starts to abound (even though in theory it should not) is when the application on VM number 3 on physical server 1 in the primary data center corresponds to the same application running on VM number 5 on physical server 23 in the secondary data center. Technology that maps VMs and applications running on disparate physical servers is available, but I have seen very few organizations use it.
But there is more irony. VITA’s previous CIO was fired after he withheld $15 million of the amount due to Northrop Grumman over alleged failures to meet some of the contractual requirements. The state of Virginia had experienced service outages, contractual delays, and cost overruns. He was replaced by the current CIO, Sam Nixon, approximately one year ago. Nixon was told to clean up the problems with Northrop Grumman. By all appearances, he has not gotten very far in this endeavor so far.
According to the latest status update, the primary SAN that failed is running again. The catch is that a massive data restoration effort, which is going to take some time, is necessary to ensure that state of Virginia agencies and the applications they run have the correct data.

Long live cloud computing, but what happened with the Northrop Grumman SAN has provided a stellar example of what can go wrong when cloud services fail. Too many cloud fanatics neither recognize the real risk nor sufficiently plan for continuity of services in the event of a loss of cloud service availability. And too many of them still have not really caught on to the potential impact of the fact that most cloud services are delivered over the incredibly public and infinitely attackable Internet.
