Information Security

Photo by rawpixel on Unsplash

Are You Outsourcing Your Security With a Cloud Application?

Are You Outsourcing Your Security With a Cloud Application? 2919 1766 Jean-Philippe Rivard Lauzier

You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Your objective was also to outsource the security to the provider? Sorry, not quite. The security of your information will always be your own responsibility. You will still have some shared responsibilities with the cloud provider. True, you will probably manage less technology controls but still many administrative ones.

As with any partnerships, you have the responsibility to perform due diligence on your future business partners. And it is definitely valid for your third-party vendors, including cloud providers. This is only an introduction on the subject when it’s time to discuss a new cloud project.

Company

It should be obvious for many people but do you even know the organization behind the cloud solution? Is it a one-person organization managed from a basement? Is it even a legal entity? Any insurances? Are you able to find a few reviews online? It is beyond the basic security scope but it definitely helps to have a big picture on the situation. It could be the best solution but it is maybe a risk that your organization is not able to accept.

Compliance

It is important to keep in mind that a cloud provider that is compliant is not necessarily secure. However, it will allow you to have a reasonable assurance on its security processes and internal controls. You should mainly look for a SOC 2 Type 2 report, PCI DSS attestation, or ISO 27001 certificate. Be careful to validate that scope includes services currently used with the provider. You should go through all conclusions and confirm that there are no major deficiencies.

For the following security domains, it is possible to validate the cloud provider responsibility with controls within a report. What about your side of the responsibility?

Physical Security

The physical security is mainly related to the data centre where your provider hosts the IT infrastructure used to support the cloud services. For example, the actual physical access to the infrastructure or the environment controls e.g. HVAC, generators, UPS, network connections, etc. 15 years ago, it was not rare to deal with a provider with servers within its offices with a room that somehow could look like a servers’ room. At the end, it was probably more a closet, but different topic. These days, all serious cloud providers will use a well-known data centre to host its infrastructure e.g. Equinix, Cologix, OVH, etc. Or, be itself on a cloud provider such as AWS, Azure, Google, etc.

A well-known external firm should audit all the physical security measures of the data centre. If you are dealing directly with a data centre, you should be able to receive a copy of this report. However, if your cloud provider is the direct client, maybe you will not be allowed to receive a copy… You will have to ask more specific questions to your cloud provider.

Human Resources

Your cloud provider should perform background checks before and during the employment for everyone with a direct or indirect access to the production environment. It is important for an organization to have a clear picture on the past of its employees. This will be the first step to trust them. Employees and consultants should also receive security awareness. This could be an annual training but even better, training in continue according to the job positions. For example, developers should receive training on best security practice in development to avoid most common vulnerabilities. However, you should do the same within your organization, even with employees not related to technology positions. There are many attacks’ vectors initiated by an unaware user that could lead to a security breach.

Access Management

There are so many organizations that manage credentials for cloud solutions as an ad hoc process. Procedures for access management should also include all access modifications to cloud applications. For example, for a cloud marketing application, someone should still be responsible for approving new access before the creation. An access review should occur at least once a year for all accounts on the cloud application. When there is a departure, the organization must confirm that they are no accounts left on cloud applications. For many organizations, previous employees are still able to log in many months later into the cloud application.

You are also responsible for configuring the cloud application with best practices. Many cloud providers will offer the possibility to activate a two-factor authentication (2FA) on the application, for all users or specific roles e.g. administrators. However, the organization must take the decision since this feature is often disabled by default. Many cloud applications targeted for enterprises also offer a single sign-on (SSO) feature, often with SAML.

Business Continuity

All cloud providers will assert they have the best redundancy and implemented backup strategies. They probably have infrastructure distributed within many data centres. Again, you are still responsible for your own data and you unfortunately can’t rely only on the provider. They will do anything to avoid downtime or lose any data. This situation would be difficult on their business. But, in the fine prints, they are often not responsible for any data or financial loss for your business. You also have to account for the situation where the provider could simply shut down their operations. In any cases, you need to prepare and backup data to a different site than your cloud provider. This will probably be a manual export with most cloud applications but better that than lose all data. For more critical applications, you should negotiate or select a provider where it’s easier to perform backup.

Log Management

The cloud providers will surely implement the required logs for the infrastructure. These logs are rarely shared with customers considering the multi-tenant environments. However, you should still have access to basic logs within your administrative interface. For example, you should be able to see the latest connections, users’ changes, configurations’ changes, etc. With some enterprise solutions, it is possible to forward logs to your own server. Even if these logs are available, they are not always monitored since this is your organization responsibility.

Photo by rawpixel on Unsplash

Keeper Security and Random Deactivation

Keeper Security and Random Deactivation 1280 720 Jean-Philippe Rivard Lauzier

We trust cloud services to keep our data secure. But we don’t always think about the impact in the event where the service would have some downtime. Even less in a situation where the provider would decide to disable the service. Well, I had the last situation with one provider, Keeper Security.

Context

All started in June 2017 when I subscribed to a 14-day trial period for the business edition. There is a sale representative who reached out to me toward the end of the trial period. He extended the trial period for 1 year; thus, until June 2018. It was a great offer and did enjoy the service for 11 months. In May 2018, someone from Keeper Security called me and left a message on my voicemail. He said something about the trial period that would expire soon. He was also not so sure why I got that 1-year trial period to start with. He was not able to confirm since the previous sale representative left the company. But he also confirmed that the trial period would expire only in a few weeks and to call him back.

Up to now, everything is good. I was planning to subscribe to the service and obviously to pay for it.

What happens?

Back home, a few hours later, I am ready to purchase a subscription and I login on my account… Then, I receive the error message “This account is expired”! The worst part is that it is not even possible to make a purchase or export the data when the account is not active. I had all my passwords lock in the vault without any warnings for a few hours. It was not even possible to unlock the vault through the browser extensions where I thought my passwords were saved on the local drive. The support team was at least able to quickly reactivate my account for a few days. But it was still a few hours where I thought I had to reset all my passwords.

Finally

As soon as I got access again to my account, I simply exported all my data. And, unfortunately, definitely closed my account with Keeper Security. Even if they have an interesting service, I can’t trust them anymore. This is not a situation directly targeted to this company. However, it did make me think twice about how I use some cloud services. It took me a very long time before trusting a cloud password manager…

I usually have a data export with my most important cloud services but it was not the case with this one. Back to the “old school” way. I have a local software password manager installed on my laptop with my data. KeePassXC, a fork of KeePassX from the well-known KeePass

Photo by Markus Spiske on Unsplash

Are You Really receiving a Penetration Test Report?

Are You Really receiving a Penetration Test Report? 5760 3840 Jean-Philippe Rivard Lauzier

There are more and more organizations interested in a penetration test, or simply a “pentest”, on their infrastructure. However, there is a requirement for specific skills and this expertise is not often available within most organizations. It is also a good idea to have an external opinion, someone who will be impartial and doesn’t know too much about the current configuration. Thus, it is often necessary to hire a security firm to accomplish this task. Unfortunately, there are still many security professionals who are not well qualified to provide this service. It could be intentionally or not. But many clients are easily fooled by consultants, even more when it is a question of IT security mandates. Clients need to be careful and be able to recognize what the report should look like.

Vulnerability Scan != Penetration Test

There are many phases performed during a penetration test. I will describe these phases in more details in an upcoming post. However, it is important to know that there is always an active recognition phase where the professional will use automated tools. For example, Nmap, Nessus, OpenVAS, Nexpose, etc. These tools will allow to scan one or more IP addresses for open ports and well-known vulnerabilities. There are often false positive items in these reports and the professional should validate these findings. For example, a Nessus report and Nmap output. This is an important phase to help the professional to gather information about the target.

The problem is the fact that some security consultant will sell these reports as penetration test. To run vulnerability scans can be a valid service offered by a consultant who will filter findings and rank them according to the exposed risks. However, it cannot be introduced as a penetration test report.

A complete penetration test report will include many other phases. After the previous phase, the security professional will manually look for other vulnerabilities with different methods without the use of automated tools. Finally, the main objective is to retrieve confidential information from the target that someone should not have access and to gain a remote access to the target. To achieve that, the security professional will actually try to exploit vulnerabilities previously found.

Things to look for

Duration

It is not possible to perform a well-done penetration test in only a few hours. Someone told me recently about a consulting firm who consultants will perform two or more penetration test reports during the same day. It is impossible to have great results in these conditions. Obviously, it is often a question of cost. So it is important to validate the duration of a penetration test. It should be in days but always depends also on the scope.

Scope

If there is only one target with no public service running on it, there is not so much someone can do. But probably also worthless to have a penetration test in this context. The line can be thin between a too limited scope where it will not represent what an attacker would have access, and a larger scope where an attacker will lose time on low risk targets. Should it be performed from the Internet or from the internal network? On the other side, if you receive a penetration test report from a third-party vendor, be sure to validate that the included infrastructure and applications are the one that supports the received services.

Expertise

Even a professional with an impressive background in information security is not necessarily the best pentester. I often see job positions related to “ethical hacking” where a certification like the CISSP or even the CISA would be a requirement. No, I don’t have words for that, just, no. If you are really looking for a certification, the best in this field would be the OSCP. But even then, I have it, and I would not recommend myself to perform a penetration test. Why? I did the exam and never practiced anything related to that field afterward. Someone who is passionate about this field and compete at different CTF will be the best one for this task.

Photo by frank mckenna on Unsplash

Cloud Security with Object Storage

Cloud Security with Object Storage 3981 2595 Jean-Philippe Rivard Lauzier

Many cloud providers are often criticized for the security provided with object storage services. Even more after the disclosure of private information that occurred in 2017 by using these services. These security breaches were also from well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, National Security Agency, National Credit FederationAustralian Broadcasting Corporation, Department of DefenseRepublican National Committee, etc. There are often new organizations to add on this list but they are the main one from the last months. These organizations were mainly using the object storage service S3 from AWS.

Object Storage

This is not a technology only provided by AWS with the S3 service. There are many services provided by other well-recognized cloud providers to store files in the cloud such as Azure, Google Cloud, DigitalOcean, IBM, etc. However, AWS S3 is definitely the object storage service that is the most used by many organizations. The service was also first released in 2006 before other services from competitors. The statistics are a little bit old but as of April 2013, AWS mentioned that S3 has more than 2 trillion objects stored with 1.1 million requests per second. In 2018, it is possible to assume these numbers are even higher.

Amazon S3 is often wrongly targeted by the media. It is simply the most popular service used by many organizations of all size. We have to keep in mind that object storage is only a way to store files, often with a cloud provider but it could also be with a private infrastructure.

IT Administrators

I often read some IT professionals and even information security professionals to have doubts on these services. Mainly doubts on the security measures available to protect the information stored. It is important to understand that security breaches related to object storage are often not related to the underlying technologies. Cloud providers such as AWS, Google and Azure are able to provide secure environment for your files. The configuration for such spaces, or buckets in S3 terms, is secure and private by default. How is it possible in this case to have public files on the Internet?

Simply ask your IT administrators. It is more a question of misconfiguration. In order to authorize a public access to the stored files, someone actually needs to perform a manual action to change the default behaviour. The approach would be different for each service but the principle is the same. It is possible to manage accesses on S3 with rules but other services could be simpler with an option to be set at “Private” or “Public”. This is often a configuration available for the space and/or per file.

Maybe it is the time to review the accesses implemented for your files stored in the cloud? From object storage services like S3 but also on services like Office 365, Dropbox, Google Drive, etc. It is so easy to forget about a file that should not be available for all on Internet.

Third-Party Vendors

Are you aware of your third-party vendors who could use object storage with your information? For example, with Verizon and Republican National Committee, in both situations, third-party vendors were involved i.e. Nice Systems and Deep Root Analytics. Organizations easily trust more and more third-party vendors and share confidential information. This data can be about the organization operations but often on clients. Nevertheless, it is important to evaluate the information sent to external vendors and to understand how this one uses the data.

Photo by frank mckenna on Unsplash

NIST and the Digital Identity Guidelines

NIST and the Digital Identity Guidelines 150 150 Jean-Philippe Rivard Lauzier

The NIST published last June the final version of the Digital Identity Guidelines also known as SP 800-63. This publication was a draft since 2016 and they even asked for comments from the community on GitHub during the summer 2016. All these comments were inputs for the final publication. Many posts on the Internet mention these changes. But I think it is still important to reiterate them since they are not necessarily well known by everyone who is not in information security.

Who is the NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency of the US Department of Commerce responsible, among other things, to publish standards for federal agencies. The Special Publications (SP) 800 series are well known to be important guidelines in the information security field for private and public organizations. Worldwide professionals value these publications and they are often used to structure their information security strategies.

New Requirements

Since the past two decades and more, we all saw the result of these requirements. A lack of user experience where most users were often able to circumvent the rules. Many studies have demonstrated these requirements were adding little value on the security side. Furthermore, users were often able to find a way around these requirements thus reducing the security goals. There are mainly 3 requirements updated:

Password complexity rules

You know the rule where you have to put at least a lowercase character, an uppercase character, a number and a special character? It’s not a requirement anymore. Studies shown that users were simply using different patterns to respect this requirement. For example, one trick was to replace some letters by numbers or even simpler, to add an exclamation point at the end. These patterns are all well known by hackers and these passwords were not more secure because of the complexity rule. Oh, all characters should also be available, even emojis!

Password Expiration

This is even something audited during common external audits. That moment at work when you receive a notification and you have to change your password. And this, often every 90 days. No more! We all know users were keeping the same password and adding a character at the end. I was the first one to do it because I always thought it was not efficient. It’s better to have one good password for the service than having a weak one changed every X days. However, it could still be possible to force a user to change a password in certain situations. For example, it should be possible to request users to reset their passwords if the service suspect a compromise. So, it is still important to keep a password history.

Password Hints and Knowledge-Based Questions

Financial services are really good with this requirement, mainly for the knowledge-based questions. This is when questions are also asked with a password to complete the authentication process. The main problem with this is the fact that most answers are now freely available online with social media. For the password hint, I never understood this one. I always saw this one as “let’s just give more clues to hackers on my password” so I never used this one.

Recommendations

The next two are interesting recommendations from the NIST:

Common passwords and usernames

With the new requirements, users are not forced to choose specific characters or to change password. However, the NIST suggests that passwords should be validated against a dictionary of well-known passwords and/or a list compromised passwords. This recommendation makes so much sense. For example, if a user is trying to use, “Test123!” would hopefully fail the validation against the dictionary. There are many dictionaries available online. The logic behind that is the fact that hackers are using these dictionaries to find passwords. The situation is also applicable to common usernames such as “admin” or “root”.

Multi-Factor Authentication (MFA) With SMS

At one point, the NIST completely removed SMS as a valid method to implement with the multi-factor authentication. But with the final release, SMS is still supported, but not necessarily recommended. It is theoretically possible to intercept an SMS. However, it is still more secure to implement MFA with SMS than having no MFA at all. The alternative would be to have an app such as Google Authenticator or a solution with push notifications such as Duo.

October 2017 : Security Breaches

October 2017 : Security Breaches 150 150 Jean-Philippe Rivard Lauzier

The data security breaches occurred/disclosed in October 2017.

Disqus

DISQUSThe popular commenting system was breached in 2012. Disqus got notified by Troy Hunt, a security expert, who obtained a copy of the data. According to the company, the data exposed are from 2007 and involve 17.5 million users. Among the user’s information stolen include email addresses, usernames, sign-up dates and last logins. However, about one third or approximately 5.8 million users, also got their passwords in the wild. At least, the passwords were not in clear text but hashed with a salt with the now weak SHA-1 algorithm. They seem to have handled the situation well with a public disclosure in 24 hours and they asked the affected users to reset their password account. They have also mentioned that they are now using the bcrypt algorithm which is now the best practice.

Far Eastern International Bank

Far Eastern International BankA malware infected this Taiwanese bank which instructed the SWIFT terminal to move $60 million into different bank accounts based in Sri Lanka, Cambodia and the United States. SWIFT is the main global banking network where it is possible for banks to exchange funds between them. It is not the first time this situation occurs and a well-know breach occurred in 2016 with a Bangladesk bank where the attempt was to steal $951 million. The Far Eastern International Bank was able to retrieve most funds. Mostly since the breach in 2016, the SWIFT organization has developed a more stringent security requirements for their customers with the Customer Security Programme (CSP) but many banks are still in the process of getting certified.

Accenture

AccentureThis is another big name in the IT consulting industries. Accenture offers consulting services for the largest organizations and often seen as a leader in cloud consulting services. UpGuard reported that AWS S3 buckets were configured for public access. In total, 4 buckets were available for everyone. These buckets contained confidential API data, customer information, private keys, 40 000 passwords mainly in clear text and even logs from a monitoring solution. One bucket contained more than 137 gigabytes of data.

Yahoo!

Remember the data breach that occurred in 2013 at Yahoo? It was first disclosed by the company that someone had access to information on one billion accounts. This number was revised by Verizon, the now parent company of Yahoo, at 3 billion accounts. It was possible to retrieve the usual information such as names, email addresses and hashed passwords. Some hash would still be with the weak MD5 algorithm.

Hyatt Hotels

It was possible to obtain the information from cards manually entered or swiped at the front desk. This situation occurred between March 18, 2017, and July 2, 2017, in 41 properties across 11 countries. As expected, it was possible to get the cardholder name, card number, expiration date and verification code. This is the second security breach for this company.

Pizza Hut

About 60 000 customers might have been impacted by a security breach that would have occurred from the morning October 1, 2017, to midday October 2, 2017. Data including customer names, billing postal code, delivery addresses, email addresses, and payment card information. Pizza Hut notified by email customers impacted only 2 weeks after the situation and they are offering a free credit monitoring service for a year.

South Africa

66 million records were obtained on South African. What, wait, the population is only about 56 million people? The obtained database also included 9 million people with a deceased status. The database was openly available on a web server owned by Jigsaw Holdings and was probably bought from a credit bureau in 2014. Information available include South African ID number, name, gender, age, location, marital status, estimated income, address, phone numbers, employers, etc.

Patient Home Monitoring Corporation

An estimated 150,000 American patient files were available through an unsecured AWS S3 bucket. It is hard to know for how long this bucket was available with public access but Kromtech Security Researchers have discovered the breach on September 29, 2017. 47.5 gigabytes of data with about 316,000 PDF files including mainly blood test results. These documents contained names, addresses, contact information, dates of birth, diagnoses and names of physicians. All this information is strictly regulated by the Health Insurance Portability and Accountability Act (HIPAA).

Microsoft

When you are a major company who is developing software and hardware, you have a central database somewhere to track and document all vulnerabilities related to your products. Of course, this database contains critical information about your products and you probably prefer to keep it secret. Well, this database at Microsoft was hacked in 2013.

iDNS: Scam Going On for More Than 15 Years

iDNS: Scam Going On for More Than 15 Years 150 150 Jean-Philippe Rivard Lauzier

iDNS renewal letterYou probably already received one of these letters if you have registered a domain name in the past few years. The company behind these letters is Brandon Gray Internet Services Inc. The worst part is the fact this is a legitimate organization registered and operating in Canada (Markham, Ontario). I thought for a long time it was only a scam here, but I recently discovered they also operate in the United States, Europe and Australia.

Operations Under Many Names

I got my first domain name in 2003 so I don’t exactly remember the first time I received one of these letters. However, I believe it was under the name, “Domain Registry of Canada”. They now seem to use more often iDNS as shown on the image. Over the years, they used many different reseller names under the parent company “Brandon Gray Internet Services” such as:

  • Namejuice
  • Domain Registry of Canada (DROC)
  • Internet Domain Name Services (iDNS)
  • Domain Registry of America (DROA)
  • Domain Renewal Group
  • Liberty Names of America
  • Domain Registry of Europe (DROE)
  • Domain Registry of Australia

Deceptive Message

The main concern is the deceptive message in these letters sent by mail. It is possible since postal addresses are freely available for each domain name with a WHOIS query. There is always the situation where the domain owner is using a privacy protection service but it is not always the case. The main objective is to trick the owner to renew the domain name with them. Nevertheless, this renewal also means the transfer of the domain to the new registrar. A situation that will definitely lead to future problems. The reseller names used can easily mislead the recipient to think they are an official government authority.

The business is totally unethical, but there is a grey zone worth mentioning. I believe the wording was updated throughout the years to be more… compliant with the law. However, it is still a deceptive message and can surely mislead a neophyte in the universe of domain names management.

Wording

In my opinion, you have all elements for a perfect scam. The message that would protect them: “This notice is not a bill, it is rather an easy means of payment should you decide to switch your domain name registration to Internet Domain Name Services” and “As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months“. A message to generate fear to the recipient: “Failure to renew your domain name by the expiration date may result in a loss of your online identity making it difficult for your customers and friends to locate you on the Web“. Finally, a possible new opportunity even if it is not true: “Privatization of Domain Registrations and Renewals now allows the consumer the choice of Registrars when initially registering and also when renewing a domain name“.

Legal

They have a long history of lawsuits and investigations following various complaints since the beginning with different regulators e.g. Competition Bureau of Canada, Advertising Standards Authority (ASA), Federal Trade Commission, ICANN and the Canadian Internet Registration Authority (CIRA). But also some lawsuits with other companies such as Tucows, Register.com and Deinternetman.

What Should You Do?

Nothing.

Their prices are even higher than the competition and you simply don’t want to write down your credit card information on a piece of paper. Be careful to the details. They are not even able to use a well-known TLD such as a .com. They are using a country code top-level domain .as (American Samoa) which is a redirection to the ccTLD .to (Tonga).

Unfortunately, this scam seems to be working since Brandon Gray Internet Services is still in operation and the scam is going on after more than 15 years. You will receive these letters a few times a year if you own more than one domain. The only solution for now is to throw it away. You have nothing to do. You could always complain to some authorities but I personally think it is not worth the time after so many years… However, be sure to still renew your domain name on time with your current registrar. In fact, you should simply activate the auto-renewal offer by most registrars.

Septembre 2017: Brèches de sécurité

Septembre 2017: Brèches de sécurité 150 150 Jean-Philippe Rivard Lauzier

This post was published when this blog was also in French. This post is available in English.

Septembre 2017 a été un mois intéressant pour plusieurs brèches importantes de sécurité. Nous avons tous appris la valeur de nos informations personnelles. À partir de maintenant, je vais publier un billet mensuel au sujet des brèches importantes de sécurité du mois précédent.

Equifax

Equifax est un des plus importants bureaux de crédits et ils ont eu un accès récurrent non autorisé à leurs systèmes du 13 mai au 30 juillet 2017. Les équipes techniques étaient même avisées de la principale vulnérabilité exploitée puisqu’une note a même été distribuée à l’interne le 9 mars afin de corriger celle-ci (Apache Structs CVE-2017-5638). L’équipe de sécurité a détecté la situation uniquement le 29 juillet. Le PDG a appris la situation le 31 juillet et les administrateurs ont obtenu les informations le 24 et 25 aout. Finalement, c’est seulement le 7 septembre que Equifax a divulgué publiquement la brèche de sécurité.

143 millions (143 000 000, oui, avec six zéros) enregistrements sur des citoyens américains ont été obtenus, incluant noms, numéros d’assurance sociale (NAS), dates de naissance, et même certains permis de conduire. Après l’investigation par une firme de sécurité, le nombre final est de 145.5 millions, et inclut maintenant des numéros de cartes de crédit pour environ 209 000 clients. Au Canada, on est un peu plus chanceux puisque le nombre initial était de 100 000 clients, mais après investigation, le nombre révisé est de “seulement” 8 000 clients.

Le PDG a pris une retraite anticipée avec plusieurs exécutifs incluant le Chief Information Officer (CIO) et le Chief Security Officer (CSO). Equifax sera également la cible de plusieurs poursuites judiciaires, autant aux États-Unis qu’au Canada. L’ancien PDG devra même témoigner devant le Congrès américain. Il y a aussi quelques interrogations des régulateurs suite à la vente des actions de certains exécutifs lors de la détection de la brèche de sécurité. Toutefois, ces transactions ont été effectuées avant la divulgation publique de la situation et ces personnes pourraient donc faire face à des accusations pour délits d’initiés.

US Securities and Exchange Commission (SEC)

Cette agence fédérale américaine est principalement responsable de faire respecter les lois sur les valeurs mobilières et de réglementer cette industrie. La Commission a découvert une vulnérabilité applicative en 2016 et a été “rapidement” corrigée. Toutefois, la SEC a divulgué un incident possible puisqu’il aurait possiblement eu un accès non autorisé avant de mettre en place le correctif. Cette fois-ci, aucun accès à des renseignements personnels, mais à des informations sensibles n’étant pas encore publiques sur des compagnies. Une déclaration officielle a été publiée le 21 septembre.

Deloitte

Une des firmes comptables parmi les “Big 4” a aussi été la cible ce mois-ci. La nouvelle a été publiée par le Guardian le 25 septembre. Deloitte est souvent la firme, parmi les “Big 4”, la plus reconnue pour ses services en cybersécurité. Les clients de la firme incluent 80% des organisations du Fortune 500. Il y a eu un accès non autorisé sur le serveur global de courriels de la firme hébergé avec le service infonuagique de Microsoft Azure. Et ce, probablement depuis octobre ou novembre 2016.

Rien de trop compliqué cette fois, les pirates informatiques ont simplement obtenu les informations de connexion concernant un compte administrateur. Par la suite, il était possible de se connecter directement au serveur de courriels ayant un accès aux courriels des 244 000 employés de Deloitte. Plusieurs courriels devaient probablement contenir plusieurs informations sensibles sur leurs clients et même des pièces jointes intéressantes. Le système n’a pas été compromis avec des connaissances techniques avancées, mais bien par des techniques d’ingénierie sociale dans le but d’obtenir les informations de connexion. De plus, sans authentification à deux facteurs (2FA), il était simple de se connecter à distance.

Sonic

Sonic est une chaine importante de restauration rapide aux États-Unis avec près de 3600 restaurants. Brian Krebs a été le premier à signaler cette brèche de sécurité le 26 septembre. En fait, le processeur de paiement pour les cartes de crédit de la chaine a informé celle-ci des activités inhabituelles en lien avec leurs transactions. Le détail de cette brèche de sécurité n’est pas encore connu. Toutefois, il a été possible de retrouver au moins 5 millions de comptes de cartes de crédit et débit en vente en ligne. Ces comptes sont fort probablement en lien avec la brèche chez Sonic.

Whole Foods Market

Whole Foods Market, qui a été acheté par Amazon, a aussi divulgué le 28 septembre que des informations sur les cartes de paiement ont été volées. L’investigation est toujours en cours et on devrait en savoir plus bientôt. Il y a un point très intéressant qui a été mentionné dans le communiqué de presse et c’est le fait que les systèmes en lien avec Amazon.com ne sont pas connectés à ceux de Whole Foods. J’espère bien pour eux, mais bon, ça valait la peine de préciser cette information.

September 2017: Security Breaches

September 2017: Security Breaches 150 150 Jean-Philippe Rivard Lauzier

September 2017 has been an interesting month for many important security breaches. We all learned the value of our personal information. From now, I will publish a monthly post about the major security breaches from the previous month.

Equifax

Equifax is a consumer credit reporting agency and they had a recurrent unauthorized access to their systems from May 13th to July 30th. The technical teams knew about the vulnerability exploited since they even got a memo on March 9th to patch it (Apache Structs CVE-2017-5638). Even then, the security team detected the situation only on July 29th. The CEO learned about the situation on July 31st. The board of directors got the news on August 24th and 25th. It is only on September 7th that Equifax disclosed the security breach to the public.

143 million (143 000 000, yes, six zeros) records on Americans were stolen, including names, social insurance numbers (SIN), dates of birth, and even some driver licences. After the investigation, it is now 145.5 million, and now including some credit card numbers for 209 000 consumers. In Canada, we are a little luckier since it was at first announced to be 100 000 consumers impacted, but the revised number after the investigation was more 8 000 consumers.

The CEO took an early retirement with many executives including the Chief Information Officer (CIO) and Chief Security Officer (CSO). Equifax will also face many lawsuits in both Canada and the US. The then CEO will even have to testify in front of Congress. There are also some interrogations about executives selling their stock options following the detection of the security breach. Since the hack was not publicly disclosed, these people could face charges for insider trading.

US Securities and Exchange Commission (SEC)

This US federal agency is mainly responsible for enforcing securities laws and regulating the securities industry. The Commission discovered a software vulnerability in 2016 and was “promptly” patched. However, the SEC disclosed a possible incident since they believe that an unauthorized access still occurred before being able to apply the patch. No access to personally identifiable information (PII), but sensitive nonpublic information related to companies. An official statement was published on September 21st.

Deloitte

One of the “Big 4” accountancy firms was also targeted this month. The news was published by the Guardian on September 25th. Deloitte is often the firm, among the Big 4, which is the most well-known for their services in cybersecurity. The firm’s clients include 80 percent of the Fortune 500. The unauthorized access occurred on the firm’s global email server hosted on Microsoft Azure. And this, probably since October or November 2016.

Nothing too complicated this time, hackers simply got an administrative account credential. After that, it was possible to login directly on the email server accessing emails to and from Deloitte’s 244,000 staff. Many of these emails probably contain sensitive information about their clients and even, some interesting attachments. The system was not compromised in a technical manner, but simply by social engineering technique in order to obtain credentials. Furthermore, without two-factor authentication (2FA), it was easy to login remotely.

Sonic

Sonic is a major fast-food chain in the US with nearly 3 600 locations. Brian Krebs was the first one to report this security breach on September 26th. Their credit card processor informed them about unusual activity related to their transactions. It is still unclear how the security breach occurred. However, it was possible to find at least 5 million credit and debit card accounts for sale online. These are probably related to the Sonic security breach.

Whole Foods Market

Whole Foods Market, which is owned by Amazon, also disclosed on September 28th that some payment card information had been stolen. The investigation is still ongoing, and we should have more information soon. An interesting point mentioned in the press release is the fact that Amazon.com systems are not connected to the ones at Whole Foods.

CISSP: Réussi, et une autre étape complétée

CISSP: Réussi, et une autre étape complétée 150 150 Jean-Philippe Rivard Lauzier

This post was published when this blog was also in French. This post is available in English.

CISSP By (ISC)² [Public domain], via Wikimedia Commons

Terminé. Cet examen de 6 heures avec ses 250 questions est enfin du passé. Eh oui, je parle bien du légendaire CISSP ou l’examen pour le “Certified Information Systems Security Professional” de ISC2. C’est probablement la certification que la plupart des professionnels en sécurité de l’information souhaitent obtenir à un moment donné dans leur carrière. Pourquoi? Pour plusieurs recruteurs et compagnies à la recherche d’un professionnel en sécurité de l’information, le CISSP est depuis longtemps la certification de référence pour un emploi dans ce domaine.

Préparation

J’ai commencé le processus en 2015. En fait, j’avais décidé de poursuivre le SSCP ou le “System Security Certified Practitioner” de la même organisation. C’est un examen plus court qui est théoriquement un peu plus technique, mais pas très technique non plus en comparaison à d’autres certifications. Toutefois, c’est un examen qui m’a aidé à avoir une première expérience avec un examen de l’ISC2 avant de poursuivre le CISSP. Les deux examens partagent des domaines similaires, mais pas nécessairement au même niveau.

Pour me préparer à l’examen, j’ai seulement acheté le guide d’étude officiel, le CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (en anglais); celui-ci est vraiment bien écrit pour un livre officiel en provenance de l’organisation de certification. Aucunement besoin d’acheter plusieurs livres et de lire de nouveau le livre plusieurs fois. Il est surtout important de se pratiquer et de comprendre les types de questions et réponses de l’ISC2. Je sais pertinemment que je performe toujours mieux avec la pratique, donc j’ai utilisé le livre officiel avec les questions de pratique, le CISSP Official (ISC)2 Practice Tests (en anglais) et même l’application mobile (en anglais); celle-ci est vraiment un outil pratique à utiliser lors du transport quotidien.

L’examen est comme tout autre examen, juste plus long et probablement plus dispendieux. Il faut prendre les questions une à la fois et prendre son temps pour bien évaluer les réponses. Qu’en est-il de la durée? Environ 4 heures. J’ai été en mesure de répondre aux questions et d’en réviser quelques-unes.

Critique

Il y a certaines critiques à l’égard de cette certification parmi les professionnels de la sécurité de l’information. Il semble y avoir une mauvaise compréhension au sujet des connaissances et expériences acquises suite à l’obtention de cette certification. Il faut dire que dans ces temps-ci, une organisation demandera tout d’abord un candidat avec un CISSP pour tout rôle en lien avec l’univers de la sécurité de l’information. De l’analyste en sécurité de l’information jusqu’aux rôles plus techniques tels que les “penetration testers”, les architectes de sécurité, les spécialistes en chiffrement, les spécialistes en sécurité infonuagique, etc. C’est la plus grande erreur.

À mon avis, le CISSP est une certification concernant la gestion de la sécurité de l’information permettant d’avoir une meilleure maitrise des politiques et standards de sécurité. Le CISSP pourra certainement guider et gérer les objectifs de la sécurité de l’information d’une organisation. Toutefois, cette personne avec ce rôle sera supportée par des personnes avec de meilleures compétences techniques. Ce n’est certainement pas une certification technique. Évidemment, ça dépend toujours de l’expérience professionnelle de la personne puisqu’il est tout à fait possible de rencontrer un détenteur du CISSP avec des connaissances avancées des concepts techniques.

Certification

Bon, c’est de nouveau la période d’attente. Je devrais obtenir la certification CISSP au courant de 2019 après avoir accumulé l’expérience professionnelle requise. Chaque détenteur doit avoir entre 4 à 5 ans d’expérience directement reliée à la sécurité de l’information dans au moins 2 des 8 domaines. Par contre, je dois admettre que c’est un des avantages de cette certification. Il est possible d’obtenir un an de moins selon les études et autres certifications. J’ai aussi eu une situation similaire avec le CISA où il y a une exigence de 2 à 5 ans d’expérience professionnelle.

Quelle est la prochaine étape après le CISSP?

Je suis encore indécis au sujet de la prochaine étape. Je crois avoir complété la majorité des certifications les plus pertinentes pour mes intérêts. D’un autre côté, je suis toujours curieux au sujet des questions sur la vie privée et je voudrais certainement en apprendre plus à ce sujet. Il y a d’ailleurs une certification qui a attiré ma curiosité de l’ International Association of Privacy Professionals , mais ça sera pour une autre publication…