Archive for the ‘News’ Category

With continuous security, Sec DevOps deconstructs CI/CD

Excerpt from: With continuous security, SecDevOps deconstructs CI/CD

“All of the DevOps teams I work with have some integration between cybersecurity and development,” said J. Wolfgang Goerlich, cybersecurity strategist at Creative Breakthroughs Inc., a Detroit-based IT security consultancy. Some organizations have embedded security architects in the DevOps teams. Others have security champions within DevOps who work directly with the cybersecurity team. “In both cases, the partnership is a means to introduce security concepts while maintaining DevOps velocity,” he said.

Goerlich said roughly one in four DevOps teams integrate and automate some level of security controls. “This integration is generally performing scans and checks against the static code, the application, and the underlying environment composition,” he said.

But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. “That’s not effective when DevOps is changing the code on a daily or even hourly basis,” Goerlich said.

Effective SecDevOps teams secure without slowing, and they add continuous security without exceeding the team’s capacity to change, he said. “It’s paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly.”

Success comes from balancing protection for the DevOps product while protecting the DevOps productivity.

Hybrid cloud security: 8 key considerations

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.
1. Ensure you have complete visibility.

Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

2. Every asset needs an owner.

If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.

“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”

Read the full article:

Hybrid cloud security: 8 key considerations

Don’t want the public to see your newsroom’s gossip?

Last year, instant messages from Gawker staffers were cited as evidence in the defamation lawsuit filed by professional wrestler Hulk Hogan.

What they revealed wasn’t pretty: tasteless jokes about the former pro-wrestler’s sexual trysts and his genitals, snide remarks that weren’t meant for publication.

The transcripts quickly became a cautionary tale for journalists who might exchange sensitive information via instant message (and the companies that host them).

Newsroom instant messaging apps have only gained momentum since then, with Slack among the vanguard thanks to its ease of use and its cool-kid factor.

Journalists should exercise more caution when it comes to digital tools like Slack, said Wolfgang Goerlich, director of cyber security strategy at CBI, a risk management firm that provides security solutions for companies.

“As no chat system is immune to being misconfigured or misused, my advice is to limit any information over such channels,” Goerlich said. “Meeting in person for conversations remains the gold standard for the highest level of privacy.”

Read the full article:

Don’t want the public to see your newsroom’s gossip? Don’t put it on Slack.
Prevent ransomware threats to cloud apps with backup, security tools

Ransomware — a form of cyberattack that interrupts access to an organization’s data until that organization pays a ransom fee — has grown from a rare occurrence in IT to a substantial and growing threat for enterprises. Ransomware encrypts files with a key only the attacker has, making it impossible for target organizations to crack it.

Ransomware has blossomed to the point where it now represents about one-third of the incidents handled by Creative Breakthrough Inc. (CBI), a managed services provider focused on IT security and risk assessments, based in Detroit.

“This is a reflection of the criminalization of hackers that we have seen over the past several years,” said J. Wolfgang Goerlich, director of security strategy at the company, adding that, just because your workloads are in the cloud, “doesn’t mean you are in the clear.”

Read the rest here: http://searchcloudcomputing.techtarget.com/tip/Prevent-ransomware-threats-to-cloud-apps-with-backup-security-tools

Drowning in a sea of cybersecurity tools

Posted on TechTarget SearchSecurity: Drowning in a sea of cybersecurity tools?

How can CISOs get the information and benchmarks they need to evaluate the enterprise effectiveness of promising technology and find the best security tools beyond point solutions?

“There is too much for any one leader to take in; therefore, the first step is in focusing on key areas,” says J. Wolfgang Goerlich, a cybersecurity strategist at Creative Breakthrough Inc. (CBI) in Ferndale, Mich. A former information systems and security manager at Munder Capital Management, Goerlich recommends networking with CISOs in other organizations to gain insight into the best security tools and industry-specific trends. “Building a strong peer network within the organizations gives visibility into the line-of-business technologies,” he explains.

Enterprises should leverage the resources and interactions available through clearinghouses like the Information Sharing and Analysis Centers (ISACs) for financial services, healthcare and other industries to focus on emerging threats. “Taking into account these areas, a CISO can then pare down the list to essential technologies and get deep in the areas that directly affect their organization,” Goerlich says.

Read the full article at: http://searchsecurity.techtarget.com/feature/Drowning-in-a-sea-of-cybersecurity-tools

Appetites for more government actions

SC Magazine: Appetites for more government actions

J Wolfgang Goerlich, cybersecurity strategist with CBI, a Troy, Mich.-based firm that manages IT security risk to help ensure data is secure, compliant and available, explains that InfraGard, a partnership between the FBI and organizations deemed to be critical infrastructure (such as those in energy, finance and transportation), has been sharing criminal information between the public and private sectors since 1996. Similarly, these organizations have been handicapped over the years by limitations on their information-sharing abilities and by those same concerns about potential liability. Information Sharing and Analysis Centers (ISACs) have been sharing sector-specific information on attacks and threats since 1999. Eighteen different ISACs currently serve sectors ranging from health care to financial services. “An open question is how the proposed ISAOs will complement and coordinate with the existing ISACs,” notes Goerlich.

Yet another initiative, a NIST Cybersecurity Framework, was previously launched after President Obama’s 2013 executive order. It provides guidance on the controls and practices that organizations can implement to improve their security posture. “The functions of the framework include ‘Identify’ and ‘Detect,’ which will both be bolstered by better information sharing of threat indicators and criminal tactics proposed by this year’s executive order,” says Goerlich.

Read the rest at: www.scmagazine.com/appetites-for-more-government-actions/article/438193/

Developers find themselves in hackers’ crosshairs

CSO: Developers find themselves in hackers’ crosshairs

Attackers have long targeted application vulnerabilities in order to breach systems and steal data, but recently they’ve been skipping a step and going directly after the tools developers use to actually build those applications.

Strategist with IT risk management firm CBI, J. Wolfgang Goerlich, explains why the recent spate of attacks on Apple’s development tools is notable. “The number of OS X computers continues to rise in the enterprise environment. Few organizations are considering Macs from a security perspective as the numbers have long been small and most security controls are Windows-based,” he says.

“These types of attacks – infecting the compiler – used to be considered a potential threat by high security governmental organizations. You would be considered paranoid to present such a scenario as something that could impact the general public. And yet here we are,” says Yossi Naar, co-founder of Cybereason, a provider of breach detection software.

If these types of two-stage attacks are no longer threats only to the paranoid, and enterprise development environments are targeted, what does this mean for enterprises trying to ensure they are developing and deploying secure applications?

“From a development perspective, the best practices in continuous integration and deployment would have prevented the attack against Apple’s App Store,” says Goerlich.

Read the rest at http://www.csoonline.com/article/2987237/application-security/developers-find-themselves-in-hackers-crosshairs.html

BSides: Broadening the Horizons of Information Security

Posted on TripWire: BSides: Broadening the Horizons of Information Security

With access to further reaches of the security community, new ideas and research are never far behind.

“The folks who attend these conferences tend to be geared towards learning something new,” reflects Irfahn Khimji, senior information security engineer at Tripwire. “As a result, they always ask great questions.”

J Wolfgang Goerlich, strategist with CBI and an organizer of BSides Detroit, shares Irfahn’s thoughts on BSides’ learning potential: “The movement has become a staple of the security industry. It has made it easier than ever for the local communities to come together, share and commiserate, and learn what is working and what is coming next. BSides also provides a platform for new speakers and new content, filling a vital role in developing talent.”

Mentorships, new people, and new ideas: that is just some of what BSides has to offer.

Read the full article at http://www.tripwire.com/state-of-security/featured/bsides-broadening-the-horizons-of-information-security/
Starbucks gift card fraud

Starbucks is in the news as criminals abuse its online services through fraudulent gift card purchases. On the surface, the issue appears to be about consumers’ passwords and the poor practices around their use. There is more to the story, however, and I would argue two deeper concerns are the real issue. The first is in how emerging payment systems are monitored and secured. The second is in how online services are developed and maintained.

The Starbucks security hole is simple enough. The criminal breaks into the coffee-loving victim’s account by guessing their password or using the password reset features. They then load a Starbucks gift card using the victim’s stored payment information, and transfer that card to themselves. This is usually automated so that several gift cards can be filled and stolen in a short period of time. The attack normally ends only when the victim receives notices on the gift cards and resets their Starbucks password.

Starbucks reportedly processed $2 billion in mobile payments last year. That’s a serious amount of business, and it requires a re-adjustment of their risk appetite to reflect the target their business has become. Moreover, as retailers and emerging payment systems develop bank-like functionality (funds transfer, cards), they need to start thinking more like banks. Anti-fraud techniques such as behavior monitoring for unusual activity are a prime example. Another is offering consumer protections such as reimbursements (at this point, Starbucks defers consumers to PayPal or their credit card company). When transactions are into the billions, it’s time for mobile payments to offer credit card equivalent security for consumers.
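As an added example of the behavior monitoring described above (this is not code from the original post, and it is not Starbucks' own fraud logic), the script below runs two simple rules over a constructed account-event log: flag gift card activity that follows shortly after a password reset, and flag a burst of gift card loads or transfers that looks automated rather than human. The CSV layout, the thresholds (one hour, ten minutes, three operations) and the sample accounts are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for this example, not any vendor's policy)
RESET_WINDOW = timedelta(hours=1)      # card activity this soon after a reset is suspicious
BURST_WINDOW = timedelta(minutes=10)   # window in which card operations are counted
BURST_COUNT = 3                        # operations within BURST_WINDOW that raise an alert

REASON_RESET = "gift card activity within 1h of a password reset"
REASON_BURST = "3 or more gift card operations within 10 minutes"
CARD_EVENTS = {"giftcard_load", "giftcard_transfer"}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str       # login | password_reset | giftcard_load | giftcard_transfer
    amount: float


# Constructed sample log (timestamp,account,event,amount); not real data.
# alice: normal use. bob: reset followed by rapid load/transfer cycles. carol: two loads a day apart.
SAMPLE_LOG = """
2015-05-12T09:00:00,alice,login,0
2015-05-12T09:01:00,alice,giftcard_load,25
2015-05-12T14:00:00,bob,password_reset,0
2015-05-12T14:02:00,bob,giftcard_load,50
2015-05-12T14:03:00,bob,giftcard_transfer,50
2015-05-12T14:04:00,bob,giftcard_load,50
2015-05-12T14:05:00,bob,giftcard_transfer,50
2015-05-12T16:00:00,carol,login,0
2015-05-12T16:30:00,carol,giftcard_load,20
2015-05-13T16:30:00,carol,giftcard_load,20
"""


def parse_log(text):
    """Parse the CSV-style log into Event objects, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, account, kind, amount = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), account, kind, float(amount)))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return {account: [reasons]} for accounts whose activity matches the takeover pattern."""
    alerts = {}

    def flag(account, reason):
        reasons = alerts.setdefault(account, [])
        if reason not in reasons:        # report each reason once per account
            reasons.append(reason)

    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    for account, evs in by_account.items():
        last_reset = None
        card_ops = []                    # timestamps of this account's card operations
        for e in evs:
            if e.kind == "password_reset":
                last_reset = e.ts
            elif e.kind in CARD_EVENTS:
                # Rule 1: reset-then-spend is the sequence described in the post
                if last_reset is not None and e.ts - last_reset <= RESET_WINDOW:
                    flag(account, REASON_RESET)
                # Rule 2: sliding-window velocity check for automated card churn
                card_ops.append(e.ts)
                recent = [t for t in card_ops if e.ts - t <= BURST_WINDOW]
                if len(recent) >= BURST_COUNT:
                    flag(account, REASON_BURST)
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for account, reasons in run_sample().items():
        print(account, "->", "; ".join(reasons))
```

Only bob is flagged, on both rules; alice and carol, whose loads are isolated, produce nothing. In a real deployment the thresholds would be tuned against the service's own baseline, and an alert would feed a step-up check or a hold on the transfer rather than just a log line.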

The other aspect of consumer protection is the online service itself. In , threat modeling is one of the first steps. The goal is to look at the functionality being developed and to identify ways it could be abused. With this in mind, security and privacy requirements can be defined. After Starbucks built their services, they could have performed scenario-based penetration tests to ensure the controls met the requirements, and the requirements prevent the threat. Given that gift card fraud is well known and that the controls in place are lacking, it’s clear that Starbucks did not complete these steps as part of their development program.

In summary, yes, consumers need to watch their password hygiene and monitor their accounts. But there’s more to the story. As companies build online services that handle billions in payments, they must mature their processes for handling fraud and building applications. We need credit card equivalent security for transactions. Developers need a secure development lifecycle to prevent their services from being abused. Starbucks is today’s example of organizations falling short in both areas and leaving the consumers with the tab.

Cross posted from: http://content.cbihome.com/blog/starbucks_giftcard_fraud