+ All Categories
Home > Technology > Security kaizen cloud security

Security kaizen cloud security

Date post: 22-Jan-2015
Upload: vinoth-sivasubramanan
View: 2,463 times
Download: 2 times
Share this document with a friend
Embed Size (px)
Popular Tags:
of 23 /23
  • 1. for 2011 Information Security ConferencesConference DateHacker Halted, Cairo December 2010TakeDowncon, DallasMay 2011HITB, AmsterdamMay 2011MENA ISC, Jordan September 2011Cairo Security CampOctober 2011HITB, KualalumpurOctober 2011RSA, LondonOctober 2011Hacker Halted, Miami October 2011 Register Now onwww.bluekaizen.org and have the oppurtunity to win free tickets to our sponsored Conferences

2. Editors NoteI t has been 6 months since our first issue. Looking back, I can see how the magazine has evolved throughout these months, and how the community is growing. The firstissue was downloaded 900 times in 7 days and the second July September 2011 . 3rd Issueissue was downloaded 2700 times in only 3 days. I knowI was surprised at how many of the people at the CairoICTChairman & Editor-in-ChiefMoataz Salahevent knew about our magazine; it was great to talk inperson to so many of our readers.Editors Business Continuity Amidst the RecentMahmoud TawfikWe were able to media-sponsor some renowned 4 Moataz Salah conferences, such as TakeDownCon Dallas and HITBMiddle East TurmoilOmar Sherin Amsterdam. Sponsoring helps us to step up our presenceVinoth Sivasubramaniannot just in Egypt and the Middle East but to take Security Mohamed Mohieldeen Kaizen magazine outside the MENA region and get more Mohammed Farragreaders from the USA and Europe. Also, that gave us A Visit to HITB11 Web Site Designthe opportunity to interview the chief security officer ofMariam Samy Facebook, Joe Sullivan. ArabBSD: The New Evolution for Arab 14Operating System DevelopersArabic Translator Representatives from Mozilla, Google, Microsoft, and Mai Alaa El-Dien SaudAdobe are now aware of Security Kaizen Magazine. We Recent Hacking Incidents in Egypt & 16started to catch the eye of the security community in the Middle EastGraphic Designwhole world. And I have all my readers and dedicated teamMohamed Fadly to thank for that.InterviewsIn our 3rd issue we will try to make it more special byfocusing on one topic. The recent events in Egypt and Interview with Joe Sullivan, CSO ofSecurity kaizen is issued20every 3 monthsthe Middle East have been quite dramatic and unusual, Facebook.compresenting unprecedented challenges to business Interview with Al Berman, CEO of DRII.org26Reproduction in whole or part operations and especially IT systems. One major lesson-without written permissionlearned from this situation is the need to have resilient plans Best Practiceis strictly prohibitedfor Business Continuity and Disaster Recovery, so thisAll copyrights are preserved to theme is the focus for the new issue. Could the cloud save your business 32www.bluekaizen.orgfrom a disaster?And to make the 3rd issue more special, I am happilyannouncing that this is to be the first printed issue of theFuturistic Approach to Ensuring Data 35magazine, so as promised and as we are always tryingSecurity in Cloudsto kaizen we were able to improve in every issue. Thefirst issue was released in January 2011 and despite theconditions in Egypt during this period, we were able toFor Advertisement inrelease the second issue in April with two versions, anSecurity Kaizen magazine andEnglish one and an Arabic one, and finally our special third www.bluekaizen.org website:issue is to be printed allowing you, our devoted readers, toMail: [email protected] read it at your convenience. Phone: 010 267 5570 Photos of cover by: Mohamed Fadly 23 3. the impact on diversified businesses whatsoever across the entire country.is clearly visible and is not sector- What was once deemed technicallyBusiness Continuity specific.How Business was impossible was proven to be technically possible. In such authoritarian countries, much of the physicalAmidst the Recent ImpactedAfter days of continuous anti- telecommunications infrastructure is under the direct ownership and control of the government.Middle East Turmoil government demonstrations that used We saw firsthand the catastrophicthe Internet and social networks such as impact of the governments impulsiveFacebook and Twitter as coordination decision. Imagine a country or aBy Omar Sherinplatforms, the former administration modern business deprived overnight v.sdecided to cut the Internet minutes of emails, VoIP services, e-commerce,before midnight on January 27th with online conferencing, browsing thethe hope of preventing protesters from web, running a corporate website orusing their communication tools. even seeking or providing remote online support. This unprecedentedMinutes later, it was confirmed that situation lasted for 5 consecutivethere was no Internet connectivity business days.In the past few weeks, the MiddleIt is worth analyzing businessEast has been the scene of un-continuity strategy in Egypt becauseprecedented and rapid political the country witnessed probably the fi-and social changes that took even rst international incident ever recordedthe most mature businesses and in-for a government actually using thedustries by surprise, and left them internet kill switch[1] as well as thevirtually paralyzed.ripple effect of consequences result-ing from the decision. Additionally,Not even the most sophisticated and as Egypt is the second strongestknowledgeable secret intelligence economy in the African continentagencies predicted the massive scale(following South Africa), it has the most Figure 1 - Internet Cut Off on January 27thsocial uprisings that are emergingdiversified economy in the region bythroughout the region.United Nations standards; therefore, 45July September 2011 www.bluekaizen.org 4. Due to a provision in the mobile locked, the CMT started the Crisisregulatory license agreements signedImmediate Impact One particular and major mobilewith all the mobile operators, comp- Communication Plan (CCP). A key operator is a good example of a requirement of the CCP was to deliveranies had to comply. This decision relevant status update messages toCompanies working in the IT out- company that survived the disruptionsproved to have significantly costly andinternational media and foreign stocksourcing industry were amongst the due to a solid and comprehensivenegative corporate image implicationsmarkets where the company is listed.first to be affected. Recently released Business Continuity Plan.because the general public perceivedofficial OECD statistics 4 estimatedthis action from the telecommunication On the IT side of the disruption, thethat the direct loss in revenue in those On January 27 , the BCP was triggered thoperators as a gesture of aiding DRP of this company was designed tofive days ranged from $90 million USD by the government cutting off thethe previous authoritarian regimemitigate the risk of total and completeto $120 million USD which does not Internet. Then the Crisis Managementand taking sides against their own loss in connectivity by developing ainclude lost business opportunities and Team (CMT) got together and act-customers. In the last few weeks there replica of its web services hosted inpossible SLA violations and lawsuits. ivated the Disaster Recovery Plan (DRP) to safely shut down the localhas been several customer and civilEurope as well as by signing with arights activists grouping people and prominent cloud-based managedAnother example is the banking sector. IT services and focus on securingSeveral national and multinational the physical assets, data centers,banks announced key services such key cellular towers, power generationas international money transfer and stations, from sabotage and perhapsonline banking were unavailable or looting due to riots and clashes in theunreliable. With the national ATM streets.network shutdown and the standalone Initially, the customer call center wasATM machines vandalized, millions of bombarded with complaints aboutbank customers resorted to standing difficulties using communication ser-in long queues in front of their local vices like mobile Internet, Blackberriesbank branches. Unfortunately up until and even international calls. Althoughnow there arent any formal studies the customer service representativeson the implications of the shortage of tried to explain the situation to callers, they later realized it was a nationalcalling for a national day boycottingservices provider to manage thecash flow on small businesses. problem. the mobile service for 30 minutes as security and availability of thewell as filing tens of law suits against corporate emails for its 5,000 users.How Business On January 28th, the governmentthe operators, This managed service had a provisionContinuity Plans Wereannounced a national state of that allowed them to save drafts of emergency and a curfew was enforced. At this stage the Crisis Managementundelivered emails in the cloud forExercisedFurthermore, all the mobile operatorsTeam ordered the shutdown of the up to seven days. Once the former in the country received orders fromcustomer call center and landlines,president and his administrationVery few companies appeared to the government to shut down allactivated the internal call tree and announced his resignation, the Internetbe resilient and unaffected. Somemobile communications includingordered all staff to remain at homewas back online and the employeescompanies survived due to exercising voice and SMS services as a last until further notice.mailboxes were flooded with week-solid Business Continuity Plansattempt to cripple the demonstratorsAfter receiving confirmation that allold emails, a situation certainly better(BCPs) yet others were sustained justcommunications.headquarters and branch officesthan getting an empty mailbox and abecause of pure luck. countrywide had been evacuated and handful of angry customers. 67 July September 2011www.bluekaizen.org 5. On the other hand, entities such as the of the traditional risk assessment as it sounds as most companies faced functions to the Cloud. As in theEgyptian Stock Exchange (egyptSE. methods available or practiced in most problems, especially when it comes diagram below (Figure 2)com) and some banks which appearedof the companies in Egypt would haveto be online and reachable throughout predicted such a risk of major politicalthe Internet blackout proved to be on a overhauling and social uprising.single and fairly small ISP in terms ofmarket share (about 8%) called Noor Interestingly this is a world premiereGroup5. Noor Group was clearly theof a government using the Internetexception. It is unclear whether thekill switch coupled with nationwideISP survived the former governmentsmobile communication blackout. Anddecision by coincidence or perhapsthat simply caught everyone off guard.due to its strategic list of customersincluding the likes of the Stock Corporate risk experts should haveExchange.learned from their previous experience in 2008, when there was a majorBased on available information, nearly Internet services disruption caused by80% of the businesses in Egypt did not an undersea Internet cable cut[3]. Figure 2 - Cloud based managed email systemlist the scenario of a national Internetblackout as a strong possibility and Failing to anticipate and include thisto developing a feedback system toThe system safely and securelyaccordingly were unprepared. major incident in the corporate riskensure that the organization continuesarchives external emails in the cloud. matrix is impermissible.to review, incorporate and learn from Thus in case the corporate in-houseThe remaining 20% of companies wereexperience dealing with new and email server becomes unavailable aseither well prepared with alternative Perhaps the only companies which emerging threats that were unthinkablein the case of internet blackout, theand varied means of international continued operation throughout the or unprecedented two years ago. cloud-based managed email servicecommunication such as satellite January 2011 events until announcingOne key observation is that companies would act on the companys behalf andconnectivity VSAT or companies that the state of emergency and general that used Cloud Computing werecontinue to receive and queue emailsdo not exclusively rely on the Internet curfew were the ones with rigorous, noticeably more resilient and capable addressed to the company (whilefor business.dynamic and active risk assessmentto work around this disruption becauseactually offline), all this is transparent practices that learned from the of the flexibility and availability offered to the sender, for example international 2008 events and used or translatedby the Cloud Computing architecture.customers. This ensures that yourWho Survived?those lessons into viable disastercorporate image remains intact with scenarios. Apparently its not as easyno business opportunities lost.As most advanced secret intelligence Cloud-Based Availabilityagencies in the world such as the CIAdid not anticipate this revolution as The cloud-based high availability Traditional BC/DRfar as we know, the United States architecture allows companies to Practices ShortcomingsSecretary of State Hillary Clinton outsource the management anddescribed[1] the Egyptian government maintenance of their critical systems Many small to mid-sized businessesas stable even after three days of like email for example and move the with traditional BC and DR plans founddramatic events. Interestingly, none email archiving and high availability that their plans had many shortcomings8 9 July September 2011 www.bluekaizen.org 6. dealing with this particular situationas there was a dependency on activating the DRP due to the complete and prolonged loss in connectivity and new & NEWSmodern technology. Ironically, manythe inability to seek technical support A Visit to HITBcompanies could not activate their from partners or vendors, includingcall trees as mobiles and SMS were industry blue chip companies.unavailable, and disseminating amessage to the branch offices acrossThe recent events emphasized howthe country was nearly impossible.modern businesses really dependon technology and particularly theEven companies with expensive Internet along with the unfortunatedisaster recovery sites (located reminder that we take these modernover 100 miles away) had problems technologies for granted.By Moataz Salah About the author: Omar Sherin I am a certified CBCP,For those who dont know aboutHack in the Box (HITB), here is an introduction. HITB is CRISC and ISO27001LAa well-known IT security organization that conducts and in my spare time anthree major conferences each year, in Malaysia, the active blogger in (ciip.wordpress.com).Netherlands, and this year, India instead of the UAE. A s part of our ongoing purpose of sharing their knowledgeReferences:mission to bring the latest and expertise.1 Internet Kill Switch in information security(http://www.infowars.com/egypts-internet-kill-switch-coming-to-america/) events to the attention From the organizing perspective,2 Hillary Clinton comment on the events on the 28thof our readers, SecurityAmsterdam is a great choice as a(http://af.reuters.com/article/topNews/idAFJOE70O0KF20110125)Kaizen served as a media sponsorvenue for the conference. Amsterdam3 Undersea cable cut for the HITB Amsterdam event. Our is one of the most popular destinations(http://news.bbc.co.uk/2/hi/7792688.stm) team attended the two day conferencein Europe, as it is one of those places4 OECD statistics on cost of internet shut downand took advantage of the opportunity that offer a variety of attractions and(http://www.pcmag.com/article2/0,2817,2379324,00.asp)to interview experts and transfer the activities to do in your free time.5 Why is Noor Online?picture as much as we can for those(http://www.huffingtonpost.com/2011/01/31/egypt-internet-noor- who couldnt attend.The choice of the hotel was spot-on.group_n_816214.html) It is located in the heart of Amsterdam It was a good experience to be at on the very famous Dam Square, so itFigures: an international conference where was hard to get lost trying to find the1 Internet Kill Switch Source: Arbor Networkssecurity professionals from all overhotel, and being in the center of Dam2 Cloud based managed emailthe world are gathered with the soleSquare allowed attendees to easily 10 11July September 2011 www.bluekaizen.org 7. showed how to extract the malicious especially given the alternative and code. The instructor provided all the more lucrative black market for attendees with a DVD containing a vulnerabilities. In the absence of a VM machine, tools, documents andpositive rewards system, it is difficult exercises, even more than the onesto blame vulnerability researchers for done in the lab, to be tested at home.turning to the black market and getting I have to admit that this session was substantially more for their efforts than the most beneficial for me at HITBeven the competition programs such Amsterdam.as Googles provide. The discussion was fun and it showed clearly the fact that the black market for vulnerabilities really exists, and the most important thing is that it is really profitable. At the end, HITB Amsterdam was a good experience, and you could feel the warmth, the love and the effort of all the HITB crew. Also I have to The second day started with a panel thank Dhilon (founder of HITB) fortake short tours around the city after each covering a different topic, anddiscussion on The Economics of all his effort, and the great crew hethe sessions.you had to choose one from the three. Vulnerabilities featuring represent- built. What a lot of people dont know To be honest, I didnt like that idea atives from Google, Microsoft, Mozilla, is that the HITB crew members areThe conference started with a speech because I wanted to attend differentAdobe and Blackberry. It was aall volunteers, motivated by sharingfrom Joe Sullivan, the Chief Security sessions that conflicted with theirvery lively discussion between theinformation and knowledge-spreadingOfficer of Facebook.com. He focused timings. Also the number of attendeesaudience and the speakers, as someconcepts.on the security threats that Facebook was not that big, so after dividing them of the audience could not understandhandles every day, and described how into three rooms, some sessions might why vendors are not rewarding Wish you all luck in attending the nextFacebooks employees have recently have only 10-15 people, which didntfreelance researchers who discover HITB in Malaysia!launched a number of unique security look so good. the vulnerabilities in their products,features that leverage the social About the author:graph. He also mentioned the blocking A good example of a presentationof Facebook access during the recent was Malicious PDF Analysis; the Moataz Salahevents in Tunisia, Egypt and Syria. session was presented by DidierI am the founder ofI wont get into the details here, as Steven (Security Consultant Europe Security Kaizen Magazine;you can have a look at the exclusive NV). It was a 2 hour lab session full Building knowledge is myinterview that Joe did with Security of practical activities to explain how to targetKaizen Magazine in this issue. analyze a malicious PDF using a step-BlueKaizen by-step process starting from ExerciseMail: [email protected] this session, the conference was 1on how to extract a hidden messagedivided into 3 different tracks, in a PDF file up to Exercise 12 which To get HITB material: http://conference.hitb.org/hitbsecconf2011ams/materials/new & NEWS12 13 July September 2011 www.bluekaizen.org 8. ArabBSD and OSF/1 systems in the 1990s (bothBerkeley Software Distribution (BSD, of which incorporated BSD code), in sometimes called Berkeley Unix) isrecent years modified open source the UNIX derivative distributed byversions of the codebase (mostlyThe New Evolution forthe University of California, Berkeley, derived from 4.4BSD-Lite) have seen starting in the 1970s. The name isincreasing use and development. Arab Operating System Developersalso used collectively for the modern FreeBSD is classified as one of theBy Mohammed Farrag most reliable and secured operating systems according to http://news. netcraft.com. Also, the availability of ArabBSD is a project which aims toFreeBSD core team members and their full cooperation lead us to consider itincrease the awareness of operating system as the development environment. Idevelopment and help Arab operating system didnt forget to mention that CISCOdevelopers in BSD environment starting fromand Yahoo servers are FreeBSDthe analysis of FreeBSD operating system Machines. descendants of these distributions.infrastructure, formulating block diagram and BSD was widely identified withRegarding the current progress,calling for research groups in each track. the versions of UNIX available forsome work in tutorial translation field workstation-class systems. This can has achieved and we are workingT he need for working in stableKernel APIs will affect higher layer be attributed to the ease with which it hard for better. Finally, anyone who track has become a desireapplication to be either not running could be licensed and the familiarity is interested in operating systems for many programmers. Theor running incorrectly. In Operating it found among the founders of many and their news can join us on ourcomprehension of the OperatingSystem, you can select the technology companies during the website https://sites.google.com/site/System programming pays best suitable environment1980s. This familiarity often came from arabbsd/ , our facebook group or ourprogrammersattentionfor your code, i.e. cloud, using similar systemsnotably DECs Google mailing list. Members will keepand leads them to highlyfilesystems,embedded,Ultrix and Suns SunOSduring their up with operating systems issues forclassify it.security, DataBase and oreducation. While BSD itself was largely both administration and developmentAlso, OS programmingnetwork programming. superseded by the System V Release 4including mastering all types ofrequires intelligence for The work in ArabBSDprogramming.applying constraints fromis accomplished in twosoftware onhardware parallel directions. The firstAbout the author:and providing compatibility is the translation of FreeBSD Mohammed Farragbetween different peripherals and documentation and its learningArabBSD Project Manager,processor and this make a competition tutorials into Arabic beside the websiteFreeBSD Contributor,for those who like challenges.translation. The second is offering freeGoogle Technology UserSimply, Operating System acts assummer training for starting work onFreeBSD development. But Why BSDGroup Administrator, GTUGintermediate layer between softwareand hardware. Any change to the Systems?! Magazine Project Manager. new & NEWS14 15 July September 2011 www.bluekaizen.org 9. Friday, 4th of February 2011, AlJazeera.netRecent HackingWebsite was Hacked AlJazeera and other news agencies have been working so hard during the last few months to cover the Egyptian and Tunisian Incidents revolutions. However, some people didnt like the way that AlJazeera handled this coverage to the limit that it was blocked from the NileSat. Thats why an anonymous hacker hacked Aljazeera.net website and wrote the following message Togetherin Egypt & to bring Egypt down. Wednesday, 30th of March 2011, ON TV Website was hacked Middle East The ON TV website has been hacked by an anonymous hacker called A-Alexand. The message left at the website says:The marriage of power and money produces corruption, no for money exploitation to control power and politics... Yes for Egypt free fromIn this article, we have collected a few of the cyber attacks that corruption. He also sent out a warning to Naguib Sawiris, thehappened in Egypt or Middle East on Governments, Banks and Media inowner of the channel, to stop launching a campaign against Islam.the last few months. We would like to thank Osama Kamal for his effortsin helping us collect all this data. The content of this article does not reflect Security July September 2011 Kaizens opinion on the matters. We are simply stating some of the reported incidents.This page was h@cked Media Sector Sunday, 5th of June 2011, Akhbar el yom website was hacked The Akhbar Al Youm newspaper website was hacked because of a Government Sector cartoon by Mustafa Hussein and Ahmed Ragab about a Salafi trend in Egypt. The hacker claims that he is not a Salafi but a Muslim June 2011, Login Passwords for Government Websites in Bahrain, and he does not accept mocking other Muslims and ladies wearingEgypt, Jordan, and Morocco Were Published Online Neqab. He even said that no one dares to mock the Christians in this way wondering how the newspaper calls forA list of Egyptian government agency e-mails including Ministry of dialogue, tolerance and freedom of expression whileCommunication and Information Technology, NTRA, IDSC and others they mock Muslims. He is angry and is wonderinghave been breached. This incident was reported by Security Kaizen to why the women wearing Neqab were mockedEGCERT and they proceeded with their investigations. The same was despite it is their personal freedom.done in Bahrain, Jordan and Morocco. new & NEWS 16189919 July September 2011 ERROR_678www.bluekaizen.org 10. April 2011, Abu Dhabi Islamic bankJune 2011, Bahrain Governments Websites AttackedA Phishing mail was sent from [email protected] withHackers have launched a series of attacks on government websitesthe subject: SECURITY NOTICE asking the user to follow aafter the country was granted the right to stage the Gulf Air Bahrain certain link to use the new upgraded SSL database of the bankGrand Prix. instead of the old one.The Northern Governorate website, the official government tourismwebsite and others have been hacked. Pictures of wounded anti-government protesters were visible if users clicked on categories onthe main page of either website. Dubai First Bank April 2011, Website of Municipal Council A Phishing mail was sent from [email protected] with subject: of Elections in Saudi Arabia was HackedYour Online Banking Has Been Blocked with a link attached to The attacker was successfully able to change the main home pagereactivate your account. As with all Phishing attacks, the attached of the website and add a message to King Abdallah ben Abdelazizlinks guide you to the attackers website not the real bank website. asking for help from the injustice of the traffic system in the attackers city, stating that he suffered a lot from it and is nearly bankrupt!References:http://egyptianchronicles.blogspot.com/2011/06/akhbar-al-youm-website-is-hacked.htmlhttp://egyptianchronicles.blogspot.com/2011/03/ontv-website-is-hacked.htmlFinancial Sector: http://www.aljazeera.net/NR/exeres/07E58207-E080-414F-9C52-5C7D57CB6205.htmlhttp://www.tradearabia.com/news/IT_200063.html May 2011, HSBC Egypt Bank Phishing Attackhttp://pastebin.com/n98jDJMqhttp://www.tech-beat.com/719/ A Phishing mail was sent from [email protected] with thehttp://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_ subject: Update Your Account. The message requested that the userno=239311&mode=alert click on the link attached in the mail to receive an urgent message, http://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_ otherwise the users online banking would be blocked.no=239214&mode=alerthttp://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_no=239048&mode=alertThis page was h@ckednew & NEWS 0019 July September 2011 www.bluekaizen.org 11. Interviews Today, FacebookInterview withJoe Sullivan, is one of the most popular websites in the whole world, especially in the MiddleCSO of Facebook.comEast. It is one of the best- known examples of the By Moataz Salah new phenomenon of social networks, where users voluntarily share information and their personal histories, with stories and regular updates on their daily lives, along with photos of family and friends, their connections, and more. With so much personal information shared in social networks, and so many data breaches in the news, the privacy ofFacebook has become a real concern.Facebook.com is also credited with playing a main role in the Arabic Revolutions in the last few months. The increased use and impact of Facebookamongst the general population has promptedentities such as the Egyptian Army and other government agencies to create official pages onFacebook.Thats why it was mandatory for the Security Kaizen team to conduct this interview with the Chief Security Officer ofFacebook.com, Mr. Joe Sullivan, and try to learn more details about Facebook security. Moataz Salah, Security Kaizen Editor, met with Joe and asked him the following questions.21 July September 2011 www.bluekaizen.org 12. Can you please introduce yourself to Security Kaizenreaders? What is the most challenging incident you have faced recently?Im Joe Sullivan, the Chief Security Officer at Facebook. I manage a fewof the teams at Facebook focused on making sure that people who useOur biggest challenges come when we have to disprove negatives. ThereFacebook have a safe and positive experience.are so many security experts writing about Facebook we are constantly responding to claimed vulnerabilities that turn out to be theoretical at best.Prior to joining Facebook in 2008, I spent 6 years working in a number ofJust in the last month there were two stories that received global mediadifferent security and legal roles at PayPal and eBay. Before that I workedcoverage where if you had read the headlines you would assume that majorfor the US Department of Justice for 8 years. I was very lucky to have the security breaches had happened. In fact, in neither case had a securitychance to be the first federal prosecutor in a US Attorneys office dedicatedvulnerability lead to harm to a single person.full-time to fighting high-tech crime. I was privileged to work on many high-We also deal with really unique challenges that require speed and creativity.profile Internet cases, ranging from the digital evidence aspects of the 9/11The situation in Tunisia (when ISPs started inserting code into our login page)investigation to child predator, computer intrusion, and economic espionagestands out in my mind, because it was something we had not seen before butcases. I was also a founding member of the Computer Hacking andwere able to roll out a complete incident response plan (including launchingIntellectual Property Unit, a special unit based in Silicon Valley dedicated coding changes on our site) in under five days.exclusively to high-tech crime prosecution. Do different governments including the US governmentCan you give us an overview of the Security Teams in ask for your help in certain Cyber Crime cases?Facebook, the role of every team and the average Examples?number of employees per team? Someone on my team talks to a government official from somewhere inWe have over 30 people on the Security Team, but that really understates the world almost every day of the weekand that should be no surprise.the number of people working on Security at the company. Facebook hasThese interactions range from the typical sharing of cyber crime trends,engineering, risk, compliance and operations teams outside of Security to participation on investigations, to dialogue about content standards, tothat are also 100% dedicated to security and safety. Together there areresponding to requests for user records. We try to foster positive dialoguehundreds of us focused on the area. Within the Security Team, we divide up so that we understand government concerns while always maintaining ourinto functional groups such as product security, investigations, information commitment to respecting the privacy and security rights of our users.security practices, and law enforcement relations. What was your action plan during the recent situationsWhat kind of daily activities do you handle? in the Middle East when some countries blocked Facebook?Facebook Security has a wide range of duties ranging from keeping ourphysical environment and electronic data safe to helping maintain theOur primary focus throughout this time was on maintaining account securityintegrity of the site. We work internally to develop and promote high productand integrity. We cannot counter a decision to shut down internet accesssecurity standards, partner externally to promote safe internet practices, and altogether or block access to our site but we can focus on preventingcoordinate internal investigations with outside law enforcement agencies unauthorized access to accounts.to help bring consequences to those responsible for spam, fraud and otherabuse. Interviews22 23July September 2011www.bluekaizen.org 13. To avoid future similar incidents,what kind of updates did you haveto your contingency plan? Why y ouWe continue to focus on measures to giveshouldpeople more control over the security of theirattendaccount. We launched opt-in HTTPS andCairo S ehope to make HTTPS by default soon. WeCamp curityExcelle 2011?now offer Login Notification, Login Approvals(a form of two-factor authentication),nt Sp Securit eakersSocial Verification, One-Time PasswordsCairowill brin y Camand Remote Session Control to give allg you p 2011best Ssomeour users the tools to safeguard theirecof the in Egy urity Expertaccounts. To complement these user-pt speakPresen and MENA ersfacing tools, we constantly iterate on tations area.discus a sions o nd panelour technical systems which consistrecentn the m seosof multiple proprietary programs thatheld fo curity topic tr two d s will bclassify malicious actions, roadblock ays. ecompromised accounts, scan URLs andmaintain the integrity of the site.Did you notice attacks to specific protestersprofiles or specific groups during this period eitherfrom the old Egyptian government or the Tunisiangovernment?One silver lining on all of this has been that the same tools we rolled outyears ago to prevent Phishing and other types of account takeovers workequally well in combating other types of attempts to compromise accounts.But out of respect for the privacy of each user, we have not publicly discussedspecific cases.Do you think governments have the right to cut theInternet connections and what do you think the responseof US citizens would be in such a case?Through our growth as a service used by hundreds of millions of peoplein every country in the world, we have shown the power of the Internetas an indispensable tool for communication. To the extent we believecommunication and access to information are fundamental to a just society,we should always be concerned when access is denied.Interviews 24 14. Does DRI International play a role in supportingInterview withconferences covering Business Continuity andAl Berman,Disaster Recovery (BC/DR)?DRI has been involved in conferences all around the world. In fact, Irecently returned from a conference in Brazil, of which one day (DRIDAY) CEO of DRII.orgwas dedicated to DRI certified professionals discussing their roles in theirorganizations. And at the end of June, I am attending a conference inBrussels. DRI has spoken at conferences in Spain, Mexico, Singapore, theUnited States, and Malaysia in 2011 alone. And in 2012, DRI International By Moataz Salah & Omar Sherinwill be having its own conference in May in New Orleans.Can you introduce yourselfto Security Kaizen readers?I have been the Executive Directorfor DRI International for the last fiveyears. Prior to that, I was the BusinessContinuity Management Global Headfor Marsh and prior to that I was theOperational Resilience Director for PwC.Additionally, I am the former CIO of amajor bank, as well as a former CEO.Can you please introduceCan you give us an update as well as your insightDRI International as an organization and theonto the recent activities centered around BCrole the DRI members play in the variousregulations and standards worldwide?industries/professions?Weve seen a number of new standards and regulations around the world inDRI International is a non-profit organization, which for the last 23 business continuity, and most of them turn out to be a reaction to an event.years has been dedicated to preparedness around the world. We are 9/11 was a big impetus in the United Stated, but were seeing it all over thethe largest certifier and educator of people in Business Continuity. We world. Every central bank has a business continuity requirement. Thereserve on committees all around the world. We teach in 45 countries, are British standards (BS 25999), U.S. standards (NFPA 1600), and therein eight languages, and we have some 8,500 certified professionalsare other standards as well. The new evolving standard, ISO 22301 will bein more than 100 countries and in every industry and profession.another attempt at creating an ISO standard to replace BS25999. Interviews 26 27July September 2011 www.bluekaizen.org 15. doing. Standards, on their own, do not do that. They only serve as a basis ofBut we are starting to see more regulations, and they come out of major comparison, from best practices to how you are doing at your organization.events. If you look at the events in the United States recently, the Dodd-FrankBill which is to deal with the economic crisis has business continuity inAfter the recent conditions in the Middle East andit. FINRA, which is the financial regulatory body in the United Stated, justpassed regulation 4370, which also covers business continuity.also the huge earthquake disaster in Japan, do youBut what were seeing is the real understanding that businesses have to think that organizations that use the Cloud conceptbe prepared for emergencies, and they have to go through the planning will be a step ahead?process so they can maintain the viability of not only their business but alsoeverybody elses. And recent incidents in March in Japan, for example,I think what the Cloud concept does is distance you from a particular incident.showed how incidents affect supply chains around the world. What we saw, in Japan in particular, was the ability for financial systemto continue to operate even in those areas that were devastated by theDo you think the new and emerging BC/DR tsunamis. So, I think the answer to that is yes.standards will also focus more about the recoveryHowever, in the Middle East, one of the big problems when we looked at theof the technology environment as most standards recent disruptions in Egypt was closing down the Internet. Closing down thehavent been historically?Internet would not have helped you continue to work even if you had Cloudtechnology. So, as long as communications are available, Cloud technologyI think there are a lot of standards about technology; ISO 27001 is totally certainly is a better way of doing things, especially in a crisis.focused on technology. But I think, to some extent, youre right. The newISO standard 22301 will replace BS 25999. As you probably know, BS 25999In the wake of the recent ME events, how woulddoes not contain IT recovery. So, I think there is significant understandingthat technology is an instrumental part of recovering all operations. you prioritize the biggest concerns for organizationsthat are in the region now?In your opinion what will the new ISO 22301 tryObviously, we have great concerns about people, but I think technology is ato improve and stress compared to the current BS- very big component of what is needed. We need to make sure technology25999?is available so that you can communicate within the country and without thecountry. I think we need to understand that there have to be plans in placeI think the obvious one is technology recovery, which is missing from BSand there have to be resources that you can utilize outside of the affected25999. I also think that it is more broad-based, being an international area. So, I think what were really saying is that we do need a great deal ofstandard, as opposed to being a strictly British one. It provides a broader planning, and more importantly, we need to be able to test those plans.framework in which to work. I think its certainly an improvement over BS25999.Many organizations reported a rise in fraudulentBut as most people know, standards themselves are not as strong astransactions following the events, especiallyregulations. And I think were going to see more regulations. When youactivities that fall under money laundering. Whatlook at regulations, they are prescriptive so they tell you what to do. And are some of the associated risks that organizationsthey are performance-based, so they you how to measure what you are need to consider in a time of disaster?Interviews 2829July September 2011 www.bluekaizen.org 16. In a time of disaster, we tend to go use facilities Why ythat are not as case-hardened and not as ouprotected as those that are in our normal day- shouldaCairo S ttendto-day operations. So, one of the things weneed to make sure of is that the security ofeCamp curitythose facilities, including Cloud technology, isequal to if not better than our own security.And we have to have some oversight. One 2011?First O rgaof the things we often miss is not having Arab C nized by aaudit/compliance teams available to ountnSecurit ry Cairounderstand whats going on. In a crisis, annuay Caml even pwe can expect that people will try to Inform t targe is an at ting thcommit fraudulent acts, and we have to Comm ion Securitye unity obe prepared for those things. Middle f the East anAfrica(MENA d North IT prof RegionIn your opinion what cansecurit essionals an). y prac dbe the ideal driver forthrougtitPage number 33 hout t ioners fromadopting a culture of BC/ invited he to atte region areSecurit nDR in a region like the y Cam d. Cairo Inform p ation S is the firstME where there are no Confeerence curityregulations or laws?an Araorganb Cou ized bntry.yWell, one thing is that we are startingto see some of that come about. I think that if youlook at the central bank of any Middle Eastern country, youwill see that BC/DR is included. But I think the driver isgoing to be what it has always been, and that is business outside corporations considering doing business inthe Middle East and using Middle East suppliers. Thosesuppliers are going to have to reach a level that is at leastequal to what people are seeing domestically. I think thedriver will be business, but I think corporations have shownthat they will comply with regulations no matter where theyare. And what weve found is if you want to continue togrow your business, youre going to have to have businesscontinuity. Interviews 30 17. The Cloud infrastructure represents a paradigm shift for BC/DR. Businesses are looking for cost-effective solutions Why y for reliability, and a well-designed Cloud oushouldCould the Computing architecture with multiple a redundant sites makes it suitable Cairo S ttend for utilization in a comprehensive eCamp curitycloud save your Business Continuity and Disaster Recovery strategy.Educta 2011?ion &business from In October of 2010 Aberdeen groupKnowl Sharinedge surveyed over 100 organizations with g Infor knowlema formal Disaster Recovery programs todge tr tion andthe ma ana disaster? learn whether they used public Cloud in targ sfer is Securite storage and if so, what benefits were y Cam t of Cairo Cairo p 2011 realized in their performance. Aber- Securitwill incyC deen discovered that organizations lude tw amp 2011keyno o day te adds that had moved at least part of their presen resses, of tations data storage to the Cloud recovered discus , sions a panel from downtime events almost 4an exp nd moBy Mahmoud Tawfik audienectedcomb tore,C times faster than those with no cine weather-related disruptions, not just formal Cloud storage program. 500 pa e of more th dloudComputing has rtan One d icipantsbecome a significant rare, catastrophic disasters. SecurityIn addition, users of Cloud aytechnic will cover ttechnology trend and and risk professionals should takestorage met their Recovery Timeal top ics and ehother Objectives (RTO) more often da tmany experts expectadvantage of this increased visibilitythe ma y will cover hethat cloud computing willas the economic recovery slowly than those storing their data in-nager ial top house. icsreshape information technology (IT). thaws IT budgets to improve the BC/ DRs organizational and processAccording to Forresters recent survey maturity for the long term. A Cloud-based BC/DR solution is aof 2,803 IT decision-makers, improving The report Business Continuity and good fit for any business with a low Computing are security and privacyBusiness Continuity and Disaster Disaster Recovery Are Top IT Priorities tolerance for downtime and data loss issues, which have been furtherRecovery (BC/DR) capabilities is the for 2010 and 2011 indicated that 32but this does not guarantee that there categorized to include sensitiveNo. 1 priority for SMBs and the second % of enterprises and 36 % of SMBs are no service outages. For example, data access, data segregation, bughighest priority for enterprises for the plan to increase spending on business a rare and major outage of Amazonsexploitation, recovery, accountability,next 12 months.continuity by at least five percent. Only Cloud-based Web service in April malicious insiders,management 11 % of enterprises and 8 % of SMBs took down a plethora of other online console security, account control, andThe scope of BC/DR programs is plan to decrease their spending.sites, including Reddit, HootSuite,multi-tenancy.growing also: mature programsFoursquare and Quora.Solutions to various Cloud securityaddress all sources of downtime Thesestatisticsindicatethat issues include greater use ofincluding mundane power outages and businesses are looking for reliability.Themain concerns ofCloud cryptography, particularly public key 3233July September 2011www.bluekaizen.org 18. best-practices for providing security Futuristicinfrastructure (PKI), use of multipleCloud providers, standardization ofassurance within Cloud Computing,APIs, improving virtual machines and to provide education on the usessupport and legal support. of Cloud Computing to help secure all other forms of computing. The Cloud Approach toThe Egypt Cloud Forum organizedSecurity Alliance is led by a broadEgypt Cloud Day to increase thecoalition of industry practitioners,awareness of Cloud Computing and corporations, associations and other key stakeholders.Ensuring Datarelated security issues. The EgyptCloud Forum is the official affiliateto the Cloud Security Alliance, EgyptChapter, with the focus area on CloudSecurity in CloudsVulnerabilitiesIdentificationandVirtualization Security.The Cloud Security Alliance (CSA)By Vinoth Sivasubramanian & Mohamed MohieldeenCLOUD FORUMIis a not-for-profit organization witha mission to promote the use ofnformation Technology has come the traditional triadic way but must be a long way ever since computersviewed in a different way. This paper wereinvented.Similarly will discuss ways on how data security Information Security has comeparadigms can change in the neara long way. Trends such as Cloudfuture and ways to address the new.Computing have been helping Small Traditionally Information Security hasAbout the author: and Medium Investors and Innovators been governed by the CIA triad,Mahmoud Tawfik(SMIs) by reducing the initial cost ofnamely Confidentiality, Integrity andI am the CEO of Fixed Solutions and deployment and maintenance. ThisAvailability, but this is bound to changePenetration testing Director at Cloud will definitely pave a new path ahead in the future especially with data beingSecurity Alliance - Egypt Chapter.for many people. With emergingspread across the globe. This model MSTawfik trends such as these data securitywill ensure a considerably high level ofEmail : [email protected] in the Clouds must not be viewed in data security and authenticity:ConfidentialityConfidentialityIntegritySources :http://money.cnn.com/2011/04/21/technology/amazon_server_outage/index.htmhttp://www.forrester.com/rb/Research/business_continuity_and_disaster_recovery_Governance Availabilityare_top/q/id/57818/t/2http://www.cloudsecurityalliance.orghttp://www.egyptcloudforum.com/?q=node/42http://www.aberdeen.com/aberdeen-library/6827/RA-disaster-recovery-cloud.aspx Integrity AvailabilityAccountability Visibilityhttp://www.aberdeen.com/aberdeen-library/6827/RA-disaster-recovery-cloud.aspx 3435 July September 2011 www.bluekaizen.org 19. Since there are enough materials1.1 Availability:and resources available already tomeet the metrics that are deemed fit This will ensure that your data is takenaddress the first three parametersDraft SLAs which will clearly enlistby the organization; outcomes couldcare of properly, as organizations thatsuch as Confidentiality, Integrity andthe minimum time that the organiza- range from cancellation of contracts tohave these certifications get auditedAvailability we will focus on the other tion can hold on disruptions. This is fines imposed due to legal obligations.by an independent body. If this is notthree parameters namely Visibility, because certain applications in an or- feasible, get them to follow at the leastAccountability and Governance. We ganization will not be critical as com- 1.4 People Employment: good Incident Management, Changewill focus this article from a Processpared to their front-line applications.Management, Release Management,and Governance perspective. This way the customer ends up get-Clearly enlist the kind of people whoProblem Management and SecurityA clear well-defined Service Levelting better quality of service for theirmust be employed to manage yourManagement procedures as perAgreement (SLA) is the first step inmost critical applications. A sampledata and infrastructure, the kind of ITIL or any other leading standards.ensuring the security of our data. Here template is given below which can bechecks that must be done on thoseThis will ensure confidence amongstwe provide some fresh approachesused as a cue:people, the credentials (degrees and stakeholders as well as management.to drafting ancertifications) that they must hold.Name of Application Availability Required Mean Down TimeSLA that will2. Visibility:Internet Banking 100Nildeliver a win-win 1.5 Good Governance Practices:HRMS Application991 Hoursituation.Ensure that an organization such asOne of the biggest challenges of Cloudan Internet Service Provider (ISP) willComputing is gaining visibility into the1. Accountability:1.2 Rewards Management :practice good governance principlesinfrastructure of the service provider.in reference to management, whichMost organizations will provide someAccountability is a concept in Ethics and This is something new, draft sort of certification such as ISO 27001is basically corporate governanceGovernance with several meanings. agreements that clearly state thebut does that ensure that everythingthat extends beyond IT governance.It is often used synonymously withrewards that you will share with is taken care of? Unfortunately it doesConducts of good governance guidesconcepts such as responsibility the provider if the ultimate goal of not. So how should an organizationare available in the OCEG Red book.and answerability. From a modernproviding secure and reliable data tackle visibility? Here are certain stepsOrganizations that practice goodmanagement perspective it can bequality is met; make them understand to do so:governance are more sustainable incoined in two words Stupendous the metrics that you require for sharingthe long term. To cite an example, inleadership , this can be looked at incentives. Also provide certificate-of- 2.1 Have a dedicated team in-house:the case of an Internet Service Providerfrom either a people perspective or excellence rewards to the people whogoing in for a merger or acquisition thefrom an organizational perspectivemaintain your infrastructure and helpHave a small but dedicated in-houseISP should ensure that customers are,wherein both the people and theachieve business excellence. team of system admins, networkproperly informed and have visibilityorganization go beyond the call of theiron what is happening to their data.admins, or security personnel who canduty to create sustaining and winning 1.3 Loss of business:mark the nature of data as to whether itrelationships. Here are some factors1.6 Good IT practices: is critical/semi-critical/normal and alsothat can be woven into the Service Clearly state the legal and other risks monitor the movement of data. Thethat the vendor will incur if they do notLevel Agreement:Make them accountable to follow good KRA of this team should be to reportIT practices such as ITIL, SAS70, etc. violations and Log anomalies.36 37 July September 2011www.bluekaizen.org 20. 2.5 Implement Logging Server:2.2 Implement CCTV Monitoring:Implement a logging server wherein 3.3 Internal Audit:Through CCTV monitoring theall transactions carried on yourthe results with the top managementcustomer can have a ground viewinfrastructure and data will be logged toHave a year-end audit conducted by anof service providers. Identify concernson the physical security of the placethis server. Provide no service providerinternal team and a similar audit done by and areas for improvements and havein which the data resides. Record theaccess to this server; access to this external auditors, who are specialists. them addressed through variousfindings, review them every month, server must rest with a specific groupHave the audits collated, and discuss compensating mechanisms.note observations, circulate the of people from within the organization,observations and archive them on ansuch as the CISO or CIO only. Ensureexternal storage. These findings will be that the log files are read-only.particularly useful when dealing with Conclusion: Cloud Computing is here to stay and will changelegal issues arising out of operationsthe way data is being managed, stored and processed. By following theoccurring across the globe.3. Governance: procedures laid out above the CISO/CIO can ensure that a high level ofdata security can be achieved. The above process requires well-planned2.3 Identity Management andThis pillar is based on the paradigm strategy, budget and resources but going by the Return-On-InvestmentAccess Control: (ROI) that Cloud Computing provides management will hardly say NO. trust-but-verify. In spite of getting all the above factors correct the CISO Ensure that the service provider gives or CIO must adopt an audit-basedyou the power to enforce Identity approach. We present a multi-prongedManagement and Access Control governance approach here.privileges as per your requirements; for About the authors:critical systems implement dual identity 3.1 Risk Management:Vinoth Sivasubramanianauthentication wherein changes onProfessional security expertrequire the acknowledgement of two Have a quarterly risk assessmentfocussing to reach pinnacle ofpeople. Implement Authentication, conducted by your internal security excellence in areas of IT security ,Authorization, and Audit (AAA) for team in line with international governance , Ethics and Leadership.these systems and have them logged standards such as NIST or COBIT.on a sys-log server. Record the observations and have them circulated.2.4 Backup: 3.2 Vulnerability Analysis andMohamed MohieldeenBusiness Continuity and Disaster Penetration Testing:I am the Vice President Service DeliveryRecovery are critical components and Strategy of Intrendz Consultingof availability but the CIO needs to Have a VA/PT done by your internalMail : [email protected] that they have first-hand facts team every half year and a yearlyon the back-up data, as to where it is VA/PT done by a team of externallocated, who has access to it, and how specialists; this will help uncoverthe data is being managed. surprise items and mitigate risks.Reference: www.wikipedia.org 3839 July September 2011 www.bluekaizen.org