Security kaizen cloud security

2,622 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,622
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Security kaizen cloud security

  1. 1. for 2011 Information Security Conferences Conference Date Hacker Halted, Cairo December 2010 TakeDowncon, Dallas May 2011 HITB, Amsterdam May 2011 MENA ISC, Jordan September 2011 Cairo Security Camp October 2011 HITB, Kualalumpur October 2011 RSA, London October 2011 Hacker Halted, Miami October 2011 Register Now onwww.bluekaizen.org and have the oppurtunity to win free tickets to our sponsored Conferences
  2. 2. Editor’s Note I t has been 6 months since our first issue. Looking back, I can see how the magazine has evolved throughout these months, and how the community is growing. The first issue was downloaded 900 times in 7 days and the second July September 2011 . 3rd Issue issue was downloaded 2700 times in only 3 days. I know I was surprised at how many of the people at the CairoICTChairman & Editor-in-Chief Moataz Salah event knew about our magazine; it was great to talk in person to so many of our readers. Editors Business Continuity Amidst the Recent Mahmoud Tawfik We were able to media-sponsor some renowned 4 Moataz Salah conferences, such as TakeDownCon Dallas and HITB Middle East Turmoil Omar Sherin Amsterdam. Sponsoring helps us to step up our presence Vinoth Sivasubramanian not just in Egypt and the Middle East but to take Security Mohamed Mohieldeen Kaizen magazine outside the MENA region and get more Mohammed Farrag readers from the USA and Europe. Also, that gave us A Visit to HITB 11 Web Site Design the opportunity to interview the chief security officer of Mariam Samy Facebook, Joe Sullivan. ArabBSD: The New Evolution for Arab 14 Operating System Developers Arabic Translator Representatives from Mozilla, Google, Microsoft, and Mai Alaa El-Dien Saud Adobe are now aware of Security Kaizen Magazine. We Recent Hacking Incidents in Egypt & 16 started to catch the eye of the security community in the Middle East Graphic Design whole world. And I have all my readers and dedicated team Mohamed Fadly to thank for that. Interviews In our 3rd issue we will try to make it more special by focusing on one topic. The recent events in Egypt and Interview with Joe Sullivan, CSO of Security kaizen is issued 20 every 3 months the Middle East have been quite dramatic and unusual, Facebook.com presenting unprecedented challenges to business Interview with Al Berman, CEO of DRII.org 26Reproduction in whole or part operations and especially IT systems. One major lesson- without written permission learned from this situation is the need to have resilient plans Best Practice is strictly prohibited for Business Continuity and Disaster Recovery, so thisAll copyrights are preserved to theme is the focus for the new issue. Could the cloud save your business 32 www.bluekaizen.org from a disaster? And to make the 3rd issue more special, I am happily announcing that this is to be the first printed issue of the Futuristic Approach to Ensuring Data 35 magazine, so as promised and as we are always trying Security in Clouds to kaizen we were able to improve in every issue. The first issue was released in January 2011 and despite the conditions in Egypt during this period, we were able to For Advertisement in release the second issue in April with two versions, anSecurity Kaizen magazine and English one and an Arabic one, and finally our special third www.bluekaizen.org website: issue is to be printed allowing you, our devoted readers, to Mail: Info@bluekiazen.org read it at your convenience. Phone: 010 267 5570 Photos of cover by: Mohamed Fadly 2 3
  3. 3. the impact on diversified businesses whatsoever across the entire country. is clearly visible and is not sector- What was once deemed technicallyBusiness Continuity specific. How Business was impossible was proven to be technically possible. In such authoritarian countries, much of the physicalAmidst the Recent Impacted After days of continuous anti- telecommunications infrastructure is under the direct ownership and control of the government.Middle East Turmoil government demonstrations that used We saw firsthand the catastrophic the Internet and social networks such as impact of the government’s impulsive Facebook and Twitter as coordination decision. Imagine a country or a By Omar Sherin platforms, the former administration modern business deprived “overnight” v.s decided to cut the Internet minutes of emails, VoIP services, e-commerce, before midnight on January 27th with online conferencing, browsing the the hope of preventing protesters from web, running a corporate website or using their communication tools. even seeking or providing remote online support. This unprecedented Minutes later, it was confirmed that situation lasted for 5 consecutive there was no Internet connectivity business days.I n the past few weeks, the Middle It is worth analyzing business East has been the scene of un- continuity strategy in Egypt because precedented and rapid political the country witnessed probably the fi- and social changes that took even rst international incident ever recordedthe most mature businesses and in- for a government actually using thedustries by surprise, and left them internet “kill switch”[1] as well as thevirtually paralyzed. ripple effect of consequences result- ing from the decision. Additionally,Not even the most sophisticated and as Egypt is the second strongestknowledgeable secret intelligence economy in the African continentagencies predicted the massive scale (following South Africa), it has the most Figure 1 - Internet Cut Off on January 27thsocial uprisings that are emerging diversified economy in the region bythroughout the region. United Nations standards; therefore, 4 5 July September 2011 www.bluekaizen.org
  4. 4. Due to a provision in the mobile locked, the CMT started the Crisis regulatory license agreements signedImmediate Impact One particular and major mobile with all the mobile operators, comp- Communication Plan (CCP). A key operator is a good example of a requirement of the CCP was to deliver anies had to comply. This decision relevant status update messages toCompanies working in the IT out- company that survived the disruptions proved to have significantly costly and international media and foreign stocksourcing industry were amongst the due to a solid and comprehensive negative corporate image implications markets where the company is listed.first to be affected. Recently released Business Continuity Plan. because the general public perceivedofficial OECD statistics 4 estimated this action from the telecommunication On the IT side of the disruption, thethat the direct loss in revenue in those On January 27 , the BCP was triggered th operators as a gesture of aiding DRP of this company was designed tofive days ranged from $90 million USD by the government cutting off the the previous authoritarian regime mitigate the risk of total and completeto $120 million USD which does not Internet. Then the Crisis Management and taking sides against their own loss in connectivity by developing ainclude lost business opportunities and Team (CMT) got together and act- customers. In the last few weeks there replica of its web services hosted inpossible SLA violations and lawsuits. ivated the Disaster Recovery Plan (DRP) to safely shut down the local has been several customer and civil Europe as well as by signing with a rights activists grouping people and prominent cloud-based managedAnother example is the banking sector. IT services and focus on securingSeveral national and multinational the physical assets, data centers,banks announced key services such key cellular towers, power generationas international money transfer and stations, from sabotage and perhapsonline banking were unavailable or looting due to riots and clashes in theunreliable. With the national ATM streets.network shutdown and the standalone Initially, the customer call center wasATM machines vandalized, millions of bombarded with complaints aboutbank customers resorted to standing difficulties using communication ser-in long queues in front of their local vices like mobile Internet, Blackberriesbank branches. Unfortunately up until and even international calls. Althoughnow there aren’t any formal studies the customer service representativeson the implications of the shortage of tried to explain the situation to callers, they later realized it was a national calling for a national day boycotting services provider to manage thecash flow on small businesses. problem. the mobile service for 30 minutes as security and availability of the well as filing tens of law suits against corporate emails for its 5,000 users.How Business On January 28th, the government the operators, This managed service had a provisionContinuity Plans Were announced a national state of that allowed them to save drafts of emergency and a curfew was enforced. At this stage the Crisis Management undelivered emails “in the cloud” forExercised Furthermore, all the mobile operators Team ordered the shutdown of the up to seven days. Once the former in the country received orders from customer call center and landlines, president and his administrationVery few companies appeared to the government to shut down all activated the internal call tree and announced his resignation, the Internetbe resilient and unaffected. Some mobile communications including ordered all staff to remain at home was back online and the employees’companies survived due to exercising voice and SMS services as a last until further notice. mailboxes were flooded with week-solid Business Continuity Plans attempt to cripple the demonstrators’ After receiving confirmation that all old emails, a situation certainly better(BCPs) yet others were sustained just communications. headquarters and branch offices than getting an empty mailbox and abecause of pure luck. countrywide had been evacuated and handful of angry customers. 6 7 July September 2011 www.bluekaizen.org
  5. 5. On the other hand, entities such as the of the traditional risk assessment as it sounds as most companies faced functions to the Cloud. As in theEgyptian Stock Exchange (egyptSE. methods available or practiced in most problems, especially when it comes diagram below (Figure 2)com) and some banks which appeared of the companies in Egypt would haveto be online and reachable throughout predicted such a risk of major politicalthe Internet blackout proved to be on a overhauling and social uprising.single and fairly small ISP in terms ofmarket share (about 8%) called Noor Interestingly this is a world premiereGroup5. Noor Group was clearly the of a government using the Internetexception. It is unclear whether the “kill switch” coupled with nationwideISP survived the former government’s mobile communication blackout. Anddecision by coincidence or perhaps that simply caught everyone off guard.due to its strategic list of customersincluding the likes of the Stock Corporate risk experts should haveExchange. learned from their previous experience in 2008, when there was a majorBased on available information, nearly Internet services disruption caused by80% of the businesses in Egypt did not an undersea Internet cable cut[3]. Figure 2 - Cloud based managed email systemlist the scenario of a national Internetblackout as a strong possibility and Failing to anticipate and include this to developing a feedback system to The system safely and securelyaccordingly were unprepared. major incident in the corporate risk ensure that the organization continues archives external emails in the cloud. matrix is impermissible. to review, incorporate and learn from Thus in case the corporate in-houseThe remaining 20% of companies were experience dealing with new and email server becomes unavailable aseither well prepared with alternative Perhaps the only companies which emerging threats that were unthinkable in the case of internet blackout, theand varied means of international continued operation throughout the or unprecedented two years ago. cloud-based managed email servicecommunication such as satellite January 2011 events “until announcing One key observation is that companies would act on the company’s behalf andconnectivity “VSAT” or companies that the state of emergency and general that used Cloud Computing were continue to receive and queue emailsdo not exclusively rely on the Internet curfew” were the ones with rigorous, noticeably more resilient and capable addressed to the company (whilefor business. dynamic and active risk assessment to work around this disruption because actually offline), all this is transparent practices that learned from the of the flexibility and availability offered to the sender, for example international 2008 events and used or translated by the Cloud Computing architecture. customers. This ensures that yourWho Survived? those lessons into viable disaster corporate image remains intact with scenarios. Apparently it’s not as easy no business opportunities lost.As most advanced secret intelligence Cloud-Based Availabilityagencies in the world such as the CIAdid not anticipate this revolution “as The cloud-based high availability Traditional BC/DRfar as we know”, the United States architecture allows companies to Practices ShortcomingsSecretary of State Hillary Clinton outsource the management anddescribed[1] the Egyptian government maintenance of their critical systems Many small to mid-sized businessesas “stable” even after three days of like email for example and move the with traditional BC and DR plans founddramatic events. Interestingly, none email archiving and high availability that their plans had many shortcomings 8 9 July September 2011 www.bluekaizen.org
  6. 6. dealing with this particular situationas there was a dependency on activating the DRP due to the complete and prolonged loss in connectivity and new & NEWSmodern technology. Ironically, many the inability to seek technical support A Visit to HITBcompanies could not activate their from partners or vendors, includingcall trees as mobiles and SMS were industry blue chip companies.unavailable, and disseminating amessage to the branch offices across The recent events emphasized howthe country was nearly impossible.modern businesses really depend on technology and particularly theEven companies with expensive Internet along with the unfortunatedisaster recovery sites (located reminder that we take these modernover 100 miles away) had problems technologies for granted. By Moataz Salah About the author: Omar Sherin I am a certified CBCP, For those who don’t know about Hack in the Box (HITB), here is an introduction. HITB is CRISC and ISO27001LA a well-known IT security organization that conducts and in my spare time an three major conferences each year, in Malaysia, the active blogger in (ciip.wordpress.com). Netherlands, and this year, India instead of the UAE. A s part of our ongoing purpose of sharing their knowledgeReferences: mission to bring the latest and expertise.1 Internet Kill Switch in information security(http://www.infowars.com/egypts-internet-kill-switch-coming-to-america/) events to the attention From the organizing perspective,2 Hillary Clinton comment on the events on the 28th of our readers, Security Amsterdam is a great choice as a(http://af.reuters.com/article/topNews/idAFJOE70O0KF20110125) Kaizen served as a media sponsor venue for the conference. Amsterdam3 Undersea cable cut for the HITB Amsterdam event. Our is one of the most popular destinations(http://news.bbc.co.uk/2/hi/7792688.stm) team attended the two day conference in Europe, as it is one of those places4 OECD statistics on cost of internet shut down and took advantage of the opportunity that offer a variety of attractions and(http://www.pcmag.com/article2/0,2817,2379324,00.asp) to interview experts and transfer the activities to do in your free time.5 Why is Noor Online? picture as much as we can for those(http://www.huffingtonpost.com/2011/01/31/egypt-internet-noor- who couldn’t attend. The choice of the hotel was spot-on.group_n_816214.html) It is located in the heart of Amsterdam It was a good experience to be at on the very famous Dam Square, so itFigures: an international conference where was hard to get lost trying to find the1 Internet Kill Switch – Source: Arbor Networks security professionals from all over hotel, and being in the center of Dam2 Cloud based managed email the world are gathered with the sole Square allowed attendees to easily 10 11 July September 2011 www.bluekaizen.org
  7. 7. showed how to extract the malicious especially given the alternative and code. The instructor provided all the more lucrative black market for attendees with a DVD containing a vulnerabilities. In the absence of a VM machine, tools, documents and positive rewards system, it is difficult exercises, even more than the ones to blame vulnerability researchers for done in the lab, to be tested at home. turning to the black market and getting I have to admit that this session was substantially more for their efforts than the most beneficial for me at HITB even the competition programs such Amsterdam. as Google’s provide. The discussion was fun and it showed clearly the fact that the black market for vulnerabilities really exists, and the most important thing is that it is really profitable. At the end, HITB Amsterdam was a good experience, and you could feel the warmth, the love and the effort of all the HITB crew. Also I have to The second day started with a panel thank Dhilon (founder of HITB) fortake short tours around the city after each covering a different topic, and discussion on “The Economics of all his effort, and the great crew hethe sessions. you had to choose one from the three. Vulnerabilities” featuring represent- built. What a lot of people don’t know To be honest, I didn’t like that idea atives from Google, Microsoft, Mozilla, is that the HITB crew members areThe conference started with a speech because I wanted to attend different Adobe and Blackberry. It was a all volunteers, motivated by sharingfrom Joe Sullivan, the Chief Security sessions that conflicted with their very lively discussion between the information and knowledge-spreadingOfficer of Facebook.com. He focused timings. Also the number of attendees audience and the speakers, as some concepts.on the security threats that Facebook was not that big, so after dividing them of the audience could not understandhandles every day, and described how into three rooms, some sessions might why vendors are not rewarding Wish you all luck in attending the nextFacebook’s employees have recently have only 10-15 people, which didn’t freelance researchers who discover HITB in Malaysia!launched a number of unique security look so good. the vulnerabilities in their products,features that leverage the social About the author:graph. He also mentioned the blocking A good example of a presentationof Facebook access during the recent was “Malicious PDF Analysis”; the Moataz Salahevents in Tunisia, Egypt and Syria. session was presented by Didier I am the founder ofI won’t get into the details here, as Steven (Security Consultant Europe Security Kaizen Magazine;you can have a look at the exclusive NV). It was a 2 hour lab session full Building knowledge is myinterview that Joe did with Security of practical activities to explain how to targetKaizen Magazine in this issue. analyze a malicious PDF using a step- BlueKaizen by-step process starting from Exercise Mail: info@bluekaizen.orgAfter this session, the conference was 1on how to extract a hidden messagedivided into 3 different tracks, in a PDF file up to Exercise 12 which To get HITB material: http://conference.hitb.org/hitbsecconf2011ams/materials/ new & NEWS 12 13 July September 2011 www.bluekaizen.org
  8. 8. ArabBSD and OSF/1 systems in the 1990s (both Berkeley Software Distribution (BSD, of which incorporated BSD code), in sometimes called Berkeley Unix) is recent years modified open source the UNIX derivative distributed by versions of the codebase (mostly The New Evolution for the University of California, Berkeley, derived from 4.4BSD-Lite) have seen starting in the 1970s. The name is increasing use and development. Arab Operating System Developers also used collectively for the modern FreeBSD is classified as one of the By Mohammed Farrag most reliable and secured operating systems according to http://news. netcraft.com. Also, the availability of ArabBSD is a project which aims to FreeBSD core team members and their full cooperation lead us to consider it increase the awareness of operating system as the development environment. I development and help Arab operating system didn’t forget to mention that CISCO developers in BSD environment starting from and Yahoo servers are “FreeBSD the analysis of FreeBSD operating system Machines”. descendants of these distributions. infrastructure, formulating block diagram and     BSD was widely identified with Regarding the current progress, calling for research groups in each track. the versions of UNIX available for some work in tutorial translation field workstation-class systems. This can has achieved and we are workingT he need for working in stable Kernel APIs will affect higher layer be attributed to the ease with which it hard for better. Finally, anyone who track has become a desire application to be either not running could be licensed and the familiarity is interested in operating systems for many programmers. The or running incorrectly. In Operating it found among the founders of many and their news can join us on ourcomprehension of the Operating System, you can select the technology companies during the website https://sites.google.com/site/System programming pays best suitable environment 1980s. This familiarity often came from arabbsd/ , our facebook group or ourprogrammers attention for your code, i.e. cloud, using similar systems—notably DEC’s Google mailing list. Members will keepand leads them to highly filesystems, embedded, Ultrix and Sun’s SunOS—during their up with operating systems issues forclassify it. security, DataBase and or education. While BSD itself was largely both administration and development Also, OS programming network programming. superseded by the System V Release 4 including mastering all types ofrequires intelligence for The work in ArabBSD programming.applying constraints from is accomplished in twosoftware on hardware parallel directions. The first About the author:and providing compatibility is the translation of FreeBSD Mohammed Farragbetween different peripherals and documentation and its learning ArabBSD Project Manager,processor and this make a competition tutorials into Arabic beside the website FreeBSD Contributor,for those who like challenges. translation. The second is offering free Google Technology UserSimply, Operating System acts as summer training for starting work on FreeBSD development. But Why BSD Group Administrator, GTUGintermediate layer between softwareand hardware. Any change to the Systems?! Magazine Project Manager. new & NEWS 14 15 July September 2011 www.bluekaizen.org
  9. 9. Friday, 4th of February 2011, AlJazeera.netRecent Hacking Website was Hacked AlJazeera and other news agencies have been working so hard during the last few months to cover the Egyptian and Tunisian Incidents revolutions. However, some people didn’t like the way that AlJazeera handled this coverage to the limit that it was blocked from the NileSat. That’s why an anonymous hacker hacked Aljazeera.net website and wrote the following message “Together in Egypt & to bring Egypt down”. Wednesday, 30th of March 2011, ON TV Website was hacked Middle East The ON TV website has been hacked by an anonymous hacker called A-Alexand. The message left at the website says:”The marriage of power and money produces corruption, no for money exploitation to control power and politics... Yes for Egypt free fromIn this article, we have collected a few of the cyber attacks that corruption”. He also sent out a warning to Naguib Sawiris, thehappened in Egypt or Middle East on Governments, Banks and Media in owner of the channel, to stop launching a campaign against Islam.the last few months. We would like to thank Osama Kamal for his effortsin helping us collect all this data. The content of this article does not reflect Security July September 2011 Kaizen‘s opinion on the matters. We are simply stating some of the reported incidents.This page was h@cked Media Sector Sunday, 5th of June 2011, Akhbar el yom website was hacked The Akhbar Al Youm newspaper website was hacked because of a Government Sector cartoon by Mustafa Hussein and Ahmed Ragab about a Salafi trend in Egypt. The hacker claims that he is not a Salafi but a Muslim June 2011, Login Passwords for Government Websites in Bahrain, and he does not accept mocking other Muslims and ladies wearing Egypt, Jordan, and Morocco Were Published Online Neqab. He even said that no one dares to mock the Christians in this way wondering how the newspaper calls for A list of Egyptian government agency e-mails including Ministry of dialogue, tolerance and freedom of expression while Communication and Information Technology, NTRA, IDSC and others they mock Muslims. He is angry and is wondering have been breached. This incident was reported by Security Kaizen to why the women wearing Neqab were mocked EGCERT and they proceeded with their investigations. The same was despite it is their personal freedom. done in Bahrain, Jordan and Morocco. new & NEWS 16 18 99 19 July September 2011 ERROR_678 www.bluekaizen.org
  10. 10. April 2011, Abu Dhabi Islamic bank June 2011, Bahrain Governments’ Websites Attacked A Phishing mail was sent from customerservice@adib.ae withHackers have launched a series of attacks on government websites the subject: SECURITY NOTICE asking the user to follow aafter the country was granted the right to stage the Gulf Air Bahrain certain link to use the new upgraded SSL database of the bankGrand Prix. instead of the old one.The Northern Governorate website, the official government tourismwebsite and others have been hacked. Pictures of wounded anti-government protesters were visible if users clicked on categories onthe main page of either website. Dubai First Bank April 2011, Website of Municipal Council A Phishing mail was sent from service@dubaifirst.com with subject: of Elections in Saudi Arabia was Hacked Your Online Banking Has Been Blocked with a link attached to The attacker was successfully able to change the main home page reactivate your account. As with all Phishing attacks, the attached of the website and add a message to King Abdallah ben Abdelaziz links guide you to the attacker’s website not the real bank website. asking for help from the injustice of the traffic system in the attacker’s city, stating that he suffered a lot from it and is nearly bankrupt! References: http://egyptianchronicles.blogspot.com/2011/06/akhbar-al-youm-website-is- hacked.html http://egyptianchronicles.blogspot.com/2011/03/ontv-website-is-hacked.htmlFinancial Sector: http://www.aljazeera.net/NR/exeres/07E58207-E080-414F-9C52- 5C7D57CB6205.html http://www.tradearabia.com/news/IT_200063.html May 2011, HSBC Egypt Bank Phishing Attack http://pastebin.com/n98jDJMq http://www.tech-beat.com/719/ A Phishing mail was sent from customer_service@hsbc.eg with the http://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_ subject: Update Your Account. The message requested that the user no=239311&mode=alert click on the link attached in the mail to receive an urgent message, http://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_ otherwise the user’s online banking would be blocked. no=239214&mode=alert http://www.fraudwatchinternational.com/phishing/individual_alert.php?fa_ no=239048&mode=alert This page was h@cked new & NEWS 00 19 July September 2011 www.bluekaizen.org
  11. 11. Interviews Today, Facebook Interview withJoe Sullivan, is one of the most popular websites in the whole world, especially in the MiddleCSO of Facebook.com East. It is one of the best- known examples of the By Moataz Salah new phenomenon of “social networks”, where users voluntarily share information and their personal histories, with stories and regular updates on their daily lives, along with photos of family and friends, their connections, and more. With so much personal information shared in social networks, and so many data breaches in the news, the privacy of Facebook has become a real concern. Facebook.com is also credited with playing a main role in the Arabic Revolutions in the last few months. The increased use and impact of Facebook amongst the general population has prompted entities such as the Egyptian Army and other government agencies to create official pages on Facebook. That’s why it was mandatory for the Security Kaizen team to conduct this interview with the Chief Security Officer of Facebook.com, Mr. Joe Sullivan, and try to learn more details about Facebook security. Moataz Salah, Security Kaizen Editor, met with Joe and asked him the following questions. 21 July September 2011 www.bluekaizen.org
  12. 12. Can you please introduce yourself to Security Kaizenreaders? What is the most challenging incident you have faced recently?I’m Joe Sullivan, the Chief Security Officer at Facebook. I manage a fewof the teams at Facebook focused on making sure that people who use Our biggest challenges come when we have to disprove negatives. ThereFacebook have a safe and positive experience. are so many security “experts” writing about Facebook we are constantly responding to claimed vulnerabilities that turn out to be theoretical at best.Prior to joining Facebook in 2008, I spent 6 years working in a number of Just in the last month there were two stories that received global mediadifferent security and legal roles at PayPal and eBay. Before that I worked coverage where if you had read the headlines you would assume that majorfor the US Department of Justice for 8 years. I was very lucky to have the security breaches had happened. In fact, in neither case had a securitychance to be the first federal prosecutor in a US Attorney’s office dedicated vulnerability lead to harm to a single person.full-time to fighting high-tech crime. I was privileged to work on many high- We also deal with really unique challenges that require speed and creativity.profile Internet cases, ranging from the digital evidence aspects of the 9/11 The situation in Tunisia (when ISPs started inserting code into our login page)investigation to child predator, computer intrusion, and economic espionage stands out in my mind, because it was something we had not seen before butcases. I was also a founding member of the Computer Hacking and were able to roll out a complete incident response plan (including launchingIntellectual Property Unit, a special unit based in Silicon Valley dedicated coding changes on our site) in under five days.exclusively to high-tech crime prosecution. Do different governments including the US governmentCan you give us an overview of the Security Teams in ask for your help in certain Cyber Crime cases?Facebook, the role of every team and the average Examples?number of employees per team? Someone on my team talks to a government official from somewhere inWe have over 30 people on the Security Team, but that really understates the world almost every day of the week—and that should be no surprise.the number of people working on Security at the company. Facebook has These interactions range from the typical sharing of cyber crime trends,engineering, risk, compliance and operations teams outside of Security to participation on investigations, to dialogue about content standards, tothat are also 100% dedicated to security and safety. Together there are responding to requests for user records. We try to foster positive dialoguehundreds of us focused on the area. Within the Security Team, we divide up so that we understand government concerns while always maintaining ourinto functional groups such as product security, investigations, information commitment to respecting the privacy and security rights of our users.security practices, and law enforcement relations. What was your action plan during the recent situationsWhat kind of daily activities do you handle? in the Middle East when some countries blocked Facebook?Facebook Security has a wide range of duties ranging from keeping ourphysical environment and electronic data safe to helping maintain the Our primary focus throughout this time was on maintaining account securityintegrity of the site. We work internally to develop and promote high product and integrity. We cannot counter a decision to shut down internet accesssecurity standards, partner externally to promote safe internet practices, and altogether or block access to our site but we can focus on preventingcoordinate internal investigations with outside law enforcement agencies unauthorized access to accounts.to help bring consequences to those responsible for spam, fraud and otherabuse. Interviews 22 23 July September 2011 www.bluekaizen.org
  13. 13. To avoid future similar incidents,what kind of updates did you haveto your contingency plan? Why y ouWe continue to focus on measures to give shouldpeople more control over the security of their attendaccount. We launched opt-in HTTPS and Cairo S ehope to make HTTPS by default soon. We Camp curity Excelle 2011?now offer Login Notification, Login Approvals(a form of two-factor authentication), nt Sp Securit eakersSocial Verification, One-Time Passwords Cairo will brin y Camand Remote Session Control to give all g you p 2011 best S someour users the tools to safeguard their ec of the in Egy urity Expertaccounts. To complement these user- pt speak Presen and MENA ersfacing tools, we constantly iterate on tations area. discus a sions o nd panelour technical systems which consist recent n the m se osof multiple proprietary programs that held fo curity topic t r two d s will bclassify malicious actions, roadblock ays. ecompromised accounts, scan URLs andmaintain the integrity of the site.Did you notice attacks to specific protesters’profiles or specific groups during this period eitherfrom the old Egyptian government or the Tunisiangovernment?One silver lining on all of this has been that the same tools we rolled outyears ago to prevent Phishing and other types of account takeovers workequally well in combating other types of attempts to compromise accounts.But out of respect for the privacy of each user, we have not publicly discussedspecific cases.Do you think governments have the right to cut theInternet connections and what do you think the responseof US citizens would be in such a case?Through our growth as a service used by hundreds of millions of peoplein every country in the world, we have shown the power of the Internetas an indispensable tool for communication. To the extent we believecommunication and access to information are fundamental to a just society,we should always be concerned when access is denied. Interviews 24
  14. 14. Does DRI International play a role in supporting Interview with conferences covering Business Continuity andAl Berman, Disaster Recovery (BC/DR)? DRI has been involved in conferences all around the world. In fact, I recently returned from a conference in Brazil, of which one day (DRIDAY) CEO of DRII.org was dedicated to DRI certified professionals discussing their roles in their organizations. And at the end of June, I am attending a conference in Brussels. DRI has spoken at conferences in Spain, Mexico, Singapore, the United States, and Malaysia in 2011 alone. And in 2012, DRI International By Moataz Salah & Omar Sherin will be having its own conference in May in New Orleans.Can you introduce yourselfto Security Kaizen readers?I have been the Executive Directorfor DRI International for the last fiveyears. Prior to that, I was the BusinessContinuity Management Global Headfor Marsh and prior to that I was theOperational Resilience Director for PwC.Additionally, I am the former CIO of amajor bank, as well as a former CEO.Can you please introduce Can you give us an update as well as your insightDRI International as an organization and the onto the recent activities centered around BCrole the DRI members play in the various regulations and standards worldwide?industries/professions? We’ve seen a number of new standards and regulations around the world inDRI International is a non-profit organization, which for the last 23 business continuity, and most of them turn out to be a reaction to an event.years has been dedicated to preparedness around the world. We are 9/11 was a big impetus in the United Stated, but we’re seeing it all over thethe largest certifier and educator of people in Business Continuity. We world. Every central bank has a business continuity requirement. Thereserve on committees all around the world. We teach in 45 countries, are British standards (BS 25999), U.S. standards (NFPA 1600), and therein eight languages, and we have some 8,500 certified professionals are other standards as well. The new evolving standard, ISO 22301 will bein more than 100 countries and in every industry and profession. another attempt at creating an ISO standard to replace BS25999. Interviews 26 27 July September 2011 www.bluekaizen.org
  15. 15. doing. Standards, on their own, do not do that. They only serve as a basis ofBut we are starting to see more regulations, and they come out of major comparison, from best practices to how you are doing at your organization.events. If you look at the events in the United States recently, the Dodd-FrankBill – which is to deal with the economic crisis – has business continuity in After the recent conditions in the Middle East andit. FINRA, which is the financial regulatory body in the United Stated, justpassed regulation 4370, which also covers business continuity. also the huge earthquake disaster in Japan, do youBut what we’re seeing is the real understanding that businesses have to think that organizations that use the Cloud conceptbe prepared for emergencies, and they have to go through the planning will be a step ahead?process so they can maintain the viability of not only their business but alsoeverybody else’s. And recent incidents in March in Japan, for example, I think what the Cloud concept does is distance you from a particular incident.showed how incidents affect supply chains around the world. What we saw, in Japan in particular, was the ability for financial system to continue to operate even in those areas that were devastated by theDo you think the new and emerging BC/DR tsunamis. So, I think the answer to that is yes.standards will also focus more about the recovery However, in the Middle East, one of the big problems when we looked at theof the technology environment as most standards recent disruptions in Egypt was closing down the Internet. Closing down thehaven’t been historically? Internet would not have helped you continue to work even if you had Cloud technology. So, as long as communications are available, Cloud technologyI think there are a lot of standards about technology; ISO 27001 is totally certainly is a better way of doing things, especially in a crisis.focused on technology. But I think, to some extent, you’re right. The newISO standard 22301 will replace BS 25999. As you probably know, BS 25999 In the wake of the recent ME events, how woulddoes not contain IT recovery. So, I think there is significant understandingthat technology is an instrumental part of recovering all operations. you prioritize the biggest concerns for organizations that are in the region now?In your opinion what will the new ISO 22301 try Obviously, we have great concerns about people, but I think technology is ato improve and stress compared to the current BS- very big component of what is needed. We need to make sure technology25999? is available so that you can communicate within the country and without the country. I think we need to understand that there have to be plans in placeI think the obvious one is technology recovery, which is missing from BS and there have to be resources that you can utilize outside of the affected25999. I also think that it is more broad-based, being an international area. So, I think what we’re really saying is that we do need a great deal ofstandard, as opposed to being a strictly British one. It provides a broader planning, and more importantly, we need to be able to test those plans.framework in which to work. I think it’s certainly an improvement over BS25999. Many organizations reported a rise in fraudulentBut as most people know, standards themselves are not as strong as transactions following the events, especiallyregulations. And I think we’re going to see more regulations. When you activities that fall under money laundering. Whatlook at regulations, they are prescriptive so they tell you what to do. And are some of the associated risks that organizationsthey are performance-based, so they you how to measure what you are need to consider in a time of disaster? Interviews 28 29 July September 2011 www.bluekaizen.org
  16. 16. In a time of disaster, we tend to go use facilities Why ythat are not as case-hardened and not as ouprotected as those that are in our normal day- should a Cairo S ttendto-day operations. So, one of the things weneed to make sure of is that the security of e Camp curitythose facilities, including Cloud technology, isequal to if not better than our own security.And we have to have some oversight. One 2011? First O rgaof the things we often miss is not having Arab C nized by aaudit/compliance teams available to ount n Securit ry Cairounderstand what’s going on. In a crisis, annua y Cam l even pwe can expect that people will try to Inform t targe is an at ting thcommit fraudulent acts, and we have to Comm ion Security e unity obe prepared for those things. Middle f the Ea st an Africa (MENA d North IT prof RegionIn your opinion what can securit ession als an ). y prac dbe the ideal driver for throug tit Page number 33 hout t ioners fromadopting a culture of BC/ invited he to atte region are Securit nDR in a region like the y Cam d. Cairo Inform p ation S is the firstME where there are no Confe e rence curityregulations or laws? an Ara organ b Cou ized b ntry. yWell, one thing is that we are startingto see some of that come about. I think that if youlook at the central bank of any Middle Eastern country, youwill see that BC/DR is included. But I think the driver isgoing to be what it has always been, and that is business– outside corporations considering doing business inthe Middle East and using Middle East suppliers. Thosesuppliers are going to have to reach a level that is at leastequal to what people are seeing domestically. I think thedriver will be business, but I think corporations have shownthat they will comply with regulations no matter where theyare. And what we’ve found is if you want to continue togrow your business, you’re going to have to have businesscontinuity. Interviews 30
  17. 17. The Cloud infrastructure represents a paradigm shift for BC/DR. Businesses are looking for cost-effective solutions Why y for reliability, and a well-designed Cloud ou shouldCould the Computing architecture with multiple a redundant sites makes it suitable Cairo S ttend for utilization in a comprehensive e Camp curitycloud save your Business Continuity and Disaster Recovery strategy. Educta 2011? ion &business from In October of 2010 Aberdeen group Knowl Sharin edge surveyed over 100 organizations with g Infor knowle ma formal Disaster Recovery programs to dge tr tion and the ma ana disaster? learn whether they used public Cloud in targ sfer is Securit e storage and if so, what benefits were y Cam t of Cairo Cairo p 2011 realized in their performance. Aber- Securit will inc yC deen discovered that organizations lude tw amp 2011 keyno o day te add s that had moved at least part of their presen resses, of tations data storage to the Cloud recovered discus , sions a panel from downtime events almost 4 an exp nd mo By Mahmoud Tawfik audien ected comb to re,C times faster than those with no c ine weather-related disruptions, not just formal Cloud storage program. 500 pa e of more th d loud Computing has rt an One d icipants become a significant rare, catastrophic disasters. Security In addition, users of Cloud ay technic will cover t technology trend and and risk professionals should take storage met their Recovery Time al top ics and e h other Objectives (RTO) more often da t many experts expect advantage of this increased visibility the ma y will cover he that cloud computing will as the economic recovery slowly than those storing their data in- nager ial top house. icsreshape information technology (IT). thaws IT budgets to improve the BC/ DR’s organizational and processAccording to Forrester’s recent survey maturity for the long term. A Cloud-based BC/DR solution is aof 2,803 IT decision-makers, improving The report “Business Continuity and good fit for any business with a low Computing are security and privacyBusiness Continuity and Disaster Disaster Recovery Are Top IT Priorities tolerance for downtime and data loss issues, which have been furtherRecovery (BC/DR) capabilities is the for 2010 and 2011” indicated that 32 but this does not guarantee that there categorized to include sensitiveNo. 1 priority for SMBs and the second % of enterprises and 36 % of SMBs are no service outages. For example, data access, data segregation, bughighest priority for enterprises for the plan to increase spending on business a rare and major outage of Amazon’s exploitation, recovery, accountability,next 12 months. continuity by at least five percent. Only Cloud-based Web service in April malicious insiders, management 11 % of enterprises and 8 % of SMBs took down a plethora of other online console security, account control, andThe scope of BC/DR programs is plan to decrease their spending. sites, including Reddit, HootSuite, multi-tenancy.growing also: mature programs Foursquare and Quora. Solutions to various Cloud securityaddress all sources of downtime — These statistics indicate that issues include greater use ofincluding mundane power outages and businesses are looking for reliability. The main concerns of Cloud cryptography, particularly public key 32 33 July September 2011 www.bluekaizen.org
  18. 18. best-practices for providing security Futuristicinfrastructure (PKI), use of multipleCloud providers, standardization of assurance within Cloud Computing,APIs, improving virtual machines and to provide education on the usessupport and legal support. of Cloud Computing to help secure all other forms of computing. The Cloud Approach toThe Egypt Cloud Forum organized Security Alliance is led by a broadEgypt Cloud Day to increase the coalition of industry practitioners,awareness of Cloud Computing and corporations, associations and other key stakeholders. Ensuring Datarelated security issues. The EgyptCloud Forum is the official affiliateto the Cloud Security Alliance, EgyptChapter, with the focus area on “Cloud Security in CloudsVulnerabilities Identification andVirtualization Security”.The Cloud Security Alliance (CSA) By Vinoth Sivasubramanian & Mohamed Mohieldeen CLOUD FORUM Iis a not-for-profit organization witha mission to promote the use of nformation Technology has come the traditional triadic way but must be a long way ever since computers viewed in a different way. This paper were invented. Similarly will discuss ways on how data security Information Security has come paradigms can change in the near a long way. Trends such as Cloud future and ways to address the new. Computing have been helping Small Traditionally Information Security has About the author: and Medium Investors and Innovators been governed by the “CIA” triad, Mahmoud Tawfik (SMIs) by reducing the initial cost of namely Confidentiality, Integrity and I am the CEO of Fixed Solutions and deployment and maintenance. This Availability, but this is bound to change Penetration testing Director at Cloud will definitely pave a new path ahead in the future especially with data being Security Alliance - Egypt Chapter. for many people. With emerging spread across the globe. This model MSTawfik trends such as these data security will ensure a considerably high level of Email : m.tawfik@fixed-solutions.comg in the Clouds must not be viewed in data security and authenticity: Confidentiality Confidentiality IntegritySources :http://money.cnn.com/2011/04/21/technology/amazon_server_outage/index.htmhttp://www.forrester.com/rb/Research/business_continuity_and_disaster_recovery_ Governance Availabilityare_top/q/id/57818/t/2http://www.cloudsecurityalliance.orghttp://www.egyptcloudforum.com/?q=node/42http://www.aberdeen.com/aberdeen-library/6827/RA-disaster-recovery-cloud.aspx Integrity Availability Accountability Visibilityhttp://www.aberdeen.com/aberdeen-library/6827/RA-disaster-recovery-cloud.aspx 34 35 July September 2011 www.bluekaizen.org
  19. 19. Since there are enough materials 1.1 Availability:and resources available already to meet the metrics that are deemed fit This will ensure that your data is takenaddress the first three parameters Draft SLAs which will clearly enlist by the organization; outcomes could care of properly, as organizations thatsuch as Confidentiality, Integrity and the minimum time that the organiza- range from cancellation of contracts to have these certifications get auditedAvailability we will focus on the other tion can hold on disruptions. This is fines imposed due to legal obligations. by an independent body. If this is notthree parameters namely Visibility, because certain applications in an or- feasible, get them to follow at the leastAccountability and Governance. We ganization will not be critical as com- 1.4 People Employment: good Incident Management, Changewill focus this article from a Process pared to their front-line applications. Management, Release Management,and Governance perspective. This way the customer ends up get- Clearly enlist the kind of people who Problem Management and SecurityA clear well-defined Service Level ting better quality of service for their must be employed to manage your Management procedures as perAgreement (SLA) is the first step in most critical applications. A sample data and infrastructure, the kind of ITIL or any other leading standards.ensuring the security of our data. Here template is given below which can be checks that must be done on those This will ensure confidence amongstwe provide some fresh approaches used as a cue: people, the credentials (degrees and stakeholders as well as management.to drafting an certifications) that they must hold. Name of Application Availability Required Mean Down TimeSLA that will 2. Visibility: Internet Banking 100 Nildeliver a win-win 1.5 Good Governance Practices: HRMS Application 99 1 Hoursituation. Ensure that an organization such as One of the biggest challenges of Cloud an Internet Service Provider (ISP) will Computing is gaining visibility into the1. Accountability: 1.2 Rewards Management : practice good governance principles infrastructure of the service provider. in reference to management, which Most organizations will provide someAccountability is a concept in Ethics and This is something new, draft sort of certification such as ISO 27001 is basically corporate governanceGovernance with several meanings. agreements that clearly state the but does that ensure that everything that extends beyond IT governance.It is often used synonymously with rewards that you will share with is taken care of? Unfortunately it does Conducts of good governance guidesconcepts such as responsibility the provider if the ultimate goal of not. So how should an organization are available in the OCEG Red book.and answerability. From a modern providing secure and reliable data tackle visibility? Here are certain steps Organizations that practice goodmanagement perspective it can be quality is met; make them understand to do so: governance are more sustainable incoined in two words “Stupendous the metrics that you require for sharing the long term. To cite an example, inleadership” , this can be looked at incentives. Also provide certificate-of- 2.1 Have a dedicated team in-house: the case of an Internet Service Providerfrom either a people perspective or excellence rewards to the people who going in for a merger or acquisition thefrom an organizational perspective maintain your infrastructure and help Have a small but dedicated in-house ISP should ensure that customers are,wherein both the people and the achieve business excellence. team of system admins, network properly informed and have visibilityorganization go beyond the call of their on what is happening to their data. admins, or security personnel who canduty to create sustaining and winning 1.3 Loss of business: mark the nature of data as to whether itrelationships. Here are some factors 1.6 Good IT practices: is critical/semi-critical/normal and alsothat can be woven into the Service Clearly state the legal and other risks monitor the movement of data. The that the vendor will incur if they do notLevel Agreement: Make them accountable to follow good KRA of this team should be to report IT practices such as ITIL, SAS70, etc. violations and Log anomalies. 36 37 July September 2011 www.bluekaizen.org

×