Posts

Showing posts from 2015

Work on the CSA CCM 3.01 Azure entry

Hello everyone. Today my team released an update to our response to the Cloud Security Alliance's (CSA) Cloud Control Matrix (CCM) version 3.01 framework. It took a phenomenal level of work to get such a massive document lifted, revised, and posted. If you are interested in the work, read the paper, which is over 36 pages long and covers 130 controls. Here's what we announced: Microsoft Azure is proud to release our response to the Cloud Security Alliance's (CSA) Cloud Control Matrix (CCM) version 3.01 framework. The response document provides customers a straightforward process for evaluating Azure's security, privacy and compliance capabilities and its commitments to trust and transparency using industry-accepted standards and practices. In addition, the CCM, and its entry into the CSA Security, Trust, and Assurance Registry (STAR), provides a "one stop shop" offering a comprehensive guide addressing standard requests for information that cloud adopters need in orde

A Practical Guide to Designing Secure Health Solutions Using Microsoft Azure

Today I finished publishing my latest work of security and compliance content. Check it out! The A Practical Guide to Designing Secure Health Solutions Using Microsoft Azure whitepaper provides readers with considerations and guidance for using cloud technology, including risk management, shared responsibility considerations, establishing an information security management system, understanding industry and local regulations, and establishing standard operating procedures. It outlines, and provides recommendations for, 13 security principles that are aligned both to a standard information security management standard, such as ISO 27001, and to standard development processes, such as Microsoft's Security Development Lifecycle (SDL). The paper also gives readers a direct view of the key principles by applying them to a 'lift and shift' health-based case study. Whitepaper Table of Contents: Compliance and security methodology, Standard operating procedures, Incorporating regul

Team Ghost Shell returns

While doing a bit of reading recently I ran across this interesting story about Team Ghost Shell, an active hacking group that came back to life on June 29th after a couple of years of silence. The group recently exploited an extensive list of sites, which they disclosed on Pastebin. If you read the hacker team's extensively long diatribe, you will get the impression that their motives are pure and for the benefit of society, but as with all such disclosures, the only people who suffer are the victims found in the data drop. You can also distill from the dialog that they probably used several COTS exploit kits, and it seems that these involved extensive use of cross-site scripting attacks. What interested me in particular is that in 2012, when the team declared its supposed 'peace treaty' and began its extensive hiatus, they included a data dump of a host that they had compromised. The host information was listed as: Server Type: Apache/2.2.3 (Red Hat). What is noteworthy to me is that t

Next gen Stuxnet - Duqu 2.0?

Last week the discovery of the new and revised Duqu stirred interest in the similarities between this new malware and Stuxnet. A bit of history about both Duqu and Stuxnet. Stuxnet: Stuxnet made its name by attacking the Iranian nuclear facilities in 2012. This worm was designed to attack the industrial programmable logic controllers (PLCs) in a nuclear system. It turns out it worked great, and put several Iranian centrifuges out of commission. Shortly after, the underlying vulnerability MS15-020 that Stuxnet exploited was discovered and used en masse by the underground community. However, the actual code behind Stuxnet remained a mystery. Duqu: Duqu has been making its rounds for a while, primarily used to collect keystrokes and for general exfiltration from systems. This Trojan made its fame with the kernel exploit in MS11-087, and has been used by the bad guys to spy on users and even remotely format hard drives. Duqu 2.0: Now

Attacking the hypervisor venom

Who says that the hypervisor is 100% secure? Thanks to a security flaw in the virtual floppy disk controller, VENOM (CVE-2015-3456) has become a reality and can possibly be used to escape from a virtual guest into adjacent VM systems. At the time of this release the QEMU virtual floppy disk controller (FDC) flaw affects Xen but does not affect VMware or Hyper-V. This vuln is a doozy, especially for organizations that rely heavily on Xen. This March I read a great article which described how, if a vulnerability were to be discovered in Xen, Amazon's Steve Schmidt would 'get busy', which I would take to be today! Of course this leads to the next question on my mind: has VENOM been used to successfully exploit Amazon, and would we know about it? If you're running any of these, consider the posted workaround ASAP! A list of affected Linux distros: RHEL (Red Hat Enterprise Linux) versions 5.x, 6.x and 7.x, CentOS Linux version

Protecting sensitive data

Last month I wrote an article on key things to consider when protecting high-value assets or sensitive data. The article, called Security Tip of the Month: Protecting Highly Sensitive Information, addressed some of the key items that organizations should consider when protecting data whose loss could have an irreparable impact on the organization. As my article stated, the cost of protecting this data tends to be higher than for most data. The fact is that this data is not just the traditionally sensitive kind, such as credit card data or HR data. Key indicators of what is High Value Data can be summed up like this. Assets that are considered to be of high value will frequently have the potential to cause the following conditions if they are lost or divulged:
• Loss of life - such as an informant list
• Regulatory fines - such as financial performance data
• Significant damage to the business - such as code signing and encryption keys (private) or trade secrets