Cybercrime is already a global scourge... Do you really think you are protected?

Wednesday, December 23, 2015

Nowadays, the exponential development within the ICT field has led to a new scenario in which organizations can exchange information more effectively, establish new business models and, in general, reduce operational costs while increasing efficiency and profitability.

Nevertheless, technology has evolved for everyone, and cybercriminals take advantage of the same new and more sophisticated techniques, even perpetrating coordinated and complex attacks against organizations or their supply chain within a few minutes. This has given rise to a new generation of threats and cybercrime which imply greater risks and a bigger impact for companies.

In fact, the latest figures indicate that the cost of cybercrime already represents 0.8% of the global economy, exceeding the drug and arms trade. Any organization can be attacked: cybercriminals no longer discriminate on the basis of a company's location, size, industry or ethics. Recent studies show that 97% of organizations have been hacked or breached to a greater or lesser extent, and that 69% of detected threats were discovered by external parties, which means that traditional internal means are no longer sufficient.

Another clear sign that organizations are not prepared for this new scenario is that, according to the latest global reports, they take over eight months on average to notice and fully recover from an attack, which in some cases has a critical impact on the organization and can even threaten its survival.

Therefore, it is clear that the traditional approach (castle security, i.e. a hardened perimeter around the organization's own network) is no longer sufficient to face the risks organizations are exposed to today. A focus beyond the organization's own environment becomes necessary, centred on the security risks which impact its business, its supply chain included. In this sense, implementing a new risk management model which adequately coordinates the capacities of prevention, detection, analysis, mitigation, response and recovery becomes essential.

To address this new scenario, ElevenPaths offers CyberThreats, whose holistic, cyberintelligence-focused risk management model helps organizations prevent, detect and respond continuously to the cyberthreats which might have a high impact on their business model. The main modules on which CyberThreats is structured are shown below:

Overall, thanks to our expert team specialized in Threat Detection and Incident Response, together with the orchestration of our own proprietary technology and processes combined with the market's best practices and strategic alliances, organizations benefit from continuous advanced support through the entire threat lifecycle, which facilitates decision-making and corporate risk management. The next graph summarizes the CyberThreats performance model, from multiple-source scouting to value delivery to customers:

For further information, please visit the CyberThreats webpage or contact us:


Manuel Muñiz Somoza
manuel.muniz@11paths.com

Metashield for Exchange soon to be available. How does it work?

Wednesday, December 16, 2015

Metashield for Exchange joins our currently offered server-side metadata cleaning solutions and broadens the flexibility and customization options we offer companies to get rid of sensitive information and metadata leaks.

A plugin for Outlook is already offered, but depending on its needs and server architecture an organization may opt for a centralized, Exchange-specific solution. In this case it is easier for the end user, because the cleaning process is completely transparent and occurs asynchronously on the server.

So where exactly does Metashield for Exchange fit in the Exchange message pipeline? Exchange servers run several roles, such as the Mailbox, Client Access and Edge Transport server roles. Metashield for Exchange is installed on Mailbox servers as a plugin-like routing agent and resides, more specifically, in the Transport service.

Once configured, instances of Metashield for Exchange are spawned for outgoing messages. These instances bind to the OnSubmittedMessage event of the message delivery pipeline and clean the attached documents asynchronously using the Metashield Engine service. As soon as a document is clean, it is sent on through the pipeline to its destination.

This way we ensure that every outgoing document is metadata-free by the time it reaches the outer boundary of the organization's mail server.

Source: https://msdn.microsoft.com/en-us/library/office/dd877035(v=exchg.150).aspx

However, there are cases in which a certain email attachment should not be cleaned and its metadata should be preserved. For this purpose the administrator can define advanced rules to skip those messages and leave them "unclean".

Configuring Metashield whitelist
As for customizable options, a caching layer is available, configurable as memory- or file-based. In the case of forwarded message chains containing attachments, the cache can give a significant performance boost, since an attachment that has already been cleaned does not need to be processed again on each hop. We recommend its use.

Using cache in Metashield for Exchange

Of course, the profile- and template-based cleaning system known from other Metashield products is maintained. As an example, let's look at a real-world configuration where documents should keep information about the company while all other metadata is cleaned:

A step by step example
 
First of all, a new template with the desired actions needs to be created. This one will be simple, for demonstration purposes.


Creating a new template

After that, the newly created template should be assigned to the desired extensions or extension families.

Add the template to a profile
Upon applying the configuration, Metashield will start cleaning all the newly configured extensions and will include the company information configured in the template. That simple.
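What the template and whitelist from the screenshots amount to, as an added Python example that is not Metashield's own code (Metashield runs inside the Exchange Transport service and handles many formats; this only rewrites the docProps/core.xml part of an OOXML package). The template values, the whitelisted domain and the sample document are constructed for illustration:

```python
# Added example (not Metashield's code): template-driven cleaning of the core properties
# part of an OOXML attachment, plus a recipient-domain whitelist rule.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Hypothetical template: properties to keep, with the company value forced into them.
# Every property not listed here is removed from docProps/core.xml.
TEMPLATE = {"{%s}creator" % NS["dc"]: "Example Company",
            "{%s}lastModifiedBy" % NS["cp"]: "Example Company"}

# Hypothetical whitelist rule: mail to these recipient domains is left untouched.
WHITELIST_DOMAINS = {"legal.example.com"}

# Constructed core.xml with the kind of leak the product targets: user names, a host name, dates.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q4 forecast</dc:title>
<dc:creator>alice.smith</dc:creator>
<cp:lastModifiedBy>DESKTOP-7F3A\\bob</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2015-12-01T09:12:00Z</dcterms:created>
<cp:revision>17</cp:revision>
</cp:coreProperties>"""

def build_sample_docx():
    """Minimal OOXML-like package containing only the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

def clean_core_xml(xml_bytes, template):
    """Drop every property not in the template; force the template value into those kept."""
    root = ET.fromstring(xml_bytes)
    for child in list(root):
        if child.tag in template:
            child.text = template[child.tag]
        else:
            root.remove(child)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def clean_docx(docx_bytes, template):
    """Rewrite the package: replace docProps/core.xml, copy every other part unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = clean_core_xml(data, template)
            dst.writestr(item.filename, data)
    return out.getvalue()

def read_core_props(docx_bytes):
    """Inspect what a package still exposes: {local property name: value}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {child.tag.split("}")[1]: child.text for child in root}

def should_skip(recipients, whitelist):
    """Whitelist rule: skip cleaning if any recipient belongs to a whitelisted domain."""
    return any(r.rsplit("@", 1)[-1].lower() in whitelist for r in recipients)

def process_message(recipients, attachments, template=TEMPLATE, whitelist=WHITELIST_DOMAINS):
    """The agent's decision for one outgoing message; attachments is {file name: bytes}."""
    if should_skip(recipients, whitelist):
        return {"skipped": True, "attachments": attachments}
    cleaned = {name: clean_docx(data, template) if name.lower().endswith((".docx", ".xlsx", ".pptx"))
               else data for name, data in attachments.items()}
    return {"skipped": False, "attachments": cleaned}
```

Run `process_message(["carol@partner.example.org"], {"forecast.docx": build_sample_docx()})` and inspect the result with `read_core_props`: only the two template properties survive, both carrying the company value, while a message to the whitelisted domain comes back byte-for-byte unchanged. A real deployment would apply the same treatment to docProps/app.xml and to the other formats the product supports.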

Overall, we hope that Metashield for Exchange contains everything a security-minded system administrator needs to prevent metadata leakage in corporate email, while maintaining usability and good performance.

Plugin for EmetRules: Now, easier to use

Sunday, December 13, 2015

EmetRules is a simple tool we created two years ago. Not meant to change the world, it was a first incursion into the certificate pinning universe, intended to ease one of the harder-to-use features of EMET: pinning. We have now developed an easy plugin for Internet Explorer that uses EmetRules, so pinning with EMET is easier than ever. Let's see how it works.

Internet Explorer is one of the few major browsers not supporting HPKP yet; in fact, it is the browser with the fewest options to pin certificates in general. EMET added a pinning feature a few versions ago, but it was complicated and tricky to use. So we created a simple tool called EmetRules to pin lots of domains at once.

EmetRules has some fans, so we have created a very simple plugin to call EmetRules from the browser itself, making it even easier to pin a domain: just visit it and click a button. The domain will be added to the EMET configuration and pinned there.

EmetRules itself has been updated with a new option so that it can be called directly from Internet Explorer. To explain it better, a few screenshots of how it works:
  • Visit the domain you want to pin with Internet Explorer.

Visit the domain you want to pin
  • Click on the icon in the bar, or right click somewhere on the webpage and "Pin with EmetRules"
Use the icon or the entry in the right click menu
  • The first time you use it, a warning will appear. It is fine as long as the program is signed by us: the operating system is telling you that an external program is being launched from inside a web page and wants to leave Protected Mode (it will run at medium integrity level instead of low). Check the publisher shown in the dialog before accepting.
Warning about executing a file from the browser
From here on it depends on the "traditional" EmetRules. A command window will be launched; it will fetch the certificate for you, build an XML file and feed it to EMET.
  • If you are an "admin but not an admin" (i.e. you are using UAC), a UAC dialog will prompt, since inserting domains into EMET requires administrator privileges.
  • If everything is ok, the domain will appear in EMET pinning panel.
The domain is finally pinned in EMET

If you want to modify the default settings, just edit the HTML file (JavaScript) in the installation directory.

We hope you enjoy it. The new version may be downloaded from here.


IoT - The new security headache for the enterprise IT department?

Wednesday, December 9, 2015


2015 could prove to be the year that enterprise adoption of BYOD takes a step further and evolves into BYOIoT. Several reports (i) have already predicted the rise, spurred on by the popularity and proliferation of wearable devices in the workplace. What is essential is that IT departments know how to manage the security and ecosystem challenges this will bring.

The great benefit of IoT is that connected devices are able to interpret and interact seamlessly with the networked environment around them, providing seamless usability and convenience for the end user. The issue for the IT department is that any connected device can theoretically collect and access sensitive information purely because it is located on the company's premises. Similarly, since they are usually connected to the corporate network, they can exchange data not only with internal systems but also with external servers. In many cases internal data must be protected, and IT departments will want to control what sensitive information leaves their network. There is no doubt that connected devices allow employees to be more efficient in their daily operations, but are companies fully aware of the security risks their use also involves?

The potential for security breaches increases with the uptake of IoT policies in the workplace. What is disconcerting is that IT departments often have little or no control over new devices connecting to the network. This has been backed up by a recent study (ii) published by OpenDNS, which found that IT professionals are often completely unaware of the presence and prevalence of IoT devices on their corporate networks.

This apparent lack of control contrasts with a 2013 Forrester study (iii) which stated that security concerns are the main reason businesses are slowing down the incorporation of workplace IoT technologies. This raises the question: if security is considered such an important element, why aren't special measures being put into place? Perhaps the answer lies in the ambiguity of defining what an IoT device is.



To get a handle on the problem, IT departments must first identify the risks, which are as follows:
  • IoT devices are a new remote attack vector for security exploits. Devices are not designed in line with individual business security requirements and cannot be updated easily to conform with corporate network policies.
  • They often use external clouds beyond the control of IT departments. Without the implementation of traffic control measures, internal data risks being compromised.
  • Users tend to consider these devices as toys and are not aware of the security implications that their use has on a corporate network.

The solution for IT departments can be neatly summarised in one word: visibility.

The infiltration of IoT devices into the enterprise is clearly underway, so companies should review their current policies to identify potential risks and, once identified, put new policies into action where necessary. Most security experts surveyed in the OpenDNS report rely on measures relating to network design and deployment to contain threats, but is that enough? In our view, these measures are necessary but not sufficient.

We propose two approaches.

Firstly, we consider focusing on the endpoint (the device itself) absolutely necessary. This approach not only identifies all the devices within the company premises, but also catalogues and monitors them so that they meet corporate security guidelines. It is similar to the approach already taken by Mobile Device Management solutions and BYOD policies.

It is no coincidence that MDM vendors consider IoT the next big challenge for their organisations (iv). MDM platforms have grown from a core set of rules associated with the use of smartphones at work to the complete management of any device, including tablets, laptops and even electronic ink readers. With the introduction of IoT and wearable devices, the next logical step is to implement new functionality to manage all these devices remotely. There is no doubt that promoting industry standards will make collaboration among different device providers easier to manage. In addition, it is important that these assets are included within the scope of the security audits performed internally by the company's IT department.

Secondly, the approach from the network side should be based on traffic behaviour and its analysis. Think of it like this: when facing an unknown illness, the best way for a doctor to work out a treatment is to identify the symptoms. Anything outside normal patterns is likely to be harmful and should be investigated. By examining network traffic with big data matching tools, the IT department can construct behaviour models capable of discerning anomalous situations. In this way it can identify new devices, connections to unknown IP addresses, suspicious traffic or strange commands.
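The behaviour model just described, reduced to its simplest form, as an added example that is not part of the original post: a per-device profile is learned from a baseline period of flow records and later flows are flagged when they involve a device, destination, port or volume the profile has never seen. The flow records, MAC addresses and the 10.0.0.0/8 internal range are constructed for illustration:

```python
# Added example (not from the original post): learn a per-device baseline from flow records and
# flag the deviations the text lists: new devices, unknown destinations, odd ports, unusual volume.
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space

# Constructed flow records: (timestamp, src_mac, dst_ip, dst_port, bytes_out). Not real traffic.
BASELINE_FLOWS = [
    ("2015-12-01T08:00", "aa:bb:cc:00:00:01", "203.0.113.10", 443, 1200),   # wearable -> vendor cloud
    ("2015-12-01T08:05", "aa:bb:cc:00:00:01", "203.0.113.10", 443, 900),
    ("2015-12-01T09:00", "aa:bb:cc:00:00:02", "10.0.0.5", 1883, 300),        # sensor -> internal MQTT broker
    ("2015-12-02T08:10", "aa:bb:cc:00:00:01", "203.0.113.10", 443, 1100),
    ("2015-12-02T09:00", "aa:bb:cc:00:00:02", "10.0.0.5", 1883, 280),
]
NEW_FLOWS = [
    ("2015-12-09T08:00", "aa:bb:cc:00:00:01", "203.0.113.10", 443, 1000),     # within profile
    ("2015-12-09T08:02", "aa:bb:cc:00:00:01", "198.51.100.77", 4444, 52000),  # unknown dst, odd port, big upload
    ("2015-12-09T08:03", "aa:bb:cc:00:00:03", "10.0.0.5", 1883, 310),         # never-seen device
    ("2015-12-09T08:04", "aa:bb:cc:00:00:02", "10.0.0.5", 22, 200),           # known device, new port
]

def build_baseline(flows):
    """Per-MAC profile: destinations and ports seen, and the largest single flow."""
    profile = defaultdict(lambda: {"dsts": set(), "ports": set(), "max_bytes": 0})
    for _ts, mac, dst, port, nbytes in flows:
        p = profile[mac]
        p["dsts"].add(dst)
        p["ports"].add(port)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return dict(profile)

def detect(flows, baseline, volume_factor=10):
    """Return (timestamp, mac, reason) for every way a flow leaves the learned profile."""
    findings = []
    for ts, mac, dst, port, nbytes in flows:
        p = baseline.get(mac)
        if p is None:
            findings.append((ts, mac, "new device"))
            continue
        if dst not in p["dsts"]:
            kind = "internal" if ipaddress.ip_address(dst) in INTERNAL else "external"
            findings.append((ts, mac, f"new {kind} destination {dst}"))
        if port not in p["ports"]:
            findings.append((ts, mac, f"new port {port}"))
        if nbytes > volume_factor * p["max_bytes"]:
            findings.append((ts, mac, f"volume {nbytes}B exceeds {volume_factor}x baseline"))
    return findings
```

`detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS))` reports nothing for the first flow and one finding per deviation for the rest; the wearable's upload to 198.51.100.77 trips three rules at once, which is the kind of stacked signal worth investigating first. The baseline must be learned from a period believed clean, otherwise an already compromised device becomes "normal".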

IoT is already within the enterprise environment, and the only option for companies is to evolve and adapt their security practices accordingly. Ignoring the threat will not make it go away, and IT departments need to be on the front foot when it comes to identifying and mitigating against risk. After all, what is not known cannot be secured.

i 'Bring Your Own Internet of Things' coming to businesses in 2015
ii The 2015 Internet of Things in the Enterprise Report
iii 'Mapping The Connected World' by Christopher Mines
iv IoT in the E: How the Internet of Things Will Transform the Enterprise



Inside Mobile Connect (I)

Monday, December 7, 2015

This is the first of a series of technical articles about the Mobile Connect architecture and the different components that make it up. But, hold on a second… what is Mobile Connect about?

Mobile Connect is a mobile-centric solution that aims to let MNOs (Mobile Network Operators) become trusted identity providers for third-party service providers. However, Mobile Connect is not only a new way to authenticate users on the mobile network: it also provides a way to link a person's digital and real identities and to protect their data, giving them back control over when, where and with whom this information is shared.

Mobile Connect takes advantage of the MNO's assets, such as the mobile device and the SIM card. Thanks to these assets the MNO can almost always reach the user and send them an authentication challenge. In that way, the user's device becomes an addressable token that holds the user's identity, which can in turn be validated by different authenticators, i.e. different ways of authenticating the user.

These different ways of authenticating users provide different levels of validation security. This is the so-called Level of Assurance (LoA), which describes the degree of confidence in the authentication process; in short, it expresses how certain we are that the user being authenticated is who they claim to be.

Mobile Connect Logical Architecture (Telefonica Implementation)

Note that Mobile Connect is an interoperable solution, so it must work with any MSISDN from all the MNOs onboard in the Mobile Connect ecosystem. This is accomplished by a discovery process that takes place before the authentication process. The aim of discovery is to find which Identity Provider (MNO) the user belongs to and redirect them to that MNO's Mobile Connect implementation.

The figure above shows a very high-level architecture of the Telefónica Mobile Connect system, but it does not tell us much. It looks as if there were a set of boxes you can combine and, voilà, you have an implementation of Mobile Connect. Obviously it cannot be that easy, right?

Don't worry: in the next section we explain the main functionality of each component in the architecture and its role in the Mobile Connect authentication flow.

Telefónica Mobile Connect Architecture


Our Mobile Connect implementation is based on a set of microservices that in turn make up larger components or subsystems which each have a specific role (see figure above).

You can distinguish three main functional areas in Mobile Connect:
  • The Identity Gateway, the brain of Mobile Connect, offers the interface through which Service Providers integrate with Mobile Connect.
  • The Authenticators provide user validation.
  • The Data Gateway provides the user's attributes.

The Mobile Connect interface to Service Providers follows the Authorization Code Flow of the OpenID Connect protocol, where Service Providers act as Relying Parties (RPs) in OIDC terms.


Abstract of the OpenID Connect protocol steps


Identity Gateway (ID-GW)

The Identity Gateway (aka ID-GW) is a server component that can be broken down into a set of individual components. Together they provide Identity and Access Management functionality, along with the functionality to control and protect the resources that expose the attributes that can be shared.

OIDC AuthServer

It is the core component that implements the OpenID Connect protocol as per the OIDC Mobile Connect Profile. It exposes the Authorization and Token endpoints. It receives the authentication request, checks whether the client (the service's app) is allowed to request the claimed scopes and, if so, sends the request to the authenticator selector. In addition, on successful authentication it generates the authorization_code and the access_token, along with the id_token.
Authenticators Routing Subsystem

This component is called by the OIDC server during the authentication process. It selects the right authenticator based on the context of the request (e.g. the requested LoA), routing policies, etc., and prompts the user for their credentials where appropriate.
Token Manager

This component creates the id_token, the access_token and the authorization_code in the authorization code flow. It also offers an API to query the information associated with an access_token.

Access Gateway

The Access Gateway exposes the UserInfo endpoint. Its purpose is to protect access to the real UserInfo resource exposed by the back end. The Access Gateway acts as a proxy: it receives the request from the service provider and checks the access_token against the Token Manager to determine the scopes granted to the client. If the client has the scopes needed to access the requested resource and the request limit has not been reached (traffic throttling), the Access Gateway routes the request to the Data GW, passing along the granted scopes.
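One pass through the authorization code flow with the ID-GW components above modelled as small Python classes, as an added example that is not Telefónica's code: the AuthServer validates the request and routes by LoA, the Token Manager issues a single-use code and the tokens, the Access Gateway introspects the access_token and throttles before proxying to the Data GW, and the Service Provider verifies the id_token it receives. The issuer URL, the client registration, HS256 signing with a shared key (the real profile signs with RSA keys), the subscriber record and the assumption that discovery has already supplied the MSISDN as login_hint are all illustrative:

```python
# Added example (not Telefónica's code): one pass through the authorization code flow with the ID-GW
# components as small classes. Issuer, client data, HS256 signing and the login_hint are assumptions.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idgw.mno.example"                     # assumed ID-GW issuer
SIGNING_KEY = b"assumed-shared-secret"                  # demo key; the real profile signs with RSA keys
CLIENTS = {"sp-app-1": {"secret": "sp-secret", "redirect_uri": "https://sp.example/cb",
                        "scopes": {"openid", "phone"}}}  # what Provision holds for this SP
AUTHENTICATORS = {2: "sms_url", 3: "sim_applet"}        # routing table: requested LoA -> authenticator
SUBSCRIBERS = {"+34600000001": {"sub": "pcr-7f3a", "msisdn": "+34600000001"}}  # constructed MNO data

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims, key):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token, key, client_id, nonce):
    """RP-side checks: signature, issuer, audience, nonce (replay) and expiry. None if any fails."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    c = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    ok = c["iss"] == ISSUER and c["aud"] == client_id and c["nonce"] == nonce and c["exp"] > time.time()
    return c if ok else None

class TokenManager:
    """Creates the code, access_token and id_token; answers the Access Gateway's token queries."""
    def __init__(self): self.codes, self.tokens = {}, {}
    def issue_code(self, client_id, scopes, nonce, sub, loa):
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, scopes=scopes, nonce=nonce, sub=sub, loa=loa)
        return code
    def redeem(self, code, client_id):
        grant = self.codes.pop(code, None)              # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id: return None
        now, token = int(time.time()), secrets.token_urlsafe(24)
        self.tokens[token] = dict(scopes=grant["scopes"], sub=grant["sub"], exp=now + 300)
        id_token = make_jwt(dict(iss=ISSUER, sub=grant["sub"], aud=client_id, nonce=grant["nonce"],
                                 acr=str(grant["loa"]), iat=now, exp=now + 300), SIGNING_KEY)
        return {"access_token": token, "token_type": "Bearer", "id_token": id_token}
    def introspect(self, token):
        info = self.tokens.get(token)
        return info if info and info["exp"] > time.time() else None

class AuthServer:
    """OIDC AuthServer: validates the request, routes by LoA to an authenticator, issues the code."""
    def __init__(self, tm, run_authenticator): self.tm, self.run_authenticator = tm, run_authenticator
    def authorize(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client, scopes = CLIENTS.get(q.get("client_id")), set(q.get("scope", "").split())
        if (client is None or q.get("response_type") != "code" or "openid" not in scopes
                or not scopes <= client["scopes"] or q.get("redirect_uri") != client["redirect_uri"]):
            return {"error": "invalid_request"}
        loa = int(q.get("acr_values", "2"))
        if loa not in AUTHENTICATORS: return {"error": "unsupported_acr"}
        sub = self.run_authenticator(AUTHENTICATORS[loa], q.get("login_hint"))
        if sub is None: return {"error": "access_denied"}
        return {"code": self.tm.issue_code(q["client_id"], scopes, q.get("nonce"), sub, loa),
                "state": q.get("state")}
    def token(self, code, client_id, client_secret):
        if CLIENTS.get(client_id, {}).get("secret") != client_secret: return {"error": "invalid_client"}
        return self.tm.redeem(code, client_id) or {"error": "invalid_grant"}

def data_gw(sub, scopes):  # Data GW: only the attributes the granted scopes cover
    rec = next(r for r in SUBSCRIBERS.values() if r["sub"] == sub)
    return {"sub": sub, **({"phone_number": rec["msisdn"]} if "phone" in scopes else {})}

class AccessGateway:
    """UserInfo proxy: token introspection, then a per-token request limit, then the Data GW."""
    def __init__(self, tm, limit=2): self.tm, self.limit, self.hits = tm, limit, {}
    def userinfo(self, bearer):
        info = self.tm.introspect(bearer)
        if info is None: return 401, {"error": "invalid_token"}
        self.hits[bearer] = self.hits.get(bearer, 0) + 1
        if self.hits[bearer] > self.limit: return 429, {"error": "too_many_requests"}
        return 200, data_gw(info["sub"], info["scopes"])

def demo_authenticator(kind, login_hint):  # stand-in for SBA/MSSP/FIDO: real ones challenge the handset
    return SUBSCRIBERS[login_hint]["sub"] if login_hint in SUBSCRIBERS else None

def run_flow(loa=2, scope="openid phone"):
    """Drive one complete flow and return what the SP ends up with."""
    tm = TokenManager(); auth = AuthServer(tm, demo_authenticator); gw = AccessGateway(tm)
    nonce, state = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    url = ISSUER + "/authorize?" + urlencode({"response_type": "code", "client_id": "sp-app-1",
          "redirect_uri": "https://sp.example/cb", "scope": scope, "acr_values": str(loa),
          "nonce": nonce, "state": state, "login_hint": "+34600000001"})
    redirect = auth.authorize(url)
    if "error" in redirect or redirect["state"] != state:  # the SP binds the callback to its own state
        return redirect
    tokens = auth.token(redirect["code"], "sp-app-1", "sp-secret")
    claims = verify_id_token(tokens["id_token"], SIGNING_KEY, "sp-app-1", nonce)
    status, userinfo = gw.userinfo(tokens["access_token"])
    throttle = [gw.userinfo(tokens["access_token"])[0] for _ in range(2)]  # 3rd call trips the limit
    replay = auth.token(redirect["code"], "sp-app-1", "sp-secret")         # reusing the code
    return {"claims": claims, "status": status, "userinfo": userinfo, "throttle": throttle, "replay": replay}
```

`run_flow()` returns the verified id_token claims (with `acr` equal to the LoA that was routed), the UserInfo response limited to the granted scopes, a `[200, 429]` throttle trace and `invalid_grant` for the replayed code; `run_flow(loa=4)` fails at routing and `run_flow(scope="openid admin")` fails the scope check before any authenticator is contacted. The points a reviewer would look for are all present: the code is single-use and bound to the client, the SP checks state and nonce, and attribute release happens only behind the introspected access_token.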

Provision

This component offers an API to provision any data the ID-GW needs to carry out its tasks: scopes, products (sets of scopes for different grant types), developers, apps and APIs.

Users

This component exposes an HTTP REST API to manage the provisioning of Mobile Connect users. It is used to register and update users, etc.

Authenticators

These components form an abstraction layer that allows the ID Gateway subsystem to talk to the different authenticators in the MNO. All Mobile Connect authenticators are mobile-centric, that is, all of them authenticate the end user through interaction with their mobile phone.

Authentications using Mobile Connect SMS+URL

In the next few paragraphs we describe some of the most common authenticators used in Mobile Connect, bearing in mind that a long list of them can be integrated into the solution.

SMS based authenticator

The SMS-based authenticator (SBA) sends an SMS to a mobile phone number. The SMS carries a code (OTP), a link or both, in order to authenticate the user:

  • OTP: sends a One-Time Password in the SMS, which must be entered in the form.
  • URL: sends a URL in the SMS which the user must click to be authenticated.
  • OTP+URL: sends an OTP together with a URL. The user can either submit the OTP in the form or click the URL to be authenticated.
MSSP (Mobile Signature Service Provider)

This component is the server side of the SIM applet based authenticator. It can handle both LoA2 and LoA3 authentications by sending a challenge to the end user's SIM as a class 2 binary SMS (a GSM 03.48 secured packet). Such a message is delivered to the SIM directly and is not exposed to applications running on the handset.

Then the SIM wakes up an applet which asks the user for consent, either with a simple "click OK" or with a PIN/personal code. Once user verification is done, the applet returns an authenticated response to the MSSP. The MSSP validates the response and returns success or error. It is worth pointing out that all messages between the MSSP and the SIM are end-to-end encrypted.

FIDO Authenticator

This component implements a FIDO server which sends a challenge to authenticate the user through a biometric authenticator on their mobile phone.

Remark: these are some of the authenticators that can be used to authenticate users in Mobile Connect. However, since one of the key requirements of Mobile Connect is to authenticate the end user regardless of the underlying authenticator, it needs a flexible way to integrate the ID-GW with the different kinds of authenticators, which in turn expose different APIs. To achieve this, an adaptor (based on redirections) has been built for every authenticator to connect it to the ID-GW.

Data GW (Data Gateway)

This component connects to the different data sources in the MNO or to potential third parties. It gathers all the attributes that will be exposed at the UserInfo endpoint and, probably, at other future info endpoints with extra information.

Mobile Connect makes headway with launch of cross-border pilot

Friday, December 4, 2015

A European trial makes Mobile Connect the first private-sector cross-border public service authentication solution compatible with the European Union electronic IDentification, Authentication and trust Services (eIDAS) Regulation.

Over the next few weeks, Mobile Connect will be trialled in two EU Member States, establishing a proof of concept for cross-border authentication to e-Government services. The pilot, launched on November 16, will demonstrate how Mobile Connect can be used to identify an EU citizen of one Member State in order to gain access to a public service of another. Mobile Connect offers a simple way of achieving pan-European federation of cross-border services for EU governments, compatible with the eIDAS Regulation, whilst enabling growth in digital public services nationally.

The trial is taking place between Catalonia (Spain) and Finland, and will enable customers of participating Spanish operators to log in to a Finnish eGovernment service and, on the Catalonian side, to log in through a digital identity validator granting access to a complete portfolio of public services. The customer experience is the same in both countries: after the customer presses the Mobile Connect button and enters their mobile number on the discovery page, a PIN request appears on their mobile phone. By entering the correct PIN, the user's identity is confirmed and the customer is logged in to the eGovernment online service.

The pilot is the result of collaboration between organisations seeking to accelerate the uptake of trusted and secure digital authentication in response to the eIDAS Regulation. The Regulation aims to enhance trust in electronic transactions in the EU internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of online services in the EU. The GSMA with major operators, Orange Spain, Telefonica, TeliaSonera, and Vodafone Spain are supporting the trial, as well as Gemalto, Mobile World Capital, the Catalonia Regional Government, the Finnish Ministry of Finance and Finnish Population Registration Centre.

Hear from the participants in the trial on their experience with Mobile Connect:

“Finally with Mobile Connect we can create international eID services that are based on real identities, and for those identities we can create a new breed of trust services for a global market.” Joni Rapanen, TeliaSonera.

“We in the Ministry of Finance are very satisfied with this successful project. Our role was limited compared with the participants who planned the actual trial, but the results are very important to us when we are building a national trusted network for e-identification.“ Mr Olli-Pekka Rissanen, Special Adviser, Ministry of Finance.

“Orange Mobile Connect solution meets the needs of our customers for a secured journey and also paves the way for a rapid take-off of eIDAS services” Alicia Calvo, Innovation Director, Orange Spain.

“Mobile Connect is a key component of Telefonica’s security services. It has greatly expanded the identity and privacy solutions we offer to our customers.” José Luis Gilpérez, Defense and Security Director, Telefónica.

“For Vodafone, it is important to provide to our Customers confidence and simplicity when using digital services. Mobile Connect will be a key enabler of the Customers Digital Journey” Ibo Sanz, mCommerce Director, Vodafone Spain.

“The identification and trust services for electronic transactions in the internal market aligned with eIDAS regulation is a milestone for the Government of Catalonia to provide a confident environment to enable secure and seamless electronic interactions or transactions between European businesses, citizens and public authorities. In this regard, this experience is focused on this European government’s spirit of collaboration.” Jordi Puigneró, General Director for Telecommunications and ICT at the Government of Catalonia.

Oscar Pallarols, Smart Living Director at Mobile World Capital Barcelona.

The trial occurs just weeks after the EU’s recent adoption of the implementation rules of the eIDAS Regulation, which makes the EU the first and only region in the world to have a legal framework for safe cross-border access to services and online interactions between businesses, citizens and public authorities.

The Regulation is part of the European Commission’s push towards the Digital Single Market, and is designed to enable citizens to carry out secure cross-border electronic transactions. For example, enrolment in a foreign university, filing of multiple tax returns, access to electronic medical records or authorisation of a doctor to access these on one’s behalf. It will also enable citizens moving or relocating to another member state to manage registration and other administration online with the same legal certainty as they currently have with traditional paper-based processes.

Mobile Connect’s technical architecture follows secure user authentication requirements provisioned by the eIDAS Regulation, and its technical specifications of implementation – and is the first private-sector cross-border public service authentication solution to be compatible with it. As such, the pilot will test how eIDAS cross border authentication works and reveal any practical challenges in implementing the solution.

The solution is ideally placed to address both service providers’ needs acting as a primary log-in for websites, apps, and other online services and consumers’ demands for straightforward and secure authentication and identification. Mobile Connect can help government agencies and other service providers increase usage of their online services, improving efficiency, enriching the end-user experience and increasing engagement. With the demand for secure and convenient authentication for digital services at an all-time high, this pilot further illustrates the market readiness of Mobile Connect. To find out more email the team at mobileconnect@gsma.com

Source: GSMA

Original post Mobile Connect makes headway with launch of cross-border pilot by GSMA.