28 May 2015

Operation

Posts relating to the category tag "operation" are listed below.

28 May 2015

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime.

Chapter header '5. Data security' in the FCA guidance 'Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime'

Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document provides guidance regarding financial crime systems and controls, money laundering and terrorist financing, fraud, data security, bribery and corruption, and sanctions and asset freezes. Some of these are clearly sector-specific but there is generally applicable advice too.

Chapter 5 on data security draws on, and extends, guidance originally published in the former FSA's document Data Security, published in 2008.

Part 2 of the document contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the recent reviews' findings.

The guidance took effect on 27 April 2015.

Posted on: 28 May 2015 at 08:59 hrs


18 May 2015

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes.

One of the charts from the SANS report '2015 State of Application Security: Closing the Gap' showing the popularity of language and perceived security risk

In a change to last year's report the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders.

Jim Bird, Eric Johnson and Frank Kim analysed data from 435 respondents, a quarter of whom came from financial services/banking. Two-thirds of respondents worked in organisations with 1,000 or more people.

The report is full of useful information that reflects the languages, frameworks and development practices used by the survey participants. The top challenges for builders and defenders are identified, along with drivers and practices, and which standards, guidance, lifecycle models and other references the organisations' own application security programmes draw on.

A breakdown of the proportion of the overall IT budget spent on application security is also presented.

The report is free to access and download.

Posted on: 18 May 2015 at 09:09 hrs


15 May 2015

The Bad and the Good of Ecommerce Fraud Detection

Vendor ThreatMetrix has published a short document about how online fraud detection systems often mistreat customers like they are criminals, leading to increased costs and decreased income.

Photograph of customers in a high street shop paying for their purchases at checkouts

Problems with common systems of customer authentication are discussed in "Are You Treating Your Customers Like Criminals?", including failure to recognise existing customers, time-consuming or awkward re-authentication and the poor user experience of payment verification processes like 3DSecure (e.g. Verified By Visa, MasterCard SecureCode, American Express SafeKey).

These lead to basket abandonment, payment failures and brand damage. The document describes other problems created such as making it difficult to enter new markets, increasing the customer support overhead, wasting marketing spend, and rising fraud levels during peak trading periods when barriers are lowered, leading to elevated chargeback rates.

It is suggested that retailers need to simplify authentication, improve the identification of real customers, and mitigate the business impact of fraudulent activity. Recommendations for activities to undertake in real time are provided. These measures can be implemented directly in code, as well as using vendor products and services. See also the post from March, User Interface Modifications to Combat Buyer Fraud.

The document can be downloaded free of charge after providing contact details including a valid email address. ThreatMetrix also publishes a quarterly cybercrime attack report.

Posted on: 15 May 2015 at 11:20 hrs


08 May 2015

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre.

Partial screen capture from the OWASP wiki showing part of the extensive project inventory

With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organised social events, it looks like this year's event is shaping up very well.

As well as the project summit, some projects are being discussed in some of the main conference presentations.

When the call for papers was announced last year, I proposed having some sessions that gave the opportunity for a larger number of project leaders to explain their work, the target users, the benefits, and what materials are available. I am pleased to say the conference team liked the idea and allocated two 45-minute slots. These are being used to showcase innovation in OWASP projects to the main conference audience.

Both lightning talk sessions occur on Thursday 21st May. Each talk is 10 minutes long. The speakers and their projects are listed below.

14:30 - 15:15 hrs

  • Spyros GASTERATOS
    Hackademic Challenges, implementing realistic scenarios with known vulnerabilities in a safe, controllable environment.
  • Andrew VAN DER STOCK and Daniel CUTHBERT
    Application Security Verification Standard, providing a basis for assessing web application technical security controls, to establish a level of confidence in the security of web applications.
  • Jonathan CARTER
    Reverse Engineering and Code Modification Prevention, educating security architects, risk analysts, software engineers, and pen testers around binary risks from code integrity violation and reverse engineering.
  • Matteo MEUCCI
    Testing Guide, version 4, the de facto standard for performing web application penetration testing.

15:45 - 16:30 hrs

  • Jim MANICO
    Top 10 Proactive Controls, describing the most important controls and control categories that every architect and developer should include in every project, and Cheat Sheet Series, providing a concise collection of high-value information on specific web application security topics.
  • Tao SAUVAGE and Marios KOURTESIS
    Offensive Web Testing Framework (OWTF), making security assessments as efficient as possible by automating the manual uncreative part of pen testing, and providing out-of-box support for the OWASP Testing Guide, and NIST and PTES standards.
  • Ann RACUYA-ROBBINS and Luis ENRIQUEZ
    Knowledge Based Authentication Performance Metrics, establishing standard performance metrics for knowledge-based authentication (KBA) in alignment with the NSTIC guiding principles, at the intersection of security, identity and privacy.
  • Sebastien DELEERSNYDER
    Software Assurance Maturity Model (OpenSAMM), an open framework to help organizations measure, improve and manage their software security practice that is tailored to the specific risks facing the organization.

I will introduce each session, the speakers and keep time. I hope you can join me to hear about these contributions to application security directly from the leaders themselves. We will have time after the sessions for further discussion and questions.

Posted on: 08 May 2015 at 09:00 hrs


06 May 2015

Android Security 2014

Google announced early last month the release of a report analysing security in the Android ecosystem.

One of the charts from Google's report 'Android Security 2014 Year in Review'

Android Security 2014 Year in Review describes various measures of security, including the occurrence of potentially harmful mobile applications, platform API abuse and network-level abuse.

Information is provided on Google's 4-tier severity rating system for vulnerabilities.

Security enhancements during 2014 are also discussed, together with newer changes such as the enhanced Google Play review process to help protect users.

Posted on: 06 May 2015 at 11:27 hrs


24 April 2015

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities.

Cover of the 'AppSensor CISO Briefing'

The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developers and operators.

The document's content was partially taken from the introductory sections of the AppSensor Guide and the AppSensor Microsite. This was then edited and changed by myself, John Melton and Louis Nadeau.

I incorporated several quotations from industry analysts, reports and standards to help set the context in the current security environment. The quotations are all publicly available but are mostly not OWASP AppSensor specific — instead they illustrate current trends and concerns about attack visibility, real-time detection, the need for automation, runtime application self-protection (RASP), and active defences.

The 12 pages comprise the following:

  • Defending Software Applications
  • Detect and Respond to Attacks From Within the Application
  • Benefits For Organizations and Users
    • Lower information security risk
    • Improved compliance
    • Reduced impact of attacks and breaches
    • Increased system survivability
  • Enterprise Ready
    • Extremely low false positives
    • Intelligence driven security
    • Low system resource overhead
    • Machine-speed response
  • Next Steps
  • Additional AppSensor Resources
  • About OWASP.

The CISO Briefing can be downloaded free of charge as a PDF, or purchased at cost in hardcopy from Lulu.com. There will also be some copies available during the CISO track at the AppSec EU conference in May.

Posted on: 24 April 2015 at 08:54 hrs


21 April 2015

Data Breach Investigations Report 2015

The Verizon annual Data Breach Investigations Report was published last week.

Partial view of Figure 43 from the Verizon 'Data Breach Investigation Report' showing the SANS critical security controls mapped to incident event chains

The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations.

A breakdown by industry sector is provided. The 2015 DBIR incident and breach information collection processes have no substantial changes from the 2014 DBIR, focusing on security events resulting in confirmed data disclosure, as well as other security incidents such as denial-of-service attacks, and compromises of systems without data loss. The report re-iterates that it only represents a sample of events — the results are only representative of the sources of information contributed.

An analysis of the threat actions illustrates that the proportion of actions involving RAM scraping is growing, spyware/keylogger is falling and both credentials and phishing are broadly similar.

There is plenty of interesting data on breach discovery, phishing, patching, malware, industry profiles and impacts. The discussions on the problems with threat intelligence and the limited impact of mobile device compromise are insightful.

Nine common incident classification patterns are used to summarise the findings, including "web application attacks", accounting for 9.4% of incidents. Almost all the attacks in this category were opportunistic in nature, with information, financial services, and public entities being particularly affected. Use of stolen credentials is the most common action involved.

The last figure in the report (illustrated above) is a mapping from the recommended SANS Critical Security Controls to incident event chains. Although this only relates to Verizon's own source data, and not any of the other contributors, it illustrates that many basic security measures can help protect against the most common attacks. These include two-factor authentication, patching web services, verifying the need for internet-facing devices, proxying outbound traffic and web application testing.

Posted on: 21 April 2015 at 10:49 hrs


15 April 2015

Security of Public Communications Network and Service Providers

The European Union Agency for Network and Information Security (ENISA) has published guidance on what nations should take into account when evaluating the security compliance of public communications network and service providers.

Bars on a chart from the ENISA document 'Technical Guideline on Security Measures for Article 4 and Article 13a'

The requirements relate to Article 13a of the Framework Directive (2009/140/EC) and Article 4 of the e-Privacy Directive (2002/58/EC).

At first glance, many organisations might assume they do not fall within the remit of this "network and services" legislation, but Technical Guideline on Security Measures for Article 4 and Article 13a describes the "assets in scope" as "all assets of the provider which, when breached and/or failing, can have a negative impact on the security of networks, services and/or the processing of personal data".

The guidance provides a non-exhaustive list of networks and services, and related systems "which are often supporting, directly or indirectly, the provision of networks and services or the personal data processing". Whilst many in-scope systems are communication and network related, including wires and fibre, network devices and DNS, other components mentioned are PCs, removable media, power supply systems, backup power supply and cooling systems. Many companies may be providers of services like these to organisations that are affected by the legislation.

The document goes on to describe "additional services" in scope that include "Provider web sites for customers, billing portals, et cetera, if they contain personal data which was collected and processed in connection with the provision of networks or services", "Customer premises equipment (CPE), if under the control of the operator (such as VOIP boxes)" and "Other systems used for storing or processing of personal data collected in connection with the provision of networks or services. This could involve procedures involving paperwork like paper-printed letters, contracts or bills". As the document states "Third party assets are in scope just as if they were assets of the provider".

The guidance defines a "security incident" as "a single or a series of unwanted or unexpected events which could have an impact on the security of networks, services and/or the processing of personal data". It goes on to provide examples of various scales of incident and whether they are reportable.

The technical guidance is divided into 26 security objectives, each with three levels of sophistication that demonstrate the level of controls in place. The objectives and measures might be useful for other organisations to assess their own maturity, regardless of whether the legislation applies to them.

Posted on: 15 April 2015 at 18:18 hrs


14 April 2015

Remote Banking Fraud Up, Card Fraud Up

The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK.

e-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 — a 14 per cent rise

In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving customers rather than attacking the payments technology and systems directly. It warns about the increasing numbers of scams which aim to trick people into disclosing financial details or transferring their money directly to fraudsters.

As a result of these trends, there is now a new Joint Declaration by UK Banks, Card Issuers and Building Societies, a combined effort to combat phone-initiated fraud.

Online banking fraud increased from £40.9m to £60.4m in 2014, a 48 per cent rise.

Card fraud losses were driven by criminals using UK cards fraudulently abroad, where the security features can be circumvented in some locations.

Posted on: 14 April 2015 at 07:37 hrs


10 April 2015

Digital Advertising Fraud

Over the last couple of months I have been doing some background reading for a new project.

One of the charts from the ANA report 'The Bot Baseline: Fraud in Digital Advertising'

One area I was interested in discovering more about was advertising click fraud. In my research I came across a report, The Bot Baseline: Fraud in Digital Advertising, published by the US Association of National Advertisers (ANA) and White Ops at the end of last year. It includes information gathered from 36 ANA member companies spanning 181 advertising campaigns with 5.5 billion digital advert impressions.

The report discusses:

  • Cost of bot fraud
  • The effect of reach
  • Differences with video campaigns
  • Sourcing traffic
  • Premium buys
  • Digital advertising supply chain
  • Adware attack severity
  • Bot source locations
  • Engagement and viewability metrics
  • Evasion
  • Tracking
  • Ad injection
  • Countermeasures.

The Interactive Advertising Bureau (IAB) has also published a document describing Anti-Fraud Principles and Proposed Taxonomy. There are also some related terminology definitions and discussion of fraud in the IAB Europe whitepaper Viewable Impressions, February 2015.

Posted on: 10 April 2015 at 08:00 hrs


Operation : Application Security and Privacy
https://www.clerkendweller.uk/operation

© 2008-2015 clerkendweller.uk