We are excited to offer you early access to this new functionality. As part of this Preview Beta, we are enabling you to programmatically add Users to your AWS Account, set groups and permissions for these Users, and enable your Users to call AWS Service APIs.

In the near future, we plan on adding support for your Users to login to the AWS Management Console. We also plan to extend the AWS Management Console to support IAM, providing a web-based interface to manage your Users, groups, and permissions.

Learn more about AWS Identity and Access Management Preview Beta at: http://aws.amazon.com/iam

Source

We have come a long way when it comes to DMZs (demilitarized zones). It’s no longer a question of if your organization needs a DMZ, but rather, it’s now a question of how you should design one.

In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger, untrusted network—usually the Internet. The original DMZ designs included a simple network separated from the internal network, where everything that needed access to the Internet was placed.

Today, there are as many DMZ designs as there are vehicles on the road. You have industrial trucks designed to simply transport goods as cheaply as possible. You have economy cars designed to save money. And you have exquisite Italian sports cars that are sure to make your friends jealous (and fast enough that you always arrive with plenty of extra time for a nice cup of espresso). DMZ designs are a lot like cars: there are many varieties which go by a lot of different names but they all serve the same purpose.

There are hundreds of names that we use for networks today but, essentially, there are internal networks, external networks and DMZs. They may be called partner nets, vendor zones, internal DMZs or security zones. But the reality is that they are all DMZs with a mix of ownership devices, connectivity and risk levels.

Goals of DMZ design

If you ask ten network architects about how to design a DMZ, they’ll come back with ten different answers. While variety is the spice of life, as an industry we should have some generally accepted practices of DMZ design.

One of the core tenets of DMZ design is to segregate devices, systems, services and applications based on risk. The goal is to isolate risk, so if something goes bad and the Web server is hacked, it is essential to know what other devices the hacker would have easy access to. Beyond segregation by risk, four other common design approaches are separation by operating system, data classification schemes, trust levels or business unit.

If you look at recent audit and compliance requirements, you’ll see that they include a growing number of specific technical design requirements. In some of the new requirements, we find the mandate to keep the Web and application tier separated from databases—a very good idea. We also see the move back to single purpose servers; for example, your Web server cannot also be your DNS server.

Four levels of DMZ design

Let’s break DMZ design into four levels, with Level 1 being the simplest design and subsequent levels providing more segmented security.

When we want to build a basic DMZ, we start with a single segment of the firewall. Let’s call this Level 1 in our DMZ design book. This design is fine if you have a few servers that need Internet access. But if you do any e-commerce transactions, you have already outgrown this design.

Many people make the mistake of keeping this design, placing the Web and application servers in the DMZ and the databases on the internal network. This is no longer acceptable. As database attacks become more targeted, the risk of having the database on the internal network requires a more sophisticated design.

Level 2 DMZ designs

A Level 2 DMZ would consist of multiple DMZ networks off of the firewall. This design is a substantial improvement over a Level 1 design. It allows traffic rules to be written between each DMZ for control and segregation. A good start is having separate DMZs for Web and application servers, databases, authentication services, VPNs, partner connections, e-mail and mobile services. This is very feasible today; most firewalls can easily handle tens of interfaces and multiple VLANs on each interface.

Level 3 DMZ designs

One problem often seen in Level 2 DMZ designs is that overly permissive firewall rules can lead to devices getting Internet access that should never have it. One way to rectify that is to use two firewalls. This design, which we’ll call Level 3, is built with an external firewall and an internal firewall. The DMZ is placed between the firewalls based on access restrictions. Inbound Internet access is allowed into the external DMZ via the external firewall—never directly routed to devices placed in the internal DMZ on the internal firewall. The internal network can talk to the internal DMZ but not the external DMZ.

This Level 3 DMZ design effectively separates Internet-connected devices and the services they require using just two firewalls with their own policies. Most security teams quickly understand the rule base design between externally accessible and internally accessible DMZs. The temptation is to create rules allowing inbound access from the DMZs to the internal network. This should never be allowed. All the services that are needed should be moved into DMZs so that internal networks are never exposed.

This restriction is often violated. A lack of coordination or communication between IT groups, the rush to deploy new applications, network complexity and other factors result in organizations building critical services on their internal networks.

Level 4 DMZ designs

Level 4 DMZ designs are where things start getting more complicated. A Level 4 scenario would most likely include deploying multiple firewall pairs in parallel along your border rail, and spreading your DMZs out among them, segregated by your choice of metrics. Most people choose to separate the firewalls into business or functional groups, while others like to separate them by trust levels.

Best practices dictate building separate firewall stacks based on Service Level Agreements (SLAs) and data classification. This creates a situation where there is an entirely separate firewall stack for PCI, separate firewalls for user services (such as Web browsing, FTP, e-mail, patching, etc.) and separate firewall stacks for business services. Consider business services placed in DMZs by SLA: 90 percent, 98 percent and 99.9 percent make for three good goals. Designing DMZs by SLA can streamline DMZ management and reduce business disruptions.

Conclusion

In closing, it’s imperative to place as much rigor as possible into the planning and design process. Assume that once the DMZ is live, it may not be so easy to fix major flaws in the design. Internal due diligence can be used as a way to establish strong lines of communication with other stakeholders—whether they are other IT folks, business owners, partners or managers. It can raise your profile within your company as a thoughtful risk manager and strategic thinker. And, perhaps most important, it will invite feedback outside your frame of reference. If one conversation with one person has a significant impact on DMZ design, wouldn’t you want to have that conversation before you design it?

Source

While the agency – as per their official policy – does not confirm or deny that such an investigation is underway, the college’s media relations director refused to divulge any details but confirmed an internal investigation, while also mentioning that as far as they can tell, no student data has been compromised.

Unofficial sources say that the cyber thieves managed to compromise a computer belonging to the university’s comptroller by infecting it with a data-stealing “virus”, which then forwarded them the online banking credentials for the accounts in question, reports Brian Krebs.

Once they were able to access the account, they initiated a single wire transfer that transferred $996,000 to an account opened at the Agricultural Bank of China.

Source

Effective September 1, 2010, we’ve reduced the On-Demand and Reserved Instance prices on the m2.2xlarge (High-Memory Double Extra Large) and the m2.4xlarge (High-Memory Quadruple Extra Large) by up to 19%. If you have existing Reserved Instances your hourly usage rate will automatically be lowered to the new usage rate and your estimated bill will reflect these changes later this month. As an example, the hourly cost for an m2.4xlarge instance running Linux/Unix in the us-east Region from $2.40 to $2.00. This price reduction means you can now run database, memcached, and other memory-intensive workloads at substantial savings. Here’s the full EC2 price list.

As a reminder, there are many different ways to optimize your costs. When compared to On-Demand instances, Reserved Instances enable you to reduce your overall instance costs by up to 56%. You pay a low, one-time fee to reserve an instance for a one or three year period. You can then run that instance whenever you want, at a greatly reduced hourly rate.

For background processing and other jobs where you have flexibility in when they run, you can also use Spot Instances by placing a bid for unused capacity. You job will run as long as your bid is higher than the current spot price.

Source

Under the Cyber Insider Threat (CINDER) Program, DARPA will explore new approaches for improving the speed and accuracy of insider threat detection. The agency last week sought proposals for ways to identity hostile insider activity by monitoring specific user and network behaviors.

In the initial stage of the project, the goal is not necessarily to develop new ways of detecting individual malicious insiders themselves. Instead, DARPA hopes to figure out the tell-tale signs and network activities that organizations should monitor to accurately detect malicious activity.

“If we were looking for the insider actor himself, we might not detect someone who performs a single, isolated task and we run the risk of being inundated with false positives from events being triggered without context of a mission,” DARPA said. “To this end, CINDER starts with the premise that most systems and networks have already been compromised by various types and classes of adversaries. These adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions.”

In the next two phases of the three-part CINDER effort, DARPA will develop systems that can monitor networks and user activity and spot malicious activity more quickly.

The CINDER initiative comes just a few weeks after whistleblower Web site Wikileaks posted more than 70,000 documents containing sensitive details on American military operations in Afghanistan. The documents were allegedly leaked to the site by Bradley Manning, a relatively junior Army intelligence analyst who is also accused of supplying Wikileaks with a controversial video allegedly showing a deadly U.S Apache helicopter attack in Iraq.

Manning’s alleged actions have prompted widespread criticism from those who believe the data has put critical U.S. intelligence and military assets in Afghanistan in harm’s way. The leaks have also highlighted the risks associated with the information-sharing that has been going on within the military for some time.

Networks such as the U.S. Department of Defense’s Secret Internet Protocol Router Network or SIPRNet, which Manning is alleged to have accessed, are designed to pass along important information as quickly and efficiently as possible.

Detecting malicious insider activity is difficult. “What sets the insider threat apart from other adversaries is the use of normal tactics to accomplish abnormal and malicious missions,” DARPA said.

The same issue has dogged enterprises for years and is considered by many analysts to pose an even greater threat to corporate data and networks than external hackers.

Source

The industry’s first user certification program for secure cloud computing, the CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.

“Critical services are being provided via the cloud, creating an urgent need for cloud security skills among IT professionals,” said Jim Reavis, CSA executive director. “The CCSK is a low cost certification that establishes a robust baseline of cloud security knowledge. Combined with existing professional certifications, it helps provide necessary assurance of user competency in this important area of growth.”

The CSA’s CCSK already has broad industry support from numerous organizations that plan to certify employees, including eBay, ING, Lockheed Martin, Sallie Mae, Zynga, CA, CaseCentral, HCL Technologies, Hubspan, LogLogic, Fiberlink, McAfee, Novell, Ping Identity, Qualys, Solutionary, Symantec, Trend Micro, Veracode, VeriSign, Vordel, WhiteHat Security and Zscaler.

“We have already been leveraging the CSA’s ‘Security Guidance for Critical Areas in Cloud Computing’ as a best practices manual for our information security staff,” said Dave Cullinane, CISO and VP for eBay. “We plan to make this certification a requirement for our staff, to ensure they have a solid baseline of understanding of the best practices for securing data and applications in the cloud.”

Discounted pricing of $195 for the CCSK exam is available through Dec 31st; regular pricing at $295 begins January 1st.

Source

SecureCloud allows you to maintain control over the encryption key used to secure data stored in the Amazon EC2, Eucalyptus or VMware vCloud cloud infrastructures. Other cloud-computing variants could be added in the future.

“IT operations may be firing up [a remote virtual machine] image but we have security validating the integrity, and it’s encrypted until it hits the cloud, and it’s encrypting data at rest,” according to Todd Thiemann, senior director of data center security and marketing at Trend Micro.

He notes that SecureCloud allows the IT department using either public or private cloud-computing services to answer the basic questions, “Is this image OK? And is it mine?”

Now in beta with general availability expected by year end, SecureCloud is provided through a Web site portal and makes use of policy-based encryption to allow access to a virtual-machine image as well as storing related activity logs.

In addition to offering the security service, Trend Micro is looking at making comparable software available to companies for on-premises use.

In a separate announcement, Trend Micro also unveiled an antimalware protection module for its VMware server security software, Deep Security 7.5. It includes integrity monitoring, log inspection and stateful firewall capabilities, and leverages the most recent VMware vShield Endpoint APIs. Trend Micro Deep Security 7.5 is expected to ship in October.

Source

The numbers come from a survey of more than CIOs, selected randomly from companies in the United States with 100 or more employees, conducted by staffing firm Robert Half Technology.

“There will always be employees who feel IT security policies are too restrictive,” said John Reed, executive director of Robert Half Technology, in a statement. “But in most situations, robust information security measures are necessary to protect sensitive data and an organization’s network integrity from increasingly sophisticated threats.”

On the other hand, said Reed, if too many people are complaining, then maybe it’s time to reevaluate whether an organization’s security policies have come down on the wrong side of the security-versus-productivity equation.

Rather than worrying whether their security policies are too restrictive, however, many organizations have a more fundamental problem: they lack any security policies, or else mechanisms for automatically enforcing those policies.

The result in either case is the same: employees often take their chances, ignoring any rules that they think are slowing them down, such as social networking restrictions or file transfer rules. According to numerous studies, when it comes to flouting security policies, IT personnel can be amongst the worst offenders.

But if corporate security or web access rules are cramping your style and making it harder to do your job, Reed recommends speaking up. “Some policies may simply be outdated and no longer make sense,” he said. “Asking someone in your organization’s IT department why access is restricted is often one of the quickest ways to resolve an issue.”

If policies aren’t judged to be outdated, he suggests talking up the business reasons for why they should change. “If employees can’t access a client’s website or a professional networking site that can generate business, it will probably be an easy case to make,” he said.

Source

Gareth Williams, 31, made repeated visits to the U.S. to meet with the National Security Agency and worked closely with British and U.S. spy agencies to intercept and examine communications that passed between an al Qaeda official in Pakistan and three men who were convicted last year of plotting to bomb transcontinental flights, according to the British paper the Mirror.

Williams, described by those who knew him as a “math genius,” worked for the Government Communications Headquarters (GCHQ) helping to break coded Taliban communications, among other things. He was just completing a year-long stint with MI6, Britain’s secret intelligence service, when his body was found stuffed into a duffel bag in his bathtub. He’d been dead for at least two weeks. His mobile phone and a number of SIM cards were laid out on a table near the body, according to news reports. There were no signs of forced entry to the apartment and no signs of a struggle.

Initial news stories indicated Williams had been stabbed, but police have since disputed that information, noting that — other than being stuffed into a duffel bag — there were no obvious signs of foul play. A toxicology report is expected Tuesday.

Investigators say they haven’t ruled out the possibility that the codebreaker was killed over something related to his work. Rumors that sexual bondage equipment was found in his apartment were also nixed by police, who said the rumors were untrue and they found no evidence yet to suggest that anything in Williams’ personal life led to his death.

Williams, an avid cyclist, lived in an apartment in Pimlico in central London that was reportedly part of a network of flats registered to an offshore front company and rented out to GCHQ workers. He is believed to have returned from a trip abroad on August 11. He was last seen alive on August 15, eight days before his body was found.

Williams flew up to four times a year to the U.S. to the NSA’s headquarters at Fort Meade HQ, according to the Mirror. His uncle, Michael Hughes, told the paper that Williams would mysteriously disappear for three or four weeks.

“The trips were very hush-hush,” Hughes said. “They were so secret that I only recently found out about them – and we’re a very close family. It had become part of his job in the past few years. His last trip out there was a few weeks ago, but he was regularly back and forth.”

Williams was said to have worked with the NSA on e-mails intercepted between Abdullah Ahmed Ali and Assad Sarwar and Rashid Rauf, a British national in Pakistan who was allegedly director of European operations for al Qaeda. The e-mails, intercepted by the NSA in 2006, allegedly contained coded messages.

The NSA shared the e-mails with British prosecutors but wouldn’t allow them to use the evidence in an early trial of the suspects out of fear of tipping off Rauf that he was under surveillance. It was only after Rauf was reportedly killed in a U.S. drone attack that the NSA allowed prosecutors to use the e-mails to convict the other suspects. It’s never been known whether the NSA intercepted the messages overseas or siphoned them as they passed through internet nodes on U.S. soil as part of the NSA’s controversial and unconstitutional warrantless wiretapping program.

An unidentified Western intelligence source told the Mirror that Williams’ job would have had him participating in “crucial high-level meetings with American intelligence officers. His job would have been crucial to the security of the UK and our interests abroad – and also to America and Europe.

“Although not particularly high up the GCHQ ladder, the importance of his role should not be underestimated. The man was a mathematical genius.”

His landlady, Jenny Elliott, told the Telegraph, “Occasionally you could hear tapes whirring from his flat, which must have been audio cassettes he used for work, but he never told me what they were.”

Source

The acquisition, expected to close by the end of September, will expand Islandia, N.Y.-based CA’s existing security portfolio by adding fraud prevention and advanced authentication functionality to its existing identity and access management (IAM) offerings. Additionally, the acquisition will allow CA to accelerate its delivery of identity and access management (IAM) solutions from the cloud, CA said in a statement.

Dave Hansen, general manager for the security business at CA Technologies, told SCMagazineUS.com on Monday that customers want to take advantage of the cloud but are concerned about security and want authentication to ensure the right people are accessing the right information.

“People are starting to realize – and this [acquisition] reinforces it – that cloud computing is here, and people want to take more advantage of it and feel like they have the security and control around it to deliver a reliable service,” Hansen said.

Founded in 1997, Sunnyvale, Calif.-based Arcot is a provider of authentication and fraud prevention solutions that can be delivered as cloud services or deployed on premise. Arcot’s technology is used to help prevent fraudulent transactions for about one million credit card transactions each day. CA said that combining Arcot’s technology with its SiteMinder web access management portfolio will enable the company to further help customers reduce risk, support regulatory compliance, and confidentially secure business transitions.

Arcot’s operations and approximately 165 employees will become part of CA’s security business. The acquisition will allow CA to compete with RSA, which also provides advanced authentication solutions, Hansen said.

This is the seventh cloud computing acquisition for CA in the past 14 months. Earlier this month, CA acquired 4Base, a virtualization cloud infrastructure consulting firm. Other recent CA cloud acquisitions include Nimsoft, a cloud monitoring provider; 3Tera, a developer of solutions used to build cloud applications; Cassatt, a provider of cloud computing software for data centers; NetQoS, a network management software and services firm; and Oblicore, a service-level management technology vendor.

Source