Literal Cybersecurity Rockstars

Here’s something you don’t often hear of someone in the role of CSO/CISO doing: coordinating a concert for the entire company, made up solely of employee musicians from locations across the globe, and performing for their peers in full rock star fashion at the company’s annual kick-off. But that is exactly what happened earlier this month.

The idea was to take my background in music performance (which dates back well before my tech and infosec days), find a unique way to bring people together from all across the company (infosec, engineering, sales, marketing, IT, customer success, UX, and consulting), and then bring the whole company together to be part of a grand performance. Well, the post from Jennifer Gregorio below is an example of how we demonstrate our core values (Impact Together, Bring You, Challenge Convention) at Rapid7. #rapid7 #ciso #cso #infosec #rockstars

Jen’s post: https://www.linkedin.com/feed/update/urn:li:activity:6625785654473211904/

Take a chance on someone….this week.

23 years ago, this week, someone took a chance on me, offering me my first professional job on a help desk, supporting UNIX and mainframe systems, and tracking my work on a Windows 3.1 desktop with Lotus Notes. At that time, I couldn’t spell UNIX, nor had any clue what a Lotus Note was. But, someone took a chance on me, and I’m forever grateful.

Fast forward to 2006, I had worked in IT, software and web development, and some experience in professional services…not much in the InfoSec space. Someone took a chance on me again, hiring me to kick-start professional services of a start-up InfoSec product company. I remember starting the job thinking, “What is compliance?”

I’m thankful to those who took chances on me, and always looking for a chance to pay it forward. #infosec #cso #leadership

Link to initial LinkedIn post

Commencing A New Decade: 2020 Predictions

At the end of 2019, I met in Boston with global IT and Security leaders to reflect on the year and develop strategic guidance for 2020. Here’s a look into the discussion and where we landed. #CRThinkTank #cybersecurity #infosec

Shawn is a participating member of the Cyber Resilience Think Tank. The Cyber Resilience Think Tank is an independent group of industry influencers dedicated to understanding the cyber resilience challenges facing organizations across the globe, and together, providing guidance on possible solutions.

Cyber Resilience Think Tank eBook, Nov 2019

They define cyber resilience as: “an organization’s capacity to adapt and respond to adverse cyber events—whether the events are internal or external, malicious or unintentional in ways that maintain the confidentiality, integrity and availability of whatever data and service are important to the organization.”

Excerpt from eBook: “Cyber Resilience Think Tank (Sponsored by MimeCast), Commencing A New Decade: 2020 Predictions”

SaaS is Eating the Enterprise

Security leaders discussed the tremendous shift that’s taken place when it comes to SaaS and InfoSec. In fact, Shawn Valle, Chief Security Officer at Rapid7, recently marveled at how quickly SaaS took over the enterprise.

“SaaS is eating on-prem enterprise data centers,” Valle said. “Just five years ago I was at an ecommerce company, and the feeling was ‘if it’s SaaS it’s not for us,’ when it came to InfoSec mentality and software.”

Now, Valle noted that security leaders have changed their tune: firewall purchases are becoming less critical, and more and more companies are dabbling in AWS, Azure, and Google Cloud to keep their organizations secure.

Full eBook here: https://www.mimecast.com/globalassets/documents/ebook/thinktank-new-decade.pdf

What Does 2019 Have In Store for Cybersecurity: A CISO’s Perspective

In January 2019, I had the honor of joining industry colleagues in an open webcast discussion on cybersecurity predictions for 2019: Vito Sardanopoli, Gary Hayslip (CISSP), and Scott King.

With the ever-changing threat environment and increasing prevalence of data breaches, today’s CISOs face a daunting task of securing their organization from a variety of threats. But, with so many priorities and a finite budget, it can sometimes feel like an impossible task to decide where to focus. So, what does 2019 have in store for cybersecurity and what are CISOs’ top priorities?

Join Rapid7 and our panel of expert CISOs for our 2019 predictions. Some of the topics our panel will cover include:

1. What are the top cybersecurity predictions for 2019?
2. How will CISOs’ priorities change in 2019? What will become new areas of focus, and what will decrease in priority?
3. How will CISOs’ investments change in 2019? What areas of cybersecurity do they see receiving more funding?
4. Actionable insights for how to improve your organization’s cybersecurity strategy in 2019

Webcast here: https://www.brighttalk.com/webinar/what-does-2019-have-in-store-for-cybersecurity-a-cisos-perspective/

Reflection after Twenty Two Years

This month marks the completion of my twenty-second professional year in the technology industry. From days of system/network/IT work, in the worlds of AS400, UNIX, Novell, Windows NT, and Domino; moving into software development in Notes, Java, web; and into the human facing roles of technical professional services / consulting / training. All that before I dove head first into Information Security 12 years ago & never looked back.

Now, entering year 23, I look back on a career that was never a predetermined path. A kid with little direction, poor grades, initially flunked out of college, introverted & self-conscious; really only good at delivering newspapers, playing the drums, and finding ways to edit/break software on Atari floppy disks. I am fortunate for where my career has taken me, & thankful to the people I’ve met along the way; many who have helped guide me in a path of positivity & prosperity, where several alternative paths would have been easier to take.

I have ideas where the future will take me, but I’ll have to continue on this ride to see where it goes from here.

Thanks to family, friends & colleagues along the way, who have either joined me on this ride, hopped on for a stop or two, or just pointed in a direction that looked interesting enough to explore.

Facing the Future: Rapid7’s 2019 Security Predictions

A bunch of industry friends and colleagues were asked to provide security predictions for 2019. Here’s what we each had to say:

Excerpt from Rapid7 Blog: https://blog.rapid7.com/2019/01/02/facing-the-future-rapid7s-2019-security-predictions/

Happy New Year! Whether you’re feeling rattled or relieved to leave 2018 in the rearview mirror, now is your moment to take one deep (and deserved!) breath before launching into 2019. Though the flip of your desk calendar might not exactly result in a discernible change in your day-to-day, the fact is that each new year brings with it shifting opportunities, challenges, trends, and areas of focus.

Fortunately, we at Rapid7 have adhered to one of our favorite seasonal traditions and rounded up some of the best minds in the security industry to predict what they expect to see in 2019. Rapid7’s CEO, Corey Thomas, predicts that people next year will become more aware of mobile spying and compromise, while other predictions revolve around policy changes, breach fatigue, automation, and the need for better security defenses, among other topics.

Shawn Valle, Chief Security Officer, Rapid7

Three things come to mind when I envision 2019. First, more breaches are at the top of my list. We have a long way to go before we reduce this statistic.

Second, I believe operational security teams will look to leverage automation wherever they can apply it to help monitor, notify, and respond to threats. Automation has existed in multiple forms for many years, but in recent years, many security-focused solutions have launched in the automation space. Automation can be brought into existing security engineering and security operations teams to reduce considerable minutia and administrivia in initial investigations and responses. As this newer capability starts to get better known, I predict more teams will start to dip their toes in the automation waters.

My third prediction is around the cloud security community working with their primary customers and stakeholders to be more transparent and working toward building and continually growing trust. We in cybersecurity (or infosec, as I still often say) are more and more protecting employee and customer data/assets in publicly facing environments (you have all heard of this internet thing, right?). As this data is more easily exposed than ever before and industry regulations are financially/legally requiring us to rapidly acknowledge data losses, the best approach is to transparently communicate with both internal and external stakeholders about what steps we take to protect their sensitive data and how we plan to work with our stakeholders in the event that data is exposed or lost. Providing stakeholders some visibility into how data is protected will lead to more conversations, which is a key piece of building trust. Let’s talk outside our teams a bit more.

How Angry Is That Bird?

Repost from: Veracode blog

Angry Birds

The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?

We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.

Our first analysis was to determine whether Angry Birds contained known malicious code, or malicious behaviors. Fortunately, it’s clean in both cases.

Next we analyzed Angry Birds’ behavioral characteristics against several pre-built application security policies. Policies can be created to look for specific code capabilities, Android permissions, location tracking, etc. Based on the items mentioned in the news stories, we focused on the personal information privacy policy (which, by the way, is also a good idea for healthcare companies; see Caitlin’s post, Food for Thought: Mobile Application Security & HIPAA).

Angry Birds received seven violations in the code capabilities section of the privacy policy.

CATEGORY | CODE ITEM | DESCRIPTION
--- | --- | ---
Sensitive Information | Unique Device Identification Information | Information like phone number, IMEI, etc.
Sensitive Information | Retrieve SIM Card Information | Contains code that may reveal the serial number of your SIM card as well as information about the provider network to which it is attached.
Sensitive Information | Retrieve Information About Device Type | Contains code capable of finding the device brand, model and/or version of the operating system.
Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on cellular network and/or GPS. This is also aware of when the location changes.
Sensitive Information | Retrieve Carrier Information | Contains code that may identify and retrieve information about your mobile service provider.
System Access | Monitor Device Statistics | Code is present that allows for the tracking of device information such as battery status, signal strength, network traffic and CPU performance.
System Access | Listen for Key Presses | Contains code to listen for key and touch events and take action via callbacks. While this is a normal API-enabled ability, it may be combined with other nefarious methods.

In regard to geo-location, Angry Birds received one code capability violation and one permission violation.

CATEGORY | CODE ITEM | DESCRIPTION
--- | --- | ---
Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on cellular network and/or GPS. This is also aware of when the location changes.
Permission | android.permission.ACCESS_COARSE_LOCATION | Declared in the application manifest.
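The policy evaluation described above has two kinds of input: the permissions an app declares in its manifest, and the framework APIs its code references (the "code capabilities"). The following is an added example, not Veracode's reputation service or any code from the original post, showing how such a privacy policy can be checked offline. The manifest, the API reference list, and the two policy tables are constructed samples; the policy mapping and the `evaluate_privacy_policy` function are hypothetical names chosen for this illustration.

```python
"""
Privacy-policy check over an Android app's declared permissions and the
framework APIs its code references.

Added example (not the reputation service described in the post). It produces
the two kinds of findings the post's tables report: "Permission" violations,
read from <uses-permission> entries in AndroidManifest.xml, and "Code"
capability violations, inferred from framework method references of the kind
a decompiler lists. All inputs and policy tables below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical policy: permission name -> (category, code item).
PERMISSION_POLICY = {
    "android.permission.ACCESS_COARSE_LOCATION": ("Sensitive Information", "Monitor Device Location"),
    "android.permission.ACCESS_FINE_LOCATION": ("Sensitive Information", "Monitor Device Location"),
    "android.permission.READ_PHONE_STATE": ("Sensitive Information", "Unique Device Identification Information"),
    "android.permission.READ_CONTACTS": ("Sensitive Information", "Access Contacts"),
}

# Hypothetical policy: framework method reference (no descriptor) -> (category, code item).
API_POLICY = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": ("Sensitive Information", "Unique Device Identification Information"),
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber": ("Sensitive Information", "Retrieve SIM Card Information"),
    "Landroid/telephony/TelephonyManager;->getNetworkOperatorName": ("Sensitive Information", "Retrieve Carrier Information"),
    "Landroid/location/LocationManager;->requestLocationUpdates": ("Sensitive Information", "Monitor Device Location"),
    "Landroid/os/BatteryManager;->getIntProperty": ("System Access", "Monitor Device Statistics"),
}

# Constructed sample manifest for a fictional game.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="Sample"/>
</manifest>
"""

# Constructed sample of method references, in the form a smali/dex dump uses.
SAMPLE_API_REFS = [
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String;JFLandroid/location/LocationListener;)V",
    "Ljava/net/HttpURLConnection;->connect()V",
]


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is unnamespaced; its android:name attribute is not.
    return [el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")]


def evaluate_privacy_policy(manifest_xml, api_refs):
    """Return sorted, de-duplicated violations as (kind, category, code item, evidence)."""
    violations = set()
    for perm in declared_permissions(manifest_xml):
        if perm in PERMISSION_POLICY:
            category, item = PERMISSION_POLICY[perm]
            violations.add(("Permission", category, item, perm))
    for ref in api_refs:
        # Drop the method descriptor so "...->getDeviceId()Ljava/lang/String;" matches the policy key.
        key = ref.split("(", 1)[0]
        if key in API_POLICY:
            category, item = API_POLICY[key]
            violations.add(("Code", category, item, key))
    return sorted(violations)


if __name__ == "__main__":
    for kind, category, item, evidence in evaluate_privacy_policy(SAMPLE_MANIFEST, SAMPLE_API_REFS):
        print("%-10s %-22s %-42s %s" % (kind, category, item, evidence))
```

The location finding shows up twice on purpose, once as a permission and once as a code capability, which is exactly the pairing the post reports for geo-location: the manifest tells you what the app is allowed to do, and the API references tell you what the code is built to do. An app that declares a permission without referencing any API that needs it, or the reverse, is worth a closer look during review.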

Angry Birds is currently the 18th most popular game for Android in the Google Play Store. All 100 top free games in the Google Play Store have code capabilities violations for privacy/personal information policy, many with a similar granularity of violations. Compared to other top 100 free games, Angry Birds is categorized as one of the least risky for malware and privacy.

The larger problem ties back to comments made by Chris Eng, Vice President of Veracode Research. Chris said that it’s more complicated than complaining to an app developer to stop requesting certain pieces of information from its users’ smartphones. “If I don’t want an app to know my location, the developer could say, ‘I’m planning these new features that rely on location information,’” he told ABC News. “That’s where you run into these sorts of issues with apps that leak these sorts of info.” Many apps “are communicating to servers without any encryption,” said Eng. “Apps that don’t encrypt everything in transit are open to eavesdropping.”

Source of quote: http://abcnews.go.com/


Cyber Training: Introduction to Android Forensics & Security Testing

Repost from: MITRE Cybersecurity

Mobile device security still tops the list of IT security concerns. In this post, we interview Shawn Valle about his 2-day training class, Introduction to Android Forensics & Security Testing.

[Editor]: What topics do you cover in your class?

[Shawn Valle]: The class covers exploitation of the Android operating system and applications, and a step-by-step process of gathering and analyzing data. By utilizing several open source and commercial products and data acquisition technologies, students learn and experience the role of a mobile forensics first responder, including documenting chain of custody and techniques for protecting critical data during the early stages of an investigation.

The course also covers the role of a lab forensics analyst, including minimizing evidence corruption during acquisition. Some of the highlights of the course include: learning techniques to bypass passcodes via brute force or using weaknesses in the OS; how to identify common directories/files where sensitive user data resides; and how to use reverse engineering applications. By the end of the course, students should walk away with the knowledge of how to execute a mobile forensics exercise or penetration test on an Android device or application.

[Ed.]: What kind of jobs is your training relevant for?

[SV]: This course helps security engineers, forensics analysts, and Android software engineers. It is meant to teach them the details behind breaking the security model on Android operating systems and Android applications, and give them a methodical approach to gathering and analyzing found data.

[Ed.]: Why do you think it’s important that people know the information you’re teaching?

[SV]: We’ve seen too many mobile software prototypes, or worse, production applications, with little to no security engineering. This course was initially built for software engineers to recognize the need for upfront security engineering and to understand the simplicity of attacking an insecure device and insecure applications to obtain valuable data. Alternatively, this course is a valuable source of techniques, tactics, and procedures for security engineers and digital forensic analysts looking for a crash course in Android security. The more we share this type of knowledge, the better we can protect our valuable devices, data, and applications.

[Ed.]: How would you characterize the security of the Android OS?

[SV]: There is no simple answer to this question. The Android OS is open-source, with Google as the primary contributor to the project. Smartphone and tablet manufacturers obtain the Android open-source code, customize it as they see fit, and negotiate, when necessary, additional changes to the OS with cellular service providers, then build those changes in the OS into their devices.

Historically, Google has made regular functionality and security updates to the open-source OS, although device manufacturers and cellular carriers have been reluctant to adopt the changes in existing devices. Because most smartphone users sign a two-year contract, they get locked into older versions of the OS. Like any other OS, vulnerabilities will be identified and exploited over time. Due to Android’s fragmented marketplace, more than 1/3 of Android users remain on a three-year-old version of the OS, which has more than a dozen actively exploited vulnerabilities. At least the newer versions of Android are implementing additional security controls, including full-disk encryption, address space layout randomization, and mandatory access controls. Device manufacturers and cellular carriers have also improved their record of pushing security patches to existing devices. However, this continues to be a challenge.

As far as application security, developers leverage most of the vast security capabilities of the Java programming language along with additional Android specific tools. All Android applications have an integrity challenge, due to the developer’s ability to self-sign certificates, which has led to application forgery and developer identity spoofing. Also, users have the ability to install applications to their device from any source, like Google Play or others. Google provides dynamic scanning of all apps in its app market and has removed dozens of apps from its market due to critical security flaws or malicious intent. However, third party stores have proven to be less thorough in scanning apps for security flaws.

[Ed.]: How does the security of the Android compare with other mobile operating systems?

[SV]: Each mobile OS has its own security model, application security, and distribution model. Apple’s iOS, for example, maintains complete control over its closed-source OS and hardware. Apple develops all features and security, plus develops its own hardware (iPhone, iPad, iPod). Apple bypasses cellular providers when deploying updates to devices. Apple currently states that 93% of iOS users are running the latest version of the OS. The tight control over distribution allows Apple to quickly react to vulnerabilities found in its OS. Apple is the only mobile OS developer who has successfully been able to retain control over OS distribution after the device has been manufactured. Microsoft Windows Phone and BlackBerry, although distributed in differing ways, have similar OS distribution challenges to those found in the Android OS.

[Ed.]: How does this course topic relate to your work at MITRE?

[SV]: I developed this class after gaining more than a year’s worth of experience providing mobile forensics and mobile application security testing across multiple platforms. My forensics and testing work was conducted in an effort to identify software assurance weaknesses in mobile applications and provide mitigation recommendations to software engineers. Although not the primary focus of my work, a deep understanding of mobile forensics and mobile application penetration testing comes in very handy when I work on mobile security research projects and enterprise mobile security engineering challenges.

[Ed.]: What kind of reaction have you had to your course?

[SV]: I attended three other Android courses and other-security related courses to recognize which topics were not covered elsewhere and to determine how this course could bring additional value. Feedback has been positive from participants, who have stated that this course answered many questions regarding mobile security that other courses did not address.

[Ed.]: So, what’s next?

[SV]: Several courses are in the early stages of exploration and development, including working titles of “Developing Secure Android Applications” and “iOS Forensics.” At some point, I plan to get these courses developed, and perhaps a general “mobile hacking” course too for penetration testers working across the mobile spectrum.

[Ed.]: Thank you, Shawn. We’ll look forward to those courses and making a dent in the top ten IT security concerns.

[Ed.]: After this blog post was finalized, Shawn joined Veracode, where he leads their product management team for mobile products. We at MITRE wish him the best in his new endeavor.

hReader iOS Mobile Application Security Audit

hReader - The secure mobile health platform for all of your data.

Here’s a report from the first publicly released security audit of an iPad app using the iMAS developed open-source security libraries. This report shows that securing an iOS app isn’t too difficult, can greatly improve security without affecting usability, and tools are now freely available (at Project iMAS).

iMAS - Defense for your iOS App

iMAS has partnered with hReader to bolster the Apple provided security model. The developers added iMAS security controls to the application resulting in an experience that proved to be a great test-bed and partnership. hReader is a patient-centric mobile health data manager that securely provides patients and their families with their complete health information. To learn more about the application, go to hReader.org or check out their source code.

The hReader Security Audit technical report is now available. The report describes a security audit conducted on hReader in the summer of 2012 and details the resulting, measured increase in security compliance along with the labor costs. Based on this, the iMAS community can add measured security to their applications in a cost-effective manner. To read more about this, please read the full report here.

iMAS – iOS Mobile Application Security

Now Available!

iMAS – iOS Mobile Application Security

January 2013

iMAS is a secure iOS application framework research project focused on reducing iOS application vulnerabilities and information loss.

Now Available – iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!

http://project-imas.github.io/

Details:

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the system passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques. With iMAS, a developer can leverage our research to considerably raise their iOS applications’ security level in a measured way.
Principal Investigator: Gregg Ganley
Security Research: Shawn Valle