Risk management is a fundamental requirement for all major information security frameworks, but there is little practical guidance for implementing a risk management program at small or young organizations. Existing risk management practices require varying levels of staff, expertise, tooling, and time — all expensive — as well as a mature concept of risk, when none of these necessities may be available. Consequently, there is an industry-wide need for a “minimum viable program” that allows organizations to manage risk despite lacking the prerequisites for more full-featured risk management programs. This white paper outlines such a program.

Quantifying the Cost of Cloud Security

We are pleased to announce our new whitepaper: "Quantifying the Cost of Cloud Security." For this whitepaper, the fourth born of Leviathan's collaboration with Google to study the security impacts of forced localization laws, we chose to focus on the direct costs to companies of forced localization laws--the actual economic disadvantage inflicted by a country on its businesses when it chooses to require that all data be stored within its borders. As we discussed in our three previous whitepapers on this topic (listed below), the harms of forced localization to data confidentiality, integrity, and availability can be devastating, and this can have significant added economic impact--but we wanted to know how much it costs, on day 1, to cut one's country off from the cloud.

One of our outputs from this research is a visualization that we believe will help to crystallize the issues in play. We've taken all the pricing data from the seven public IaaS providers, along with all the locations of their datacenters, and put them onto a map; anyone can simply select the quantity and type of computer they'd like to use, then see where that type is available--and click on a country to find the pricing, the providers that offer it, and the extra cost of using only providers in that country.

We hope you enjoy, and we look forward to contributing to the public debate on this topic in the future.

For more on our work on cloud security policy, please see http://www.valueofcloudsecurity.com.

Value of Cloud Security

We are pleased to announce the release of our three whitepapers on the value of cloud computing as it relates to security issues around data storage, in the areas of data availability, scarcity of expert security talent, and the infrastructure and hardware investment to set up new data storage solutions.

We spent several months exploring the value proposition of storing data in the cloud from a security perspective. We wanted to know whether cloud storage is more or less secure than storing data in a local datacenter, for all the different definitions of secure. We wanted to know whether data can be kept confidential, whether data remains available despite localized outages, whether the supply chains that make maintenance of local data centers possible can be preserved (and at what cost), and whether companies are able to hire sufficient security expertise to defend their investments in storage.

The three whitepapers are as follows:

More information is available at http://www.valueofcloudsecurity.com.

We would also like to thank the entire project team for this research:

Extending the ELF Core Format for Forensics Snapshots

Malware authors apply advanced techniques to execute and hide malicious activity on victim Linux systems. ELF runtime infections are among those techniques; they mutate the memory of a victim process to then modify its workings while maintaining stealth against disk-based forensics.

Previously, analysts had to rely on a clunky methodology to investigate ELF runtime infections; they had to manually locate information and reconstruct the part of the process they wanted to inspect. In this paper I describe my Extended Core File Snapshot (ECFS) format which accurately captures all relevant, in-memory forensic information necessary for an analyst to diagnose common ELF injection attacks.

TLS and SSL Man-In-The-Middle Vulnerability

The recent disclosure of a flaw in the TLS protocol specification and the majority of its implementations has spawned wide-ranging debate on the seriousness of the vulnerability. Experts weighing in on all sides have deemed this flaw either earthshaking or inconsequential, posing either little risk to enterprises or a potentially devastating one. This report presents the current state of our research as well as our understanding of the risks posed by the TLS Renegotiation Flaw, its ramifications for enterprise users, and steps that can be taken to mitigate its risk during the current window of vulnerability.