[SecurityRatty] tag: central

Fake Porn Sites Serving Malware - Part Three

Tue, 26 Aug 2008 05:02:26 +0000

Continue the Fake Porn Sites Serving Malware and Fake Porn Sites Serving Malware - Part Two series, in part three we'll take a peek at the emerging trend of parking a single domain at up to three different hosting locations, re-establishing connections between malicious ISPs for yet another time in between exposing the domains and the download locations sharing the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2 then to watchnenjoy.com/index.php?id=1314&style=black, and finally to the front end to the codec's download location handmadeclips .com, where the codec is downloaded from fwlprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today, is tomorrow's blackhat SEO content farm :

downlfreesexgirlbeach .com - (88.214.198.25)
vids365 .com
downlfreesexgirlbeach .com
top.only-bi .com
wikiei .com
paysuperporn .com
aboutsexporn .com
freactor .com
cheapofficialpills .com
finance-leaders.comnudenakedboys .com
photosgayboys .com
uniqueincest.com
shyincest .com
banrnd.central-xxx .com
tvisklick .info
thebg .net
termion .net
xoxvids .net
bestpricepills .net
bcodecnow .net

infodist1 .com - (88.214.204.40)
farmasearch2008 .com
flaxxvid .com
xanax777pills .com
18virgingirls .com
girlnudegallaryvideox .com
allxxxpornogerlsx .com
jproshin .info
familytaboo .info
fullsitehost .info
20searchonlinesite .net
add-your-video .net
blogs4y .net

adult-shemale .com - (88.214.198.25)
adult-tranny .com
all-shemale .com
bcodecnow .net
best-tranny .com
bestguyportal .com
bestmoviez .com
central-xxx .com
downlfreesexgirlbeach .com
gallery-boy .com
hiosexywomensxxxgirlsx .com
lady-dick .com
bcodecnow .net
mytoppharmacy .com
nakednudeboys .com
nakednudemen .com
nudenakedboys .com
only-bi .com
only-shemale .com
page-reviews .com
paulaslosingit .com
photosgayboys .com
stud-boys .com
the0download .com
wikiei .com
moviez .com
hiosexywomensxxxgirlsx .com
sexygirlsisuniformh0t .com
the0download .com

flwprocedure .com - (77.91.231.201)
movupdate .com
flwupdate .com
formatmpeg .com
movieexternal .com
flwtool .com
aviexecution .com
releasedvideo .com
wmvcompressor .com
movieopens .com
mpegapparatus .com
flwassistant .com
flwinstrument .com
piterserv .com
wovview .com

Some info on a sample codec :
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's owned InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244) previously known as Andrei Kislizin's owned InHoster, you know you're on the right track.

Thousands of Personal Records Being Lost Each Month

Sun, 24 Aug 2008 11:10:19 +0000

More than 160 "significant" incidents of confidential data being misplaced by councils, central government and businesses have been reported to the Information Commissioner's Office (ICO) since last...

It is, too, cyberwarfare... no it isn't... yes it is...

Tue, 19 Aug 2008 03:36:59 +0000

Cyberwarfare. Does it exist or is it a fabrication by doomsayers, conspiracy hounds, and alarmists? And how do we define it? Does a central government have to be directly involved, or is it enough for a countryâs leaders to bolster radical nationalism while ignoring unethical or illegal activities benefiting a governmentâs efforts? These are questions driven by the changing nature of aggression.

MBTA Hack - Is it really this easy?

Fri, 15 Aug 2008 09:19:29 +0000

A lot of the focus of the MBTA vs MIT case has been discussion of the CharlieCards. These are MiFare classic cards which have been known to be broken earlier this year. There is also a paper disposable card called the CharlieTicket that uses a magnetic stripe. The MIT students presentation states that these are cloneable and forgeable using a $150 magnetic stripe reader/writer.

From the Confidential Memo Prepared for the MBTA which was publicly disclosed by the MBTA is court filing:

This seems to break all the rules of integrity of sensitive data storage. How could someone store money on a magnetic stripe in 2008 and not store an identifier that references the account in a central database?

The tickets do have a unique identifier generated when the card is initially purchased so a fraud detection system could be in place or is planned. But this would require tracking the value on the ticket or the usage of the ticket centrally so it isn’t clear why the value is stored on the card in the first place.

There are so many question about the security of this public system. Fraud costs the Massachusetts taxpayer money and refitting an insecure, ill-designed system costs the Massachusetts taxpayer money. [Disclosure: I am a Massachusetts taxpayer.]

It should be a requirement that the current system or the (hopefully) upgraded system be tested by an independent organization that specializes in cryptosystems. If the independent testing uncovers vulnerabilities, they need to be fixed before the system is fielded. Then the system should be retested to verify the fixes. Once the system is deemed secure by an independent organization, a summary of the test document should be published for public inspection. It should include the types of testing conducted and the results.

The public trust requires inspection of taxpayer funded projects to make sure they meet acceptible standards and vendors held responsible for deficiencies. Projects that use computers and software should not get a free pass. It will be interesting to see if the CharlieTicket system is ever held up to public scrutiny.

MBTA Hack: Is It Really This Easy?

Fri, 15 Aug 2008 09:19:29 +0000

From the Confidential Memo Prepared for the MBTA which was publicly disclosed by the MBTA is court filing:

Wee-Fi: Meraki Modifies, Drops Standard; Tempe's Phoenix?; Remote Wake, Wi-Fi Need Not Apply

Thu, 14 Aug 2008 06:32:51 +0000

Meraki reworks product line, drops new sales of community flavor: The cheap mesh router company has mutated slightly once again. The partly-Google-backed firm founded by MIT RoofNet "graduates" built the company on the notion that they could sell $50 routers that could mesh with each other, and use a robust central management system they developed. Over time, the $50 price didn't hold up for commercial networks of scale. Last October, the company mishandled a change in its business model when they abruptly announced a $100 increase in price for newly purchased nodes under their Meraki Pro level for any network that wanted to control whether or not ads appeared, have user accounts, and charge for service. (They eventually recovered, apologized, and reworked some of the transition details.) The company continued to offer a $50 indoor and $100 outdoor Standard level nodes for networks that required ads and had other limits. As of a few days ago, Standard is dead, and the Meraki mini has been upgraded to the Meraki Indoor ($150). The Indoor has signal strength LEDs on the side for better help in placing units, an internal antenna, and better resilience against power fluctuations. The company explains its move in eliminating Standard by noting that most customers moved to Pro. It's not precisely the end of idealism (nor did that happen last October), as Meraki is still one of the major commercial mesh vendors, and their products are still vastly easier and a fraction of the cost of higher-end competitors.

New life for dead Tempe network? Another firm has expressed interest in buying the pennies on the dollar assets that remain of the former Kite Networks installation in Tempe from the firm that financed the venture as long as they can negotiate a new, more favorable deal with the city for mounting and removal rights. CTC, Inc., which the East Valley Tribune reports runs networks in the Kansas City, Mo., area, thinks there's an opportunity. The article notes that reception problems were due in part to the prevalence of stucco in Tempe, common in the southwest. Stucco walls layer plaster or other materials on a wire mesh for strength that turns a house into a bit of an accidental Faraday cage, partially shielding the home from electromagnetic radiation. (Could I go so far to say that Tempe's network could be a phoenix? Ouch.)

Wake up, you darn computer: Intel's new Remote Wake motherboards won't work with Wi-Fi, it's important to note. The feature, announced today, will let an incoming VoIP call (the articles all say "phone call over the Internet") to wake a computer, as long as the call comes from a particular source. Of course, the standard SIP protocol for VoIP doesn't have the kind of security and integrity that would allow this; Intel has to overcome the problem with network address translation that renders most computer unreachable from outside the local network without a separate service like GoToMyPC or LogMeIn; and it will only work for computers connected via Ethernet to a local network, because Wi-Fi is off when a computer sleeps, while Ethernet can remain lightly active. I don't have the protocol details yet, but there's long been a Wake on LAN protocol that required support in a router, operating system, and Ethernet card; Intel may be leveraging this.

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Wee-Fi: TJX Data Theft Arrests; Junxion Sold

Tue, 05 Aug 2008 12:10:41 +0000

Eleven people connected with largest data theft operation arrested: The US Justice Department said this will be the largest prosecution, paired with the largest theft, after arresting 11 people alleged to be behind the theft of over 40m credit card numbers from TJX and others, including Barnes & Nbole, OfficeMax, and other firms. The Wi-Fi angle is that the government charges the break-ins involved some of those charged driving to stores with laptops and entering via improperly secured Wi-Fi to compromise poorly designed back-end systems. (Okay, I'm saying "improperly secured" and "poorly designed," since that's self-evident, and was thoroughly documented in the case of TJ Maxx's parent TJX.) Total cost of this break in is in the billions, although it's clear that the companies whose systems were penetrated are culpable in their lack of data security. It's also clear that unless every card were canceled and reissued, this is the theft that keeps on taking. It's likely the reason why my card number (but not card) was stolen back in 2005, and misused.

Sierra Wireless buys Junxion: Sierra is one of the leading makers of mobile broadband adapters, like ExpressCards and USB modems; Junxion is the leading business-focused mobile broadband bridge maker. Junxion has plenty of competitors on the low end, where products are being sold to small business or individuals, but I'm not aware of another firm whose products have the feature list for centralized IT management and deployment. They bundle the cost of this central management into the products, which can accept any kind of PC Card. Well, perhaps not any kind in the future, though Sierra Wireless is likely to have little interest in making Junxion's box less compatible with rivals. But they'll certainly be a lot of good synergy in developing new hardware for the same market that's cheaper or has a different set of features. How about four adapters in one box that can bond connections together for specialized markets, like railroad Wi-Fi?

HP's NAC- What I've Been Wanting to Tell You (but couldn't)

Tue, 22 Jul 2008 18:29:11 +0000

Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).

User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.

Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.

Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)

Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

Assessing the Security Benefits of Cloud Computing

Mon, 21 Jul 2008 03:00:15 +0000

With all this talk and reporting about security concerns, lets change the channel for a moment and assess the potential security benefits of Cloud Computing.

In my view, there are some strong technical security arguments in favour of Cloud Computing - assuming we can find ways to manage the risks.

With this new paradigm come challenges and opportunities. The challenges are getting plenty of attention - I’m regularly afforded the opportunity to comment on them, plus obviously I cover them on this blog. However, lets not lose sight of the potential upside.

In this post, I walk through seven technical security benefits. Some are immediate, others may arise over time and have conditions attached (some unstated for the sake of brevity). However, I’m including the longer-range benefits now to raise awareness. Some of the outcomes listed are available today without the Cloud, but they are either complex and slow to implement (and thus less likely to happen) or prohibitive for capital cost reasons. I don’t claim this is a definitive list - it reflects where my thinking is today.

Some benefits depend on the Cloud service used and therefore do not apply across the board. For example; I see no solid forensic benefits with SaaS. Also, for space reasons, I’m purposely not including the ‘flip side’ to these benefits, however if you read this blog regularly you should recognise some.

On a sidenote, I believe the Cloud offers Small and Medium Businesses major potential security benefits. Frequently SMBs struggle with limited or non-existent in-house INFOSEC resources and budgets. The caveat is that the Cloud market is still very new - security offerings are somewhat foggy - making selection tricky. Clearly, not all Cloud providers will offer the same security.

Seven Technical Security Benefits of the Cloud

1. Centralised Data

Reduced Data Leakage: this is the benefit I hear most from Cloud providers - and in my view they are right. How many laptops do we need to lose before we get this? How many backup tapes? The data “landmines” of today could be greatly reduced by the Cloud as thin client technology becomes prevalent. Small, temporary caches on handheld devices or Netbook computers pose less risk than transporting data buckets in the form of laptops. Ask the CISO of any large company if all laptops have company ‘mandated’ controls consistently applied; e.g. full disk encryption. You’ll see the answer by looking at the whites of their eyes. Despite best efforts around asset management and endpoint security we continue to see embarrassing and disturbing misses. And what about SMBs? How many use encryption for sensitive data, or even have a data classification policy in place?
Monitoring benefits: central storage is easier to control and monitor. The flipside is the nightmare scenario of comprehensive data theft. However, I would rather spend my time as a security professional figuring out smart ways to protect and monitor access to data stored in one place (with the benefit of situational advantage) than trying to figure out all the places where the company data resides across a myriad of thick clients! You can get the benefits of Thin Clients today but Cloud Storage provides a way to centralise the data faster and potentially cheaper. The logistical challenge today is getting Terabytes of data to the Cloud in the first place.

2. Incident Response / Forensics

Forensic readiness: with Infrastructure as a Service (IaaS) providers, I can build a dedicated forensic server in the same Cloud as my company and place it offline, ready for use when needed. I would only need pay for storage until an incident happens and I need to bring it online. I don’t need to call someone to bring it online or install some kind of remote boot software - I just click a button in the Cloud Providers web interface. If I have multiple incident responders, I can give them a copy of the VM so we can distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. To fully realise this benefit, commercial forensic software vendors would need to move away from archaic, physical dongle based licensing schemes to a network licensing model.
Decrease evidence acquisition time: if a server in the Cloud gets compromised (i.e. broken into), I can now clone that server at the click of a mouse and make the cloned disks instantly available to my Cloud Forensics server. I didn’t need to “find” storage or have it “ready, waiting and unused” - its just there.
Eliminate or reduce service downtime: Note that in the above scenario I didn’t have to go tell the COO that the system needs to be taken offline for hours whilst I dig around in the RAID Array hoping that my physical acqusition toolkit is compatible (and that the version of RAID firmware isn’t supported by my forensic software). Abstracting the hardware removes a barrier to even doing forensics in some situations.
Decrease evidence transfer time: In the same Cloud, bit fot bit copies are super fast - made faster by that replicated, distributed filesystem my Cloud provider engineered for me. From a network traffic perspective, it may even be free to make the copy in the same Cloud. Without the Cloud, I would have to a lot of time consuming and expensive provisioning of physical devices. I only pay for the storage as long as I need the evidence.
Eliminate forensic image verification time: Some Cloud Storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 hash automagically when you store an object. In theory you no longer need to generate time-consuming MD5 checksums using external tools - its already there.
Decrease time to access protected documents: Immense CPU power opens some doors. Did the suspect password protect a document that is relevant to the investigation? You can now test a wider range of candidate passwords in less time to speed investigations.

3. Password assurance testing (aka cracking)

Decrease password cracking time: if your organisation regularly tests password strength by running password crackers you can use Cloud Compute to decrease crack time and you only pay for what you use. Ironically, your cracking costs go up as people choose better passwords ;-).
Keep cracking activities to dedicated machines: if today you use a distributed password cracker to spread the load across non-production machines, you can now put those agents in dedicated Compute instances - and thus stop mixing sensitive credentials with other workloads.

4. Logging

“Unlimited”, pay per drink storage: logging is often an afterthought, consequently insufficient disk space is allocated and logging is either non-existant or minimal. Cloud Storage changes all this - no more ‘guessing’ how much storage you need for standard logs.
Improve log indexing and search: with your logs in the Cloud you can leverage Cloud Compute to index those logs in real-time and get the benefit of instant search results. What is different here? The Compute instances can be plumbed in and scale as needed based on the logging load - meaning a true real-time view.
Getting compliant with Extended logging: most modern operating systems offer extended logging in the form of a C2 audit trail. This is rarely enabled for fear of performance degradation and log size. Now you can ‘opt-in’ easily - if you are willing to pay for the enhanced logging, you can do so. Granular logging makes compliance and investigations easier.

5. Improve the state of security software (performance)

Drive vendors to create more efficient security software: Billable CPU cycles get noticed. More attention will be paid to inefficient processes; e.g. poorly tuned security agents. Process accounting will make a comeback as customers target ‘expensive’ processes. Security vendors that understand how to squeeze the most performance from their software will win.

6. Secure builds

Pre-hardened, change control builds: this is primarily a benefit of virtualization based Cloud Computing. Now you get a chance to start ’secure’ (by your own definition) - you create your Gold Image VM and clone away. There are ways to do this today with bare-metal OS installs but frequently these require additional 3rd party tools, are time consuming to clone or add yet another agent to each endpoint.
Reduce exposure through patching offline: Gold images can be kept up securely kept up to date. Offline VMs can be conveniently patched “off” the network.
Easier to test impact of security changes: this is a big one. Spin up a copy of your production environment, implement a security change and test the impact at low cost, with minimal startup time. This is a big deal and removes a major barrier to ‘doing’ security in production environments.

7. Security Testing

Reduce cost of testing security: a SaaS provider only passes on a portion of their security testing costs. By sharing the same application as a service, you don’t foot the expensive security code review and/or penetration test. Even with Platform as a Service (PaaS) where your developers get to write code, there are potential cost economies of scale (particularly around use of code scanning tools that sweep source code for security weaknesses).

Your Thoughts?

What benefits do you see that I haven’t included in the above list? Where do you agree/disagree and importantly, why?