Executing an Effective Security Program

In today’s global Internet connected and reliant IT environment, the issue of corporate networks becoming compromised is a fact. Defense in depth is still and important design pattern, but organizations with even relatively mature capabilities are relying on detection since prevention is simply not enough anymore. Whereas several years ago we used to speak about prevention of externally facing application attacks through coding flaws that lead to SQL Injection and buffer overflow attacks, now successful attackers have moved onto the weakest link: users. Compromise of user credentials now comprises 96% of the successful attacks on organizations. Why go through the brute force and difficult path of application compromised when the attackers can simply conduct a successful spear phishing attack on individuals in the organization?

This is where advanced detection comes in. User and Entity Behavior Analysis leads to high quality alerts regarding anomalous behavior that is exhibited by accounts where the user has been successfully compromised. Same detection capability exists for detecting users that are exceeding their authority, typically classed as Insider Threat – as well the machine learning can also detect systems (entities) that are behaving in a way that is antithetical to it’s normal behavior. Think of Point of Sale or healthcare Internet of Things devices that have been compromised and there aren’t specific user identities that can be used to profile normal behavior.

Of all these technologies that can be deployed, the foundation must be a sound information security program that puts policies, standards, guidelines and procedures in place that authorizes and supports the controls. The Security, Cyber, and IA Professionals (SCIAP.org) group have pulled together a concise document that outlines how to build an Effective Security Program.

BlockSync Project

Welcome to the BlockSync Project

This project aims to provide an efficient way to provide mutual protection from deemed bad actors that attack Internet facing servers. The result will be an open source set of communication tools that use established protocols for high speed and light weight transmission of attacker information to a variable number of targets (unicasting to a possibly large number of hosts).

Background

There are many open source firewall technologies in widespread use, most based on either packet filter (pf) or netfilter (iptables). There is much technology that provides network clustering (for example, OpenBSD’s CARP and pfsync; netfilter; corosync and pacemaker), however it’s difficult for disparate (loosely coupled) servers to communicate the identity of attackers in real time to a trusted community of (tightly coupled) peers. Servers or firewalls that use state-table replication techniques, such as pfsync or netfilter, have a (near) real-time view of pass/block decisions other members have made. There needs to be a mechanism for loosely coupled servers to share block decisions in a similar fashion.

Our goal is to create an open source tool for those of us that have multiple Internet facing servers to crowd source information that will block attackers via the firewall technology of choice (OpenBSD/FreeBSD pf/pfSense, iptables, others).

Project Page

All project files are still private yet, but when we publish to GitHub or SourceForge, this section will be updated.

Funding

We have published a GoFundMe page to acquire more lab equipment here at gofundme.com/BlockSync

Trade offs of the terrible syslog protocol

syslog is a very old message transmission protocol that transmits system messages across a network. The first versions of this protocol were drafted into RFC 5426. Some assumed updating the transmission to use TCP would make things better, and the IETF released RFC 6587 describing syslog over TCP. The problem is, that is inherently unreliable as well, since the application (syslog) has no mechanism to ensure that all messages transmitted were actually received, regardless of the network level transport protocol used to convey the messages.

Rainer Gerhards wrote a blog post on the unreliability of using plain TCP to transmit syslog event data.

An attempt to create a reliable syslog protocol is described in RFC 3195, the problem is that very few vendors have adopted that standard (BEEP).

There is a movement to find a more reliable system message delivery mechanism, as described in this Wikipedia post, however the problem is not only one of a technically feasible mechanism – one that relies on the application itself to validate and guarantee message integrity and completeness – but also on wide spread adoption by the 10’s or 100’s of millions of devices that send their system logs via syslog UDP.

That will take decades, so best is to use mechanisms that can collect the event messages in native syslog UDP format as close to the generating source as possible then use an application oriented framework to convey those messages to their destination. HP ArcSight SmartConnectors are a good way to accomplish this, with their application level event queuing on input, persistent caching output, compression, encryption, bandwidth throttling, filtering, aggregation and event QoS policies.

IT Security Topics

Malware Investigation Tools and Notes

Investigating possible malware involves both detection and identification phases. Here are some notes regarding the tools I commonly use for these two phases .. note this is intended to be a living document so may change as I learn of new resources or as older resources become stale or no longer very useful.

WARNING: Links shown below may lead to sites with active malware. Do not navigate to any site or link unless you know what you are doing.

Detection

Tools like HP TippingPoint IPS do a good job of detecting vulnerabilities (versus exploits) and also use vulnerability research and lighthouse sensors across the world to confirm infected systems (by IP) and sites (by domain).

Research

Both Google and Scumware have good domain and URL status reporting data.  URL shortening services are notorious for masking domains that have become infected, although there may be a large percentage of legitimate sites to which they refer. An example is the WordPress site wp.me:

http://www.google.com/safebrowsing/diagnostic?site=wp.me

http://www.scumware.org/report/wp.me

 Broad industry trends and general knowledge of attacks, outbreaks and other relevant news can be found on various blog sites:

hp.com/go/hpsrblog

 

Securing Apache web servers

Great article by Pete Freitag on Securing Apache Web Servers
(20 ways to Secure your Apache Configuration)

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

First, make sure you’ve installed latest security patches

There is no sense in putting locks on the windows, if your door is wide open. As such, if you’re not patched up there isn’t really much point in continuing any longer on this list.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).

Continue reading

90 Day Plan for New IT Security Managers

You’ve just taken over as an information security director, manager, or architect at an organization. Either this is a new organization that has never had this role before or your predecessor has moved on for some reason. Now what? The following outlines steps that have been shown to be effective (also based on what’s been ineffective) getting traction and generating results within the first three months. Once some small successes are under your belt, you can grow the momentum to help the business grow faster or reduce the risk to their success (or both).

Now what do we do?

Apply a tried and true multi phase approach .. assess current state, determine desired target state, perform a gap analysis, implement improvements based on priority. Basically we need to establish current state, determine what future state should be, and use the gap analysis as the deliverables of the IT security program. There may be many trade-offs that are made due to limiters like political challenges, funding constraints and difficulty in changing corporate culture. The plan you build with the business gives you the ammunition needed to persuade all your stakeholders of the value in the changes you’ll be proposing.

1. Understand the Current Environment

For a manager or enterprise architect to determine where to start, a current state must be known. This is basically an inventory of what IT security controls, people and processes are in place. This inventory is used to determine what immediately known risks and gaps from relevant security control frameworks exist. The known risks and gaps gives us a starting point to understand where impacts on the business may originate from.

Take the opportunity to socialize foundational security concepts with your new business owners and solicit their input. What are the security related concerns they have? If there has been any articulation of Strengths, Weaknesses, Opportunities, and Threats (SWOT), obtaining that review can also give you an idea of weaknesses or threats that are indicative of missing controls. In the discussions with your new constituents, talk to the infrastructure managers and ask them what security related concerns keep them awake at night – there is likely some awareness but they don’t know how to move forward. Keep in mind most organizations will want a pragmatic approach versus an ivory tower perfect target state.

Some simple questions can quickly give you a picture of the state of security controls. For example, in organizations I’ve worked with, the network administrators could not provide me a complete “layer three” diagram – a diagram that shows all the network segments and how they hang together. It wasn’t that they didn’t want to, the diagrams simply didn’t exist. With over 1,500 network nodes over two data centers and two office complexes, the network group had the topology and configuration “in their heads”. Obvious weaknesses and threats include prevention of succession planning or disaster recovery, poor security transparency, and making nearly any change to the environment higher risk than necessary.

Continue reading

Resetting user passwords in Mac OS X Leopard without Administrator

For those odd times where you need to reset the password for a user on a Mac (OS X 10.5 Leopard) and you don’t have access to the / an administrator account, this is a procedure that will work if you have physical access to the system and can reboot it. No boot DVD is needed if you can boot the system off the internal hard disk.

We boot into single user mode off the internal hard disk, then reset the target user password.

  1. Boot into single user mode (press Command-S at power on)
  2. Check the root filesystem first
    fsck -fy
  3. Mount up the root filesystem
    mount -uw /
  4. Load system directory services
    launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
  5. Edit user information
    dscl . -passwd /Users/username password (replace username with the targeted user and password with the new password)
  6. Reboot then sign in with the new password.
    reboot

Phishing attacks getting better .. iTunes Receipts

So I get a call this morning from a family member who is freaking out over a six hundred dollar iTunes invoice. Fortunately I knew this person didn't have an iTunes account (they use mine), so I knew right away it was a fraud. On inspecting the invoice, there were so few errors it's chilling. If this had of been an invoice from the (Acme Widget Company) that I do have an account with .. it's possible it may have worked. 

This is particularly evil, since it's associated with the Zeus trojan that steals banking credentials

The quality of phishing emails have dramatically improved as the quality assurance by malware miscreants improves. 

iTunes phish

On closer inspection, there were three very subtle errors made on this iTunes phishing attack:

  1. No street address was shown.  iTunes receipts always have your street address listed and spamming dirt bags don't have that (we hope).
  2. Receipts (that I've paid attention to) come with an American style date format .. month / day / year.  Canadian or European formats are typically day / month / year or year / month / day.  This one is  day / month / year.
  3. Modern corporate invoicing systems don't include leading zeros. Also the quantity and dollar amounts don't add up.

Every web hyper-link in this invoice except for the Apple Store Support and the Apple Legal links point to a non-Apple site.  All the links in iTunes invoices point to Apple.  In this case, the infected domain was  medicineni.com . This is particularly evil, since it's associated with the Zeus trojan that steals banking credentials. Bogus LinkedIn invites have also been confirmed to be coming from the Zeus botnet.

We still need to stay awake to the attacks by these malware miscreants, because they are getting better by the month.

Security tools

This is a (non-comprehensive) list of the various security tools I have used. I started this list to keep track of tools that I've tried out and the level of satisfaction with them. Obviously there are hundreds of tools that any IT security professional uses throughout their career, so I'm just starting to put down the most recent, interesting or particularly effective. As I have time, I'll update and add comments/reviews/examples as well as break this into categories as the list grows.

Assessment / Attack Tools

Web Application Attack and Audit Framework (w3af)  w3af.sourceforge.net

IBM Rational AppScan  www-01.ibm.com/software/awdtools/appscan

Samurai Web Testing Framework samurai.inguardians.com

Visualization Tools

SecViz Security Visualization (davix) www.secviz.org/node/89

Password Tools

L0phtcrack  www.l0phtcrack.com

Forensics

V3RITY Oracle Database Forensics (www.v3rity.com/v3rity.php)  – "V3RITY is a tool that can be used in an Oracle forensics investigation of a suspected breach. It is the first of its kind and is currently in the beta stages of development."