What's your top three concerns?

I was asked to name my top three infosec concerns the other day. What
I came up with was:

- Client side security
Its a battle to keep all of the 3rd party apps (think winzip, adobe,
vlc, microsoft word, etc etc.) patched for known reported
vulnerabilities, let alone the worries of 0day vulnerabilities. Most
enterprises have a 6 monthly patch routine hence there is often many
vulns in software that is in common use. Hence you can't ban the
types of attachments and downloads that contain the malware like you
could in the days of .exe and .vbs email attachment driven malware.

- Asset Management
Its a battle in a large enterprise to identify what critical business
processes you have let alone what devices you have on your network or
what apps you have and which ones of these are
internet/customer/business partner facing. The security team can't
secure what they don't know about. Port scans may help identify what
systems there are out there (to some extent, large network ranges are
hard to scan safely), but what apps are on these systems? Its a sad
state of affairs when your firewall configuration is the only source
of information about what internet facing apps you have. What about
web apps your marketing department has contracted to have hosted by
web development companies? What about business partner routers
connected directly to your internal network?

- Decreasing effectiveness of controls
Firewalls are less effective as everything can be tunnelled through
your outbound web proxy server over HTTP
Antivirus is less effective as criminals are writing custom remote
access trojans and testing them with the software (these are
professionals not pranksters).
IDS and IPS are less effective due to encryption, obfuscation of
shellcode available in all exploit development frameworks.
Web and email content management is less effective due to fast flux
hosting of malware and due to malware being sent in attachment MIME
types who you need to accept (i.e. .zip, .pdf, .doc, .xls) or which is
encrypted (i.e. Winzip file with password)

--
Sent from my mobile device

Staying cheerful despite Barriers to Information Security

Sometimes it's hard to be positive when you work in information security. I have noticed a number of my colleagues get very despondent that they are unable to change the status quo at their respective organisations.

I'm an eternal optimist, and I think it's the job of information security professionals to be constantly active in attempting to improve the state of information security. You've got to keep a ducking and a diving with the grace of Muhammad Ali, taking the opportunity for a tactical win when the rare opportunity exposes itself.

Some maxims that are useful to keep in mind:

1. Success is defined as having the information security program aligned with the business's desired residual risk level. Some notes to consider below:

• management must make the informed decision to run "cheap, lean and risky" not be blindsided by security incidents
• security done well can be a competitive advantage to a business by reducing the costs of doing business when compared to their competitors (i.e. reduction in losses and security cap-ex and op-ex with no increase in risk)
  

2. Funnel the kick-back from a security incident into a productive pre-planned effort. " Oh sir, we've responded well to the incident, however this could have been prevented by the use of a DLP program which we had on the budget request last year".

3. Most intrusions (according to the 2009 Verizon Data Breach Investigations Report) are due to year old vulnerabilities so don't focus on obscure stuff and forget the basics like secure configuration/deploying security patches/ squishing SQL injection vulnerabilities.

Some common challenges encountered and tactics to consider:

• when "bottom up" vulnerability management efforts stall due to business application owners not approving costs/outages for secure configuration/patching/remediation of application security issues try "top down" approaches such as developing a security charter in conjunction with executives and then from that developing a security policy set (aka ISMS) that requires "vulnerability management"
• when information asset classification efforts are failing due to lack of business process documentation and inventory and asset management processes, try some inventory activities yourselves (i.e. some port scans) and share the results with the operations team to kick-start efforts.

If some more problems and tactics come to mind I'll re-edit this post later on.

What works - Incident Response

Hello,
Had a chat with a lovely analyst the other day doing a briefing paper for his clients and here were a few lessons learnt I have picked up;

*It's all about the CSIRT

The Computer Security Incident Response Team is who gets called to help when a security incident is identified. Often security incidents are identified due to an outage or degredation in performance through standard ITIL style incident mangagement processes.

The CSIRT should comprise a virtual team (who have been pre-warned and educated as to their roles) of security operations personnel and IT operations personell (desktop, server, network, app support and database). A "management team" of media liason, legal and senior managemement should operate in parallel and concentrate on communications and public relations.
One method in use is to have a conf call running for the tech team and have a comms person dial in every 30 mins to gather intel for a sitrep for the "management team" so that the CSIRT can get on with responding to the incident rather than returning calls from senior management and producing status updates.

*A preemptive media blitz

Having a pre-approved press release all ready to go in case of customer impact is a good idea IMHO as this will pre-empt bad press. In this day of twitter driven instant communications waiting for half a day to get the message out is far too long.

*Build in resiliancy

Have a hard copy CSIRT manual available with an insert with the latest numbers of the CSIRT members and issued to the IT Help Desk and CSIRT members. This manual and your intranet should reference a contact number (ugh for the hellphone I mean cellphone) that the security ops team will carry on a roster and an email address like csirt@company.com that is CC'd to all current CSIRT members.

*Have a plan of attack

For commonly anticipated incidents have a brief plan of attack documented in the CSIRT manual. Don't go overboard and the process followed should be sanity checked by CSIRT members at each stage during the incident.

*Liaise BEFORE the incident so you have a friend to phone

Identify who you may need to contact in case of a security incident and make friends. This will help you later. This could be your bank, CIO of customers, govCERT, AHTCC, local computer crime unit etc. Who you contact may vary based on your organisation and the type of incident you experience. For example finding illegal content on a computer may require you to call local law enforcement. Experiencing a sustained DDOS attack may require you to call your telco. Fraud conducted via computer maybe your bank and local fraud squad etc.

* Know where to get your intel and practice

Do some exercises based on your commonly anticipated attacks and figure out where you can monitor outbound traffic from your desktops etc. so that you can take actions based on facts not hunches.

*Outsource the forensics

Once you know you have a significant incident on hand that is likely to result in employee dismissal or a civil or criminal case, call in a professional computer forensics team who can independently capture, analyse and present in court the results and stand up to intense cross examination.

*Prepare to capture the info

Think about what incidents you are likely to encounter and hence what logging needs to be turned on. Stream the logs in real time over an encrypted channel to a secured central log server, so that an admin can't tamper with the logs. Sync up all the time sources to the same timezone and time server.

Comments welcome from experienced first responders!

Twas the night before Christmas

An ode to all two infosec people who are keeping the home fires burning over the holidays. May your pager never beep on this specialy day!

Apologies to Clement Clarke Moor - Twas the night before Xmas

Twas the night before Christmas, when all through the office
Not a creature was stirring, not even an optical mouse.
The security budget request was hung by the chimney with care,
In hopes that St Nicholas soon would be there.

The admins were nestled all snug in their beds,
While visions of playstations danced in their heads.
And mamma in her ‘kerchief, and I in my cap,
Had just settled our brains for a long winter’s nap.

When out on the IDS there arose such a clatter,
I sprang from the bed to see what was the matter.
Away to the pager I flew like a flash,
booted and VPN'd in like a dash.

A botnet was built from whoa to go,
through the monitored web proxy its C&C did flow.
When, what to my wondering eyes should appear,
But a CSIRT, incorporating many security engineers.

With a little security leader, so wizened and old,
I knew in a moment it must be the CISO.
More rapid than eagles his direct reports they came,
And he whistled, and shouted, and called them by name!

"Now Analyst! now, Crypto Guy! now, Compliance and Tester!
On, Consultant! On, Communications! on, on IDS dude and Forensics!
To the SEIM solution! to the firewall!
Now dash away! Dash away! Dash away all!"

And then, in a twinkling, I heard on the keyboards
The tappering and twittering of each little hoof.
As I drew in my head, and was turning around,
Into the incident room came the CISO with a bound.

He was dressed all in casuals, from his head to his foot,
a surprise as his team had never seen him without his suit.
A bundle of caffeinated drinks he had flung on his back,
And he looked like a peddler, just opening his pack.

His eyes-how they twinkled! his dimples how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
And the beard of his chin was as white as the snow.

The stump of a pipe he held tight in his teeth,
And the smoke it encircled his head like a wreath.
He had a broad face and a little round belly,
That shook when he laughed, like a bowlful of jelly!

He was chubby and plump, a right jolly old elf,
And I laughed when I saw him, in spite of myself!
A wink of his eye and a twist of his head,
Soon gave me to know I had nothing to dread.

He spoke not a word, but went straight to his work,
And patched all the workstations, then turned with a jerk.
And laying his finger aside of his nose,
And giving a nod, the CIO he called!

He sprang to his car, to his CSIRT gave a whistle,
And away they all flew like the down of a thistle.
But I heard him exclaim, ‘ere he drove out of sight,

"Happy Christmas to all, and to all a good-night!"

2009 in review

Breaches

Gonzalez aka Soup Nazi caught and responsible for some of the largest breaches of credit card data over the last year or two.

RBS Worldpay - Criminals breach a payroll system that pays employees via debit cards. They jack the limits, burn the card data to new card blanks and then withdraw millions simultaneously at multiple locations around the world.

Technologies

Automated Source Code analysis software from Fortify, IBM and HP hit the big time helping secure web applications against the most common threat vector - SQL Injection or now SQLi for short :)

Data Leakage Prevention fizzled with many CISOs not really wanting to go a Career Limiting Move by highlighting to management how broken business processes are and how much personally identifiable and confidential data is stuck on insecure file shares and shuttling around in email attachments.

Legislation, Regulation and Compliance

We got some new laws to make ATM and credit card skimming illegal?

PCI-DSS continued on with an increase in compliance validation requirements for level 2 merchants thanks to MasterCard.

Customers beware - security "consultants" to avoid

Some tweets from @jack_mannino raised some strange feelings and thoughts that I wanted to express about some of the types of people that raise my ire in the security consulting industry:

Public enemy number one - the "nessus cut n paster"

Its all good to use nessus or OpenVAS as it helps shorten the process of grabbing banners with nmap and using google/secunia/mitre to find out publicly reported vulnerabilities about the network services in use (which we pretty much end up doing anyway!). We all use nessus as part of our suite of tools but you shouldn't just use nessus! And you definitely shouldn't just append the raw scan results as an appendix with a covering letter! Your client deserves you:

• confirm that the reported vulnerabilites actually provide a risk (i.e. are the vulnerable modules on that webserver actually in use or is this a false positive)
• provide some interpretation and an indication of how easy this vulnerability is to exploit based on your knowledge and experience (i.e. how likely is it that the client be attacked by an SSL MITM attack) and any compensating controls that are in place
• provide pragmatic recommendation on how to address the issue (i.e. a link to technet article etc.)

Oh its worth adding, running nessus does not test web applications! It may test the configuration of the web server software but not the susceptibility of a custom web application to SQLi etc!

The "nessus cut n paster" leaves you feeling conned and frustrated as you paid too much for an assessment you could have performed yourself. You have to investigate each of the issues to identify if you should bother fixing them and find out how to address them.

Public enemy number two - the "over caffeinated try hard hacker"

This guy is someone who has just read "Hacking Exposed" and instead of building himself some vmware virtual machines and trying out what he is learning on them, he wants to "play hacker" on your network. On an external network he will focus on "cool and neat" vulnerabilities and forget to report "boring" vulnerabilities (the ones you are likely to get pwned by). On an internal network instead of focusing on testing key controls that secure critical applications (e.g. database listener passwords) he will do crazy stuff like pwning workstations with metasploit and looking for pirated games/music/pron to take home.

The "over caffeinated try hard hacker" leaves you bemused wondering what the hell happened, rebooting boxes and apologising to executives whose email accounts have been ransacked.

Public enemy number three - the "talky talky consultant"

This Svengali like consultant mesmerises you with talk about risks, approaches, ISO standards and buzzwords however never gets down to the discussions you want to have like:

• what are my critical business processes and what applications, infrastructure and information assets are associated?
• what are my key controls?
• how do I test them and record the results and supporting evidence?
• what should be in my security plan to improve my key controls?
• how do I tweak my policy to address new risks?

The talky talky consultant often leaves you stuffed and slightly boozed after a long lunch wondering what value they actually added to your organisation and trying to find a deliverable to justify to your management why you engaged this clown in the first place.

Tips to Countering the fallout:

• Make sure your security consultant has scoped the required work well and documented the scope in a contract or engagement letter in enough detail. It should be clear that work outside the agreed scope is not to be undertaken without express permission (i.e. running exploits, scanning other systems apart from the defined target systems)
• Make sure if an assessment is being provided that the criteria for the assessment is detailed in the engagement letter and provided in the report
• The contract or engagement letter should also describe the required deliverables for each phase of work in detail and the requested structure and content of the report
• Ask for a sample report, mark it up and return it if it doesn't meet your needs.
• Ask for regular updates on activities and require that they be provided so you can keep tabs on what is going on.

What does 2010 hold for us infosec types?

I would like to see some of the following happening in the new year in Australian organisations in order for them to address key risk areas:

Application Security programs

• Implementing trust but verify gates into the SDLC for security risk assessments, requirement documentation, static source code analysis, functional and vulnerability testing
• Risk based testing schedules for applications in production that test the key controls in the applications (i.e. test critical apps in a detailed manner each release/year, with a rolling schedule of vulnerability testing for low criticality apps)

Tactical Security Infrastructure projects

• Large scale Data Leakage Prevention (DLP) deployments with associated business process remediation
• Virtualisation and rationalisation of perimeter security infrastructure
• Logging Monitoring and Reporting programs with integrity monitoring implementation and enablement of logging in end devices and configuration of alerts on central monitoring software.

( I doubt organisations will be kicking off large difficult projects such as identity & access management projects next year due to the after effects of the GFC and a hesitancy to launch projects that won't have a "quick win")

Security Management initiatives

• furthering development of good asset management, change and release management processes so that the outputs can be used to drive appsec programs and vulnerability management processes.
• pragmatic Information Asset Classification and Labelling (which could be facilitated by DLP used to discover information assets)
• Security awareness and induction training

What I suspect I will see is the following:

• DLP product sales that expect rollout and management by BAU resources forgetting that DLP will identify broken business processes and systems that need to be remediated and that well organised support mechanisms will be requried to prevent disruption to one off business processes
• the compliance driven annual penetration test will now involve web application security assessment of a sample application bundled in as an optional extra
• writing of security policies only to satisfy audit findings that are destined to become shelfware due to a lip service approach to security
• refreshes of end of life perimeter security infrastructure forced by capacity driven outages and a lack of vendor and system integrator support
• purely top down risk management initiatives that do not progress beyond the generic due to a lack of expertise amongst those performing the risk assessment

Any thoughts from out there in the blogosphere and twitterverse?