Blog Home - Defending the Network - Information Security by Dan Tinsley

Sunday

Apr012012

"Now why would I pay someone to break into our network and steal our data?"

Sunday, April 1, 2012 at 5:34PM

The Shake down test - Just like testing your fire alarm and evacuation procedure annually, you should always put your infrastructure through some rigorous evaluation criteria. Security on the whole is a continuous evolving process to which changes to business direction, rushed system integration and modern day threats can all go to create vulnerabilities which may go unnoticed; that is until a hacker finds it, exploits it and your data is slapped on paste bin for the entire world to see.

I am an advocate in emphasising that no collaboration of systems can be ever 100% secure at any point in the system life cycle, just like no availability provider can say “Yes Sir, we guarantee 100% uptime”. Information system security professionals must adapt to the increasing possibility that at some point their network may be breached from external or internal entities. How we handle this can diminish the impact this will have on our business operations and outside reputation. By developing and enforcing strict security policies and procedures, complying with legal and regulatory guidelines, and constantly reviewing operational systems and future designs we can minimise our exposure factor and reduce risk. For example, the Payment Card Industry Data Security Standard (PCI DSS), and security and auditing standard, requires both annual and on-going testing (after system changes).

So, how do we audit our network? This is done by Penetration Testing.

Pen Tests (also sometimes called “ethical hacking”) consists or a formal set of steps and procedures simulating the methods and techniques an hacker or malicious employee would likely to use that are implemented to intentionally, at the invitation of the business requesting the penetration test, to bypass and evade physical, technical and policy security controls and obtain access to a particular system and the data it holds. Simply put, the purpose is to evaluate how well the company can thwart the attack and how it might be compromised by the potential intruder.

Pen Tests can be used to evaluate the effectiveness of the businesses security incident response and any countermeasures that may be in place. Countermeasures may be technical, administrative or even physical. Remember Pen tests can go two ways; they can add to the credibility of the current security in place and demonstrate due diligence or the tests can alert management that they have significant security weakness that must be addressed.

The most common vulnerabilities tend to be design flaws, configuration errors, and software bugs. These can be introduced during development, implementation and maintenance, generally by accident, and once identified by the penetration tester, can usually be quickly resolved by the IT team.

Pen Tests can be both internal and external in nature. For example, external testing refers to attacks to devices or services on the perimeter of the network. This can be extranet services, email servers, firewalls, remote service gateways, web servers ect. Internal testing is performed from inside the local network and determines what an attacker or authorised employee with malicious intent could gain access to or penetrate.

Testers like me can class our attack methods in three ways; Black box, grey box and white box. With black box testing the pen tester has no knowledge about the targets network and must operate the same way an external hacker would by using social engineering, dumpster diving and other publically available information to help scope the network before the simulated attack. This can be classed as a double blind test as no one on the targets IT team will know about the planned test. This will test the company’s security monitoring, incident response and escalation procedures.

Grey box refers to “need to know” principles. Certain members of the targets management or internal security team may be informed, or the tester may be given certain details of the network.

Finally, White Box is a type of test that typically takes less time and effort to complete, but may not provide as complete picture of the overall security vulnerabilities and response capabilities of the IT team. The tester will have full knowledge of the target environment (such as passwords, network topology diagrams, technology overview ect) and is expected to simulate an inside attack or targeted attack on a particular system.

Basic white box penetration testing is often done as a fully automated inexpensive process. However, black box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's networks response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists that systems may be damaged in the course of penetration testing and may be rendered inoperable, even though the organization benefits in knowing that the system could have been rendered inoperable by an intruder. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated

Typically the pen test consists five steps;

Discovery

Vulnerability mapping

Enumeration

Exploitation

Document and Report

For more information please feel free to contact me. ( I will continue to up date this post in the next few weeks)

Tiger http://www.tigerscheme.org

Tiger Scheme is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise. The Tiger Scheme was founded in 2007, on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring in a recognised and reputable company.

OWASP https://www.owasp.org

The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.

PCI https://www.pcisecuritystandards.org

The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

ISACA https://www.isaca.org

ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.

CHECK http://www.cesg.gov.uk

The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.

OSSTMM http://www.osstmm.org

The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.

CREST http://www.crest-approved.org

The Council for Registered Ethical Security Testers (CREST) exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. It provides globally recognised, up to date certifications for organisations and individuals providing penetration testing services.

3 Ways Internet Monitoring Software Protects Businesses - A Human Response

Saturday, March 10, 2012 at 12:20PM

Internet monitoring software is a key component of your defense-in-depth strategy, and can help to protect your corporate information assets, your company’s reputation, and your bottom line. Internet monitoring software is not just about enforcing the Acceptable Usage Policy; it’s about protecting your users from problems involving Human Resources, your workstations from downtime, and your company from lawsuits. Let’s look at three ways in which this solution helps protect businesses.

1. Protect users from malicious content

Perfectly legitimate websites are compromised every day and, as each new vulnerability in operating systems, web applications, and locally installed software are discovered, there’s another way a user’s machine can be taken down or become compromised by malicious content all while they were accessing a valid business website. Internet monitoring software can block access to sites known to be compromised, scan all downloads and scripts in web pages for malicious content, and protect users from accessing a compromised website.

2. Protect the company from users accessing inappropriate content

Internet monitoring software can also ensure that users do not access inappropriate content. Whether accidentally or intentionally, employees tend to access websites containing material that is inappropriate for work. While many users might simply say “oops” and hit the back button, others might be offended by something they see, and if it is offensive enough, they might seek redress from the company. Internet monitoring software can stop access to adult or other offensive content before anyone sees something they shouldn’t and before any policy is violated. Some can even enforce the “safe search” options of popular search engines, further protecting users from the results of those nebulous search terms that have double meanings.

3. Protect the company from users accessing illegal and unauthorized content

Some users have problems separating what they do at home from what they do at work, and they might not have the same respect for copyrights and licensing as they should. Whether they want the latest blockbuster action flick, or just a key-gen for that great software package that wasn’t in the budget this month, when they access such material from work it’s the company that can be found liable. Internet monitoring software can block access to the sites on the darker parts of the Internet, protecting the company from legal liability associated with users downloading copyrighted material.

With Internet monitoring software protecting your business, you can focus on more important things - like security patching, capacity planning, and systems upgrades - and let your users surf the web confident that they are protected from the worst the Internet has to offer. Internet monitoring software enables you to allow your users access to the Internet in a safe and productive way.

I have worked with GFI and their fantastic GFI web monitor software since 2004 and thoroughly recommend it for the SMB market. If your company runs ISA server or requires a standalone product, please feel free to head over to www.gfi.com and download a fully functional 30 day trail. Even if you don't decide to purchase the product; you will open eyes to what you users are doing on your network and how much time is actually spent on internet usage.

Remember, as previously discussed on Defending the Network, it only takes one carefully constructed webpage with a known or zero day vulnerability, virus or script to completely take down a company or worse, your customer or trade secrets released to the world. Why risk a painful data breach and big fines from the ICO when software like this can be added to your security arsenal very quickly?

Also bandwidth is expensive – so during the trail you can work out the percentage of unsolicited internet usage and correlate this to your internet break out costs. How much are you spending on wasted bandwidth?

Coming soon, I will post a full review of GFI webmon 2011, along with an Internet AUP template which you can customise for your company.

Enjoy,

Dan

3 Comments |

tagged

AUP,

Acceptable Usage Policy,

GFI,

illegal content in

GFI,

Hacking,

Internet,

Policy,

Security

Wednesday

Feb082012

Offensive words and DLP filters - Tick box on the audit clipboard

Wednesday, February 8, 2012 at 10:33AM

Operating in the financial\banking industry generally requires that you try your best not to offend anyone. Sometimes hard, but in this day and age with social media allowing for rapid spread of an employee’s mishap via twitter and Facebook, new legislation and data protection laws, coupled with the fact that generally people do make honest mistakes, engineers are required to find ways of protecting the company’s reputation and stop accidental data leaks.

Let's face it, we have all accidentally fallen for outlook's auto complete feature and that document that should be encrypted is now on its merry way outside the company! Queue auditor’s worst nightmare! Once it is out in the public domain, it is out there for good.

I have designed, installed and configured many data level protection (DLP) systems for various infrastructures ranging from email content filtering systems that sit either between front or backend exchange clusters, first response data control gateways or data analysis systems sitting between the VDI client and hypervisor. The idea is that all content passing through these systems is screened and audited by predefined algorithms to ensure HR, information security and company compliance.

This why as a security engineer you need to not only understand the technical requirements in detail, but translate audit, compliance and HR polices into clear defined business objectives. Today, I can spend almost 40% of my time working on system polices outside of my engineering background. But, and this is a big but, audit requirements especially say, "PCI-DSS" and some fine points on ISO 27001 does not mean by a long shot that you are secure – just compliant against the guys with the overly LARGE clipboard.

One mail appliance I have worked with is the Sophos ES5000. This great piece of kit, in either physical or virtual form can screen 380,000 an hour. Some of the key features of this product are;

Protect sensitive data with integrated SPX Encryption technology
Prevent accidental loss of sensitive information with unique and simple Data Loss Prevention (DLP)
Eliminate over 99% of spam with Sender Genotype Technology and Live Anti-Spam real-time updates
Proactively protect against evolving threats including viruses, phishing, and malware with Sophos Behavioural Genotype technology

The SPX encryption engine is the real key selling point of this product though. For example, if your company is audited by regulatory bodies, handles very sensitive customer, financial or top secret data and you want to comply with FSA, CESG, or British Security Standards for information security then this box of tricks should be at the top of your pile. Simply, the SPX engine scans any mail leaving the company’s network, audits, logs and then checks the entire contents and attachments against defined DLP rules.

For example, certain email or attached documents might have SECRET, NOT FOR RELEASE watermarks or meta tags embedded, contain a number of customer account details, or just be sent from a user group that should not be sending email outside the company\network. The SPX engine flags this email, and can do a few things with it.

Firstly, it can be configured to drop the item or return to sender, or maybe copy to your compliance department for review; secondly, it can encrypt the entire email and attachments and store it securely on the appliance.

The appliance will then send an email to the recipient stating that they have received an encrypted document from 'yourcompany.com' and that to access this they must click the hyperlink, which will direct the user via SSL\HTTPS to a front end portal of the Sophos appliance. The recipient can then log on by either supplied credentials or create their own and access the secure email with any documents. Sophos SPX Encryption does not require installation of client software. SPX uses the ubiquitous and cross-platform PDF reader software installed by default on all systems (cough).

Basically the sensitive data never leaves your network, nor does it cross the public internet. Big win for your compliance and security objectives! Enough of the Sophos sales chat, but if this is of interest to you please drop me an e-mail - As a Sophos trusted sales and technical engineer I can have the techy or human discussion about how this appliance can work in your environment.

Anyway, stripping back down to the basics. What if you needed to create simpler rules, such as blocking offensive terms to and from your company?

Compiling a list can be a hard but amusing task. I have spent a number of days with a few friends, and after a couple of beers later, we came with as many offensive terms as possible. All you need to do is import the below text file into your appliance, DLP engine and bingo.

Download Offensive Words from Defending the Network

Enjoy,

Dan

2 Comments |

tagged

DLP,

ES5000,

ISO 27001,

Offensive words,

PCI-DSS,

Sophos,

Sophos Mail Appliance,

banking industry,

data leak,

financial,

offensive words download,

twitter in

Policy,

Wednesday

Dec212011

Safari users click here: Windows 7 & 2008 x64 Safari iframe vulnerability

Wednesday, December 21, 2011 at 1:34PM

A zero day vulnerability with the way Safari handles extremely large IFRAMES running on a Windows 7 & 2008 64-bit platform has been found to cause a kernel level blue screen. Windows 7 and 2008 (non R2) 32-bit systems are immune to this flaw.

The very simple Proof-of-concept code (shown below) has now been leaked into the public domain: the simple HTML script, when opened in Apple's Safari web browser, quickly leads to the kernel triggering a page fault in an unmapped area of memory, which halts the machine at a BSOD blue screen of death.

<iframe height='18082563'></iframe>

You can view the iframe exploit (in Safari, of course) from defendingthenetwork.com here

Worst part is that we can now social engineer users to either open the attachment via e-mail or get them to download the file. Since the exploit is simple HTML code, no IDS/IPS or AV solutions will trigger an alert. Though we can look for the above string signature using Snort or manually create a trigger rule on our security solutions.

Worrying problem is that hackers are now looking for the underlying code execution path to discover how we can further use this exploit to perform remote code execution to either install malware rootkits or gain access to privileged parts of kernel memory.

To be honest, usermode applications should not be able to bring down a machine.

According to ThreatPost, Microsoft hasn’t confirmed the weakness, but the issue is being looked into.

“We are currently examining the issue and will take appropriate action to help ensure the customers are protected,” said Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing Group.

So far, the attack method seems to work only on Safari, but it may later turn out that other web browsers can be utilised to launch a successful malicious operation.

Time to remove Safari off your network? (why was it there in the first place?)

Dan

Food for thought VDI: Good move, new security risks?

Tuesday, December 20, 2011 at 10:34AM

Cloud based Virtual desktop infrastructures or VDI, is now common place in the enterprise sector. Improved security is consistently the key business driver for VDI for most companies, followed by ease of overall management, strategic application or cloud SaaS\PaaS deployments, and enhance remote access - especially via non-Windows or consumer devices such as tablets and smartphones. Furthermore, desktop virtualisation has removed physical assets from the network by moving isolated workstations and applications that were once separated by hardware and network levels onto a single server; in theory.

So, rising to meet this shifting environment are newer, alternative solutions, including the classic virtual desktop infrastructure and, more recently, desktop or user virtualisation. Though these alternatives are not viable replacements for traditional desktop security management. The changes advocated by these approaches are not accompanied by adequately broad or maintainable gains.

Instead, we now have Intel who proposes an evolutionary framework called Intelligent Desktop Virtualization, or IDV, whereby the overall system of managing user computing is made significantly more intelligent. IDV embodies an approach to desktop management that ensures the user experience is always maximised while also giving security engineers all the control it requires within an economically viable framework.

By migrating to a VDI service, we security folk can fundamentally deliver a more secure working environment to our users by streamlining desktop management for patching, improving the security strategy for incidents, migrate data risks on typical physical endpoints and ensure operational user continuity. For example, from SearchSecuirty @ Techtarget, we can clearly see the befits in terms of security for an VDI envrioment;

Centralised provisioning allows security engineers to create virtual desktops from authorised images. Instead of chasing and assessing distributed endpoints, security operations in a VDI approach only have to patch, upgrade, and check vulnerabilities of desktop applications on the centralized farm. This has the potential to significantly improve security performance metrics, including those for patch coverage and time to remove critical desktop vulnerabilities.

Once a compliant desktop image has bee created, terminating idle virtual desktops during off hours and re-provisioning automates the delivery of compliant desktops to the user, effectively reducing the possibility of desktops drifting out of compliance. This not only allows IT to easily deploy new software agents, replace software that is not easily patched such as obsolete versions of Adobe, Java, or custom built applications, but it also means that malware is less likely to persist on the desktop because the malware disappears when the virtual desktop is terminated.

Security software can be shifted from individual desktops to become a shared resource on the virtual server host. For example: Antivirus that is designed for VDI shares signature pattern files and coordinates system scans across all virtual desktops resident on the server; transparent disk encryption can be enabled for sensitive data; virtual patching allows security to plug a critical vulnerability at low levels in the server without disrupting users’ desktops; and high performance application whitelisting is being utilised to ensure the integrity of the virtual desktop. This approach reduces the complexity and costs of managing desktop security – and antivirus will always be active with the most up-to-date patterns. Hypervisor aware AV is now the de facto for virtual farms.

User virtualisation technology removes user preferences from the desktop allowing users to move freely between virtual desktops, remote desktops, and mobile devices and tablets. As organisations evolve from physical to virtual desktop infrastructures, user virtualisation can provide the consistent look and feel across devices to increase user satisfaction and increase the chances of a successful VDI roll-out.

Simplify data leakage prevention, DLP, strategies by restricting sensitive data to the data center with virtual desktops. Since the data never leaves the data center, not only is there less risk of costly disclosure incidents due to data loss, there is also less demand to purchase and administer device control and DLP software on desktops.

Sensitive data can be transparently encrypted, and data center resources can be used for automatic backup and recovery of desktop data. The separation of data from the physical constructs of the PC also allows security executives to evaluate the cost savings of cloud-based storage.

Reduce the costs of a disaster recovery plan by shifting virtual desktops to remote data centers. Rather than purchasing extra hardware in stand-by data centers, business continuity services maintain copies of the provisioning server to be able to recreate virtual desktops and reconnect users to the business.

All sounds great, but like all things nice and shiny, we have some concerns. VDI has its own set of associated risks which unfortunately not most people know of.

Before virtual machines, compromised systems gave attackers access to the internal network. With virtual machines, not only do they get access to the network, but also any attached virtualisation infrastructure, putting all virtualised systems and the data they contain at risk.

With various virtualisation platforms, the attack surface (the area that systems are prone from attack)increases from multiple physical machines to standalone hosts containing numerous virtual machines. So why can an attack area widen despite your efforts at server consolidation? To prevent this problem, you need to treat each VM as a standalone host and consider the physical servers on which they reside.

For example, all a Virtual machine is at the basic level is a set of configuration file and a virtual disk file. An attacker can easily gain access to the storage network, SAN or intercept storage traffic and grab the virtual files, resulting in the actual machines and any data being stolen. I have seen proof of concept rouge deployments, in which the attacker can replace the virtual machine files with a modified compromised versions, again resulting in an internal breach; we can protect against this to a certain degree but VDI opens up security risk that previously would not be feasible within physical desktop constraints.

For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms and will need to be created with a virtual platform in mind.

Look at storage; NFS, iSCSI, and SAN storage pass data in clear text, which implies disk data can be read by others. If a VM has mounted an iSCSI target from the same storage network as used to hold virtual disks, then this is a possible attack point. Take HP left-hand network boxes, have you change the default SNMP string as we can exploit a known vulnerabilities to gain root access to the storage array.

Finally, I have also seen poorly configured hypervisors with default SSH access credentials, console NIC’s inside DMZ networks, unencrypted replication traffic sent over WAN…

Food for thought?

Dan