Security Solutions Architect @ TIG
Agenda
IT Audit is not Enough
Network Security
Web Application Security
Countermeasures
Ignorance is Risk
Managing by Measurement
IT Assessment
IT Audit is not enough
Unclear Scope
New Vulnerabilities/Risks
Use of Lagging Indicators
Common IT Audit Deficiencies
Third-Party agreements and contracts weak
Employee Awareness Training needed improvement
Too many privileged accounts
Inability to document user privileges
Log collection weak
Critical assets not clearly defined & documented
DR/BCP not regularly tested
Internal controls not routinely reviewed
Change management documentation & consistency lacking
ERP systems riddled with segregation issues
- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007
Human Stupidity
Changing configurations
Installing rogue programs
Human Error (audits)
Incorrect User Provisioning
− Automation tools generally too costly for SMB
− “AD-Aware” tools often can authenticate but cannot provision access control
− User errors
− Asset owners
Often do not know what to provision
Do not know granularity capabilities
Generally rely on what has worked previously
“Is-Like”
If using Microsoft “Is-Like”, make the account generic
Conduct an IT Risk Assessment
Critical Assets
Critical assets provide services to enable the business
May be external facing
May be a single machine or set of machines
Risk Management Frameworks & Functions
Frameworks
− NIST (SP800-30)
− Octave
− Octave Allegro
− Factor Analysis for Information Risk (FAIR)
Primary Functions
Create Value
Account for People, Process, and Technology
Integral Organizational Process
Continual
Systematic
Focused on Continual Improvement
Octave Allegro
Great for a small group
Smaller in scope than other options
Can be conducted in waves (IE: IT/Business, etc.)
Containers
Describe where the information resides
May be a single system
May be a group of systems
Does not have to be electronic
Threats
Describe the actors upon which vulnerabilities are executed, causing risk to the organization
Threat Trees
Vulnerabilities
Issues which cause a system or process to deliver undesirable results
May impact
− Confidentiality
− Integrity
− Availability
Risks
The result of a threat agent acting upon a vulnerability
Vulnerability Exploitation
− Compromise of sensitive data
− Manipulation of funds/account data
− Denial of Service against Internet-facing systems
Deliverables
Identification of critical assets
Ranking of assets
Portfolio view of organizational risks
Network Security
TCP/IP
Transport Control Protocol / Internet Protocol
Internet is based on TCP/IP
Designed for unstable networks
IPV4 prominent with IPV6 growing
TCP, UDP, & ICMP are the primary types of packets
TCP
Connection-Oriented
Used when integrity or state is necessary
Maintains state
3-way handshake to initiate session
Significant overhead compared to UDP
TCP/IP/Packet
Telnet
Command-Line interface to operating system
Commonly used for
− Networking equipment
− UNIX systems
SSH should be used instead
SSH
Encrypted version of Telnet
Enables remote management through CLI
Preferred method of remote management
Should be used instead of Telnet
HTTP
Hyper Text Transfer Protocol
Pieces of a page come across as separate TCP connections (images, text, etc.)
Ok to be used across network segments
− External to DMZ
HTTPS
Secure HTTP
Encrypted with Secure Socket Layer (SSL) or Transport Layer Security (TLS)
SSL inherently flawed based on use of MD5 for hashing
Application data is now an encrypted payload
May conduct server, and client, authentication
Ok to be used across network boundaries
− External to DMZ
SMTP
Simple Mail Transfer Protocol
Over port 25
Used for outbound mail
Notorious for security vulnerabilities
Ok to be exposed from Internet to DMZ
SMTP Relaying
Allows someone from one domain to relay information through another SMTP server
An SMTP server should only allow outbound email from the domains it serves
EXPN/VRFY
EXPN- Expand Address
− Attempts to expand the list of email addresses from a mailing list
VRFY- Verify Address
− Attempts to validate email addresses
− Many systems will/should provide a generic response
POP
POP- Post Office Protocol
Port 110
Used to receive emails
Can use APOP, which uses strong authentication
APOP or IMAP are the preferred methods
Server Message Block (SMB)
This is the protocol associated with Microsoft file sharing, network printers, and serial ports (IE: for network-based modems)
Due to the complexity and bulkiness of this protocol it is recommended not to allow it across boundaries whenever possible
This should not be allowed on any Internet connections
Remote Desktop Protocol (RDP)
“Windows Terminal Services”
Not recommended to use on the Internet
Instead use:
− VPN
− Citrix
− HTTPS
− VMWare
R-Commands
Rsh- Remote Shell
Rlogin- Remote Login
Rcp- Remote Copy
− Etc.
R-Commands allow users to define access control rights
− Exploited with “+ +” in .rlogin, etc.
R-Commands should not be used- use SSH, etc. instead
IP Security (IPSEC)
Used for VPNs
Can run in two modes
− Tunnel- TCP/IP header encrypted and a new src/dst pair is added to the connection
− Transport- only the payload is encrypted
Tunnel Vs. Transport
Voice Over IP (VOIP)
Allows for phone conversations across IP networks
Many security risks
− Sniffing
− MAC Spoofing
− Application Vulnerabilities
− Session Hijacking
File Transfer Protocol (FTP)
Preferable protocol used to transfer files
May be used across boundaries into a DMZ
Historically many vulnerabilities
− I often find exposure here
Trivial File Transfer Protocol (TFTP)
Similar to FTP but less interactive
Not used very often
Can be used inbound into a DMZ
UDP Pros and Cons
Connection-Less protocol
No error correction or retransmission
Doesn't require sequence # or handshake
− MUCH easier to spoof
Only 1 way communication
No sequencing
No 3-way handshake
Domain Name System (DNS)
Used to resolve IPs to hostnames and vice versa
− 72.167.183.41 = jeromiejackson.com
− jeromiejackson.com = 72.167.183.41
Single queries use UDP port 53
DNS Zone Transfers
Zone transfers provide a copy of the name table that is stored by the DNS server
Zone transfers occur over TCP 53
Zone transfers should only be available to upstream providers/peers
DNS Caching
When a client requests something to be resolved it will accept more information than what it had inquired about
DNS Redirection & Spoofing
− Attacker spoofs reply with bogus data
− Attacker replies with correct data & corrupt data
− Attacker compromises DNS Server & uses it to
distribute additional bogus answers to queries
Simple Network Management
Protocol (SNMP)
Can provide vast amounts of data about systems
Based on Management Information Bases (MIBs)
V3 is the only version with built-in authentication, privacy, and access control
Internet Control Message Protocol
(ICMP)
Used for various tasks
Ping (Echo Request/Reply)
Host Not Reachable
Network Unreachable
Redirects
Only allow across borders if required
Hijacking
TCP Hijacking
− Man-In-The-Middle
− TCP Reset
− MAC Spoofing
UDP
− Race condition- Respond prior to legit request
ICMP
− ICMP Redirect through an infected
machine/network
Web Application Security
Web-App Overview
Cross-Site Scripting
Injection Flaws
Malicious File
Insecure Direct Object Reference
Cross-Site Request Forgery
Information Leakage & Error Handling
Broken Authentication & Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
Tools Being Used
WebScarab
− Allows for HTML massaging
− Transcoder
Firefox Developer Tools
− Form Editing
− Subvert client-side security settings
1- Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding the content.
XSS allows attackers to execute script in the victim's browser
Worry About Encodings
Original URL: www.comsecinc.com/contact.php
Base64
− d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=
URLEncoding
− www.comsecinc.com%2Fcontact.php
Derivatives to further obscure intent
− Spaces or content breaks within content
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Vulnerability
Hijack user sessions
Redirect to hostile location
Website Defacement
Possibly introduce worms
Protection
Utilize a standard input validation mechanism
Do not attempt black-list validation
Java- Use Struts <bean:write>
.NET- Use Microsoft Anti-XSS Library
PHP- Use htmlentities() or htmlspecialchars()
References
Rsnake put together a great XSS Cheat Sheet
− http://ha.ckers.org/xss.html
How to Obscure Any URL
− http://www.pc-help.org/obscure.htm
2- Injection Flaws
User-Supplied data sent to an interpreter
− SQL
− LDAP
− Xpath
− XML,
− SOAP
− OS command injection
Vulnerability
SQL Injection
− Create, Modify, Delete, View tables/databases
OS Command Injection
− Read/Modify/Delete/Create files
− Execute Processes with Privileges of application.
Protection
Sanitize Input
Enforce least privilege, especially in the database
Avoid detailed error messages
Use strongly typed parameterized queries
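The SQL injection "before" beside its parameterized form, plus the generic-error-message point, as an added example that is not from the deck. The in-memory SQLite table, the user rows and the AUDIT_LOG sink are constructed for the example.

```python
import sqlite3

# Constructed out-of-band sink for detailed errors (stand-in for a log server).
AUDIT_LOG = []


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data, not from the deck."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 'before': user-supplied data is spliced into the SQL text, so the
    # interpreter cannot tell where the data ends and the query begins.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the SQL text and is
    # never parsed as SQL, whatever quotes or keywords it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_for_user(conn: sqlite3.Connection, username: str) -> list:
    """Hardened entry point: parameterized, and database errors never reach the client."""
    try:
        return lookup_safe(conn, username)
    except sqlite3.Error as exc:
        # A detailed error (table names, SQL fragments) helps an attacker map the
        # schema; record it out-of-band and return a generic empty result instead.
        AUDIT_LOG.append(f"db error: {type(exc).__name__}: {exc}")
        return []
```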
3- Malicious File Execution
Applications using user input for filenames are generally vulnerable
Vulnerability
Hostile File Uploads
Access to Sensitive Data
Reading confidential data
Protection
Use a “Known Good” strategy
Sanitize User Input
PHP
− Disable allow_url_fopen and allow_url_include
− Disable Register Globals & E_Restrict
Java- Ensure Security Manager is enabled and properly configured
.NET- Leverage least privilege via Security manager
4- Insecure Direct Object Reference
A user's direct access to object references
− IE: Filenames & directories
Vulnerability
Hostile File Uploads
Access to Sensitive Data
Reading confidential data
Protection
Avoid exposing private object references
Indirectly reference objects
− Index files as opposed to utilizing their name
5- Cross-Site Request Forgery
A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
IE: Vulnerable banking relationship, shopping site, etc.
Vulnerability
Can exploit the vulnerability on behalf of the attacker.
Submit bank transfer
Send credit card information
Automatically post information out to an Internet site
Protection
Re-Authenticate or use transaction signing to ensure that the request is
genuine.
Set up external mechanisms such as e-mail or phone contact in order to
verify requests or notify the user of the request.
Do not use GET requests (URLs) for sensitive data or to perform value
transactions.
Use only POST methods when processing sensitive data from the user.
POST alone is insufficient protection. You must also combine it with random
tokens, out of band authentication, or re-authentication to properly protect
against CSRF
For ASP.NET, set ViewStateUserKey
− Provides a similar type of check to a random token as described above.
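The random-token protection above, as an added example that is not from the deck: a token bound to the session with an HMAC, checked on every POST, with GET refused for the value transaction. The request dictionary, session id and transfer form fields are constructed stand-ins for a framework's request object.

```python
import hashlib
import hmac
import secrets

# Server-side secret (constructed at start-up for this example; in practice loaded
# from protected configuration). Tokens cannot be forged without it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session, so a token captured from one session
    is worthless against another. The page embeds it as a hidden form field."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented) -> bool:
    if not isinstance(presented, str):
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token byte by byte via timing.
    return hmac.compare_digest(expected, presented)


def handle_transfer(request: dict) -> str:
    """Handler for a 'transfer funds' action.

    `request` is a constructed stand-in: {"method": ..., "cookies": {...}, "form": {...}}.
    The session cookie is sent automatically by the browser even when another site
    triggered the request; the hidden form field is not, which is what makes the
    token check meaningful and why POST alone is not sufficient.
    """
    if request["method"] != "POST":
        return "405 method not allowed"      # never perform value transactions on GET
    session_id = request["cookies"].get("session")
    if not session_id:
        return "401 not logged in"
    form = request["form"]
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return "403 csrf check failed"
    return f"200 transferred {form['amount']} to {form['to']}"
```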
6- Information Leakage & Error Handling
Vulnerability
Data in errors may be useful for social engineering
May disclose internal object references
Often discloses account names
Protection
Disable or limit error handling
A common error handler is often useful
− Can send details out-of-band
Ensure development team shares a unified
approach
7- Broken Authentication & Session Management
Allows attacker to bypass the I&A Process
Often introduced through ancillary authentication functions
− Logout, password management, timeout, remember me, secret question, and account update.
Vulnerability
Subversion of authentication within the application
Portions of the application go unauthenticated
Protection
Only use the inbuilt session management mechanism.
Limit or rid your code of custom cookies for authentication or session management
Use a single authentication mechanism
Do not allow the login process to start from an unencrypted page.
Use a timeout period
Check the old password when the user changes to a new password
8- Insecure Cryptographic Storage
Protecting sensitive data with cryptography has become a key part of most web applications.
Simply failing to encrypt sensitive data is very widespread.
Vulnerability
Inappropriate information disclosure
Regulatory violation
Protection
Do not create cryptographic algorithms.
Do not use weak algorithms, such as MD5 / SHA1.
− Favor safer alternatives, such as SHA-256 or better.
Generate keys offline and store private keys with extreme care.
Ensure that encrypted data stored on disk is not easy to decrypt.
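Stored credentials are the commonest case of this item, so here is an added example (not from the deck) of the "SHA-256 or better" advice applied to password storage: salted PBKDF2 over SHA-256 from the standard library, beside the unsalted MD5 the deck warns against. The iteration count and salt length are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the deck). The iteration count is
# the knob that makes offline guessing expensive; raise it as hardware improves.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get
    different stored values, so a precomputed table of hashes is useless.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False            # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_hash(password: str) -> str:
    """The 'before' the deck warns against: unsalted MD5. Identical passwords
    produce identical values, and precomputed tables reverse them cheaply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```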
9- Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
Encryption (usually SSL) must be used for all authenticated connections.
In addition, encryption should be used whenever sensitive data is transmitted.
Vulnerability
Inappropriate access to conversations
− Any credentials or sensitive information transmitted.
Protection
Use SSL for all connections that are authenticated or transmitting sensitive or value data
Ensure that communications between infrastructure elements are appropriately protected.
Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit.
10- Failure to Restrict URL Access
Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users
Security by obscurity is not sufficient to protect sensitive functions.
Vulnerability
"Hidden" or "special" URLs, rendered to all users if they know it exists
− /admin/adduser.php or /approveTransfer.do.
Applications often allow access to "hidden" files, such as static XML or system-generated reports.
Protection
Ensure the access control matrix is part of the business, architecture, and design of the application
Perform a penetration test
Do not assume that users will be unaware of special or hidden URLs or APIs.
Block access to all file types that your application should never serve.
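An access control matrix enforced centrally, as an added example that is not from the deck: every URL is checked against the matrix before any handler runs, unlisted URLs (including the deck's /admin/adduser.php and /approveTransfer.do when the caller lacks the role) are denied by default, and file types the application should never serve are blocked outright. The matrix entries, roles and blocked extensions are constructed for the example.

```python
import posixpath

# Constructed access-control matrix (not from the deck): URL prefix -> roles that
# may reach it. A URL with no entry is denied, so it does not matter whether a
# link to it is ever rendered for the user.
ACCESS_MATRIX = {
    "/login": {"anonymous", "user", "admin"},
    "/public/": {"anonymous", "user", "admin"},
    "/account/": {"user", "admin"},
    "/approveTransfer.do": {"admin"},
    "/admin/": {"admin"},
}

# File types the application should never serve, whatever the role.
BLOCKED_EXTENSIONS = {".xml", ".bak", ".old", ".config", ".log"}


def normalize_path(path: str) -> str:
    """Resolve '..' and repeated slashes so the check sees the path the server
    would actually map, not the form in which the request arrived."""
    bare = path.split("?", 1)[0]
    clean = posixpath.normpath("/" + bare.lstrip("/"))
    clean = "/" + clean.lstrip("/")          # normpath preserves a leading '//'
    if bare.endswith("/") and clean != "/":
        clean += "/"
    return clean


def is_allowed(path: str, role: str) -> bool:
    """Central check, called for every request before any handler runs."""
    path = normalize_path(path)
    if posixpath.splitext(path)[1].lower() in BLOCKED_EXTENSIONS:
        return False
    # Longest matching prefix wins; an entry without a trailing slash matches itself only.
    best = None
    for prefix in ACCESS_MATRIX:
        matches = path == prefix or (prefix.endswith("/") and path.startswith(prefix))
        if matches and (best is None or len(prefix) > len(best)):
            best = prefix
    return best is not None and role in ACCESS_MATRIX[best]
```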
Action Plan
Embed security early in projects
Utilize standard data validation processes
Implement a standardized error handler
Properly segment the environment(s)
Test all externally-facing applications
Implement Security in Projects
The earlier security is implemented, the lower the cost of the project
− Inception- Ensure plans meet security standards
− Development- Ensure it stays on track
− Implementation- Validate implemented appropriately
− Operations- Monitor & Measure
− Disposal- Ensure proper asset disposal processes
Implement Standardized Processes for Data Validation
Implement standard error handling processes to limit data exposure
Utilize standardized sanitization processes to ensure consistent quality protection
Properly Segment the Environments
Three-Tier DMZ
Test All External-Facing Applications
Application-test all applications accessible from the Internet
Assess all systems which utilize restricted data
− (Healthcare, Credit Cards, ACH Transfers, etc.)
Strength in Numbers
Contact Information
Join Local Associations
Jeromie Jackson- CISSP/CISM
− OWASP & ISACA
jeromie@comsecinc.com
ComSec, Inc.
702-866-9412
ComSec Services
Security Services: Virtual CISO; Social Engineering; Risk Assessment; Awareness Training; Security Assessment; Policy Development
Qualifications: OWASP SD Chapter President; CISSP & CISM Practitioners; Board Members to ISACA; ITIL & COBIT Certified; NSS Labs Advisory Board; 800+ Regulated Customers
Part 3
Technical Countermeasures
Firewalls
IP Filtering
− (src IP, src port, dst IP, dst port, flags)
− IP ACLs
Stateful Inspection
− Just like IP Filtering but maintains state
− Identifies existing flows and uses for rule base
Application-Level
− Understands the application
− IE: Can allow FTP PUT, but not GET
− Helps enforce least privilege
Intrusion Detection/Prevention
(IDS/IPS)
Can be signature or anomaly based
Signature
− Floods
− Brute Force
− SQL Injection
Anomaly
− Keystrokes & typing
− Standard system usage
− Obscure destinations or services being utilized
Web Application Firewall (WAF)
Monitors and mitigates web-based vulnerabilities
Some IDS/IPS signatures may detect these
Some provide application profiling
− Imperva
− Breach
− Data Power
Antivirus/ Anti-Malware
Mostly signature based
− Identified files/processes
Whitelisting becoming more prevalent
Should be deployed @ the desktop & at the gateway
Preferably two different engines/vendors
Content Filtering
Blocking sites and/or frames in a site
Can be white-list or black-list based
Sometimes used for anticipated productivity gains
Authentication
3 factors of authentication
− Something you know
PIN
Password
− Something you have
Smart Card
RFID Card
Digital Certificate
− Something you are
Biometrics
Log Management
Logs are of critical importance to auditors
− Centralized
− Monitored
− Escalated
− Consistent
− Secure
SIMs are a great way to correlate these
Access Control
Role-Based
User-Based
Permissions (MAC & DAC)
Discretionary Access Control
User's discretion
− Found on most multi-user operating systems
− (Read, Write, Execute / User, Group, Other)
Maximize the applications that are AD-aware, and hopefully can leverage groups for access control
Symmetric Encryption
Asymmetric Encryption
Disk Encryption
Should be deployed on all remote devices
Full-Disk is preferable
Mitigates the significant threat of a device being lost/stolen
Email Encryption
Email goes over unencrypted ports
Some tools require the end user to encrypt outbound
Some can have policies based on destination
Can be Symmetric or Asymmetric
SIM/SIEM
Great way to reduce cost of security
Consolidate those logs- make them useful!
Pivoting is very functional (BI for Security)
− Trigeo
− Arcsight
− NetIQ
Database Auditing
Some built-in
− Be careful of turning auditing on without tuning
Imperva has a Database play
Don't let developers directly connect to the SQL
port(s)
Data Loss Prevention (DLP)
Great way to gain visibility into previously unidentified risk vectors
− Remember Due Diligence & Due Care
Some can import databases
Some are agent based
− This is good for mobile computing!
Physical Countermeasures
Information Security != Technical Security
Many attacks/breaches are due to physical security weaknesses
ID Cards
Various Type
− RFID Cards
− Smart Cards
− MAG Stripes
RFID Pros/Cons
Pros
− Easy
− Cost Efficient
− Lots of vendors
Cons
− Cloning
Smart Cards Pros/Cons
Pros
− Intelligent
− Built-in CPU
Cons
− More expensive
− Complexity generally adds risk
Mag Stripes
Pros
− Cheaper cards
− Cheaper Readers
Cons
− Exploitation costs lower
Administrative Controls
Policies, Procedures, and Standards mitigate end-user risk
Do not fall for the fallacy that technology comprehensively mitigates risk
Policies
Describe management expectations
Describe what is to be done
Should be aligned with high-level control objectives/intentions
Procedures
Describe the actions required to carry out policies
Describe how to execute the policies
Standards
Describe high-level objectives for IT
− Consolidate types of technology in the environment
− Ensure implementation of security principles
A guidebook for architects
A summary of what the stakeholders described
Dual Control
Two-Pieces of a key to open a door
Two people to execute a transaction
Additional signatures for processing
Audit
Policies, procedures, and standards are not beneficial if not in use
Logs are required by auditors to ensure controls are consistently being implemented
Primary Concepts
− Least Privilege
− Segregation of Duty
− Dual-Control
− Continual
− Repeatable
Least Privilege
Users should be given access only to resources necessary to carry out their job
Mitigates inappropriate disclosures
Enhances auditability
Should be used to help stakeholders define access control requirements for an asset
OS Hardening
Least privilege
− Only required services allowed
− Remove unnecessary services
Patching
− Mitigate vulnerabilities affecting the environment
Consistency
− Reduce complexity
− Limit types of vulnerabilities affecting the environment
− Minimize vulnerabilities present in the environment
− Stabilize a baseline
Racking & Stacking @ a 3rd Party
How far up will they manage?
− Up to the rack?
OS & App threats
Ability to install countermeasures
− Up to the OS?
Can you deploy OS/Network Countermeasures?
Patching strategies
What about non-Microsoft Applications?
− Up to the app?
Auditability
Least-Privilege
Virtualization Threats & Risks
Virtual Host to Virtual host connections
− Network-Based countermeasures
Hypervisor security
− Mainframe
− Process Sockets
Ignorance is Risk
Manage by Measurement Through the Use of a Control Framework
Security Risks & Exposures are Growing
More than 35 million data records were breached in 2008 in the United States
- Theft Resource Center
Jan 20, 2009- Heartland Payment Systems- 100 Million Transactions Per Month!
http://www.2008breach.com/
252,276,206 records with personal information since January 1995
- www.privacyrights.org
Risk is a Business Issue
“Ignoring or misunderstanding financial risks played a substantial role in creating the world financial crisis in 2008.”
3 ways to improve profitability
− Increase top-line sales
− Reduce COGS
− Optimize Operations
Optimize IT
− Bridge the gap between control requirements, technical issues, and business risk
− Use a portfolio approach to risk management
− Manage by measurement
− Enable your organization to reap maximum benefit from technology investments
Regulation With Minimal Benefit
Redundant and vague control requirements
Overlapping requirements without clear benefits
Costly resource allocation
Regulations
Increasing complexity
Resource intensive
Divert focus on maturing risk management
Optimize Regulatory Remediation
Convergence
Assert Compliance Simultaneously
IT & Business Alignment- Are we communicating?
IT is meant to serve the business
IT must be aligned with business goals
IT is costly and requires prudent management
Become Proactive
Instill best-practice governance
Utilize a risk-management portfolio to guide remediation
Consolidate Regulations
Managing by Measurement
Leading the Trauma Unit
50 Case Studies
130 Firms Surveyed
2000+ Executives Refined
The Root Cause of IT Risk - Lack of Governance
“...Manifested as uncontrolled complexity, and inattention to risk.”
George Westerman & Richard Hunter, IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, 2007)
Risk Management
Process
− Identify critical assets
− Define containers
− Identify risks & threats
− Quantify or qualify risks
Prioritize Remediation Efforts
Stop The Bleeding - Cauterize the Wounds
Identify & Collect Known Risks
Create a Remediation Portfolio
Document the “As-Is” State
Stabilize the Patient
Classify Known Risks
External Audits
Internal Audits
Regulatory Audits
Vulnerability Assessments
Risk Assessments
Address Availability
Focus on Business Consequence
Consolidate Regulations
Identify Primary Controls
Confidentiality Integrity
Paradigms- 7 Habits of Highly Effective People- “A man on a subway sees 2 obnoxious children...”
The sum is greater than the individual pieces
Balanced Scorecards
Focus on 4 key paradigms
− Financial- Fiscal Measurements
− Customer- Service Qualities
− Operations- Operational Efficiency & Agility
− Learning & Growth- Fostering Growth & Innovation
Provides measurements based on the key “customers” being serviced
Balanced Scorecards
Strategy Maps
Describe the “To-Be” state graphically
Facilitate collaboration
Minimize jargon
Collaborate
Strategy Map
Leading & Lagging Indicators
Leading indicators
− Sales Targets
− # of site visitors expected this year
Lagging indicators
− $ Closed Deals last month
− Visitors last year
− Amount a specific product has generated thus far
KPIs & KGIs
A Key Goal Indicator, representing the process goal, is a measure of "what"
has to be accomplished. It is a measurable indicator of the process
achieving its goals, often defined as a target to achieve.
− Remain Profitable
− Take over 15% market share in a territory
By comparison, a Key Performance Indicator is a measure of "how well" the
process is performing.
− % of Bench time for engineers - “Riding the Pine”
− # of opportunities in the pipeline
Prudent Management is not just for the enterprise anymore
Governance has been slowly adopted in the
SMB space
− Perceived as an “enterprise play”
− ROI/CBA/NPV communication muddled with jargon