Volume 13 Issue 5
Infosec Tools Issue (the 104th)
Working with Indicators of Compromise
Table of Contents
Articles
21 Free/Open Source Forensics Tools
By Richard Abbott
This article demonstrates some free and open-source (f/oss) tools regularly used by the author for the purpose of forensic investigations and argues that many basic tasks can be accomplished without resorting to expensive proprietary tools.
26 Wireshark
By Didier Stevens ISSA member, Belgian Chapter
This article is a quick introduction to Wireshark as a
security tool. After discussing capturing, filtering, and
analyzing traffic, we look at a couple of scenarios.
Sabett's Brief
6 7 8 9
Herding Cats: My Favorite Things
10 Association News
17 Ship of Tools
25 Donn's Corner
42 toolsmith
At this year's RSA Conference, there was a great deal of focus on making the conference comfortable for women. There was the news of banning "Booth Babes" on the expo floor. RSA president Amit Yoran made statements during both his keynote and the Executive Women's Forum meeting that he was looking to make the conference and industry as a whole more welcoming to women. While this is good, it is important to look well beyond conferences and booth babes to see how the industry is really treating women. Unfortunately, I recently witnessed this first hand.

I use the word "unfortunately" not to indicate how the profession as a whole treats women, but that I witnessed an individual incident of Sexual Battery and the resulting impact on the victim. While the fact that the woman had to go through something horrible is bad, it was actually good to see how others reacted to the incident.

When I heard the back story, it was clear that almost everyone, and especially the men who witnessed the initial incidents a year prior, rallied around the victim to offer help. When the victim was scared to report the incident, it was actually a man who reported the incident to the appropriate corporate department. The company took action against the perpetrator and eventually fired him.

The victim believed that the perpetrator could ruin her career, and that reporting the incident or cooperating with the investigation would somehow brand her "That woman." Clearly this is absurd, but that is what society has trained women to believe, despite every action to that point clearly supporting her.

Recently the perpetrator was brazen enough, as many sexual predators are, to pull the woman away from a crowd (Battery according to the responding police officer), threaten her with retaliation, and put his hand on her behind as a further act of intimidation (making it Sexual Battery). I saw the incident first hand. I helped her file the police report, pull the video from the venue, and otherwise alert the relevant authorities of the incident.

I am personally taking every action reasonable to protect the Association, our members, and the profession from the perpetrator. This is clearly a complicated issue that needs to be handled properly.

Getting rid of booth babes will not stop incidents like this from occurring. Sexual predators are present in all professions (and are luckily few), but they do exist. And yes, there are women who make false claims. They are likewise despicable and damaging to the profession, and even more damaging to genuine victims. Luckily, they are as rare as the men who commit the harassment.

Anyone with minimal empathy can see the pain in a real victim. While it is despicable that anyone has to go through this experience, it is, however, encouraging to see the reaction by others in the profession. At just about every level the woman received support from those who could help her.

I have to admit that I never previously saw the pain of a victim of extreme sexual harassment, and it is horrible. While anything we can do to make women comfortable is welcome, it is easy to trivialize the problem when the focus is on booth babes. Hopefully though, the recognition of booth babes as an issue will sensitize everyone to the larger issues, and the profession and ISSA members will offer all victims the same level of support that this woman has received, and will continue to receive.
Ira Winkler
May 2015 | ISSA Journal 3
Board of Directors
President
Vice President
Secretary/Director of Operations
Bill Danigelis, CISSP,
Senior Member
Services Directory
Website
webmaster@issa.org
866 349 5818 +1 206 388 4584
Chapter Relations
chapter@issa.org
Member Relations
member@issa.org
Executive Director
execdir@issa.org
Vendor Relations
vendor@issa.org
Sabett's Brief
Tool, Tool, Everywhere's A Tool
By Randy V. Sabett, ISSA Senior Member, Northern Virginia Chapter

comes an app on your device). In light of how several of the high profile attacks have involved authentication issues, this would be one that companies may want to consider.

One last thing to consider: DHS recently announced that it had certified the first two pure cybersecurity commercial products under the SAFETY Act. This means that companies that utilize such products will have certain automatic limitations on their liability in the event of a terrorist event. More such certifications will likely happen in the future. This is a slightly different take on what we talked about above: instead of incurring liability for not using a tool, now you have a shield against at least some liability by using certain certified products. So now get out there and figure out what tools make sense for you while I go and tie up my barge!
Herding Cats
My Favorite Things
By Branden R. Williams, ISSA Distinguished Fellow, North Texas Chapter

Some of you may not realize, but I'm truly a techie at heart (and a Trekkie too). Technology was always easy for me. My parents tell stories of how I took over the nurses' computer station in 1982 at the hospital when my sister was born. I was not quite four years old. I have no memory of this, but I embrace it today just as much as I did back then. My family was an Apple family from the get-go. My first real Internet account was a Netcom shell dialup account. Unix variants were the first real operating systems I learned inside and out. I did spend time swearing at Windows 95, 98, NT4, and XP (for about a decade) like the rest of you, but eventually switched back. I feel at home in the Unix world, and OSX does a good job of keeping me grounded there.

I would be remiss if I didn't mention the biggest and best tool of all, your brain.
By Frederick Scholl, ISSA Senior Member, Middle Tennessee Chapter, and Chuck Capps

Publish security program transformation results in either raw data or graphical format. Select those who are succeeding and report their numbers. Ask the CEO/manager to publicly acknowledge the employees and work sections that are succeeding in the change process. This action alone shows she is paying attention and rewarding those who are engaged in the organizational initiative.

It's time to reimage information security; we are the ones who can make this happen.

The final lesson learned from the OC experience is the need to include appropriate metrics throughout the change process. Metrics are already the bread and butter of security professionals. However, to lead to change, these metrics must be transparent to the organization. While transparency is not often part of enterprise security programs, it can be a critical determinant for success.
2 Jay Galbraith, Designing Organizations, Pfeiffer (2002).
Compiled by Joel Weise, ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter, and Kris Tanaka, ISSA member, Portland Chapter

http://www.forbes.com/sites/jasonbloomberg/2015/04/24/cybersecurity-at-rsa-all-about-the-tools-no-trouble/
RSA Conference 2015: THE place to see the latest and greatest tools and technological advances the information security world has to offer. However, keep in mind that while tools are an important part of an organization's security strategy, they are only as good as the professionals who wield them. It's all about the tools AND the cyber warriors. No trouble!

http://gizmodo.com/who-on-earth-would-attack-github-for-its-anti-great-fir-1694134233
It was the largest DDoS attack in the site's history, evolving several times to circumvent GitHub's defenses. It still isn't clear who was behind the attack. However, since the attack was aimed at two popular projects that help Chinese citizens get around restrictive government online censors, the Great Firewall of China and CN-NY Times, one can assume that the instigators were pro-censorship. It appears that protests have moved from the streets into cyberspace.

http://www.bbc.co.uk/news/technology-32087919
It's all about balance. Yes, we need to make sure that law enforcement has access to online data in order to fight terrorism and cybercrimes. However, should police and other officials have access to all available electronic information and communication? Encryption does make it more difficult to monitor suspects. But encryption also gives us privacy and keeps our data safe. At least it does in theory.

http://www.vancouversun.com/news/Saanich+mayor+vindicated+privacy+commissioner+report+spyware/10932007/story.html
Spyware in Canada? Say it ain't so! For those of us in Canada, where we do take privacy very, very seriously, it is almost a shock to hear that a local government would illegally install spyware on municipal computers. The scary part is, "The software was also too invasive, tracking not only Atwell's Internet and email usage, but also recording all the keystrokes he made and taking screenshots of his screen every 30 seconds."

New Executive Order: Obama Takes Total Control of Internet, Declares National Cybersecurity Emergency
http://www.infowars.com/new-executive-order-obama-takes-total-control-of-internet-declares-national-cyber-security-emergency/
http://www.wired.com/2015/04/new-obama-order-allows-sanctions-foreign-hackers/
It's hard to say how this will play out, but the US government appears to be taking cyber threats and cybersecurity very seriously. The executive order allows the US government to levy economic sanctions against individuals overseas who engage in destructive cyberattacks or commercial espionage. The concern here is who defines what a cyberattack is? Will my use of whitehat security forensic tools be deemed a form of cyberattack?

http://krebsonsecurity.com/2015/04/hacking-atms-literally/
Most information security practitioners, myself included, don't often consider physical threats. Here's a great example of physical security in action. It seems to me, only a novice criminal would try to attack an ATM. The vaults within them are usually very strong and let's face it, stealing money electronically is easier and I would guess more profitable.

Florida Teen Charged with Felony Hacking for Using Password His Teacher Showed Him
http://www.networkworld.com/article/2908555/opensource-subnet/florida-teen-charged-with-felony-hacking-for-usingpassword-his-teacher-showed-him.html
In my opinion, this is a case of police over-reach. On its face, this sounds like a simple prank by a typical 14-year-old juvenile. I'm hard pressed to understand why police would expend their energies on what I would call a trivial threat. It would be interesting to hear from readers what their take is on this incident.

https://citizenlab.org/2015/04/chinas-great-cannon/
I'm sure almost all security practitioners are aware of the Great Firewall of China. Now we have to deal with China's Great Cannon, which according to this article deploys DDoS attacks. As the authors state, "the operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users." I wouldn't call this an escalation in cyberattacks, but rather a better awareness of the tools that the Chinese are using.

http://www.darkreading.com/endpoint/new-security-flaw-spans-all-versions-of-windows/d/d-id/1319884
Well this doesn't sound too good for Microsoft users. A newly discovered vulnerability called "Re-Direct to SMB" has been found that can potentially enable an adversary to determine different user credentials. The attack does appear viable although not trivially easy. And not to pick on only Microsoft, it seems iTunes is also vulnerable.
Security Awareness
The Security Culture Framework
By Geordie Stewart ISSA member, UK Chapter
Association News
ISSA Pre-Professional Virtual Meet-Up
Call for Nominations Now Open

ISSA annually recognizes outstanding information security professionals, their companies, and chapters that are at the top of their respective games. Who would you like to see recognized? Nominations may be made by any member in good standing; please thoroughly review the Awards Policies and Procedures. This year's awards will be presented at the ISSA International Conference in Chicago, Oct. 12-13. All nominations and supporting documents must be received by May 15, 2015, at 11:59 p.m. Eastern time.

Hall of Fame: Pays homage to an individual's exceptional qualities of leadership in his or her own career and organization as well as an exemplary commitment to the information security profession. (ISSA membership not required.)

Honor Roll: Recognizes an individual's sustained contributions to the information security community, enhancement of the professionalism of ISSA members, and advancement of the association.

Security Professional of the Year: Honors the member who best exemplifies the most outstanding standards and achievement in information security in the preceding year.

Volunteer of the Year: Recognizes a member who has made a significant difference to his or her chapter, the association, or the information security community through dedicated and selfless service to ISSA.

Chapters of the Year: Rewards chapters that have done an exceptional job of supporting ISSA's mission, serving their member communities, and advancing the field. Three awards will be given based on size: less than 100 members, 100-200 members, more than 200 members.

Pat Myers, Joan Rose, and Tim Hoffman are shown preparing for the thousands of conference goers at the ISSA booth during the RSA Conference, April 2024, San Francisco. More than 700 members and prospective members visited the booth, and ISSA received more than 100 new membership applications throughout the conference, including at least one new CISO Executive.
Association News
Cybersecurity Coalition Aims at Shortage of One Million Infosec Professionals
San Francisco, CA, April 22, 2015

The need for all groups within the profession to collaborate to define the profession

Among the groups attending were the (ISC)2, Center for Internet Security, US Cyber Challenge, Colloquium for Information Systems Security Education, CompTIA, National Cybersecurity Institute at Excelsior College, Global Information Assurance Certification, Institute of Electrical and Electronics Engineers (IEEE), ISACA, ISSA Education Foundation, National Cybersecurity Institute, Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), and the SANS Institute.

"With more than 400,000 members in 160 countries, IEEE and its members are major stakeholders in this issue," said chair of the IEEE Cybersecurity Initiative, Dr. Greg Shannon. "We are all facing the same challenges in efficiently creating a cybersecurity-capable workforce. The more we collaborate as a community, the more efficiently we can create broad solutions, the better we can thwart cyber threats."

"The international cybersecurity community is looking for solutions to pressing cybersecurity issues. It's important that we listen to all voices in the industry from certifications to professional organizations and education. The importance of public-private partnerships would serve everyone greatly in order to attain a new level of cooperation to help define the profession," said former cybersecurity advisor for both President Bush and President Obama, Howard Schmidt.

Over the last few decades, many groups have attempted to define the profession, resulting in curricula, certification standards, and lists of skills that only partially intersect. This
Association News
CISO Executive Forum Update
Industry Events
SecureWorld Houston
SecureWorld Atlanta
Working with Indicators of Compromise
By Jason Andress, ISSA Senior Member, Puget Sound Chapter
This article discusses indicators of compromise and some of the tools that might be used to work
with them. Discussed are sources of IOC data in OpenIOC format, tools used to manipulate IOC
files, and the deployment of IOC files in an environment to scan for indicators of compromise on
individual hosts.
I know Google Fu
A bit of googling will often turn up IOC data as well. This may not always be the case with brand new malware or attacks, as such events often take several weeks to sort the particulars well enough to get solid IOCs generated. Usually simple search terms such as "stuxnet ioc" or "blackpos ioc" will generate decent results, or, at the very least, lead to others who are discussing the situation. Google Alerts10 can be very helpful when searching for IOCs relating to new threats.
http://www.fbi.gov/contact-us/field.
https://www.infragard.org/.
https://www.fsisac.com/.
http://www.rila.org/rcisc/RetailISAC/Pages/default.aspx.
https://www.it-isac.org/.
http://www.isaccouncil.org/memberisacs.html.
https://www.iocbucket.com/.
Custom IOCs can, of course, also be developed. This does require a certain amount of instrumentation to provide a view into what is going on with our networks and hosts, and likely a bit of detective work, but it has the potential to produce very interesting results. A few places to look for potential IOCs are:
Unusual spikes in incoming or outgoing network traffic
Access from IP addresses in unexpected geographic locations
DNS logs

There are, of course, any number of locations and/or activities that might turn up as being interesting data. IOCs can be constructed based on reading in the security domain, information presented at conferences, newly released vulnerability information from vendors, previous incidents, and so forth. The ultimate measure of how interesting these types of IOCs end up being lies in deploying them in our environment.
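As an added illustration of mining the third of those sources, DNS logs, for candidate indicators (this is example code written for this edit, not from the article or any tool it names), the script below parses a handful of constructed BIND-style query log lines and applies two simple heuristics: a long, high-entropy leftmost label (typical of algorithmically generated names) and one client repeatedly querying into the same zone. The log format, the thresholds, and every host name are assumptions; in practice the thresholds would be tuned against the environment's own baseline before any flagged name is promoted to an IOC.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (assumption: a BIND-style
# "client#port: query: name IN type" line format; these are not real queries).
SAMPLE_DNS_LOG = """\
10.0.0.5#51234: query: www.example.com IN A
10.0.0.5#51235: query: mail.example.com IN A
10.0.0.7#40001: query: xk3j9q2lmzp7vt.bad-zone.biz IN A
10.0.0.7#40002: query: q8zr1m5np0wxy4.bad-zone.biz IN A
10.0.0.7#40003: query: 7lm2k9xq0pzt3v.bad-zone.biz IN TXT
10.0.0.7#40004: query: z1x2c3v4b5n6m7.bad-zone.biz IN A
10.0.0.9#33010: query: update.vendor-cdn.net IN A
"""

LINE_RE = re.compile(r"^(?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Return a list of (client, queried name, query type) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["client"], m["name"].lower().rstrip("."), m["qtype"]))
    return records


def candidate_iocs(records, entropy_threshold=3.5, burst_threshold=3):
    """Map each suspicious name or zone to the reasons it was flagged.

    Two heuristics: a leftmost label that is long and high-entropy (typical of
    algorithmically generated names), and one client issuing many queries
    into the same zone (a beaconing pattern). Thresholds are assumptions
    to be tuned against the environment's own baseline.
    """
    findings = defaultdict(set)
    per_client_zone = defaultdict(Counter)
    for client, name, _qtype in records:
        labels = name.split(".")
        zone = ".".join(labels[-2:])
        if len(labels[0]) >= 10 and shannon_entropy(labels[0]) >= entropy_threshold:
            findings[name].add("high-entropy hostname label")
        per_client_zone[client][zone] += 1
    for client, counter in per_client_zone.items():
        for zone, n in counter.items():
            if n >= burst_threshold:
                findings[zone].add(f"{n} queries from {client}")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for name, reasons in candidate_iocs(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(name, "->", "; ".join(reasons))
```

Run against the constructed log, the four random-looking hosts under bad-zone.biz are each flagged for entropy and the zone itself is flagged for the burst from 10.0.0.7, while the ordinary names from the other two clients produce nothing; the flagged names are candidates to be written up as IOCs only after the analyst confirms they are not a legitimate CDN or telemetry service.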
Ship of Tools:
All the Security Tools in the World Can't Save You

If the foundation is weak. Even sophisticated detection tools can't help you if the infrastructure they're monitoring is weak. Think of users with bad passwords: the bad guys are in before hitting any reasonable threshold that would trigger the alarm. And once they are in, most of their behavior will look normal since they are now authorized with someone else's credentials.

If you don't know what you have. If you can't track your assets on the network, you'll end up with forgotten, unpatched systems with an ever-growing assortment of vulnerabilities that your scanners would detect...if only they knew where to look. And when the bar is that low, an attacker can take herself from attack mode to normal user mode in minutes, even seconds.

If you have insufficient defense in depth. Layers of security are key: it's while crossing these layers that alarms are triggered, and those alarms are your best chance of catching the attacker before the damage is done. In this context, layers mean firewalls, authentication, host intrusion detection tools, file integrity checkers, and so on.

If you are not paying enough attention. Slapping a monitoring tool into place and then ignoring the results is a classic mistake. If
Deploying IOCs
Figure 5 - IOCe
and do a diff between two IOC files. IOC Editor (IOCe) with
the Stuxnet IOC file loaded can be seen in figure 5.
Career Opportunities
Visit the Career Center to look for a new opportunity. These are among the 1,057 current job listings you will find [as of 4/30/15]:
Deploying IOCs by using them to scan our environment is really where the rubber meets the road. There are several purpose-built tools for accomplishing this aim, but any of the myriad scripting languages would fit the bill if there were a desire to create a custom scanning tool for this effort.
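To make the "custom scanning tool in a scripting language" concrete, here is an added example (written for this edit; it is not code from the article, from Redline, or from PyIOCe) that evaluates a small OpenIOC 1.0 document against a snapshot of what was observed on a host. The OpenIOC document, the digest in it (the MD5 of a made-up byte string), and the host snapshots are all constructed; the snapshot format (a list of dicts keyed by the OpenIOC `search` path such as `FileItem/Md5sum`) is an assumption, as is the simplification that an AND may be satisfied by different observed objects on the same host.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample value: the MD5 of a made-up byte string, not of any real file.
SAMPLE_MD5 = hashlib.md5(b"constructed dropper bytes").hexdigest()

# Constructed OpenIOC 1.0 document: schema element names are real, the
# indicator values (file name, service name, digest) are invented.
SAMPLE_OPENIOC = f"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2015-05-01T00:00:00">
  <short_description>Constructed example IOC</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{SAMPLE_MD5}</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">example-dropper</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="is">
          <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
          <Content type="string">ExampleSvc</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots: each observed object is a dict keyed by the
# OpenIOC search path (an assumed layout for this example).
CLEAN_HOST = [
    {"FileItem/FileName": "notepad.exe", "FileItem/Md5sum": hashlib.md5(b"benign").hexdigest()},
    {"ServiceItem/name": "Spooler"},
]
HASH_HIT_HOST = [{"FileItem/FileName": "svchost2.exe", "FileItem/Md5sum": SAMPLE_MD5}]
PARTIAL_HOST = [{"FileItem/FileName": "example-dropper.dll", "FileItem/Md5sum": "0" * 32}]
AND_HIT_HOST = PARTIAL_HOST + [{"ServiceItem/name": "ExampleSvc"}]


def _item_matches(item, host) -> bool:
    """True if any observed object satisfies one IndicatorItem ('is' / 'contains')."""
    search = item.find("ioc:Context", NS).get("search")
    value = (item.find("ioc:Content", NS).text or "").strip().lower()
    cond = item.get("condition", "is")
    for obj in host:
        observed = obj.get(search)
        if observed is None:
            continue
        if cond == "is" and observed.lower() == value:
            return True
        if cond == "contains" and value in observed.lower():
            return True
    return False


def _indicator_matches(indicator, host) -> bool:
    """Recursively combine child results with the Indicator's AND/OR operator."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, host))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def scan_host(openioc_xml: str, host) -> bool:
    """Return True if the host snapshot satisfies any top-level Indicator."""
    root = ET.fromstring(openioc_xml)
    definition = root.find("ioc:definition", NS)
    return any(_indicator_matches(ind, host) for ind in definition.findall("ioc:Indicator", NS))


if __name__ == "__main__":
    for label, host in [("clean", CLEAN_HOST), ("hash hit", HASH_HIT_HOST),
                        ("partial", PARTIAL_HOST), ("AND hit", AND_HIT_HOST)]:
        print(f"{label}: {scan_host(SAMPLE_OPENIOC, host)}")
```

The point of the nested operator logic is that a weak indicator (a file name fragment) only fires in combination with a second observation (the service name), while the strong indicator (the digest) fires on its own; the "partial" host shows why an AND that only half-matches must not be reported as a hit.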
Redline
Redline15 (free, not open source), a GUI tool specifically created to search systems for signs of malicious activity, can
create a collector script to search specifically for indicators
in an IOC file. Running the Redline wizard for IOC search
collectors will walk you through the process and result in a
directory containing the scripts to use and a readme file with
instructions on how to put these files to use, as shown in figure 6.
Using the Redline IOC collector manually on a large set of
systems may be somewhat labor intensive, but, fortunately,
the set of scripts lends itself well to automation. In a Windows
14 https://github.com/yahoo/PyIOCe.
15 https://www.mandiant.com/resources/download/redline.
In conclusion
There are a number of great tools available for working with
IOCs, the majority of which are free to use, and all can be
helpful in hunting evil within an organization. The best way
of sorting out which tools will work in a given environment
is to experiment with the different options that are available
and to assemble a purpose-built tool chain.
As the use of IOCs continues to develop and become more
common, there is an expectation of refinement of the standards that are used to share such data, as well as a much more
fully-developed set of tools to support their use. The need for
sharing threat-intelligence data will only increase moving
forward, and research in this area promises to be an interesting thing to watch.
file. These hashes can later be used to detect any changes. Standard proprietary forensics tools such as Encase contain powerful hashing tools. In reality these are little more than a fancy interface. The underlying hashing algorithms are publicly available and most have been released to the public via various open source licenses. A 256-bit SHA hash of a file by Encase is no better or worse than one by free and open source projects such as sha256sum. There is only one correct output no matter which tool is used.
During the infamous iCloud hack I was
contacted by an attorney for a corporation that had caught an employee downloading leaked photos to a company
computer. They feared that this behavior
was not unique and needed a tool to scan
for the offending images across multiple
platforms. Needless to say, they did not
want to have to download the images in
order to make a comparison manually.
Searches for offending filenames were
turning up too many false positives (i.e.,
001.jpg). Instead I took hashes of the
leaked files and created a blacklist. These
hashes, not files or even file names, were
used by internal investigators when scanning company machines. I did this using
md5deep, a program famously written
by Jesse Kornblum during his time as an
investigator with the Air Force Office of
Special Investigations. If you know your
copyright law, that makes the software
public domain within the United States.1
$ md5deep -r * > icloud_hashes.txt
This command hashes all files within a
directory and subdirectories (-r for recursive) and outputs them to a file. I ran
it from a directory on a cloud instance
where I had collected troves of leaked
images (figure 2).
This file was sorted and deduped to remove unnecessary data such as file
names, resulting in a simple list of hashes disconnected from the files from
which they were taken. Internal investigators used this list while scanning for
leaked files possibly stored on company
machines, again using md5deep.
1 Copyright protection under this title is not available
for any work of the United States Government, 17 U.S.
Code 105. See https://www.law.cornell.edu/uscode/
text/17/105.
$ md5deep -r -m icloud_hashes.txt *
The -m flag tells md5deep to match files against the list of known hashes and output any such matches. There is no need to output the results to a file. Any results, any matches, would warrant further investigation by hand. In reality the command used was slightly more complex. There were additional options instructing md5deep to skip large files for purposes of speed and to use a list of hashes stored at a shared network location that I updated as new leaks appeared. The novel aspect of this internal investigative sweep was that none of the people handling the company computers had access to any leaked data, reducing any accusations that they could have planted evidence.
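The whole workflow just described (hash a tree recursively, reduce the output to a sorted, deduplicated list of digests with no file names, then sweep another tree for matches while skipping large files) can be reproduced in a few dozen lines of Python. The block below is an added example written for this edit, not the author's script and not part of md5deep; it builds two constructed directory trees in a temporary directory so it runs offline, and the 1024-byte size cap is an arbitrary stand-in for whatever limit the author chose.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_file(path, chunk=1 << 20) -> str:
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, max_size=None) -> dict:
    """Like `md5deep -r`: {relative path: md5} for every regular file under root.
    Files larger than max_size bytes are skipped (the article's speed trick)."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if max_size is not None and p.stat().st_size > max_size:
            continue
        out[p.relative_to(root).as_posix()] = md5_file(p)
    return out


def build_hash_list(hashes: dict) -> list:
    """Sort and dedupe, keeping only digests (no file names), like the blacklist."""
    return sorted(set(hashes.values()))


def match_tree(root, known_hashes, max_size=None) -> list:
    """Like `md5deep -r -m list`: [(path, md5)] for files whose digest is on the list."""
    known = {h.lower() for h in known_hashes}
    return [(path, h) for path, h in hash_tree(root, max_size).items() if h in known]


def run_demo():
    """Build constructed 'leaked' and 'company' trees and sweep the latter."""
    with tempfile.TemporaryDirectory() as tmp:
        leaked = Path(tmp, "leaked")
        company = Path(tmp, "company")
        leaked.mkdir()
        company.mkdir()
        # Constructed stand-ins for leaked files; dup.jpg has the same bytes as 001.jpg.
        (leaked / "001.jpg").write_bytes(b"constructed leaked image A")
        (leaked / "002.jpg").write_bytes(b"constructed leaked image B")
        (leaked / "dup.jpg").write_bytes(b"constructed leaked image A")
        blacklist = build_hash_list(hash_tree(leaked))  # two unique digests
        # Company machine: a filename collision (no hit), a renamed copy (hit),
        # and a large file that the size cap skips.
        (company / "001.jpg").write_bytes(b"unrelated holiday photo also named 001.jpg")
        (company / "cache").mkdir()
        (company / "cache" / "x7.tmp").write_bytes(b"constructed leaked image B")
        (company / "big.iso").write_bytes(b"\0" * 4096)
        matches = match_tree(company, blacklist, max_size=1024)
        return blacklist, matches


if __name__ == "__main__":
    hash_list, hits = run_demo()
    print(len(hash_list), "digests on the list")
    for path, digest in hits:
        print("MATCH", digest, path)
```

The demo shows the two properties the article relies on: the filename collision on 001.jpg is not a hit because only digests are compared, and the renamed copy under cache/ is a hit for the same reason, so the investigators never need to see the leaked content itself.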
can see, the output format was less than ideal (figure 3a). With a little command-line savvy it was cleaned up considerably. Using a pipe (the vertical bar | ) to feed the output of Exiftool into grep, I created a tidy list of latitude-longitude pairs. These were then mapped to physical locations, mostly celebrity homes, so that any physical security implications could be evaluated (figure 3b).
$ exiftool -r -S -GPSLatitude -GPSLongitude * | grep -E 'GPSLatitude|GPSLongitude' > results.txt
Conclusion
Hopefully this brief description of a handful of tools demonstrates that it is possible to perform some basic forensics without resorting to expensive tools.
Links:
sha256sum: http://www.gnu.org/software/coreutils/.
Grep: http://www.gnu.org/savannah-checkouts/gnu/grep/manual/grep.html.
MD5deep: http://md5deep.sourceforge.net/.
ExifTool: http://www.sno.phy.queensu.ca/~phil/exiftool/.
Donn's Corner
By Donn Parker
Segregation of duties
Dual control
Workplace observation
ISSA's Pre-Professional Virtual Meet-Up Series
Wireshark
A brief overview
Wireshark runs on many operating systems like Windows,
Linux, and OSX. It has a graphical user interface (GUI), but
when you install Wireshark, you get many more tools like
TShark, which is a full-featured command-line version of
Wireshark that uses a text-terminal interface. Wireshark
comes in 32-bit and 64-bit versions. As network captures can be quite large and require much memory for analysis, the 64-bit version is a welcome addition.
Wireshark can capture network traffic, analyze and display
network traffic, and save captured network traffic to disk. On
Linux and OSX, Wireshark captures traffic from the network
interfaces via libpcap; though it does not exist on Windows,
there is a free, open source equivalent called WinPcap. WinPcap comes bundled with the Windows setup binaries for
Wireshark. With WinPcap, Wireshark on Windows can capture network traffic from the network interfaces.
Filtering traffic
It can be quite overwhelming when you start analyzing all the
network traffic captured on a server. There can be so many
conversations that you will have a hard time finding all the
packets relevant to the traffic you are interested in. Being able
to filter network traffic according to your taste would be very
useful. And as can be expected from a feature-rich tool like
Wireshark, it has many options to filter traffic.
Wireshark allows you to specify a filter to be applied when capturing network traffic (this filter is actually active at the libpcap/WinPcap layer). A filter can be as simple as specifying that you just want to capture the IP network protocol and nothing else, or all traffic from or to a host, or a combination. This filtering is done with filter expressions according to the Berkeley Packet Filter (BPF) standard.
2 https://isc.sans.edu/forums/diary/No+Wireshark+No+TCPDump+No+Problem/19409/.
Figure 1 - Main Wireshark window with packet list, packet details, and packet bytes panes
Only network traffic that satisfies the BPF filter will be seen by
Wireshark and ultimately saved to disk. And this points out a
potential problem with capture filters: if your filter expression
is too narrow, you will miss data that you can never recover
without redoing the capture. For example, say you use a capture filter for TCP packets. But when you do the analysis, you
realize you would also like to have the network names for the
IP addresses you see. Since normal DNS is UDP and not TCP,
it was not captured and thus you have no name resolution.
I advise using a capture filter only if you do not have the resources to capture all traffic. If you do have the resources (disk space, bandwidth), capture all traffic and filter it during your analysis with display filters.
Analyzing traffic
In figure 1 you see the Wireshark GUI with an open capture file. Wireshark used pcap capture files by default, but since recent versions, the pcapng format is the default.
Below the menu and toolbars, Wireshark has three panes:
1. Packet list pane
2. Packet details pane
3. Packet bytes pane
The packet list pane shows you the packets in the capture file: one packet per line, and the packets are numbered. A couple of columns help you make sense of what is displayed: Time, Source, Destination, Protocol. The packet that is selected in the list pane (packet #1 in the figure) is displayed below in the details pane and the bytes pane.
The details pane shows you the results of the protocol dissectors. Wireshark uses protocol dissectors (these are programs,
A couple scenarios
We can all come up with scenarios where network engineers
use Wireshark: troubleshooting network communications
like lost packets, long delays, time outs, and others. But here I
want to illustrate some simple, practical scenarios that can be
very useful in your professional life.
No SYN/ACK
You try to SSH into a server but you get no connection. What
is wrong? Launch Wireshark, start capturing, and restart
your SSH connection. Now stop Wireshark and use a display
filter to see TCP packets to or from the server (tcp and ip.addr
== 10.10.10.10). Do you see a SYN packet going to the server?
Good. Now do you see a SYN/ACK packet coming from the
server? No? OK, then adapt your filter to include ICMP (Internet control message protocol). Do you see ICMP traffic?
Figure 2 - Dialog window appearing when exporting HTTP objects: it lists all HTTP objects
that can be saved (exported)
Take the hex bytes, and arrange them in a text file like this (16 bytes per line):
000000 E6 7B 01 00 00 01 00 00 00 00 00 00 03 77 77 77
000010 06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 01 00 01
Prefix the hex bytes with a counter: 000000, 000010, 000020...
Start Wireshark and select File / Import from Hex Dump (figure 3).
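As an added example (written for this edit, not from the article or from Wireshark), the script below takes the 32 bytes shown above, produces the offset-prefixed text that File / Import from Hex Dump expects, reads that text back to check the round trip, and decodes the bytes as the DNS query they are, which is what the figure 4 tree view in Wireshark displays after the import. The only assumption is that the bytes are a plain query with no name compression, which holds for the bytes given.

```python
import struct

# The 32 bytes the article shows: a DNS query for www.google.com, type A.
DNS_QUERY = bytes.fromhex(
    "E6 7B 01 00 00 01 00 00 00 00 00 00 03 77 77 77"
    "06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 01 00 01"
)


def to_hex_dump(data: bytes, width: int = 16) -> str:
    """Lay bytes out the way 'Import from Hex Dump' wants them: a six-digit
    hex offset, then up to `width` space-separated hex bytes per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:06x} " + " ".join(f"{b:02X}" for b in chunk))
    return "\n".join(lines)


def from_hex_dump(text: str) -> bytes:
    """Inverse of to_hex_dump: drop the leading offset field on each line."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            out.extend(int(h, 16) for h in fields[1:])
    return bytes(out)


def parse_dns_query(data: bytes) -> dict:
    """Decode the 12-byte header and the first question of a DNS message.
    Assumes the plain label encoding used by queries (no compression pointers)."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    pos = 12
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {
        "id": ident, "flags": flags, "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount,
        "name": ".".join(labels), "qtype": qtype, "qclass": qclass,
    }


if __name__ == "__main__":
    dump = to_hex_dump(DNS_QUERY)
    print(dump)
    assert from_hex_dump(dump) == DNS_QUERY
    print(parse_dns_query(DNS_QUERY))
```

The decoded fields (transaction id 0xE67B, flags 0x0100 meaning a standard query with recursion desired, one question for www.google.com of type A in class IN) are exactly what Wireshark's DNS dissector shows in the packet details pane once the dump has been imported with the "UDP" encapsulation and port 53 selected.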
Figure 4 - Tree view of DNS data in the packet details pane after importing a
hex dump
Conclusion
Wireshark is a very powerful, versatile packet analysis tool. It has many powerful features for experienced network engineers, but also powerful features for occasional users, as I tried to illustrate with some scenarios. It is very extensible: it accepts new dissectors written in C and in Lua. And did I mention that it is free? And open-source?
Figure 7 Part of the Lua code for the BOTNET01 protocol dissector
Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, CISSP, GSSP-C, GCIA, GREM, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is a member of the Belgian ISSA Chapter and an IT security consultant currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). Didier also provides Wireshark training. You can find his open source security tools on his IT security related blog at http://blog.DidierStevens.com.
(Figure residue: Cruise missiles, Game consoles, Telecommunication infrastructure, Medical devices, Governments, Hospitals, Banks)
Price tag?
BOMtotal is a free service, and as such it allows you to get
your feet wet with software supply chain management. It provides you with crucial visibility into the software you build
and buy, allowing you to make informed decisions about risk.
Also, keep in mind the following:
BOMtotal can only detect the components it knows about.
At this writing (April 2015), BOMtotal has a database of
over 1,000 software components, but obviously it cannot
find a component if it is not already in the database.
Summary
BOMtotal is a free software composition analysis service
that allows anyone to see the BOM for any piece of software.
BOMtotal democratizes software supply chain management
by giving everyone visibility into the components that are
used to build software. 2015 is the year of software supply
chain management. If you're not already actively managing
your software supply chain, you can get started today with
BOMtotal.
Users should recognize that to ensure a comprehensive assessment all security control objectives and related controls
noted within the standard should be integrated into the tool.
In this example, all 11 control sections, all associated security control objectives, and all individual controls of the ISO
27002:2005 standard were integrated into the tool. These
were likewise structured as they are in the standard. The control sections from the ISO standard include:
Access Control
Asset Management
ture, applications, and services. Information security is not an afterthought and is instead part of a holistic approach to IT operations.
The overall score for the security policy control section is 2.5,
which is subpar for the target security maturity level for the
organization. Recall that our target security maturity level for
this example was 4. Such a score should tell an organization it
has some work to do in its security policy process.
As each control is scored, an average score is created for each
control section. These are automatically integrated into an
overall score as well as mapped to different graphs as defined
in the tool. For example, a histogram or spider graph can be
included to better illustrate one's level of compliance against
the security maturity model.
With the assumption that all 11 control sections of the ISO
standard are considered in scope, the third step is performed
for all security control objectives under each control section.
Note that even if all 11 control sections are selected, it is possible that some security control objectives may be out of scope.
ISO 27002 CONTROL OBJECTIVE | REFERENCE | CONTROL | SCORE

Control objective: To provide management direction and support for the information security in accordance with business requirements and relevant laws and regulations.
Reference: A.5.1.1
Control: Determine if a security policy exists.
  If no, score = 1
  If yes but not endorsed or published, score = 2
  If yes, endorsed, and published, score = 3
  If yes, endorsed, published, and a revision mechanism exists, score = 4
Guidance: The policy should take account of the following:
  a) Security requirements of individual business applications
  b) Identification of all information related to the business applications and the risks the information is facing
  c) Policies for information dissemination and authorization, e.g., the need-to-know principle and security levels and classification of information (see 7.2)
  d) Consistency between the access control and information classification policies of different systems and networks
  e) Relevant legislation and any contractual obligations regarding protection of access to data or services (see 15.1)
  f) Standard user access profiles for common job roles in the organization
  g) Management of access rights in a distributed and networked environment that recognizes all types of connections available
  h) Segregation of access control roles, e.g., access request, access authorization, access administration
  i) Requirements for formal authorization of access requests (see 11.2.1)
  j) Requirements for periodic review of access controls (see 11.2.4)
  k) Removal of access rights (see 8.3.3)
Control score: 3

Control objective: To provide management direction and support for the information security in accordance with business requirements and relevant laws and regulations.
Reference: A.5.1.2

Security Policy Score: 2.5

Figure 3 - Individual scores of each control section and the overall score (chart values as extracted): 1.21, 0.80, 3.80, 4.88, Compliance 1.40, 3.67, 2.60, 2.19, 4.18, 2.85, Security Policy 2.50; Overall Score 2.73
The spider graph (figure 4) is a very effective means of demonstrating where the organization should focus its efforts to
raise the security maturity level. In fact, this organization
should be focusing on a number of areas including security
policy, asset management, and access control to name a few.
The overall scores of the control sections, in conjunction with
the individual scores for each control under each control objective, give an organization the ability to tailor a focused
gap analysis and remediation plan in an efficient manner.
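The scoring described above is ordinary spreadsheet arithmetic, so here is an added Python example (not the author's tool) that implements it end to end: the A.5.1.1 rubric from the matrix, the per-section average, the overall score, and the gap against the target maturity level of 4. The section values are the eleven numbers in figure 3; only Compliance and Security Policy are labelled there, so the other nine carry placeholder names, and the A.5.1.2 score (2) is a constructed value that reproduces the printed Security Policy section average of 2.5.

```python
"""Controls-matrix scoring married to a maturity model, as an added example
of the spreadsheet arithmetic the article describes (not the author's tool).
The four-level rubric is the one printed for control A.5.1.1; the eleven
section averages are the values read from figure 3. Only two of them are
labelled in the figure (Compliance, Security Policy); the other nine are
labelled here as unlabelled. The A.5.1.2 score is not shown on the page, so
2 is a constructed value chosen to reproduce the printed section average 2.5.
"""
from statistics import mean

TARGET_MATURITY = 4  # the article's target maturity level for this example


def score_security_policy(exists, endorsed, published, revision_mechanism):
    """A.5.1.1 rubric: 1 = no policy; 2 = exists but not endorsed or
    published; 3 = endorsed and published; 4 = also has a revision mechanism."""
    if not exists:
        return 1
    if not (endorsed and published):
        return 2
    if not revision_mechanism:
        return 3
    return 4


def section_average(control_scores):
    """Average of the control scores under one control section, 2 decimals."""
    if not control_scores:
        raise ValueError("a control section needs at least one scored control")
    return round(mean(control_scores), 2)


def overall_score(section_averages):
    """Overall score = mean of the section averages (figure 3 prints 2.73)."""
    return round(mean(section_averages), 2)


def gap_report(section_averages, target=TARGET_MATURITY):
    """Sections below the target, worst gap first, as (name, average, gap)."""
    rows = [(name, avg, round(target - avg, 2))
            for name, avg in section_averages.items()]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)


# Security Policy section: A.5.1.1 scored 3 on the page (policy exists,
# endorsed, published, no revision mechanism); A.5.1.2 = 2 is constructed.
SECURITY_POLICY_CONTROLS = [score_security_policy(True, True, True, False), 2]

# The eleven section averages from figure 3, in the order extracted.
FIGURE3_SECTION_SCORES = {
    "section 1 (unlabelled in figure 3)": 1.21,
    "section 2 (unlabelled in figure 3)": 0.80,
    "section 3 (unlabelled in figure 3)": 3.80,
    "section 4 (unlabelled in figure 3)": 4.88,
    "Compliance": 1.40,
    "section 6 (unlabelled in figure 3)": 3.67,
    "section 7 (unlabelled in figure 3)": 2.60,
    "section 8 (unlabelled in figure 3)": 2.19,
    "section 9 (unlabelled in figure 3)": 4.18,
    "section 10 (unlabelled in figure 3)": 2.85,
    "Security Policy": section_average(SECURITY_POLICY_CONTROLS),
}

if __name__ == "__main__":
    print("Security Policy section:", FIGURE3_SECTION_SCORES["Security Policy"])
    print("Overall score:", overall_score(FIGURE3_SECTION_SCORES.values()))
    for name, avg, gap in gap_report(FIGURE3_SECTION_SCORES):
        print(f"{name}: {avg} (gap to target {TARGET_MATURITY}: {gap})")
```

The gap report is the tabular form of the spider graph: the sections sort by distance from the target, which is exactly where the article says the organization should focus first.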
Conclusion
The tool demonstrated in this article is an example of a simple
security and governance controls matrix married to a security
maturity model. This is a useful tool that can be implemented in a spreadsheet as was done here, or via the creation of a
dedicated application or other means. A tool such as this can
be designed to support other frameworks such as COBIT [7]
or ITIL [8] and likewise integrate with other security-related
models such as the Capability Maturity Model (CMM) [9].
Using such a tool has the benefits of organizing and rating
applicable security control objectives, diagramming those
Joel Weise has worked in information security for over 30 years. His current research is focused on adaptive security, cloud computing, cryptographic systems, security governance, and security maturity modeling. Joel is a founding member of the ISSA and a member of the American Bar Association, serving as a subject matter expert for the Science and Technology working committee. He may be reached at jmweise@gmail.com.
Abstract
Information security professionals routinely face an array of tools and techniques available to perform their job. One particular tool, YARA, and a suite of accompanying complementary tools provide a great way to quickly leverage threat-intelligence information without having extensive expertise in malware analysis. This article introduces readers to YARA and its applications, and suggests additional resources that information security professionals can use to make YARA part of their defensive toolkit.
From YARA's modest beginnings, rules were originally intended to find basic text patterns within files scanned by the custom YARA engine. The tool is much more powerful today, capable of dissecting executable files, both ELF (executable and linkable format) and PE (portable executable) binary files, as well as other modules and additions. However, with that increased capability comes an onslaught of complex options that may seem unwieldy to a novice malware analyst.
Conclusion
Symantec's CEO famously announced in mid-2014 that "antivirus is dead," lending credence to the growing suspicion
that hackers are more consistently evading standard antivirus detections. [16] The need for better and more proactive
methods for finding malicious activity has become apparent,
and YARA is a great way to help bridge that gap. Using the
open source tools described above, analysts can easily create
YARA rules and quickly begin scanning files. In addition to
its ease of use, YARA also makes for an excellent endpoint
scanning engine since it can scan subsequent files that are
written to disk, perhaps after a compromise occurs, as well as
processes running in memory. The tool is flexible and, most
importantly, it is a freely available, open source tool that has
changed how the security community operates.
Bibliography
Alvarez, Victor. Welcome to YARA's documentation! Read the Docs. Last modified February 10, 2015. http://yara.readthedocs.org/en/v3.3.0/.
Clark, Chris. YaraGenerator. Github. Last modified August 29, 2013. https://github.com/Xen0ph0n/yaragenerator.
Dias, Ricardo. Intelligence-Driven Incident Response with YARA. SANS Institute InfoSec Reading Room. http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542.
Documents. Snort. Accessed April 19, 2015. https://www.snort.org/documents.
Koret, Joxean. Extracting binary patterns in malware sets and generating Yara rules. Unintended Results (blog). April 29, 2012. http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/.
Ligh, Michael, Steven Adair, Blake Harstein, and Matthew Richard. Malware Analyst's Cookbook and DVD: Tools and Techniques For Fighting Malicious Code. Indianapolis: Wiley Publishing, Inc., 2011.
Obama, Barack. Promoting Private Sector Cybersecurity Information Sharing. Executive Order 13691. February 20, 2015. http://fas.org/irp/offdocs/eo/eo-13691.pdf.
Roth, Florian. yarGen. Github. Last modified February 11, 2015. https://github.com/Neo23x0/yarGen/.
Sikorski, Michael, and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. San Francisco: No Starch Press, 2012.
Yadron, Danny. Symantec Develops New Attack on Cyberhacking. Wall Street Journal. May 4, 2014. http://www.wsj.com/articles/SB10001424052702303417104579542140235850578.
[16] Danny Yadron, Symantec Develops New Attack on Cyberhacking, Wall Street Journal, May 4, 2014, http://www.wsj.com/articles/SB10001424052702303417104579542140235850578.
toolsmith #104
Prerequisites
Any Python-enabled system if running from source. There is a standalone exe with all dependencies met, available for Windows.
This month represents our annual infosec tools edition, and I've got a full scenario queued up for you. We're running with a vignette based in absolute reality. When your organizations are attacked (you already have been) and a compromise occurs (assume it will), it may well follow a script (pun intended) something like this. The most important lesson to be learned here is how to assess attacks of this nature, recognizing that little or none of the following activity will occur on the file system, instead running in memory. When we covered Volatility in September 2011, we invited readers to embrace memory analysis as an absolutely critical capability for incident responders and forensic analysts. This month, in a similar vein, we'll explore Rekall. The project's point man, Michael Cohen, branched Volatility, aka the scudette branch, in December 2011 as a technology preview. In December 2013, it was completely forked and became Rekall to allow inclusion in GRR [1] as well as methods for memory acquisition, and to advance the state of the art in memory analysis. [2] April 2, 2015, saw the release of Rekall 1.3.1 Dammastock, [3] named for Dammastock Mountain in the Swiss Alps. An update release to 1.3.2 was posted to GitHub April 26, 2015.
Michael provided personal insight into his process and philosophy, which I'll share verbatim in part here:
For me memory analysis is such an exciting field. As a field it is wedged between so many other disciplines such as reverse engineering, operating systems, data structures, and algorithms. Rekall as a framework requires expertise in all these fields and more. It is exciting for me to put memory analysis to use in new ways. When we first started experimenting with live analysis, I was surprised how reliable and stable this was. No need to take and manage large memory images all the time. The best part was that we could just run remote analysis for triage using a tool like GRR, so now we could run the analysis not on one machine at a time but several thousand at a time! Then, when we added virtual machine introspection support, we could run memory analysis on the VM guest from outside without any special support in the hypervisor and it just worked!
[1] https://github.com/google/grr.
[2] http://www.rekall-forensic.com/about.html.
[3] https://github.com/google/rekall/releases/tag/v1.3.2.
While we wont cover GRR here, recognize that the ability to
conduct live memory analysis across thousands of machines,
physical or virtual, without impacting stability on target systems is a massive boon for datacenter and cloud operators.
Scenario overview
We start with the assertion that the red team's attack graph is the blue team's kill chain.
Per Captain Obvious: the better defenders (blue team) understand attacker methods (red team), the more able they are to defend against them. Conversely, the more aware red teamers are of blue team detection and analysis tactics, the more readily they can evade them.
As we peel back this scenario, we'll explore both sides of the fight; I'll walk you through the entire process including attack and detection. I'll evade and exfiltrate, then detect and define.
As you might imagine, the attack starts with a targeted phishing attack. We won't linger here; you've all seen the like. The key takeaway for red and blue: the more enticing the lure, the more numerous the bites. Surveys promising rewards are particularly successful; everyone wants to win something, and sadly, many are willing to click and execute payloads to achieve their goal. These folks are the red team's best friend and the blue team's bane. Once the payload is delivered and executed for an initial foothold, the focus moves to escalation of privilege if necessary and acquisition of artifacts for pivoting and exploration of key terrain. With the right artifacts (credentials, hashes), causing effect becomes trivial and often leads to total compromise. For this exercise, we'll assume we've compromised a user who is running his system with administrative privileges, which sadly remains all too common. With some great PowerShell scripts and the omniscient
toolsmith Hunting In-Memory Adversaries with Rekall and WinPmem | Russ McRee
Attack
Keep in mind, I'm going into some detail here regarding attack methods so we can then play them back from the defender's perspective with Rekall, WinPmem, and VolDiff.
Veil
All good phishing attacks need a great payload, and one of the best ways to ensure you deliver one is Christopher Truncer's (@ChrisTruncer) Veil-Evasion, [4] part of the Veil-Framework. The most important aspect of Veil use is creating a payload that evades anti-malware detection. This limits attack awareness for the monitoring and incident response teams as no initial alerts are generated. While the payload does land on the victim's file system, it's not likely to end up quarantined or deleted, happily delivering its expected functionality.
I installed Veil-Evasion on my Kali VM easily:
1. apt-get install veil
2. cd /usr/share/veil-evasion/setup
3. ./setup.sh
Thereafter, to run Veil you need only execute veil-evasion.
Veil includes 35 payloads at present; choose list to review
them. I chose #17, powershell/meterpreter/rev_https as seen in
figure 1.
I ran set LHOST 192.168.177.130 for my Kali server acting as the payload handler, followed by info to confirm, and generate to create the payload. I named the payload toolsmith, which Veil saved as toolsmith.bat. If you happened to view the .bat file in a text editor, you'd see nothing other than what appears to be a reasonably innocuous PowerShell script with a large Base64 string. Many a responder would potentially roll right past the file as part of normal PowerShell administration. In a real-world penetration test, this would be the payload deliv
[4] https://www.veil-framework.com/framework/veil-evasion/.
meterpreter_output.txt confirms the win. Figure 3
displays the results.
If I had pivoted from this system and moved to a heavily used system such as a terminal server or an Exchange server, I may have acquired domain admin credentials as well. I'd certainly have acquired local admin credentials, and no one ever uses the same local admin credentials across multiple systems, right? ;-)
Remember, all this, with the exception of a fairly innocent-looking initial payload, toolsmith.bat, took place in memory. How do we spot such behavior and defend against it? Time for Rekall and WinPmem, because they can remember it for you wholesale!
Defense
Rekall preparation
Installing Rekall on Windows is as easy as grabbing
the installer from GitHub, 1.3.2 as this is written.
Figure 3 Invoke-Mimikatz for the win!
Suspicious indicator #1
From the interactive shell, I started with the netstat plugin, as I always do. Might as well see who is talking to whom, yes? We're treated to the instant results seen in figure 4.
Yep, sure enough we see a connection to our above-mentioned attacker at 192.168.177.130; the owner is attributed to powershell.exe and the PIDs are 1284 and 2396.
Suspicious indicator #2
With the pstree plugin we can determine the parent PIDs (PPID) for the PowerShell processes. What's odd here from a defender's perspective is that each PowerShell process seen in the pstree (figure 5) is spawned from cmd.exe. While not at all conclusive, it is at least intriguing.
Suspicious indicator #3
I used malfind to find hidden or injected code/DLLs and dump the results to a directory I was scanning with an AV engine. With malfind pid=1284, dump_dir=/tmp/ I received feedback on PID 1284 (repeated for 2396), with indications specific to Trojan:Win32/Swrort.A. From the MMPC writeup, [8] Trojan:Win32/Swrort.A is a detection for files that try to connect to a remote server. Once connected, an attacker can perform malicious routines such as downloading other files. They can be installed from a malicious site or used as payloads of exploit files. Once executed, Trojan:Win32/Swrort.A may connect to a remote server using different port numbers. Hmm, sound familiar from the attack scenario above? ;-) Note that the netstat plugin found that powershell.exe was connecting via 8443 (a different port number).
Suspicious indicator #4
To close the loop on this analysis, I used memdump for a few key reasons. This plugin dumps all addressable memory in a process, enumerates the process page tables, writes them out into an external file, and creates an index file useful for finding the related virtual address. [9] I did so with memdump pid=2396, dump_dir=/tmp/, ditto for PID 1284. You can use the .dmp output to scan for malware signatures or other patterns. One such method is a keyword search with strings. Given that we are responding to what we can reasonably assert is an attack via PowerShell, a keyword-based string search is definitely in order. I used my favorite context-driven strings tool and searched for invoke against powershell.exe_2396.dmp. The results paid immediate dividends; I've combined two critical matches in figure 6.
Suspicions confirmed; this box be owned, aargh!
The strings results on the left show the initial execution of the PowerShell payload, most notably including the Hidden attribute and the Bypass execution policy followed by a slew of Base64 that is the powershell/meterpreter/rev_https payload. The strings results on the left show when Invoke-Mimikatz.ps1 was actually executed.
Four quick steps with Rekall and we've, in essence, reversed the steps described in the attack phase.
Remember too, we could just as easily have conducted these same steps on a live victim system with the same plugins via the following:
rekal -f \\.\pmem netstat
rekal -f \\.\pmem pstree
rekal -f \\.\pmem malfind pid=1284, dump_dir=/tmp/
rekal -f \\.\pmem memdump pid=2396, dump_dir=/tmp/
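As an added example, and not Rekall's own code, the Python below turns the four indicators into defender-side checks run over constructed records standing in for netstat, pstree and strings output: a PowerShell process with an outbound connection on a non-standard port, PowerShell spawned by cmd.exe, and keyword or long-Base64 hits in dumped process memory. The attacker address 192.168.177.130, port 8443, the PIDs 1284 and 2396, the cmd.exe parent and the keywords come from the column; the victim address 192.168.177.140, the other processes and the Base64 placeholder are invented for the example.

```python
"""Triage of memory-analysis output along the column's four indicators
(netstat, pstree, malfind/memdump plus strings). Added example, not Rekall
plugin code: the records are constructed, simplified tuples standing in for
plugin output; the victim address 192.168.177.140, the non-PowerShell
processes and the Base64 blob are invented. Only 192.168.177.130, port 8443,
PIDs 1284/2396, the cmd.exe parent and the keywords come from the column.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# A run of 40+ Base64 characters is a good proxy for an encoded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Keywords the column searched for or pointed at (matched case-insensitively).
SUSPICIOUS_KEYWORDS = ("invoke-", "-executionpolicy bypass",
                       "-windowstyle hidden", "-encodedcommand")
COMMON_WEB_PORTS = {80, 443}
# Parent/child pairs the analyst called odd: PowerShell launched by cmd.exe.
UNUSUAL_PARENTS = {"powershell.exe": {"cmd.exe"}}

# Constructed netstat-like rows: (pid, owner, proto, local, remote, state).
NETSTAT = [
    (1284, "powershell.exe", "TCPv4", "192.168.177.140:49321", "192.168.177.130:8443", "ESTABLISHED"),
    (2396, "powershell.exe", "TCPv4", "192.168.177.140:49333", "192.168.177.130:8443", "ESTABLISHED"),
    (812, "svchost.exe", "TCPv4", "192.168.177.140:49155", "192.168.177.2:443", "ESTABLISHED"),
]
# Constructed pstree-like rows: (pid, ppid, name, parent_name).
PSTREE = [
    (1284, 3120, "powershell.exe", "cmd.exe"),
    (2396, 3188, "powershell.exe", "cmd.exe"),
    (4100, 1520, "powershell.exe", "explorer.exe"),
    (812, 620, "svchost.exe", "services.exe"),
]
# Constructed strings output per dumped PID; the Base64 is a placeholder blob.
STRINGS = {
    1284: ["powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
           "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"],
    2396: ["Invoke-Mimikatz"],
    4100: ["Get-ChildItem C:\\Users"],
}


def split_endpoint(endpoint):
    """'host:port' -> (ip_address, int port) for IPv4 text endpoints."""
    host, port = endpoint.rsplit(":", 1)
    return ip_address(host), int(port)


def check_connections(netstat):
    """Indicator 1: PowerShell with an outbound connection, noting odd ports."""
    reasons = defaultdict(list)
    for pid, owner, _proto, _local, remote, state in netstat:
        if owner.lower() != "powershell.exe":
            continue
        rhost, rport = split_endpoint(remote)
        if rhost.is_loopback:
            continue
        note = f"{owner} connected to {rhost}:{rport} ({state})"
        if rport not in COMMON_WEB_PORTS:
            note += ", non-standard port"
        reasons[pid].append(note)
    return reasons


def check_parents(pstree):
    """Indicator 2: process spawned by a parent the analyst considers odd."""
    reasons = defaultdict(list)
    for pid, ppid, name, parent in pstree:
        if parent.lower() in UNUSUAL_PARENTS.get(name.lower(), set()):
            reasons[pid].append(f"{name} spawned by {parent} (PPID {ppid})")
    return reasons


def check_strings(strings_by_pid):
    """Indicators 3 and 4: keyword and encoded-blob hits in dumped memory."""
    reasons = defaultdict(list)
    for pid, lines in strings_by_pid.items():
        for line in lines:
            low = line.lower()
            hits = [k for k in SUSPICIOUS_KEYWORDS if k in low]
            if BASE64_BLOB.search(line):
                hits.append("long base64 blob")
            if hits:
                reasons[pid].append("string match: " + ", ".join(hits))
    return reasons


def triage(netstat, pstree, strings_by_pid, threshold=2):
    """Merge the indicators per PID; flag PIDs with at least `threshold` hits,
    so a single weak signal (one odd parent) does not raise an alert alone."""
    findings = defaultdict(list)
    for part in (check_connections(netstat), check_parents(pstree),
                 check_strings(strings_by_pid)):
        for pid, reasons in part.items():
            findings[pid].extend(reasons)
    flagged = {pid for pid, reasons in findings.items() if len(reasons) >= threshold}
    return dict(findings), flagged


if __name__ == "__main__":
    findings, flagged = triage(NETSTAT, PSTREE, STRINGS)
    for pid in sorted(findings):
        mark = "FLAG" if pid in flagged else "info"
        print(f"[{mark}] PID {pid}: " + "; ".join(findings[pid]))
```

The threshold is the point of the design: the column stresses that each indicator alone is "not at all conclusive", so the verdict is only raised when several of them agree on the same PID.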
[8] http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fSwrort.A&threatid=2147630763 - tab=2.
[9] http://www.rekall-forensic.com/docs/Manual/Plugins/Windows/WinMemDump.html.
In conclusion
In celebration of the annual infosec tools edition, we've definitely gone a bit hog wild. But because it has been for me, I have to imagine you'll find this level of process and detail useful. Michael and team have done wonderful work with Rekall and WinPmem. I'd love to hear your feedback on your usage, particularly with regard to close, cooperative efforts between your red and blue teams. If you're not yet using these tools, you should be; and I recommend a long, hard look at GRR as well. I'd also like to give more credit where it's due. In addition to Michael Cohen, other tools and tactics here were developed and shared by people who deserve recognition. They include Microsoft's Mike Fanning, root9b's Travis Lee, and Laconicly's Billy Rios. Thank you for everything, gentlemen.