Information Security- Base Concepts & Leadership
Transcript of Information Security- Base Concepts & Leadership
Jeromie Jackson - CISSP, CISM, COBIT & ITIL / [email protected]@comsecinc.com / 619-368-7353
Brief Bio.
President - San Diego OWASP
Vice President - San Diego ISACA
CISSP since 1996
CISM, COBIT, & ITIL certified
SANS Mentor
Security Solutions Architect @ TIG
Articles
− Covered in Forbes Magazine
− Credit Union Business Magazine
− Credit Union Magazine
− CU Times
− Insurance & Technology Review
− CMP Media
− Storage Inc.
Speaking Events
− SPC 2009
− SecureIT 2008
− SecureIT 2009
− Interop
− Government Technology Conference (GTC)
− Many Credit Union Leagues
Agenda
IT Audit is not Enough
Network Security
Web Application Security
Countermeasures
Ignorance is Risk
Managing by Measurement
Common IT Audit Deficiencies
Third-Party agreements and contracts weak
Employee Awareness Training needed improvement
Too many privileged accounts
Inability to document user privileges
Log collection weak
Critical assets not clearly defined & documented
DR/BCP not regularly tested
Internal controls not routinely reviewed
Change management documentation & consistency lacking
ERP systems riddled with segregation issues
- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007
Incorrect User Provisioning
− Automation tools generally too costly for SMB
− “AD-Aware” tools often can authenticate but cannot provision access control
− User errors
− Asset owners often do not know what to provision, do not know granularity capabilities, and generally rely on what has worked previously
“Is-Like”
If using Microsoft “Is-Like” make the account generic
Critical Assets
Critical assets provide services to enable the business
May be external facing
May be a single machine or set of machines
Risk Management Frameworks & Functions
Frameworks
− NIST (SP800-30)
− OCTAVE
− OCTAVE Allegro
− Factor Analysis of Information Risk (FAIR)
Primary Functions
− Create value
− Integral organizational process
− Continual and systematic
− Focused on continual improvement
− Account for people, process, and technology
Octave Allegro
Great for a small group
Smaller in scope than other options
Can be conducted in waves (IE: IT/Business, etc.)
Containers
Describe where the information resides
May be a single system
May be a group of systems
Does not have to be electronic
Threats
Describe the actors upon which vulnerabilities are executed causing risk to the organization
Vulnerabilities
Issues which cause a system or process to deliver undesirable results
May impact
− Confidentiality
− Integrity
− Availability
Risks
The result of a threat agent acting upon a vulnerability
Vulnerability exploitation
− Compromise of sensitive data
− Manipulation of funds/account data
− Denial of Service against Internet-facing systems
Deliverables
Identification of Critical Assets
Ranking of assets
Portfolio view of organizational risks
TCP/IP
Transmission Control Protocol / Internet Protocol
The Internet is based on TCP/IP
Designed for unstable networks
IPv4 prominent, with IPv6 growing
TCP, UDP, & ICMP are the primary types of packets
TCP
Connection-oriented
Used when integrity or state is necessary
Maintains state
3-way handshake to initiate session
Significant overhead compared to UDP
Telnet
Command-line interface to the operating system
Commonly used for
− Networking equipment
− UNIX systems
SSH should be used instead
SSH
Encrypted version of Telnet
Enables remote management through a CLI
Preferred method of remote management
Should be used instead of Telnet
HTTP
Hyper Text Transfer Protocol
Pieces of a page come across as unique TCP connections (images, text, etc.)
OK to be used across network segments
− External to DMZ
HTTPS
Secure HTTP
Encrypted with Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
SSL inherently flawed based on use of MD5 for hashing
Application data is now an encrypted payload
May conduct server, and client, authentication
OK to be used across network boundaries
− External to DMZ
SMTP
Simple Mail Transfer Protocol
Over port 25
Used for outbound mail
Notorious for security vulnerabilities
OK to be exposed from Internet to DMZ
SMTP Relaying
Allows someone from one domain to relay information through another SMTP Server
An SMTP server should only allow outbound email from the domains it serves
EXPN/VRFY
EXPN - Expand Address
− Attempts to expand the list of email addresses from a mailing list
VRFY - Verify Address
− Attempts to validate email addresses
− Many systems will/should provide a generic response
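The two relay rules above (accept inbound mail for the domains you serve; accept outbound only from trusted clients sending as one of those domains) and the generic VRFY/EXPN reply fit in a small policy function. The following is an added example written for this transcript, not code from the talk; the local domain, the trusted network and the reply codes are assumptions (the 252 text is the one RFC 5321 defines for a non-committal VRFY).

```python
import ipaddress

# Constructed policy data (assumption): the domains this server serves and the
# client networks allowed to submit outbound mail through it.
LOCAL_DOMAINS = {"comsecinc.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address like user@example."""
    if address.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def relay_allowed(client_ip: str, mail_from: str, rcpt_to: str) -> bool:
    """Decide whether to accept a MAIL FROM / RCPT TO pair.

    Inbound: mail for a domain we serve is always accepted, whoever sends it.
    Outbound: only trusted clients may send, and only from a domain we serve.
    Anything else is third-party relaying and is refused.
    """
    if _domain(rcpt_to) in LOCAL_DOMAINS:
        return True
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in net for net in TRUSTED_NETS)
    return trusted and _domain(mail_from) in LOCAL_DOMAINS


def vrfy_response(address: str) -> str:
    """Generic answer to VRFY/EXPN: neither confirms nor denies the mailbox.
    The 252 reply is the code RFC 5321 reserves for exactly this purpose."""
    return "252 Cannot VRFY user, but will accept message and attempt delivery"


def rcpt_response(client_ip: str, mail_from: str, rcpt_to: str) -> str:
    """SMTP reply line for the RCPT TO command under the policy above."""
    if relay_allowed(client_ip, mail_from, rcpt_to):
        return "250 OK"
    return "554 Relay access denied"
```

The decision is made at RCPT TO, once both the sender and the recipient are known; deciding at MAIL FROM alone is what leaves a server open for relaying.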
POP
POP - Post Office Protocol
Port 110
Used to receive emails
Can use APOP, which uses strong authentication
APOP or IMAP are the preferred methods
Server Message Block (SMB)
This is the protocol associated with Microsoft file sharing, network printers, and serial ports (IE: for network-based modems)
Due to the complexity and bulkiness of this protocol it is recommended not to allow it across boundaries whenever possible
This should not be allowed on any Internet connections
Remote Desktop Protocol (RDP)
“Windows Terminal Services”
Not recommended for use on the Internet
Instead use:
− VPN
− Citrix
− HTTPS
− VMware
R-Commands
Rsh - Remote Shell
Rlogin - Remote Login
Rcp - Remote Copy
− Etc.
R-Commands allow users to define access control rights
− Exploited with “+ +” in .rlogin, etc.
R-Commands should not be used; use SSH, etc. instead
IP Security (IPSEC)
Used for VPNs
Can run in two modes
− Tunnel - TCP/IP header encrypted and a new src/dst pair is added to the connection
− Transport - only the payload is encrypted
Voice Over IP (VOIP)
Allows for phone conversations across IP networks
Many security risks
− Sniffing
− MAC spoofing
− Application vulnerabilities
− Session hijacking
File Transfer Protocol (FTP)
Preferable protocol used to transfer files
May be used across boundaries into a DMZ
Historically many vulnerabilities
− I often find exposure here
Trivial File Transfer Protocol (TFTP)
Similar to FTP but less interactive
Not used very often
Can be used inbound into a DMZ
UDP Pros and Cons
Connectionless protocol
No error correction or retransmission
Doesn't require sequence # or handshake
− MUCH easier to spoof
Only one-way communication
No sequencing
No 3-way handshake
Domain Name System (DNS)
Used to resolve IPs to hostnames and vice versa
− 72.167.183.41 = jeromiejackson.com
− jeromiejackson.com = 72.167.183.41
Single queries use UDP port 53
DNS Zone Transfers
Zone transfers provide a copy of the name table that is stored by the DNS server
Zone transfers occur over TCP 53
Zone transfers should only be available to upstream providers/peers
DNS Caching
When a client requests something to be resolved it will accept more information than what it had inquired about
DNS Redirection & Spoofing
− Attacker spoofs reply with bogus data
− Attacker replies with correct data & corrupt data
− Attacker compromises DNS server & uses it to distribute additional bogus answers to queries
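The caching weakness above comes down to a resolver believing every record in a reply. The following added example (written for this transcript, not code from the talk) builds a UDP-style DNS query and a reply with the standard library, parses the reply including label compression, and keeps only A records whose transaction id matches the query and whose name is at or below the name asked about. The reply contents are constructed: the page's own jeromiejackson.com address plus an out-of-zone record that a spoofer might tack on. The bailiwick rule is simplified to "under the queried name"; real resolvers use the zone cut of the server they asked.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode()
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, txid: int) -> bytes:
    """A single A/IN question: 12-byte header, then the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, answers) -> bytes:
    """Constructed reply with one A record per (name, ipv4) pair in `answers`.
    No label compression is emitted, but the parser below understands it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + body


def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels).lower(), (end if jumped else offset)


def parse_message(msg: bytes):
    """Return (txid, [question names], [(name, type, value)]) covering the
    answer, authority and additional sections alike."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        offset += 4                                        # skip qtype, qclass
        questions.append(name)
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        records.append((name, rtype, value))
    return txid, questions, records


def in_bailiwick(record_name: str, qname: str) -> bool:
    """Simplified bailiwick rule: only records at or below the queried name."""
    return record_name == qname or record_name.endswith("." + qname)


def trusted_answers(query: bytes, response: bytes):
    """A records a cautious resolver would cache from `response` to `query`:
    the transaction id must match and every record must be in bailiwick."""
    expected_txid = struct.unpack("!H", query[:2])[0]
    txid, questions, records = parse_message(response)
    if txid != expected_txid or not questions:
        return []
    qname = questions[0]
    return [(name, value) for name, rtype, value in records
            if rtype == 1 and in_bailiwick(name, qname)]
```

Matching the 16-bit transaction id is the only thing a spoofer racing the real server has to guess here, which is why real resolvers also randomize the source port and why DNSSEC exists; the bailiwick check is what stops the "correct data plus corrupt data" variant from poisoning names the server was never asked about.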
Simple Network Management Protocol (SNMP)
Can provide vast amounts of data about systems
Based on Management Information Base (MIB)s
V3 is the only version with built-in authentication, privacy, and access control
Internet Control Message Protocol (ICMP)
Used for various tasks
− Ping (Echo Request/Reply)
− Host Not Reachable
− Network Unreachable
− Redirects
Only allow across borders if required
Hijacking
TCP Hijacking
− Man-In-The-Middle
− TCP Reset
− MAC Spoofing
UDP
− Race condition - respond prior to the legit request
ICMP
− ICMP Redirect through an infected machine/network
Web-App Overview
Cross-Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross-Site Request Forgery
Information Leakage & Error Handling
Broken Authentication & Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
Tools Being Used
WebScarab
− Allows for HTML massaging
− Transcoder
Firefox Developer Tools
− Form editing
− Subvert client-side security settings
1- Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding the content.
XSS allows attackers to execute script in the victim's browser
Worry About Encodings
Original URL: www.comsecinc.com/contact.php
Base64
− d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=
URL encoding
− www.comsecinc.com%2Fcontact.php
Derivatives to further obscure intent
− Spaces or content breaks within content
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Vulnerability
Hijack user sessions
Redirect to a hostile location
Website defacement
Possibly introduce worms
Protection
Utilize a standard input validation mechanism
Do not attempt black-list validation
Java - Use Struts <bean:write>
.NET - Use Microsoft Anti-XSS Library
PHP - Use htmlentities() or htmlspecialchars()
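Why the page says "worry about encodings" and "do not attempt black-list validation" is easiest to see side by side. The following is an added example for this transcript, not code from the talk: it decodes the page's own Base64 and URL-encoded forms of the contact URL, shows a naive deny-list missing a URL-encoded copy of the page's script fragment, and then applies output encoding (the htmlspecialchars equivalent in Python's standard library) after canonicalizing the input. The sample strings are the page's; the function names are this example's.

```python
import base64
import html
import urllib.parse

# Samples taken from the page: the contact URL in the three forms listed,
# and one of the page's obfuscated script fragments.
PLAIN_URL = "www.comsecinc.com/contact.php"
BASE64_URL = "d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA="
URLENCODED_URL = "www.comsecinc.com%2Fcontact.php"
PAGE_SCRIPT = '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'


def base64_to_text(value: str) -> str:
    """Base64 is an encoding, not protection: it reverses with one call."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so any check runs
    on the form the browser will finally see rather than on an encoded wrapper."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def passes_blacklist(value: str) -> bool:
    """The deny-list approach the page warns against: it only recognises the
    literal token, so an encoded copy of the same payload slips through."""
    return "<script" not in value.lower()


def render_untrusted(value: str) -> str:
    """Output encoding for an HTML text or attribute context (the PHP
    htmlspecialchars equivalent): whatever arrives is shown as text, never
    interpreted as markup, regardless of how it was encoded on the way in."""
    return html.escape(canonicalize(value), quote=True)
```

Canonicalize once, at the boundary, then validate against what the field is allowed to contain (a known-good pattern) and encode on output for the context the value lands in; the deny-list is shown only to make the failure mode concrete.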
References
RSnake put together a great XSS Cheat Sheet
− http://ha.ckers.org/xss.html
How to Obscure Any URL
− http://www.pc-help.org/obscure.htm
2- Injection Flaws
User-supplied data sent to an interpreter
− SQL
− LDAP
− XPath
− XML
− SOAP
− OS command injection
Vulnerability
SQL Injection
− Create, modify, delete, view tables/databases
OS Command Injection
− Read/modify/delete/create files
− Execute processes with the privileges of the application
Protection
Sanitize input
Enforce least privilege, especially in the database
Avoid detailed error messages
Use strongly typed parameterized queries
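The "strongly typed parameterized queries" advice, shown against the string-splicing form it replaces. This is an added example for this transcript, not code from the talk; it uses an in-memory SQLite table with constructed rows, and the account data and function names are this example's own.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable form: user-supplied text is spliced into the statement, so
    the database interprets it as SQL rather than as a value."""
    return conn.execute(
        f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterized form: the statement text is fixed and the value travels
    separately, so it can only ever be compared with the owner column."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


def lookup_by_id(conn: sqlite3.Connection, account_id) -> list:
    """Strong typing as a second layer: reject anything that is not an int
    before it gets near the query, and still bind it as a parameter."""
    if isinstance(account_id, bool) or not isinstance(account_id, int):
        raise TypeError("account_id must be an integer")
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE id = ?", (account_id,)).fetchall()
```

The least-privilege and error-message items on the slide sit outside the query itself: the database login used by the application should be able to read and write only the tables it needs, and a failed statement should be logged in detail server-side while the user sees a generic message.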
3- Malicious File Execution
Applications using data input for filename usage are generally vulnerable
Protection
Use a “Known Good” strategy
Sanitize user input
PHP
− Disable allow_url_fopen and allow_url_include
− Disable Register Globals & E_Restrict
Java - Ensure the Security Manager is enabled and properly configured
.NET - Leverage least privilege via the Security Manager
4- Insecure Direct Object Reference
A user's direct access to object references
− IE: filenames & directories
Protection
Avoid exposing private object references
Indirectly reference objects
− Index files as opposed to utilizing their name
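One implementation of the two preceding slides' advice, the "known good" strategy for file names and "index files as opposed to utilizing their name", as an added example for this transcript (not code from the talk). The report map, the directory layout and the function names are assumptions; the files are created in a temporary directory so the example runs on its own.

```python
import tempfile
from pathlib import Path

# Constructed known-good map: the only files the download handler may serve.
# Users see and send the index, never the filename.
REPORTS = {1: "q1-summary.txt", 2: "q2-summary.txt"}


def setup_demo_dir() -> Path:
    """Create a throw-away directory holding the two demo reports plus one
    file that exists on disk but is not on the map."""
    base = Path(tempfile.mkdtemp(prefix="reports-"))
    for filename in REPORTS.values():
        (base / filename).write_text(f"contents of {filename}\n")
    (base / "secret.txt").write_text("must never be served\n")
    return base


def resolve_report(index_text: str, base: Path) -> Path:
    """Map an untrusted index to a vetted path, refusing anything off the map."""
    if not index_text.isdigit():                  # "../x", "2 OR 1=1", "" stop here
        raise ValueError("index must be a positive integer")
    filename = REPORTS.get(int(index_text))
    if filename is None:
        raise LookupError("no such report")
    path = (base / filename).resolve()
    if path.parent != base.resolve():             # second layer: stay inside base
        raise ValueError("resolved path escaped the report directory")
    return path


def serve_report(index_text: str, base: Path) -> str:
    """What a download handler would return for the given index parameter."""
    return resolve_report(index_text, base).read_text()
```

The PHP settings on the slide (allow_url_fopen, allow_url_include) close the remote-include variant of the same problem; the map above removes the local variant because no user-controlled string ever becomes part of a path.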
5- Cross-Site Request Forgery
A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
IE: Vulnerable banking relationship, shopping site, etc.
Vulnerability
Can exploit the vulnerability on behalf of the attacker.
Submit a bank transfer
Send credit card information
Automatically post information out to an Internet site
Protection
Re-authenticate or use transaction signing to ensure that the request is genuine.
Set up external mechanisms such as e-mail or phone contact in order to verify requests or notify the user of the request.
Do not use GET requests (URLs) for sensitive data or to perform value transactions.
Use only POST methods when processing sensitive data from the user.
POST alone is insufficient protection. You must also combine it with random tokens, out-of-band authentication, or re-authentication to properly protect against CSRF.
For ASP.NET, set ViewStateUserKey
− Provides a similar type of check to a random token as described above.
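The "POST plus a random token" rule above, as an added example for this transcript (not code from the talk). The token is a random nonce bound to the caller's session with an HMAC, so a value forged for one session does not verify for another; the request shape, the secret handling and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side secret per deployment; in practice load it from
# configuration rather than generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    message = f"{session_id}:{nonce}".encode("utf-8")
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Random nonce bound to the session, to be embedded in the form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the binding for the caller's own session; constant-time compare."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(request: dict) -> tuple:
    """Request is a constructed dict: method, session_id, form fields.
    Value transactions are POST-only, and POST alone is not enough: the form
    must carry a token that verifies against the session that sent it."""
    if request["method"] != "POST":
        return 405, "transfers must be submitted with POST"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_token(request["session_id"], token):
        return 403, "missing or invalid anti-forgery token"
    amount = request["form"]["amount"]
    return 200, f"transfer of {amount} accepted"
```

A forged cross-site request arrives with the victim's session cookie, so the session id matches; what it cannot carry is a token for that session, because the attacking page cannot read the victim's form. Re-authentication or transaction signing, as the slide says, adds a further check for high-value actions.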
6- Information Leakage & Error Handling
Vulnerability
Data in errors may be useful for social engineering
May disclose internal object references
Often discloses account names
Protection
Disable or limit error handling
A common error handler is often useful
− Can send details out-of-band
Ensure the development team shares a unified approach
7- Broken Authentication & Session Management
Allows an attacker to bypass the I&A process
Often introduced through ancillary authentication functions
− Logout, password management, timeout, remember me, secret question, and account update.
Vulnerability
Subversion of authentication within the application
Portions of application go unauthenticated
Protection
Only use the inbuilt session management mechanism.
Limit or rid your code of custom cookies for authentication or session management.
Use a single authentication mechanism.
Do not allow the login process to start from an unencrypted page.
Use a timeout period.
Check the old password when the user changes to a new password.
8- Insecure Cryptographic Storage
Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread.
Protection
Do not create cryptographic algorithms.
Do not use weak algorithms, such as MD5 / SHA1.
− Favor safer alternatives, such as SHA-256 or better.
Generate keys offline and store private keys with extreme care.
Ensure that encrypted data stored on disk is not easy to decrypt.
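Stored passwords are the commonest case of "insecure cryptographic storage", and they also carry the previous slide's rule that a password change must check the old password first. The following added example (for this transcript; not code from the talk) uses the standard library's salted, iterated PBKDF2-HMAC-SHA256 instead of a home-grown scheme or bare MD5, and puts the old-password check in front of the change. The iteration count and the in-memory user store are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this demo; tune it upward so one
# derivation costs a noticeable fraction of a second on your own servers.
ITERATIONS = 210_000


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The salt is random per user and
    stored alongside the hash; it does not need to be secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_hash(password: str) -> str:
    """What the slide tells you not to do: unsalted MD5. Identical passwords
    give identical hashes, and the function is fast enough to brute-force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class UserStore:
    """Minimal credential store: only the derived hash string is kept."""

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        stored = self._records.get(user)
        return stored is not None and verify_password(password, stored)

    def change_password(self, user: str, old: str, new: str) -> bool:
        """The old password must verify before the new one is accepted."""
        if not self.login(user, old):
            return False
        self._records[user] = hash_password(new)
        return True
```

Storing the algorithm name and iteration count with each hash is what lets you raise the work factor later and re-hash users as they log in, without a flag day.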
9- Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
Encryption (usually SSL) must be used for all authenticated connections.
In addition, encryption should be used whenever sensitive data is transmitted.
Vulnerability
Inappropriate access to conversations
− Any credentials or sensitive information transmitted.
Protection
Use SSL for all connections that are authenticated or transmitting sensitive or value data.
Ensure that communications between infrastructure elements are appropriately protected.
Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit.
10- Failure to Restrict URL Access
Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users.
Security by obscurity is not sufficient to protect sensitive functions.
Vulnerability
“Hidden” or “special” URLs, rendered to all users if they know they exist
− /admin/adduser.php or /approveTransfer.do
Applications often allow access to “hidden” files, such as static XML or system-generated reports.
Protection
Ensure the access control matrix is part of the business, architecture, and design of the application
Perform a penetration test
Do not assume that users will be unaware of special or hidden URLs or APIs.
Block access to all file types that your application should never serve.
Action Plan
Embed security early in projects
Utilize standard data validation processes
Implement a standardized error handler
Properly segment the environment(s)
Test all externally-facing applications
Implement Security in Projects
The earlier security is implemented, the lower the cost of the project
− Inception - Ensure plans meet security standards
− Development - Ensure it stays on track
− Implementation - Validate implemented appropriately
− Operations - Monitor & measure
− Disposal - Ensure proper asset disposal processes
Implement Standardized Processes for Data Validation
Implement standard error handling processes to limit data exposure
Utilize standardized sanitization processes to ensure consistent, quality protection
Test All External-Facing Applications
Application-test all applications accessible on the Internet
Assess all systems which utilize restricted data
− (Healthcare, credit cards, ACH transfers, etc.)
Strength in Numbers
Join local associations
− OWASP & ISACA
ComSec Services
Qualifications
− OWASP SD Chapter President
− CISSP & CISM Practitioners
− Board Members to ISACA
− ITIL & COBIT Certified
− NSS Labs Advisory Board
− 800+ Regulated Customers
Security Services
− Virtual CISO
− Social Engineering
− Risk Assessment
− Awareness Training
− Security Assessment
− Policy Development
Contact Information
Jeromie Jackson- CISSP/CISM
ComSec, Inc.
702-866-9412
Firewalls
IP Filtering
− (Src, port, dst, port, flags)
− IP ACLs
Stateful Inspection
− Just like IP filtering but maintains state
− Identifies existing flows and uses them for the rule base
Application-Level
− Understands the application
− IE: Can do FTP PUT, but not GET
− Supports least privilege
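What "maintains state" buys over plain IP filtering, as an added example for this transcript (not code from the talk). Both filters implement the same policy, inside hosts may open web connections outward; the stateless one needs a standing rule for reply packets and that rule also admits an unsolicited packet that merely looks like a reply, while the stateful one admits only packets belonging to a flow an inside host actually opened. The inside network, the packet model and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # constructed inside network
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def _inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def stateless_allow(pkt: Packet) -> bool:
    """Plain IP filtering on (src, sport, dst, dport, flags). With no memory
    of earlier packets it needs a permanent rule for reply traffic, and that
    rule also admits unsolicited packets that merely look like replies."""
    if pkt.proto != "tcp":
        return False
    if _inside(pkt.src) and pkt.dport in WEB_PORTS:             # outbound web
        return True
    if _inside(pkt.dst) and pkt.sport in WEB_PORTS and pkt.dport >= 1024:
        return True                                               # "reply" rule
    return False


class StatefulFirewall:
    """Same policy, but a flow table replaces the reply rule: a connection
    exists only after an inside host opened it with a SYN."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                                           # existing flow
        if (pkt.proto == "tcp" and _inside(pkt.src) and pkt.dport in WEB_PORTS
                and pkt.syn and not pkt.ack):
            self.flows.add(forward)                               # new outbound flow
            return True
        return False
```

A production flow table also ages entries out and removes them on FIN/RST; the point here is only that the rule base is evaluated against known flows rather than against each packet in isolation.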
Intrusion Detection/Prevention (IDS/IPS)
Can be signature or anomaly based
Signature
− Floods
− Brute force
− SQL injection
Anomaly
− Keystrokes & typing
− Standard system usage
− Obscure destinations or services being utilized
Web Application Firewall (WAF)
Monitors and mitigates web-based vulnerabilities
Some IDS/IPS signatures may see the same attacks
Some provide application profiling
− Imperva
− Breach
− DataPower
Antivirus/ Anti-Malware
Mostly signature based
− Identified files/processes
Whitelisting becoming more prevalent
Should be deployed @ the desktop & at the gateway
Preferably two different engines/vendors
Content Filtering
Blocking sites and/or frames in a site
Can be white-list or black-list based
Sometimes used for anticipated productivity gains
Authentication
3 factors of authentication
− Something you know: PIN, password
− Something you have: smart card, RFID card, digital certificate
− Something you are: biometrics
Log Management
Logs are of critical importance to auditors
− Centralized
− Monitored
− Escalated
− Consistent
− Secure
SIMs are a great way to correlate these
Permissions (MAC & DAC)
Discretionary Access Control
− User's discretion
− Found on most multi-user operating systems
− (Read, Write, Execute / User, Group, Other)
Mandatory Access Control
− Objects are given labels
− Labels often hard-coded
− Specific access control provisions used (IE: read down, write equal)
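The two models side by side, as an added example for this transcript (not code from the talk): a Unix-style user/group/other permission check for DAC, and a fixed-label check for MAC using the slide's own provisions, read down and write equal. The label lattice and the mode-string convention are assumptions.

```python
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # constructed lattice


def dac_allows(mode: str, owner: str, group: str, user: str,
               user_groups: set, op: str) -> bool:
    """Discretionary check: pick the user/group/other triplet of a 9-character
    mode string such as 'rw-r-----' (set at the owner's discretion) and test
    one of r, w, x. Owner match wins, then group membership, then other."""
    if len(mode) != 9 or len(op) != 1 or op not in "rwx":
        raise ValueError("mode must be 9 characters and op one of r, w, x")
    if user == owner:
        triplet = mode[0:3]
    elif group in user_groups:
        triplet = mode[3:6]
    else:
        triplet = mode[6:9]
    return triplet["rwx".index(op)] != "-"


def mac_allows(subject_label: str, object_label: str, op: str) -> bool:
    """Mandatory check on labels the user cannot change, using the slide's
    provisions: read down (subject at or above the object) and write equal."""
    subject, obj = LEVELS[subject_label], LEVELS[object_label]
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject == obj
    raise ValueError("op must be 'read' or 'write'")
```

Note what the owner cannot do under MAC: an owner with a secret clearance cannot grant a public-cleared user read access to a secret object, because the decision is made on labels rather than on a mode the owner sets. "Write equal" is stricter than the classic "no write down" rule, which would also allow writing up; the stricter form is what the slide names.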
User Provisioning
Often resource intensive
Prone to error
Provisioning software generally not cost-effective for the SMB space
Maximize the applications that are AD-aware, and hopefully can leverage groups for access control
Disk Encryption
Should be deployed on all remote devices
Full-disk is preferable
Mitigates the significant threat of a device being lost/stolen
Email Encryption
Email goes over unencrypted ports
Some tools require the end user to encrypt outbound
Some can have policies based on destination
Can be symmetric or asymmetric
SIM/SIEM
Great way to reduce the cost of security
Consolidate those logs - make them useful!
Pivoting is very functional (BI for security)
− TriGeo
− ArcSight
− NetIQ
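What "consolidate those logs and correlate them" means in practice, serving both the Log Management slide and this one, as an added example for this transcript (not code from the talk). The log lines are constructed: a VPN concentrator and a domain controller each see a couple of failed logins from one address, which is below any sensible per-device threshold, but the centralized view sees four failures followed by a success. The line format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two log sources forwarded to one place, in one
# normalised line format (timestamp host facility: RESULT login user= src=).
SAMPLE_LOGS = """\
2009-03-02T09:14:01 vpn01 auth: FAILED login user=jsmith src=203.0.113.7
2009-03-02T09:14:09 dc01 winlogon: FAILED login user=jsmith src=203.0.113.7
2009-03-02T09:14:20 vpn01 auth: FAILED login user=jsmith src=203.0.113.7
2009-03-02T09:14:31 dc01 winlogon: FAILED login user=jsmith src=203.0.113.7
2009-03-02T09:15:02 dc01 winlogon: OK login user=jsmith src=203.0.113.7
2009-03-02T09:16:45 vpn01 auth: OK login user=mjones src=198.51.100.22
2009-03-02T09:40:10 vpn01 auth: FAILED login user=mjones src=198.51.100.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_events(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def correlate(events: list, threshold: int = 4,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Raise one alert when a source IP fails at least `threshold` logins,
    across any hosts, within `window`, and then succeeds."""
    history = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        recent = [h for h in history[event["ip"]] if event["ts"] - h["ts"] <= window]
        recent.append(event)
        history[event["ip"]] = recent
        failures = [h for h in recent if h["result"] == "FAILED"]
        if event["result"] == "OK" and len(failures) >= threshold:
            alerts.append({"ip": event["ip"], "user": event["user"], "at": event["ts"],
                           "failures": len(failures),
                           "hosts": sorted({h["host"] for h in failures})})
    return alerts


def failures_per_host(events: list) -> dict:
    """What each device sees on its own; the per-host counts stay below threshold."""
    counts = defaultdict(int)
    for event in events:
        if event["result"] == "FAILED":
            counts[event["host"]] += 1
    return dict(counts)
```

The normalisation step (one regex, one timestamp format, one field name for the source address) is most of the work in any SIM deployment; the correlation rule itself is a few lines once the events share a shape.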
Database Auditing
Some built-in
− Be careful of turning auditing on without tuning
Imperva has a database play
Don't let developers directly connect to the SQL port(s)
Data Loss Prevention (DLP)
Great way to gain visibility into previously unidentified risk vectors
− Remember due diligence & due care
Some can import databases
Some are agent based
− This is good for mobile computing!
Physical Countermeasures
Information Security != Technical Security
Many attacks/breaches are due to physical security weaknesses
Smart Cards Pros/Cons
Pros
− Intelligent
− Built-in CPU
Cons
− More expensive
− Complexity generally adds risk
Administrative Controls
Policies, procedures, and standards mitigate end-user risk
Do not fall for the fallacy that technology comprehensively mitigates risk
Policies
Describe management expectations
Describe what is to be done
Should be aligned with high-level control objectives/intentions
Procedures
Describe the actions required to carry out policies
Describe how to execute the policies
Standards
Describe high-level objectives for IT
− Consolidate types of technology in the environment
− Ensure implementation of security principles
A guidebook for architects
A summary of what the stakeholders described
Dual Control
Two pieces of a key to open a door
Two people to execute a transaction
Additional signatures for processing
Audit
Policies, procedures, and standards are not beneficial if not in use
Logs are required by auditors to ensure controls are consistently being implemented
Primary concepts
− Least Privilege
− Segregation of Duty
− Dual Control
− Continual
− Repeatable
Least Privilege
Users should be given access only to resources necessary to carry out their job
Mitigates inappropriate disclosures
Enhances auditability
Should be used to help stakeholders define access control requirements for an asset
OS Hardening
Least privilege
− Only required services allowed
− Remove unnecessary services
Patching
− Mitigate vulnerabilities affecting the environment
Consistency
− Reduce complexity
− Limit the types of vulnerabilities affecting the environment
− Minimize vulnerabilities present in the environment
− Stabilize a baseline
Racking & Stacking @ a 3rd Party
How far up will they manage?
− Up to the rack? OS & app threats; ability to install countermeasures
− Up to the OS? Can you deploy OS/network countermeasures? Patching strategies; what about non-Microsoft applications?
− Up to the app? Auditability; least privilege
Virtualization Threats & Risks
Virtual host to virtual host connections
− Network-based countermeasures
Hypervisor security
− Mainframe
− Process sockets
Security Risks & Exposures are Growing
More than 35 million data records were breached in 2008 in the United States - Theft Resource Center
Jan 20, 2009 - Heartland Payment Systems - 100 million transactions per month! http://www.2008breach.com/
252,276,206 records with personal information since January 1995 - www.privacyrights.org
Risk is a Business Issue
“Ignoring or misunderstanding financial risks played a substantial role in creating the world financial crisis in 2008.”
“Organizations need to assess risk as part of cost-cutting decisions and should manage increased IT risks to prevent operation failures that will lead to further loss.”
- Gartner, “Managing IT Risks During Cost-Cutting Periods”, October 22, 2008
Risk is a Business Issue (Cont.)
− CardSystems Solutions Inc.
Mid-2005 breach of 40 million credit cards.
Visa & MasterCard terminated their processing capability - they soon went under
35+ million data records were breached in 2008 in the United States - Theft Resource Center
− Heartland Payment Systems
Jan 20, 2009
100 million transactions per month
http://www.2008breach.com
− 252,276,206 records with personal information since January 1995 - http://www.privacyrights.org
Risk Aware vs. Risk Averse
Risk Averse
− Avoids discussions of risk
− Avoids responsibility for risks
− No tracking or analysis of features & successes
− Can't learn from mistakes; high repeat failure rates
− Padded budgets, extended timelines, surprise overruns
− Managers assign blame, don't share the risk
Risk Aware
− OK to talk about risk
− OK to take risks
− OK to fail (if managing appropriately)
− Successes and failures tracked and analyzed
− Continuous learning and improvement for key processes
− Realistic budgets and timelines that are continuously monitored
− Enterprise is able to take on bigger risks
2007 MIT Sloan Center for Information Systems Research & Gartner Inc.
Being Risk Aware Enables Agility & Innovation
Down economy causing executives to focus on profitability
3 ways to improve profitability
− Increase top-line sales
− Reduce COGS
− Optimize operations
Optimize IT
− Bridge the gap between control requirements, technical issues, and business risk
− Use a portfolio approach to risk management
− Manage by measurement
− Enable your organization to reap maximum benefit from technology investments
Regulation With Minimal Benefit
Redundant Requirements
Controls without clear benefits
Overlapping and vague requirements
Costly resource allocation
Implications
IT is meant to serve the business
IT must be aligned with business goals
IT is costly and requires prudent management
Become Proactive
Instill best-practice governance
Utilize a risk-management portfolio to guide remediation
Consolidate regulations
Governance- “Specifying the decision rights and accountability framework to encourage desirable behavior in using IT.”
- Peter Weill and Jeanne Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Boston: Harvard Business School Press, 2004)
The Root Cause of IT Risk - Lack of Governance
50 case studies
130 firms surveyed
2000+ executives refined
George Westerman & Richard Hunter, IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, 2007)
“...Manifested as uncontrolled complexity, and inattention to risk.”
5 Facets of Governance
Value Delivery
Strategic Alignment
Performance Measurement
Resource Management
Risk Management
Improve Risk Management
Risk Management Process
− Identify critical assets
− Define containers
− Identify risks & threats
− Quantify or qualify risks
Prioritize Remediation Efforts
Stop The Bleeding - Cauterize the Wounds
Identify & collect known risks
Create a remediation portfolio
Document the “As-Is” state
Stabilize the Patient
Classify known risks
External Audits
Internal Audits
Regulatory Audits
Vulnerability Assessments
Risk Assessments
Address availability
Focus on business consequence
Consolidate Regulations
Identify Primary Controls
− Confidentiality
− Integrity
− Availability
− Auditability
Performance Measurement
Have a clear architectural direction / “To-Be” state
Conduct an IT assessment to identify the “As-Is” state
Through planning identify core strategies and architecture
Manage by Measurement
Seek Optimal Treatment Plan
Benefits of utilizing best practices
− Enables external expertise
− Facilitates benchmarking
− Auditor familiarity resulting in reduced costs
Components of Controls
Defines a specific goal
Aligns with business objectives
Describes the focus required to manage
Summarizes how the goal will be achieved
Defines potential KPIs/KGIs
RACI table
Communicate & Collaborate
Paradigms- 7 Habits of Highly Effective People- “A man on a subway sees 2 obnoxious children...”
Balanced Scorecards
Focus on 4 key paradigms
− Financial - Fiscal measurements
− Customer - Service qualities
− Operations - Operational efficiency & agility
− Learning & Growth - Fostering growth & innovation
Provides measurements based on key “customers” being serviced
Strategy Maps
Describe the “To-Be” state graphically
Facilitate collaboration
Minimize jargon
Collaborate
Leading & Lagging Indicators
Leading indicators
− Sales targets
− # of site visitors expected this year
Lagging indicators
− $ closed deals last month
− Visitors last year
− Amount a specific product has generated thus far
KPIs & KGIs
A Key Goal Indicator, representing the process goal, is a measure of "what" has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve.
− Remain Profitable
− Take over 15% market share in a territory
By comparison, a Key Performance Indicator is a measure of "how well" the process is performing.
− % of Bench time for engineers - “Riding the Pine”
− # of opportunities in the pipeline
Prudent Management is not just for the enterprise anymore
Governance has been slowly adopted in the SMB space
− Perceived as an “enterprise play”
− ROI/CBA/NPV communication muddled with jargon
Talk to your audience - don't belabor acronyms and frameworks.
Focus on sound stewardship principles.
References
Privacy Violations - www.privacyrights.org
COBIT - www.isaca.org/cobit
VAL IT - www.isaca.org/valit
Strategy Maps - http://www.valuebasedmanagement.net/methods_strategy_maps_strategic_communication.html
BSC - http://www.balancedscorecard.org/
Lean Six Sigma - www.qimacros.com
Harvard Business Review
Jeromie Jackson - CISSP, CISM
[email protected]
619-368-7353 - direct
www.linkedin.com/in/securityassessment
Questions?