Author Archives: ecole

Critical Control 20: Security Skills Assessment and Training to Fill Gaps

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 20 of the 20 Critical Security Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 20: Security Skills Assessment and Training to Fill Gaps

Technology moves and evolves at such a fast pace that, without a good training plan and motivated self-learners, most IT professionals get left behind after only a short amount of time. For an organization to maintain security, it must afford its personnel the opportunity to enhance their skill set through various training efforts.

Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine the proper allocation of limited resources to improve security practices.

Training is the most effective way to increase workforce proficiency, but it is generally the first thing cut during economic challenges. The value added to an organization’s security posture is directly proportional to its willingness to let its trained personnel increase their skill set, which in turn increases their ability to identify security risks. Additional benefits include the ability to:

  • Identify and report malicious activity
  • Respond to an incident in accordance with set policies
  • Minimize the impact of an incident
  • Return to normal operation in a more efficient manner

There are a number of training opportunities available to organizations. These range from online webinars to locally hosted classrooms. Most training sessions can be tailored to meet the needs of an organization and the budget available.

Training comes in a variety of packages. Some are relatively inexpensive, while others are very costly for an organization. The organization must identify its critical needs to increase or maintain an excellent security posture and focus on training that meets the task at hand. The primary types of training with the greatest impact are:

  • Specific, incident-based scenarios
  • Lessons learned
  • Trends and methods

Specialized, targeted training adds benefit to the organization and increases workforce talent.

For additional details on the controls, please go to SANS 20 Critical Security Controls.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 19: Data Recovery Capability

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 19 of the 20 Critical Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 19: Data Recovery Capability

Data is one of the most important assets of most organizations. If this is the case, then why is it that most organizations don’t incorporate a good data recovery plan? Without a good plan, “when it’s gone it’s gone” and there is no getting it back. If it’s a major event and the organization loses large amounts of data, then the same can be said for the organization: “When it’s gone it’s gone.”

When attackers compromise machines, they often make significant changes to configurations and software.  Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information.  When the attackers’ presence is discovered, organizations without a trustworthy data recovery capability can have extreme difficulty removing all aspects of the attacker’s presence on the machine.

Data recovery has become an ever-growing field as more companies rely on data. In their eyes, it’s irreplaceable. The primary, though not the only, reasons for data recovery requirements are:

  • Trace evidence of an incident
  • Lost files due to user error
  • Lost files or data due to system malfunction

Malicious activity has also become more of a challenge to find, and identifying its root cause is harder. Some malicious code starts a process and then deletes itself. This then becomes a challenge: to identify and recover the deleted code. With a good backup recovery procedure in place, an organization can recover regardless of whether the cause is a hardware malfunction or a malicious attack. The goal of data recovery is just that: recover the lost data. It may not be possible to recover all of the data, but the majority is generally enough to resume operations. That’s the goal, to resume operation with the minimum amount of disruption.

Back-up solutions are available in many different forms and different levels. You can choose from a software solution that also requires hardware such as tape drives, tapes, and interfaces to ensure that all of the equipment works together.  Tapes even come in a variety of sizes and storage capacities. Software must be used in conjunction with tape drives to properly back-up and/or restore the data when needed.

Hardware solutions include RAID solutions that require controllers, hard drives, and the ability to configure them. Organizations must determine the best way to utilize RAID for their needs. The biggest issue for most organizations is that all back-up methods require funding and an IT professional to maintain them.

Identifying the level that best meets the needs of the organization, and the processes to run it, is a challenge. Depending on the need, an off-site back-up solution may be identified as the best choice. Once proper levels have been identified and established, the overall ability to recover after a significant disaster increases tremendously. Current best practices identify that information should be stored encrypted. With this said, back-ups are often overlooked and not encrypted. It’s easy to take back-up software out of the package, install it, and let it do its thing. The problem is that most back-up solutions do not encrypt the back-ups by default. This is a significant security risk, and ensuring that back-ups are encrypted should be a priority.

Ensure that the software or method being used to back-up the data has the ability to encrypt the data as it’s backed up. If not, then this should be addressed and an alternate back-up plan should be reviewed that includes the ability to encrypt the data.
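Because most back-up software ships with encryption off by default, it pays to verify the stored back-ups themselves rather than trust the product settings. The following is an added example, not code from the original post or from the Critical Controls documents: a small Python check that reads the start of each file in a back-up directory, looks for the magic bytes of common unencrypted container formats (tar, gzip, zip, bzip2, xz, SQLite) and otherwise estimates byte entropy, since properly encrypted output is indistinguishable from random bytes. The directory layout, file names and file contents are constructed for the demonstration.

```python
import io
import math
import os
import tarfile
import tempfile
from collections import Counter

# Magic bytes of common unencrypted archive/container formats: (offset, signature, label).
PLAINTEXT_SIGNATURES = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"BZh", "bzip2"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"SQLite format 3\x00", "sqlite"),
    (257, b"ustar", "tar"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, structured plaintext is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_backup(path: str, sample_size: int = 64 * 1024, entropy_threshold: float = 7.5):
    """Return (verdict, reason) for one backup file.

    verdict is "unencrypted" or "likely-encrypted". A recognisable plaintext
    container header is conclusive; otherwise fall back to an entropy estimate
    over the first sample_size bytes.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    for offset, sig, label in PLAINTEXT_SIGNATURES:
        if head[offset:offset + len(sig)] == sig:
            return "unencrypted", f"{label} header found"
    ent = shannon_entropy(head)
    if ent >= entropy_threshold:
        return "likely-encrypted", f"entropy {ent:.2f} bits/byte"
    return "unencrypted", f"entropy {ent:.2f} bits/byte"

def scan_backup_dir(directory: str) -> dict:
    """Classify every regular file in directory; returns {filename: (verdict, reason)}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify_backup(path)
    return results

def make_demo_files(directory: str) -> None:
    """Write three constructed sample 'backups' (not real data) into directory."""
    # 1. A plain tar archive: the unencrypted output most tools produce by default.
    with tarfile.open(os.path.join(directory, "nightly.tar"), "w") as tar:
        payload = b"constructed sample configuration file\n" * 50
        info = tarfile.TarInfo(name="etc/app.conf")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    # 2. A raw SQL dump: no magic bytes, but its low entropy gives it away.
    with open(os.path.join(directory, "db.sql"), "wb") as fh:
        fh.write(b"INSERT INTO users VALUES ('constructed', 'sample');\n" * 200)
    # 3. Random bytes standing in for a properly encrypted backup.
    with open(os.path.join(directory, "nightly.tar.enc"), "wb") as fh:
        fh.write(os.urandom(64 * 1024))

def demo() -> dict:
    """Create the constructed samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_files(tmp)
        return scan_backup_dir(tmp)

if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} {verdict:17} {reason}")
```

Point the scanner at the real back-up target (a mounted tape staging area, an NFS export, a cloud bucket synced locally) and treat any "unencrypted" verdict as a finding. The entropy fallback has one known blind spot: compressed data with a stripped or unrecognised header also scores close to 8 bits per byte, so the header checks are what make the result conclusive, and the entropy test only catches the obvious plaintext dumps.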

Data storage media must be handled and stored in a way that ensures the security of the media. Once the data is saved, it must be stored for future use if needed. The sensitivity of the data will directly affect the way the information is stored. If the information is sensitive or classified, does the storage facility meet government regulations for the handling and storage of that type of data? Does it meet your policies?

When identifying storage locations, a final consideration is climate control and accessibility in the event of an emergency. If the data is of high value and would be needed to recover the organization’s operations, then the location must be in close proximity to the operations center being recovered.

For additional details on the controls, please go to the 20 Critical Security Controls site.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 18: Incident Response Capability

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 18 of the 20 Critical Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 18: Incident Response Capability

A great deal of damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response programs in place.  Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion.  Thus, the attacker may have far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible with an effective incident response plan.

If there is an incident and it’s identified as an attack, there are several things that can be done. The worst, of course, is “let’s close our eyes and maybe it will go away.” This happens more often than not. So with that said, there are two ways to approach incident response: reactive and proactive. Either is better than nothing, but if you can set your organization up to incorporate both, you have a plan that will carry you through the worst situations.

A good reactive plan involves policies and training to identify what requires a response, what should be done when an incident is identified, and the best course of action to take. A good proactive plan puts in place all of the necessary components for identifying or stopping potential attacks before they can be completed.

Incident response is key to safeguarding data once an incident has occurred. If an incident is identified and the personnel identifying it are able to respond appropriately, the ability to safeguard data and recover to an operational state is increased. In some cases a properly developed incident response plan can prevent a small incident from becoming a catastrophe. Incident response is more than a group of people responding to an incident. A good response team is developed with a strong set of procedures in place to ensure that each member knows their role and that the individual who identified the incident also knows the proper reporting procedures.

For any good process to work, management must see the value of having the policies and process. This is a key element towards developing a working response plan.  There are numerous guides and standards that outline response procedures and methods. It is important to know which guidelines your organization falls under and incorporate your own standards that meet or exceed government minimum standards.  A good baseline is the NIST Guidelines.

Once the standards have been identified, ensure that all team members are aware of their roles and responsibilities.  Conduct training to reinforce the policies and incident response roles for both team members and managers. Executive management should be involved in various aspects of the incident response plan to ensure buy-in and support.

Before an incident response can be initiated there must be set policies that identify what actions must be taken for the different types of incidents. Policies and training will ensure that the proper methodology is followed to ensure a successful outcome to the incident.  Policies should be clear and not left for interpretation by members of the organization or contractors.

When an incident occurs, all aspects of training and policy must be followed. This will ensure a positive outcome. All reports should be based on an organization-wide template to ensure uniformity.

The key element of this process is the reporting and documentation of the incident. The documentation can be useful in identifying shortfalls and high points. Documentation will allow for good audit reviews and process improvements as well as protection from legal repercussions due to an incident.

All reports should be clear and concise; they should contain only factual observations and information. A report should not contain information based on conjecture.

For additional details on the controls, please go to SANS 20 Critical Security Controls.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 17: Penetration Tests and Red Team Exercises

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 17 of the 20 Critical Controls: Penetration tests and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 17: Penetration Tests and Red Team Exercises

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware.  Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control.  Most organizations do not exercise their defenses so they are uncertain about their capabilities and unprepared for identifying and responding to attack.

A red team exercise is guided by what the customer needs or wants. The Rules of Engagement (ROE) developed for it may therefore differ from exercise to exercise. The end result is still designed to strengthen an organization’s network security. It will assist in the identification of weak areas and highlight the strengths used to establish baselines for the weaker areas. Some possible avenues used to identify security risks are:

  • Scans
  • Social engineering
  • Malware
  • Specialized tools
  • Passive attacks

Each test should have a specific goal, and provide different pertinent information to the customer. Each test by itself will not provide an overall picture of the current security state of the network, but when all the areas are evaluated and put together, you will have a good overall picture of the security posture of the organization’s network.

Red team efforts can identify multiple areas of concern, including:

  • System vulnerabilities
  • Personnel complacency
  • Security monitoring flaws
  • Response procedures

Using the above items, it’s possible to conduct a root cause analysis to help shore up the network.

Each area tested is designed to mimic the actual methods and tools used by a would-be hacker. The assessment team should be skilled and have the ability to identify weaknesses and use them to gain access to the network. This access gives the organization the opportunity to identify weaknesses, gauge response abilities, and correct shortcomings.

The overall goal of an assessment is to ensure the organization is as secure as possible and is prepared for future incidents.

For additional details on the controls, please go to 20 Critical Security Controls.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 16: Secure Network Engineering

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 16 of the 20 Critical Security Controls, Secure Network Engineering, and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 16: Secure Network Engineering

Many controls are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines.  Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation.  Therefore a robust, secure network engineering process must be employed to complement the detailed controls being implemented within an organization.

Networks are networks are networks: each and every one is only as good as the configuration behind it. There are many guides that tell you how to design and implement a network. Each network should be designed and implemented to meet the exact needs of the organization in which it is being used.

The network design for a doctor’s office will not be sufficient for a government network that handles classified information. Each has government regulations that must be adhered to, but they are not the same.

Improperly designed networks leave security holes.

Common areas that are misconfigured:

  • Firewalls
  • IDS/IPS
  • Poor or missing inventories
  • Poor or nonexistent patch management
  • Poor physical and logical designs

When designing an IT infrastructure, you must take into account the ability to incorporate both a proactive and reactive posture. A proactive posture is achieved by:

  • Developing a network architecture that is secure and manageable
  • Documenting the design to allow for rapid redevelopment in the event of a disaster
  • Allowing for rapid deployment of updates or patches if needed
  • Managing functioning network security devices

When the above items are taken into consideration during network design and implementation, the organization is already afforded the ability to be flexible and change as the environment changes.

A good reactive plan allows for the implementation of an IDS that will notify the responsible party when attacks occur.  The network administrator can then adjust the network protection to meet the threat or to prepare for future attacks.

Today’s technology affords organizations the ability to select from a wide variety of software and hardware appliances to meet their needs. An organization must identify its security needs and the best method to achieve those goals. Talented IT staff are important to ensure that the needs are identified correctly and that the implementation is completed correctly.

Security implementation, scalability, and management are key areas of consideration. If the infrastructure is designed and developed correctly, it allows for adapting to and implementing changing security requirements as time progresses or new threats emerge.

New government requirements identified by US-CERT require specific controls to be in place:

  • Access control lists
  • Signatures
  • Blackholes
  • Other security measures as needed

For additional details on the controls, please go to the 20 Critical Security Controls.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 15: Data Loss Prevention

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 15 of the 20 Critical Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 15: Data Loss Prevention

Data flow is an issue that most organizations have never addressed and still don’t. We monitor our users, we monitor attacks or access from the outside, but we fail emphatically at monitoring the actual payloads of information to see what types of data are being transmitted. Sometimes the technology being used precludes this, but most companies haven’t even broached the subject.

In recent years, attackers have exfiltrated more than 20 terabytes of often-sensitive data from Department of Defense and Defense Industrial Base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information.  Yet, in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows.  The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.

The loss of control over protected or sensitive data by organizations is a serious threat to business operations, as well as potentially, national security.  While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error.  Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or non-existent.

The phrase “Data Loss Prevention” (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework.  Over the last several years there has been a noticeable shift in attention and investment from securing the network, to securing systems within the network, to securing the data itself.  DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

In order to compromise data, we are presented with several methods.  Some involve just sitting back and viewing data as it crosses the wire due to lack of end-to-end encryption.  Simple though it may sound, this requires placing ourselves between the communicators and capturing all the data packets and then attempting to rebuild the communication. 

Okay, let’s take another approach, hacking the mail servers where e-mail is gathered and delivered.  These systems are prime targets since e-mail and their attachments reside on these boxes until delivered, and even then sometimes copies are maintained for extensively long periods until purged.  Again this approach requires us to exploit a system, which may or may not be outside of a DMZ or is inaccessible. 

Posted documentation from an organization is a passive avenue that most people overlook. What I am referring to is the old practice of copying a document (generally done in blocks) to a publicly accessible location for browser access. Was the document sanitized of any residual data before being published? Did the copy process also copy unallocated bits of information containing other corporate information?

Now for the more common transportable and removable devices, the thumb drives, the iPods, the MP3 players, removable hard drives and laptops.  One simple theft and what data has been gained?

In a proactive state, we have the ability to monitor and audit the data being sent. Auditing access to critical information and monitoring the actions taken against it is a front-line defense against data loss.
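The deep content inspection that the DLP definition above calls for, and the proactive monitoring of outbound payloads described here, come down to a classifier that looks inside the data rather than at who sent it. The following is an added example, not code from the original post or from any DLP product: a minimal Python inspector that scans an outbound payload for card numbers (validated with the Luhn checksum so that random digit runs are not flagged), US Social Security numbers, and document classification markers, then applies a simple policy of block, alert or allow. The marker strings, the policy and all sample payloads are assumptions constructed for the demonstration; the card and SSN values are well-known test patterns, not real identifiers.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Classification markers an organization stamps on sensitive documents (assumed labels).
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

@dataclass
class Finding:
    kind: str      # "credit_card", "ssn" or "marker"
    masked: str    # evidence with the sensitive part hidden, safe to log

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect_payload(text: str) -> list:
    """Deep content inspection of one outbound payload (message body, file, form post)."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group(0)[-4:]))
    upper = text.upper()
    for marker in MARKERS:
        if marker in upper:
            findings.append(Finding("marker", marker))
    return findings

def decide(findings: list) -> str:
    """Policy: regulated identifiers block the transfer; markers raise an alert for review."""
    kinds = {f.kind for f in findings}
    if kinds & {"credit_card", "ssn"}:
        return "block"
    if "marker" in kinds:
        return "alert"
    return "allow"

# Constructed sample payloads (no real data; the card number is a standard test value).
SAMPLES = {
    "invoice": "Please charge card 4111 1111 1111 1111 for order 42.",
    "typo":    "Card on file: 4111 1111 1111 1112 (rejected by the bank).",
    "hr":      "New hire SSN 123-45-6789, start Monday.",
    "roadmap": "Q3 roadmap - CONFIDENTIAL - do not forward",
    "lunch":   "Lunch at 12:30? Call 555-0100.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = inspect_payload(body)
        print(f"{name:8} {decide(found):5} {[(f.kind, f.masked) for f in found]}")
```

Two design points matter in practice. The masked evidence is what gets logged and shown to the reviewer, so the DLP system itself does not become a second copy of the sensitive data. And the inspector only works on plaintext: traffic that is end-to-end encrypted has to be inspected at the endpoint or at a point where the organization legitimately holds the keys, which is exactly why the control covers data in use and at rest as well as data in motion.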

Enforce physical review of personnel entering and leaving data sites to ensure that electronic media is authorized, encrypted (especially if it is being removed from the site), and inventoried or monitored.

Once a data loss compromise has been identified, we must immediately conduct a business impact analysis (BIA) and determine the acceptable loss, along with how we can mitigate the loss. Every detail concerning the time and funds needed to recoup the loss, and possibly the reputation of the company, must be pursued.

Integrity of data may be at stake and we should verify levels of compromise and the extent as well.  Can we reconstitute the data through the use of backups? 

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 14: Wireless Device Control

Filed under Consensus Audit Guidelines, Leadership techniques

Let’s look at control 14 of the 20 Critical Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 14: Wireless Device Control

Major data thefts have been initiated by attackers who have gained wireless access to organizations from nearby parking lots, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization.  Wireless clients accompanying travelling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafés.  Such exploited systems are then used as back doors when they are reconnected to the network of a target organization.  Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network.  Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

Wireless technology has complicated our security operations by introducing a mobile threat that sometimes goes beyond our control. To ensure our corporate security is maintained, we must identify and assess all assets that we control in an effort to reduce risk to operations. This section will attempt to answer the most common questions and offer recommendations as to how to mitigate most risks.

Wireless networks afford attackers a cornucopia of avenues into a network without the worries of physical awareness, or do they?

To compromise a network through a wireless device requires:

  • Relatively close proximity to the network being attacked
  • Determination of the Service Set Identifier (SSID) (not always required)
  • The channel being used (identifies the frequency used)
  • The type of encryption (if any) used:
    • WEP (Wired Equivalent Privacy)
    • WPA (WiFi Protected Access)
    • WPA2 (government grade security implementation)
    • Other implementations

Improperly configured devices always offer easy avenues for exploitation and compromise. A system that has been left in a default configuration is generally in an ad hoc (peer-to-peer) open mode or one that does not require authentication to join. These types of networks create a great risk to anyone who uses them, since every bit of data transmitted over them is subject to compromise, not just the network. Regular scanning and monitoring of wireless networks is necessary, since some devices lose their configurations if a power surge or loss occurs and default to an open state, therefore becoming a threat.

Attacking authenticated systems is a challenge, but weak implementations of encryption technologies afford easier avenues in. Cracking encryption requires monitoring, collecting, and running a cracking effort over a large number of packets. A lack of packets being transmitted does not mean cracking cannot be attempted; it just requires the use of tools designed to request traffic, such as a broadcast, authentication request, or similar activity. These types of attacks cause the Access Points (APs) to respond in kind with the requested information.

Attacks on wireless networks require close proximity if two-way access to the network is desired, but if all that is desired is the ability to monitor and steal data, then these types of attacks can be conducted from up to seven miles, yes miles, away. Generally a monitoring effort need only have line-of-sight with the targeted site.

A well thought-out policy that includes a complete inventory of authorized devices, version of firmware, approved software, approved and tested encryption algorithm, and method of key rotation should be developed before implementing a wireless solution. 

Configuration issues, not the users, seem to be the most predominant lapse in security. This is due to a lack of knowledge of the actual capabilities, of the differences between WEP, WPA, and WPA2 and which affords the best protection, and of how to implement an easy-to-understand and enforceable key rotation policy. Educating our administrators about the appropriate configurations to implement, followed by an education and awareness program for our users about how to protect and rotate encryption keys, will greatly enhance a wireless network’s security. Be aware of the radio theory involved, so that you understand how far a broadcast signal can reach. Physically, an organization can even limit the distance its signals are broadcast, not only by reducing the strength through the configuration software, but by the physical location of the devices, shielding of office windows with inexpensive film, and landscaping.

MAC (Media Access Control) address management, awareness, and filtering can add security to your wireless networks. Limiting address assignment to specific MAC addresses offers the flexibility to incorporate this type of security filtering technique. DO NOT rely solely on this method, as MAC addresses can be observed over the airwaves, and hackers know this. They will incorporate MAC spoofing and ARP (Address Resolution Protocol) poisoning to overcome these restrictions. So incorporate a good, secure “blend” of techniques to afford appropriate protection. 802.11w aims to improve this, and the committee estimates the standard will be finished by Jan 2010.

Consistent monitoring and auditing of assigned IP addresses and MAC address access is the only way to determine whether someone has infiltrated your wireless network. Discovering a compromise should prompt immediate key rotation, and potentially new key generation followed by a physical distribution method and a reassessment of your network. Utilizing appliances such as AirDefense (one such product is by Motorola®) and the BVS Yellowjacket wireless network analyzer allows us to detect and identify wireless devices, search for rogue devices, and deny unauthorized wireless devices connectivity to our wireless networks.
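The inventory-driven policy described above (authorized devices, firmware versions, approved encryption) and the monitoring of MAC address access only pay off when a survey is actually compared against the inventory. The following is an added example, not code from the original post or from the AirDefense or Yellowjacket products: a Python audit that takes the results of a wireless survey and a DHCP lease table and reports rogue access points advertising a corporate SSID, authorized access points whose encryption or firmware no longer matches the approved configuration (the "reverted to open after a power loss" case), and clients holding leases that are not on the authorized list. The inventory, the survey results, the lease table and every MAC address are constructed for the demonstration.

```python
# Authorized inventory an organization would maintain (constructed values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpNet",   "encryption": "WPA2", "firmware": "2.1.4"},
    "00:11:22:33:44:02": {"ssid": "CorpNet",   "encryption": "WPA2", "firmware": "2.1.4"},
    "00:11:22:33:44:03": {"ssid": "CorpGuest", "encryption": "WPA2", "firmware": "2.1.4"},
}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Weakest to strongest; a drop in rank on an authorized AP means its configuration changed.
ENCRYPTION_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

# Constructed results of a wireless survey and a DHCP lease table (not real captures).
OBSERVED_APS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet",   "encryption": "WPA2", "channel": 6,  "firmware": "2.1.4"},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpNet",   "encryption": "OPEN", "channel": 11, "firmware": "2.1.4"},
    {"bssid": "00:11:22:33:44:03", "ssid": "CorpGuest", "encryption": "WPA2", "channel": 1,  "firmware": "2.0.9"},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpNet",   "encryption": "WPA2", "channel": 6,  "firmware": None},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Free_WiFi", "encryption": "WEP",  "channel": 3,  "firmware": None},
]
DHCP_LEASES = [
    ("10.10.0.21", "aa:bb:cc:00:00:01"),
    ("10.10.0.22", "AA:BB:CC:00:00:02"),
    ("10.10.0.23", "aa:bb:cc:99:99:99"),
]

def norm_mac(mac: str) -> str:
    """Normalize MAC formatting so inventory and survey data compare reliably."""
    return mac.strip().lower().replace("-", ":")

def audit_access_points(observed: list, authorized: dict = AUTHORIZED_APS) -> list:
    """Compare a survey against the inventory; returns (severity, bssid, issue) tuples."""
    corporate_ssids = {ap["ssid"] for ap in authorized.values()}
    findings = []
    for ap in observed:
        bssid = norm_mac(ap["bssid"])
        expected = authorized.get(bssid)
        if expected is None:
            if ap["ssid"] in corporate_ssids:
                # An unknown radio using our SSID is the evil-twin / planted-AP case.
                findings.append(("critical", bssid, f"unauthorized AP advertising corporate SSID {ap['ssid']!r}"))
            else:
                findings.append(("info", bssid, f"unknown AP {ap['ssid']!r} on channel {ap['channel']}"))
            continue
        if ENCRYPTION_RANK.get(ap["encryption"], 0) < ENCRYPTION_RANK[expected["encryption"]]:
            findings.append(("high", bssid, f"encryption downgraded: expected {expected['encryption']}, observed {ap['encryption']}"))
        if ap["firmware"] != expected["firmware"]:
            findings.append(("medium", bssid, f"firmware {ap['firmware']} differs from approved {expected['firmware']}"))
        if ap["ssid"] != expected["ssid"]:
            findings.append(("medium", bssid, f"SSID changed to {ap['ssid']!r}"))
    return findings

def audit_clients(leases: list, authorized: set = AUTHORIZED_CLIENTS) -> list:
    """Flag DHCP leases handed to MAC addresses not in the authorized client list."""
    return [(ip, norm_mac(mac)) for ip, mac in leases if norm_mac(mac) not in authorized]

if __name__ == "__main__":
    for severity, bssid, issue in audit_access_points(OBSERVED_APS):
        print(f"[{severity:8}] {bssid}  {issue}")
    for ip, mac in audit_clients(DHCP_LEASES):
        print(f"[unknown ] {mac} holds lease {ip}")
```

Run it on every survey pass and diff the findings against the previous run, so that a new rogue radio or a configuration that silently reverted shows up the same day. As the post warns about MAC filtering, a BSSID can be spoofed just as easily as a client MAC, so an attacker cloning an authorized BSSID would pass the inventory match; a signal strength or location check, and the dedicated wireless analyzers mentioned above, cover that gap.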

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 13 of the 20 Critical Controls and how this can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on twitter at @drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

Attackers search for remotely accessible network services that are vulnerable to exploitation.  Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled.  Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.

When climbing the face of a cliff, rock wall climbers look for every nook and cranny to place their fingers or a piton into in order to secure a foothold and ensure a solid avenue is established.  When attacking a network or computer system, hackers look for any port or offering that they can grab hold of and push in their foothold.  We must seal the avenues we don’t want them to gain access to, and secure or monitor those that we must have open.

Actively scanning a network is one way to become well-known and a quick way to be caught.  Seasoned hackers know that to attack successfully, one needs to remain below the radar and yet gain enough knowledge about a site to allow for critical preparations so when they do attack it is quick and with the best chance of success.  Methods vary from the novice attackers and thrill seekers who just do “blanket” scans (scan every port whether known to be open or not) to those methods which require time and patience.

A precise approach to gaining information about a site is to research the target, determine the potential services that the company or site may support, and research the vulnerabilities of each.  This may require scanning only one or two potential ports to see if they respond, sending just a few tailored packets to specific ports.  Spaced across a few hours or even days, such scans may be missed even by a seasoned auditor.   Formulating a variety of scans using several protocols, such as probing port 53, the well-known UDP port for the Domain Name Service (DNS), with a modified TCP packet could result in error codes, which may provide insight into the version of BIND (Berkeley Internet Naming Daemon), an existing filtering mechanism in place, or even an immediately bound port.

Spending many hours in preparation for an attack, by taking scan results and researching each discovered service, version, service bound, and other identifying details and searching for attacks tailored for just such occurrences, can provide all the leverage required to gain access.

Researching one’s network for open services and ports is like running around your house looking for open doors and windows.  You can close most of them; some you may need open to let fresh air in or, in the terms of your systems, to allow needed service activity.  You may find a need to board up or remove unnecessary services, and even configuring known services on a different port can keep the everyday attacker at bay.  Running scans against your own systems to identify responsive ports, then mapping these to a service, will allow you to either disable, remove, or update and monitor most if not all activity across your network devices.
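The self-audit described above, as an added example that is not part of the original post: it parses constructed `ss -tlnp`-style listener output from one host, maps each listening port to its process, and compares the result with a hypothetical approved baseline so that every listener ends up in one of the buckets the text names (keep, loopback-only review, or disable/remove/document).

```python
"""Compare a host's listening ports with an approved service baseline (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample shaped like `ss -tlnp` output on a Linux web server; not real data.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1422,fd=6))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1422,fd=7))
LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=960,fd=21))
LISTEN 0      128          0.0.0.0:5900       0.0.0.0:*     users:(("x11vnc",pid=2201,fd=4))
LISTEN 0      128          0.0.0.0:631        0.0.0.0:*     users:(("cupsd",pid=702,fd=5))
"""

# Hypothetical baseline: port -> process this host is approved to expose.
APPROVED = {22: "sshd", 80: "nginx", 443: "nginx"}
LOOPBACK = {"127.0.0.1", "[::1]"}

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

# Matches LISTEN rows: local address, port, and the first process name in users:(...)
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (address, port, process) for every listening TCP socket."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners

def audit(listeners: list[Listener], approved: dict[int, str]) -> dict[int, str]:
    """Return a verdict per port: approved, wrong process, loopback-only, or not in baseline."""
    findings = {}
    for l in listeners:
        if l.port in approved and approved[l.port] == l.process:
            verdict = "approved"
        elif l.port in approved:
            verdict = f"approved port bound by unexpected process {l.process}: investigate"
        elif l.addr in LOOPBACK:
            verdict = "loopback only: review, low network exposure"
        else:
            verdict = "not in baseline: disable, remove, or document and monitor"
        findings[l.port] = verdict
    return findings

if __name__ == "__main__":
    for port, verdict in sorted(audit(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED).items()):
        print(f"{port:>5}  {verdict}")
```

Run the same parser against real `ss -tlnp` output on each host and diff the verdicts against the last run to catch services that a package installation silently enabled.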

Our front line defenses, such as firewalls and packet-filtering screening routers, analyze packets as they attempt to enter our networks and run them through simple to rigorous screening processes, which have the ability to control traffic flow and even deny activity completely.



Critical Control 12: Malware Defenses

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 12 of the 20 Critical Controls and how this can be implemented in an organization.

Critical Control 12: Malware Defenses

To start the discussion of this control we need a definition: malware is software specifically designed to exploit a system.  Malware is not a bug or weak code that has led to a vulnerability; its sole purpose is to attack and take advantage of systems and other software.

Protection methods ranging from anti-malware scanners to anti-malware appliances have been designed to allow us to reduce or eliminate compromises from malware.  Malware comes in many forms such as viruses, rootkits, Trojan horses, and spyware.  Therefore, the protection methods we put in place may be in the form of stacked or layered defenses.

Our users have been and will always be our weakest link.  Malware thrives on the ability to take advantage of our users.  Getting users to utilize the internet to communicate and purchase items has offered our exploitation adversaries opportunities to excel.  Dispersal of attacks is amplified through successful use of unwitting and unknowing users.  Individuals rely on e-mail more and more every day.  This daily function has presented itself as just another avenue for attackers to take advantage of and even to use the users against themselves.  Through social engineering, attackers contact a user and try to get users to either download and run e-mail attachments on their systems, or follow links embedded within the e-mail to rogue sites, which may execute malicious code.

More and more businesses are succumbing to requests to use personal technology within the workspace to the benefit of the users, introducing more risks to operations.  Personal thumb drives and iPods have become commonplace in businesses and are therefore treated as an internal acceptable risk.  These risks need to be reevaluated to ensure our trade secrets are not being silently stolen and malware is not being introduced.  The greatest risk to a business is insiders, and allowing insiders to bypass security by introducing personal technology devices onto our systems takes control away from our security personnel and places it with the users.

Malware should not be allowed to be installed or run on any system within your business.  Company users require regular training and awareness sessions to enable them to identify and act upon any attempts involving malware.  Because users are our first line of defense, they need to be armed with the knowledge of how to identify and handle a malware incident.

Administrators can proactively protect our networks by keeping the systems up-to-date on patches, correctly configuring our protective devices, and disabling unnecessary services.  Autorun features of our thumb drives and CD / DVD drives should also be disabled.  These features may not allow our anti-virus utilities sufficient time to scan these resources before software contained on them runs.

Upon being alerted to a compromise of any level, we should act immediately and isolate the compromised system or subnet.  Take action to investigate and identify the type of attack and the level of compromise.  Report our findings to executive levels for awareness, and make appropriate announcements to ensure company awareness and readiness can be heightened.

Most new and currently deployed systems can be protected quite easily.  All that has to be done is to ensure patches and software are kept up to date.  Prior to placing systems into production and every time a major patch is installed, the system should be tested to ensure no new vulnerabilities have been introduced to the network.  Some updates and patches have the habit of resetting existing software back to factory defaults and, therefore, require intervention to re-enable security settings in accordance with company policy.

Autorun features are always on by default and, as mentioned earlier, can start applications before proper virus scanning techniques are applied to the device.  This type of activity is known to install backdoors and trojans, which may disable virus and malware detection software.

Awareness of system status and knowing how to check the system status and monitor it are learned traits.  As intuitive as new technology becomes, it fails to ensure we are notified every time a new patch has been installed or a new virus signature is available.  Most vendors allow for automatic update features, but these can circumvent our company policies of testing and evaluation steps should they be implemented on critical systems running legacy applications.

A good testing and evaluation program run at periodic intervals is a valuable way to demonstrate the effectiveness of anti-malware applications and updates.  Tests that target critical systems at critical times and a few not so critical times can identify weaknesses before they become vulnerabilities.  Our teachers always gave us “pop” quizzes to check our preparedness, and these periodic assessments serve the same purpose for us.

Tests can use virus test files, such as the EICAR files (found at www.eicar.org) to determine whether anti-virus applications are effectively detecting new malware.

Any time a major refresh is conducted we use common sense in assessing and certifying the new implementation of the devices.  We evaluate the interaction of applications and usability, and we should be assessing the communication channels opened by the new design.  Malware can be injected into some of the most common off-the-shelf applications just as easily as an attachment to an e-mail (okay, maybe not that easily), and we must prevail on the battlefield; to prevail on the battlefield we must be prepared to meet all adversaries.

We do this by subjecting our systems periodically to the same rigorous tests they may be subject to in the wild, and even testing our assessment tools to ensure they do as advertised and detect weaknesses, by introducing known weaknesses into our systems to test them.  Even the most astute and educated teachers recertify to ensure their abilities remain sharp.



Control 11: Account Monitoring and Control

Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 11 of the 20 Critical Controls and how this can be implemented in an organization.

Control 11: Account Monitoring and Control

Attackers are aware of the best or most able way of penetrating a network, and the best way is to access our networks with valid accounts.  Avoiding the bells and whistles that a perimeter defense may be focusing on and slipping by as a casual user increases an attacker’s chances of further investigating, collecting, and elevating one’s privileges from the inside.

Inactive accounts are still valid accounts . . .

Attackers look for valid accounts with weak or no passwords as viable ways into networks.  The way you protect a network from an account that has been given rights to come in is through auditing certain types of activity and maintaining due diligence.

Dormant accounts, along with inactive accounts, have always been an administrative weakness of any organization.  Maintaining awareness of personnel still employed at a site requires the organization to have and implement good policies, which ensure open communication between entities as to when personnel access rights should be altered or removed.

IT administrators or duly appointed security personnel can implement a regular audit program that looks to identify accounts that appear to lie dormant over an extended period of time.  This type of activity can be flagged by monitoring devices and methods to trigger alerts to be acted upon.  These alerts are those that generally require a personnel review or the notification of individual supervisors to ensure appropriate access levels are enforced.

Enforcing automated password changes, or at least monitoring them, to assure that accounts require a strong password is a good step.

Tools of the trade . . .

Cain and Hydra are two tools used to crack passwords.  In order for off-line tools such as Cain to crack a password, it must either be provided a hash database from a system, like Windows, or be allowed physical access to the network in order to capture traffic and login activity to build its own cache of traffic in which it can target accounts.  What makes this tool so efficient is its ability to utilize very large dictionary databases in its efforts to crack passwords.  Tools such as this one prey on the human nature to be flawed.  A large portion of our users resolve themselves to bend or ignore the rules and utilize weak or, given the choice, no passwords, and therefore subject our networks to risks.

What can I do?

As indicated during the introduction to this section, the foremost way to ensure accounts are monitored is the identification of accounts that are no longer needed.  Good management policy and communication of personnel changes can ensure appropriate access controls are altered or access removed.

System administrators should either conduct regularly scheduled vulnerability assessments themselves or rely on another security entity to conduct them.  In addition to these activities, the system administrator should conduct periodic tests of the passwords used by their users.  In order to do so, they too will function as attackers and collect the hashed databases, or the shadow and passwd files of Unix systems, and place them on a dedicated test system in an effort to crack the passwords.

What if they still get in?

Should passwords be cracked, and most assuredly there will be some, the individuals of these accounts should be notified to review the organization policy and correct the password.  Documented efforts and regular reporting to executives should be conducted as well, to alert them of your diligence, and to keep them aware of potential risks to their systems.

Some industries do follow a practice of disabling, and not deleting, the accounts of individuals who are removed or have left the company.  This action is done to ensure data can be retrieved and access eventually reassigned to appropriate personnel.  Even the disabling of accounts should include the resetting of the passwords to prevent any potential weakness.

Start with a good policy . . . and USE IT!

A good business practice is to incorporate the ability systems have to automatically log users off after a designated period of inactivity.  This period is typically 15 minutes but can be tailored to an organization’s needs.  Logging off may be extreme in everyday operations, so at a bare minimum the ability should implement a password-protected screen saver that requires users to log back onto the machine upon their return or resumption of duties.

Going through the actions of disabling accounts after a period of inactivity (typically 15 days) may seem an unnecessary action, but this will ensure users notify administrators of long leaves of absence such as a trip or vacation.  The administrators can then monitor these accounts to ensure a compromise is avoided, thus protecting the users and the organization.

Extensive periods of inactivity may be indicators of major personnel changes that have not been reported.  Appropriate measures of resetting passwords, disabling accounts, and the attempt to contact users AND supervisors should be done immediately.  The reason for contacting users AND their respective supervisors is the potential for an individual having been released from duty and possibly being a threat to the company.
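The dormant-account audit from the last three paragraphs, as an added example that is not part of the original post: it runs over a constructed directory export, applies the 15-day disable threshold the text gives, and escalates to the supervisor after a longer hypothetical threshold (90 days) as a possible unreported personnel change; field names and thresholds other than 15 days are assumptions.

```python
"""Flag dormant accounts and derive the control-11 response for each (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

DISABLE_AFTER_DAYS = 15    # threshold stated in the post
ESCALATE_AFTER_DAYS = 90   # hypothetical: treat as a possible unreported departure

@dataclass(frozen=True)
class Account:
    username: str
    last_logon: date
    enabled: bool
    supervisor: str

# Constructed sample of a directory export; names and dates are invented.
ACCOUNTS = [
    Account("alice",   date(2024, 3, 1),  True,  "mgr1"),
    Account("bob",     date(2024, 1, 10), True,  "mgr1"),   # idle well past 15 days
    Account("carol",   date(2023, 6, 5),  True,  "mgr2"),   # idle for months
    Account("svc_bkp", date(2024, 2, 28), True,  "ops"),
    Account("dave",    date(2023, 12, 1), False, "mgr2"),   # already disabled
]
TODAY = date(2024, 3, 5)

def idle_days(last_logon: date, today: date) -> int:
    return (today - last_logon).days

def actions_for(acct: Account, today: date) -> list[str]:
    """Map an account's inactivity to the steps the post prescribes."""
    if not acct.enabled:
        # Disabled accounts must still have had their password reset.
        return ["verify password was reset at disable time"]
    idle = idle_days(acct.last_logon, today)
    if idle < DISABLE_AFTER_DAYS:
        return []
    steps = ["disable account", "reset password", f"notify user {acct.username}"]
    if idle >= ESCALATE_AFTER_DAYS:
        steps += [f"notify supervisor {acct.supervisor}",
                  "escalate: possible unreported personnel change"]
    return steps

def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return the action list for every account, including empty lists for healthy ones."""
    return {a.username: actions_for(a, today) for a in accounts}

if __name__ == "__main__":
    for user, steps in audit(ACCOUNTS, TODAY).items():
        print(f"{user:<8} {'; '.join(steps) or 'ok'}")
```

Feed it the same export on a schedule and diff the action lists between runs so that a newly dormant account raises an alert rather than being found on the next manual review.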

