Sunday, December 6, 2009

Using Certificates for Authentication? Where to Store Them?

Question: 
Has anyone deployed a VPN solution that leverages user certificates for authentication?
We are considering the possibility of leveraging digital certificates as an authentication factor for VPN. Has anyone implemented this or looked at solutions that do this? We are not comfortable with solely relying on a certificate and the security/integrity of the PC as an authentication mechanism. If you are currently using certificates, I would be interested in hearing how you are deploying this.

Answer:
.....,
The short answer is yes. We did deploy several off-the-shelf certificate-based authentication solutions for remote access VPN systems such as Cisco, Check Point, Juniper, Citrix and Nortel. It is also very possible to deploy similar solutions over SSL VPN solutions (easier this time, since the browser is the client). I worked with Entrust as the PKI integration provider. When using certs, most of the questions/problems are generic PKI-related questions (CRLs, OCSP, identity management, etc.).


Nine out of ten enterprise shops store the certs on PCs or mobile devices, since they want to avoid using tokens/smart cards. Using third-party storage is ideal, but to be honest smart cards share the fate of PKI when it comes to complexity, so many solution sets avoid tokens/smart cards unless the policies mandate certificates.
When smart cards are more expensive/complex (readers, personalization, etc.), enterprises use USB tokens to store certificates. Several companies provide tokens with certificate support: ActivIdentity, Aladdin, Authenex, Entrust, SafeNet (merged with Aladdin), RSA (RSA has a hybrid OTP + certificate token).


If you would like to use smart cards as the certificate container, or use the same certs for physical security simultaneously, you can simply take one of the ready-to-use HSPD-12 Personal Identity Verification (PIV) card solutions (http://fips201ep.cio.gov/apl.php) so that you avoid designing the whole component architecture yourself.


Of course the do-it-yourself path is more fun. Technically it is straightforward to integrate certs with any 802.1X-based authentication server, but as you know it usually gets more complex. We have deployed a complete system for enrollment, biometrics, cards, CMS, etc. (it took 3+ years).


cheers,
- yinal ozkan

Monday, November 16, 2009

Best way to stop malware from spreading in a large secure network

Question: What's the best way to stop malware from spreading in a large secure network with no internet connectivity and a multi-platform environment?

Even though the secure environment has no internet access and is in a controlled environment, external USB devices have been added to the network and viruses have been introduced. I'm trying to think of the best ways to stop such external threats being added to a secure closed network. I've got a few ideas bouncing around my head, as I believe antivirus software should be deployed on the workstations in case additional methods of malware introduction are used other than USB. The USB ports could be disabled on all workstations and then the external devices could be scanned before adding to the network. But I'm sure there could be other ideas, so can someone offer some suggestions?

Answer: There are multiple approaches, but “the” best way will depend on the mix of devices in your multi-platform environment (if you still have NT4 boxes and ancient Slackware Linux copies, the solutions you look at will be different) and your network status. If there is no internet connectivity, naturally you should focus more on entry points (intranets, USB, CD, floppy, Bluetooth, IR, Wi-Fi).

If you want to classify approaches, your solutions can be at three levels: host-based, network-based and hybrid.

1- Host Based:

a. Use a comprehensive “endpoint security” solution that has:

i. Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)

ii. Encryption (file, disk, mail), key/cert management

iii. Firewall

iv. IPS

v. Antivirus (HTTP and SMTP)

vi. Antispam, phishing and malware control (HTTP, SMTP, SMS)

vii. URL filtering

viii. Application control

ix. File integrity Monitoring

x. Remote device management (in a secure manner :)

xi. Biometrics/TPM/SSO/802.1x support

b. Lock down the environment. Do not allow end users to modify any system settings (e.g. use Group Policy in a Windows environment, Security Blanket on Linux, etc.).

c. Or use point solutions; start with port control, anti-malware, AV, IPS and firewall. Monitor system resource utilization: you may kill endpoints with multiple clients.

d. Get physical: super-glue all USB ports, remove the CD drives, break IR sensors, turn off the radios.

e. For old unsupported platforms, deploy file integrity monitoring on critical areas (e.g. Tripwire).

f. Use a big-brother monitoring tool like Raytheon Oakley’s SureView (check with legal first : )

2- Network Based:

a. Use IPS on the network. IPS will alert you on suspicious traffic so that you can take action faster. If the network traffic is encrypted, IPS will not be very helpful. You may consider decrypting traffic, but that solution is a topic for another post.

b. Use anomaly detection tools. I really like using these tools; they are my favorite malware detection solutions. They can either sniff traffic over taps or get flow data. Good solutions are Q1 Labs and Mazu (now Riverbed Cascade), but any NetFlow tool will help.

c. Segment your network with firewalls

d. Do not allow all protocols (who needs IPX, NetBEUI, AppleTalk or SNA anyway : )

e. Use ACLs on network devices. Only allow known ports; lock down the network with SRC/DST/application-based access rules.

f. Monitor the airspace… Make sure that nothing flies out or comes in via Wi-Fi, Bluetooth et al. I can recommend several tools.

3- Hybrid

a. Use Network Access Control (NAC). You can have all the security in the world until the cable guy plugs his laptop into the Ethernet port in the cafeteria.

b. Use an agentless scanning tool. Compare all hosts and applications against your approved gold copies. Monitor for malware constantly from remote. My favorite is Promisec, but you can even use Microsoft SMS.

c. Never forget the phones: smartphones and VoIP phones are the new hosts for virulent outbreaks/pandemics.

If you have a specific question please let me know.

Regards,

- Yinal Ozkan
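Added example, not from the original answer or from any of the products it names: the simplest form of the flow-based anomaly detection described in 2.b, written in Go against a constructed NetFlow-style export. A host that opens flows to many distinct peers on the same port inside a short window is the signature of a worm looking for its next victim; the sample window has one such host sweeping tcp/445 with SYN-sized flows. A file server that many clients talk to does not trigger the rule (many sources, one destination), and the scheduled vulnerability scanner, which looks exactly like a worm on the wire, is excluded through an allowlist. The addresses, thresholds and record format are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one unidirectional flow record (NetFlow/IPFIX export or built from a
// tap); only the fields the detector needs are kept.
type Flow struct {
	Src, Dst string
	DstPort  int
	Bytes    int
}

// ParseFlows reads the constructed "src,dst,dstport,bytes" export format.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		port, err1 := strconv.Atoi(f[2])
		bytes, err2 := strconv.Atoi(f[3])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("line %d: bad port or byte count", n+1)
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], DstPort: port, Bytes: bytes})
	}
	return flows, nil
}

// Alert is one suspicious (source, destination port) pair.
type Alert struct {
	Src      string
	DstPort  int
	Targets  int // distinct destinations contacted on that port
	AvgBytes int // tiny averages mean connection attempts, not data transfer
}

// FanOut flags sources that touch at least minTargets distinct hosts on the same
// port within the window; sources in knownScanners are skipped.
func FanOut(flows []Flow, minTargets int, knownScanners map[string]bool) []Alert {
	type key struct {
		src  string
		port int
	}
	targets := map[key]map[string]bool{}
	bytes, count := map[key]int{}, map[key]int{}
	for _, f := range flows {
		if knownScanners[f.Src] {
			continue
		}
		k := key{f.Src, f.DstPort}
		if targets[k] == nil {
			targets[k] = map[string]bool{}
		}
		targets[k][f.Dst] = true
		bytes[k] += f.Bytes
		count[k]++
	}
	var alerts []Alert
	for k, t := range targets {
		if len(t) >= minTargets {
			alerts = append(alerts, Alert{Src: k.src, DstPort: k.port, Targets: len(t), AvgBytes: bytes[k] / count[k]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Targets > alerts[j].Targets })
	return alerts
}

// SampleFlows is a constructed five-minute window: 10.20.0.15 sweeps the subnet on
// tcp/445, twelve clients talk to the file server 10.20.0.5, and 10.20.0.250 is the
// authorised vulnerability scanner doing its scheduled sweep.
func SampleFlows() string {
	var b strings.Builder
	for i := 1; i <= 40; i++ {
		fmt.Fprintf(&b, "10.20.0.15,10.20.0.%d,445,60\n", 100+i) // worm: one SYN-sized flow per host
	}
	for i := 1; i <= 12; i++ {
		fmt.Fprintf(&b, "10.20.0.%d,10.20.0.5,445,48211\n", 30+i) // normal SMB use
	}
	for i := 1; i <= 40; i++ {
		fmt.Fprintf(&b, "10.20.0.250,10.20.0.%d,445,60\n", 100+i) // scanner, allowlisted
	}
	b.WriteString("10.20.0.7,10.20.0.5,445,1200\n10.20.0.7,10.20.0.9,22,5400\n")
	return b.String()
}

func main() {
	flows, err := ParseFlows(SampleFlows())
	if err != nil {
		panic(err)
	}
	for _, a := range FanOut(flows, 20, map[string]bool{"10.20.0.250": true}) {
		fmt.Printf("ALERT %s -> %d distinct hosts on tcp/%d, avg %d bytes/flow\n", a.Src, a.Targets, a.DstPort, a.AvgBytes)
	}
}
```

On a closed network the threshold can be set aggressively, since there is no internet-bound noise: almost no workstation has a legitimate reason to talk to twenty peers on the same port in five minutes. The allowlist is the part that needs discipline; a scanner address that is not maintained becomes a blind spot an infected host can hide behind.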

Friday, October 16, 2009

The "Cyber" Word

I got the following e-mail from one of my peers.
==================
From: Chris Camejo
Sent: Sunday, October 04, 2009 2:19 PM
To: ---------------------

Subject: Cyberwords
I saw this “Cybersecurity” article on CNN and the ridiculous overuse of cyberwords is good for a chuckle:
http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/index.html
Apparently the government wants a “cyberczar” and more “cyberexperts” to work as “cyberanalysts” to protect “cybernetworks” from “cyberthreats” and engage in “cyberwarfare” so they can be an effective “cyberorganization”. Yes, all of those words were really used in the article.
It scares me that there are people making decisions in government who write stuff like that.
-Chris
=====================
I could not agree more.

Every time I see an acronym or a government program that starts with the “cyber” prefix I get irritated. I quickly associate the misapplication of the “cyber” prefix with ill-thought-out, wrong-footed, erroneous information security initiatives: cybersecurity, cyberczar, cybercop, cyberspace, and the list goes on… Even my MS Word spell check doesn’t like them. Using the cyber prefix simply takes the meaning away from many serious topics that we are working on by diluting their significance, to the point of serious confusion for everyone except the small number of cyber experts : )

It is also very interesting that only state and federal agencies use “cyber”.

The word cyber entered the English language in 1991 as “of, relating to, or involving computers or computer networks”, according to Merriam-Webster.

The reason I cannot associate with cyber is that etymologically it is wrong. The cyber prefix is derived from cybernetics. Cybernetics as a concept in society has been around at least since Plato used it to refer to government. Maybe that is why the government today likes to use it. In modern times, the term became widespread because Norbert Wiener wrote a book called "Cybernetics" in 1948. The field is described as the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (such as the nervous system and brain, and mechanical-electrical communication systems). Cybernetics is an established interdisciplinary science, not a sci-fi flick or an internet buzzword (http://en.wikipedia.org/wiki/Cybernetics). The word comes from Greek “kybernetes”, pilot, governor (from kybernan, to steer, govern) + English -ics.

So what is the relationship between the Internet and cyber? I do not see a real one… Maybe it is the cyborgs, cyborg being a combination of cybernetic + organism.

-yinal

Tuesday, September 15, 2009

Web Application Security Tools

I have been checking tools for a while for web application security engagements. Here is my list of web application scanners, test tools, proxies, source code analyzers, web application firewalls and XML SOA gateways (I will cross-check methodologies in another post).


Remote Web App Test Tools and test proxies
1- SPI Dynamics WebInspect  - Now HP Webinspect - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
2- Sanctum then Watchfire AppScan - Now IBM Rational AppScan -  http://www-01.ibm.com/software/awdtools/appscan/
3- Kavado Scando - Now Protegrity - http://www.protegrity.com/DefianceSecuritySuite
4- AppSecInc AppDetective Pro - http://www.appsecinc.com/products/appdetective/index.shtml
5- Cenzic Hailstorm - http://www.cenzic.com/products/software/overview/
6- NT Objectives NTOSpider http://www.ntobjectives.com/products/ntospider.php
7- Acunetix Web Vulnerability Scanner http://www.acunetix.com/vulnerability-scanner/
8- Burp Suite -proxy-  http://www.portswigger.net/
9- Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/about.html
10- Positive Technologies MaxPatrol 7 - http://www.ptsecurity.com/mp_eval.asp
11- NGS Typhon III - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
12- Parasoft http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319#web_iface_penetration
13- Hyperscan -Art of Defense - http://www.artofdefence.com/en/hyperscan/hyperscan.html
14- HP Assessment Management Platform software - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9580_4000_100__
15- nCircle - http://www.ncircle.com/index.php?s=products_webapp360
16- Qualys - Web Application Scanning - http://www.qualys.com/solutions/web_application_scanning/
17- Foundstone - Now McAfee Vulnerability Manager - http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html
18- Nessus - Tenable Security - http://www.tenablesecurity.com/nessus/
19- Syhunt SandCat http://www.syhunt.com/
20- Saint - No Web App Customization - http://www.saintcorporation.com/products/vulnerability_scan/saint/saint_scanner.html
21- MileSCAN Web Security Auditor (WSA) - Paros Proxy - http://www.milescan.com/hk/ , http://www.parosproxy.org/index.shtml
22- N-Stalker Web Application Security Scanner http://www.nstalker.com/products
23- Nikto - Open Source (GPL) web server scanner  http://www.cirt.net/nikto2
24- Canvas (formerly SpikeSecurity) - http://www.immunitysec.com/products-canvas.shtml
25- WebScarab -proxy-  http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
26- Odysseus - proxy- http://www.bindshell.net/tools/odysseus
27- CoreImpact - http://www.coresecurity.com/content/core-impact-overview
28- Metasploit - http://www.metasploit.com/
29- Wikto - http://www.sensepost.com/research/wikto/
30- Proventia Scanner (formerly ISS) -http://www-935.ibm.com/services/us , http://www-935.ibm.com/services2
31- e-Eye Retina Web Scanner http://www.eeye.com/html/products/RetinaWebScanner/index.html
32- SQL Power Injector http://www.sqlpowerinjector.com/
33- Sensepost BiDiBLAH - Security Assessment Power Tools (not sure for Web App features)   http://www.sensepost.com/research/bidiblah/
34- The Security Auditor's Research Assistant (SARA) - http://www-arc.com/sara/
35- Foundstone Tools - http://www.foundstone.com/us/resources/freetools.asp
36- Wapiti Web application vulnerability scanner / security auditor - http://wapiti.sourceforge.net/
37- Curl - httptools, not a scanner - http://curl.haxx.se/
38- Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
39- Fiddler Proxy - http://www.fiddler2.com/fiddler2/
40- Pantera - another spikeproxy- http://www.owasp.org/index.php/Pantera
41- Suru - proxy from sensepost - http://www.sensepost.com/research/suru/
42- Charles Proxy - http://www.charlesproxy.com/
43- Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
44- ratproxy from Google http://code.google.com/p/ratproxy/
45- JS Proxy - for javascript - http://jscmd.rubyforge.org/
46- OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools



Source Code Analysis
1.Coverity Integrity Server / Prevent -http://www.coverity.com/products/coverity-prevent.html
2.Escher Technologies Eschertech  - http://eschertech.com/
3.Fortify Software Suite (analysis, workbench, metrics & trending console, customization module) http://www.fortify.com/products/fortify-360/vulnerability-detection.jsp
4.Gimpel PC-lint and FlexeLint C/C++  -http://www.gimpel.com/html/products.htm
5.Grammatech CodeSurfer C/C++ - http://www.grammatech.com/products/codesurfer/overview.html
6.Ounce Labs - Now IBM - http://www.ouncelabs.com/application_security/
7.Parasoft JTest  Parasoft Application Security- Java Static Code Analysis - http://www.parasoft.com/jsp/products/home.jsp?product=Jtest
8.Secure Software CodeAssure Workbench C/C++, Java (Now Fortify)
9.Veracode - http://www.veracode.com/solutions
10.Armorize Codesecure - http://www.armorize.com/?link_id=codesecure
11.Klocwork Insight/Solo http://www.klocwork.com/products/product-comparison-matrix/
12.Hypersource - Art of Defense - http://www.artofdefence.com/en/hypersource/hypersource.html
13. PHP Pixy - http://pixybox.seclab.tuwien.ac.at/pixy/
14. BFBTester: Brute Force Binary Tester - http://bfbtester.sourceforge.net/
15. CROSS (Codenomicon Robust Open Source Software)  -http://www.codenomicon.com/solutions/cross.shtml
16. Flawfinder - C/C++ source code - http://www.dwheeler.com/flawfinder/
17. Gendarme -.NET applications and libraries - http://www.mono-project.com/Gendarme
18. Stanford SecuriBench -open source - http://suif.stanford.edu/~livshits/securibench/
19. OWASP Phoenix Chapter - Another List of Tools : http://www.owasp.org/index.php/Phoenix/Tools




Web Application Firewalls:
I am excluding network firewalls with deep inspection features such as Cisco, Juniper, Check Point and Fortinet.

F5- ASM -Application Security Manager - http://www.f5.com/products/big-ip/product-modules/application-security-manager.html
Breach Security - http://www.breach.com/products/
Imperva - SecureSphere -http://www.imperva.com/solutions/web-application-security.html
Cisco ACE Web Application Firewall http://www.cisco.com/en/US/products/ps9586/index.html
White Hat Sentinel (add-on for F5, Imperva, Breach) - http://www.whitehatsec.com/home/services/waf.html
Citrix NetScaler http://www.citrix.com/English/ps2/products/product.asp?contentID=25636
Protegrity WAF - http://www.protegrity.com/WebApplicationFirewall
Fortify Real Time Analyzer RTA - http://www.fortify.com/products/detect/
AQtronix for IIS  - http://www.aqtronix.com/?PageID=99
DenyAll rWeb - http://www.denyall.com/products/rweb_en.html
Applicure DotDefender - http://www.applicure.com/About_dotDefender
Armorlogic Profense - http://www.armorlogic.com/
Bee Ware i-Sentry http://www.bee-ware.net/en/product/i-sentry/
BinarySec (French) http://www.binarysec.com/cms/docs/products/products.html
BugSec WebSniper http://www.bugsec.com/index.php?q=WebSniper
e-Eye SecureIIS http://www.eeye.com/html/products/secureiis/index.html
webscurity web.AppSecure http://www.webscurity.com/products.htm
Phion Airlock http://www.phion.com/INT/products/websecurity/Pages/default.aspx
Radware AppWall http://www.radware.com/Products/ApplicationDelivery/AppWall/default.aspx
Hyperguard - Art of Defense : http://www.artofdefence.com/en/hyperguard/hyperguard.html
Barracuda Web Application Firewall - http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

XML Firewalls
Radware AppXML http://www.radware.com/Products/ApplicationDelivery/AppXML/default.aspx
DataPower (now owned by IBM) - WebSphere DataPower SOA Appliances -http://www-01.ibm.com/software/integration/datapower/
Reactivity, Inc. (acquired by CISCO), The Cisco ACE XML Gateway - http://www.cisco.com/en/US/products/ps7314/index.html
Forum Sentry XML Gateway  - http://www.forumsys.com/products/index.php
Layer 7 Technologies' SecureSpan XML Firewall - http://www.layer7tech.com/main/solutions/firewalling.html
Vordel XML Gateway - http://www.vordel.com/products/vx_gateway/
Dajeil - http://www.dajeil.com/Products.asp
Sarvega (now owned by Intel) Intel SOA Expressway - http://www.intel.com/cd/software/products/asmo-na/eng/373233.htm
Bloombase Spitfire Security Server - http://www.bloombase.com/products/spitfire/index.html
Sonoa http://www.sonoasystems.com/product-matrix#anc-security
inferno - open source - http://ixmlfirewall.sourceforge.net/
DAXFi - Dynamic XML Firewall - open source - http://sourceforge.net/projects/daxfi/

open for feedback,
- yinal ozkan

Saturday, September 12, 2009

RSA Conference Notes (US 2009)

Better late than never...

During the RSA Conference (April 2009) the organizers had Flip cameras for us (which they announced over Twitter).
Instead of typing/blogging my notes, I tried "vlogging", which was easy. Here are my notes, edited by RSA, from the RSA Conference web site:

Part I
Part II
Part III

Sometimes it is positive to see and hear the author, sometimes it is not. But as far as I can see, we had better not hide behind anonymous posts. I think that we can communicate better with the new gadgets offered to us literally at no cost.


cheers,
- yinal

Sunday, August 16, 2009

IT Governance, Risk and Compliance (ITGRC) Tools August 2009

For the 2011 list follow this link

Here are the updated links for the IT-GRC vendors, the IT-GRC wannabe vendors, and some IT-based risk management tool/software providers.

There is still a thin line between IT, Financial and ERP GRC solution providers.

I have noticed that SAP has created its own GRC context where GRC means a lot of other things... SoD (segregation of duties), entitlements management, user access/authorization for applications/transactions, audit management, role management, etc. Basically a dull extension of IT audit controls. SAP's Virsa and Sun's Vaau acquisitions are good examples of this trend. That is not GRC; that is mediocre IT controls audit. The term GRC is used without any consideration. This statement is also valid for the other usual suspects (Oracle, PeopleSoft, Hyperion, JD Edwards).

Here is a quick M&A update from last post:
Brabeion is acquired by Archer (Big News)
Controlpath is acquired by Trustwave.
Paisley is acquired by ThomsonReuters
Iconium is acquired by Logicalis
IBM dropped their own suite and is working with Modulo
Favored GRC has a new name Highpoint GRC
Achiever is gone
I looked at the ACL, Approva, Aveksa, OpenText, SecurityWeaver, Xpandion and Spatiq solutions; I will be checking these vendors in the future (these solutions tend to manage ERP security only).


IT-GRC solution Providers:

Agiliance
http://www.agiliance.com/
Archer ( acquired Brabeion)
http://www.archer-tech.com/solutions/index.html
Trustwave GRC
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_control_compliance_suite_9.0-11_2008_14121573.en-us.pdf
Compliance Spectrum
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/home.jsp
NetIQ
http://www.netiq.com/solutions/scm/default.asp
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue/SecureVue_Technology.shtml
CA GRC
http://www.ca-grc.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Logicalis grace (acquired Iconium Assets)
http://www.uk.logicalis.com/business_issues/governance_grace.asp
Lumension (acquired Security-Works)
http://www.lumension.com/landing.spring?contentId=154643
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
BPS
http://www.bpsinc.com/
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
MetricStream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley (now Thomson Reuters)
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html
Axentis
http://www.axentis.com/offerings/solutions/itgovernance
Methodware
http://www.methodware.com/it-security/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
McAfee Risk and Compliance Manager (formerly McAfee Preventsys),
http://www.mcafee.com/us/local_content/white_papers/dashboard_reporting_it_grc.pdf
Greenlightcorp (SAP GRC)
http://www.greenlightcorp.net/sap_grc_cross_platform.html
Trintech -Financial GRC only
http://www.trintech.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/
SAP
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
eFortresses
http://www.efortresses.com/Compliantz.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/news.asp

There are also dedicated risk management tools which will soon identify themselves (maybe they already do) with the IT GRC market space:
Callio
http://www.callio.com/
Casis
http://www.clearpriority.com/ (clearpriority)
Strategic Thought Active Risk Manager
http://www.strategicthought.com/riskmanagement.html
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Acuity Stream
http://www.acuityrm.com/
EAR/Pilar
http://www.ar-tools.com/en/index.html
GStool (mainly German)
https://www.bsi.bund.de/cln_136/EN/topics/ITGrundschutz/ITGrundschutzGSTOOL/itgrundschutzgstool_node.html
Sigea GxSGSI (this site is in Spanish only)
http://www.gxsgsi.es/
RA2
http://www.aexis.de/index.php?site=static&staticID=4
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/
ISmart
http://www.biznet.com.tr/english/ismart_info.htm
Resolver
http://www.resolver.ca/
RMStudio
http://www.riskmanagementstudio.com/
RiskConnect
http://www.riskonnect.com/riskonnect_products.html
PTA Risk Assessment Tools and Technology
http://www.ptatechnologies.com/
Avedos Risk2Value
http://www.avedos.com/111-Short-Facts.html
Non-IT Risk Software
http://www.riskworld.com/SOFTWARE/sw5sw001.htm

I still need time to add URL links for the well-known risk assessment methodologies. A little bit of googling will take you to the right resources if you want to build your own system using a methodology or a framework.
The methodologies for risk assessment and management listed below can be used in IT operations... Endless discussion on quantifying the risks... I like the ISO 27000 series to lead, but each case is different.

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk management (IRM) The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF –IRAM : Information Security Forum Ltd. Information Risk Analysis Methodologies . Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis) , SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
SecurITree from Amenaza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

There are also compliance management/SIM/SIEM solutions which partially present GRC.
Here are a few links:

Tivoli Security Compliance Manager
http://www-01.ibm.com/software/tivoli/products/security-compliance-mgr/
Novell Compliance Management Platform
http://www.novell.com/products/compliancemanagementplatform/
Easy2comply (formerly Dynasec)
http://www.easy2comply.com/
AlertLogic
http://www.alertlogic.com/
NetForensics
http://www.netforensics.com/compliance/
Arcsight
http://www.arcsight.com/solutions/solutions-compliance/
RSA enVision
http://www.rsa.com/solutions/compliance/datasheets/9373_ISOENV_DS_0408-lowres.pdf
Intellitactics
http://www.intellitactics.com/int/solutions/compliance.asp

Actually all SIM/SIEM vendors have a compliance management solution. For their list you can check the following post:
http://security.24kasim.org/2008/12/differentiation-of-log-management.html

Friday, July 31, 2009

PCI Reporting Requirements for Merchants

Facts:
- Check your PCI Merchant levels and validation requirements from the following post: http://security.24kasim.org/2009/06/pci-levels-for-merchants-2009.html

Amex

Level 1-
If compliant: Attestation of Compliance (AOC) (recommended) or executive summary of the onsite security assessment report (QSA/internal) annually, plus quarterly network scans
If not compliant: AOC (recommended) or executive summary of the onsite security assessment report plus remediation plan annually, and quarterly network scans plus remediation plan

Level 2-
Quarterly Network Scans (and Remediation Plan if not compliant)
AOC (Recommended) or Executive Summary
In EU: PCI SAQ

Level 3- Level 4 -
No reporting Required for Amex at L3 and L4

Discover

Level 1 –
Network Merchants:
If compliant: Appendix D of PCI DSS Requirements and Security Assessment Procedures v1.2, the Attestation of Compliance (AOC)
If not fully compliant: must also complete the Action Plan for Non-Compliant Status section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 2:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 3:
Network Merchants:
If compliant Attestation of Compliance –AOC- from applicable SAQ
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form to Discover twice a year

Level 4:
Network Merchants
If compliant: Attestation of Compliance (AOC) from the applicable SAQ may be required
If not fully compliant must also complete the Action Plan for Non-Compliant Section of the AOC
Acquired Merchants:
Consult acquirer – Acquirer must submit the Discover Acquirer Network Portfolio Compliance Status Submission Form or Level 4 Merchant Action Plan to Discover twice a year

JCB

JCB has no reporting requirements at this time

MasterCard

Level 1-
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 2-
Acquirers annually register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 3 –
Acquirers register compliant merchants in the MasterCard Registration Program (MRP)
Acquirers report status of all merchants quarterly

Level 4-
No requirements

Visa Inc

Level 1-
At least twice a year, a statement of merchant compliance/non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 2-
At least twice a year, a statement of merchant compliance/non-compliance
Annual AOC form
Upon request a copy of Report on Compliance (ROC)

Level 3-
At least twice a year, a statement of merchant compliance/non-compliance

Level 4-
Set by the acquirer

Visa Europe
Level 1-
Annual statement of merchant compliance
For merchants in progress, quarterly update until compliance confirmed
Upon request a copy of Report on Compliance (ROC) including indication of scan completion

Level 2-
Annual Statement of compliance / non-compliance
For merchants in progress, quarterly update until compliance confirmed

Level 3-
Quarterly statement of compliance / non-compliance for merchants above 20000 transactions/year. Annual statement for merchant below 20000 transactions/year

Level 4:
Annual statement of compliance / non-compliance for merchants processing < 1 million Visa transactions/year.



Service providers are not merchants, so if you are providing card processing for third parties (Payment Service Provider, PSP) or if you are a TPP (Third Party Processor), the PCI levels, validation and reporting requirements are different. The charts above are for merchants only.

Sunday, June 28, 2009

Clouds and the VPN

Question:
Do I need VPNs in the cloud?

Answer:
There are several questions regarding the necessity of VPNs in the cloud.

I think the first step is to clarify the concept of cloud. Currently the word “cloud” is used interchangeably for telco service provider transport clouds (network clouds, e.g. MPLS) and cloud computing web services that provide resizable compute capacity as a cloud (like Amazon EC2). We can also define private service providers like SaaS providers and managed service providers (MSPs) as cloud/utility providers (like force.com from salesforce.com, or Webroot SaaS). Here are some articles defining cloud and transport options.
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
http://mediaproducts.gartner.com/reprints/f5networks/vol3/article4/article4.html


When the necessity of VPNs in the cloud is analyzed, it is obvious that encryption is indeed one of the key pillars of modern information security, and VPNs do provide confidentiality and integrity for data in transit. When cloud networks transport the data they should provide integrity and confidentiality of that data. That being said, this does not have to be at layer 3 (IPsec) or layer 6 (SSL). So focusing on an IPsec client does not help to address the issue. Confidentiality and integrity services can also be provided by the applications themselves. When data is critical you may certainly encrypt it at the application layer (e.g. rights management solutions).

Here is the high level status for VPNs in the cloud:

1- TelCo Network Clouds (Service Provider) – This is the most interesting part. TelCos claim that their shared infrastructure and MPLS VPNs are secure. This is questionable (see the articles below) but the answer depends on the security needed.
If the service provider cloud is not trusted enough you always encrypt at another layer (usually in the application). I personally believe that cloud service providers (TelCos) must be subject to heavier inspection when they are transporting almost all of the intersite traffic. Here are some articles discussing the issue:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Rey-up.pdf
http://www.techworld.com/networking/features/index.cfm?featureid=3360

I also do not understand why TelCos are exempt from security regulations (PCI is a good example). TelCos (and their admins, applications, helpdesk people, servers, cable guys…) do have access to almost all interoffice data traffic when an MPLS type of TelCo backbone is used. And when the MPLS cloud is compromised, all clear text (yes, even the tunneled traffic) will be compromised. Real encryption is rarely used. TelCos have been promoting themselves as secure service providers while promoting layered tunnels as segmentation, but I believe they must seal these claims with 3rd party certifications and by allowing encryption-friendly clouds (where keys are held by the data custodians).

2- Cloud Computing providers: These providers addressed encryption at their inception thanks to their security-aware generation. Before encryption there are several other questions. Here is my post on generic cloud computing security issues: http://security.24kasim.org/2009/02/cloud-computing-security.html

3- SaaS providers: SSL looks like the king at these providers. Segregation of customer data, and customer driven/controlled encryption for data at rest and data in transit, is required. For data in transit, SSL is secure enough when proper authentication/cert management is provided.

I still follow the following basic principles when I evaluate a platform. Regardless of the nature of the technology, all platforms (clouds and others) should properly address the following areas of information security:
1- Authentication
2- Authorization
3- Confidentiality
4- Integrity
5- Non-Repudiation

cheers,
- yinal

Monday, June 1, 2009

PCI Levels and Validation Requirements for Merchants 2009

This topic is always in the air, so here are the official numbers for 2009 for merchants. The PCI Security Standards Council is the governing body for the PCI DSS itself; as the facts below note, the merchant levels are set by the payment brands:

Facts:

- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, Mastercard, Discover , Amex etc. They do have the last word on this topic

- Transaction volume is determined by the acquirer

- Transaction volume is aggregate number of transactions (chain stores do count if cards are processed centrally)

Amex

Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans


Level 2- 50000-2.5Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand

Action: EU only annual SAQ, Quarterly ASV scans

Level 3- Less than 50000 AMEX transactions/year

Action: Quarterly ASV scans (recommended), EU only annual SAQ (recommended)

Level 4- N/A

Action: None

Discover

Level 1 - Over 6 Million Discover card transactions/year, any merchant Discover designates as Level 1 (discretionary), or any merchant who is validated/reported as Level 1 to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20,000 to 1 Million Discover transactions/year, or any merchant who is validated/reported as Level 3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- Everybody else with Discover card processing

Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended

JCB

Level 1 - Over 1 Million JCB card transactions/year, or any merchant that has been compromised

Action: Annual Onsite QSA audit, Quarterly ASV scans

Level 2- Less than 1 Million JCB transactions/year

Action: Annual SAQ, Quarterly ASV scans

Level 3- N/A

Action: none

Level 4- N/A

Action: None

MasterCard

Level 1- Over 6 Million Mastercard card transactions/year, any merchant who is Level 1 according to another Payment Brand, or any merchant that has been compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20,000 to 1 Million Mastercard “e-commerce” transactions/year, or any merchant who is validated/reported as Level 3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- All other Mastercard merchants

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Inc

Level 1- Over 6 Million Visa card transactions/year (all transactions, not just e-commerce), or any global merchant identified as Level 1 by any Visa region

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 20,000 to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ (in Canada SAQs require QSA reviews), Quarterly ASV

Level 4- Merchants processing less than 20,000 Visa e-commerce transactions/year, or merchants processing up to 1 Million Visa transactions/year over any channel

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Europe

Level 1- Over 6 Million Visa card transactions/year (all transactions, not just e-commerce), or merchants that have been compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions, not just e-commerce)

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions

Level 4- Merchants processing up to 1 Million Visa transactions/year over any channel

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Of course, all parties who process, store or transmit cardholder data must follow the PCI requirements (PCI DSS) regardless of their level; the level only changes how compliance is validated and reported.

I will cover reporting requirements for merchants in another post.

Sunday, April 5, 2009

Securing Legacy Windows Applications

Question:

What are some techniques for securing legacy Windows server applications using virtualization and/or sandboxing?

Answer:

……,

I do come across these legacy applications everyday and you are right they are not going away and we have to deal with them.

VMware and the other virtualization solutions will not make legacy Windows applications more secure (or less secure). They will just virtualize legacy host systems and fill the need for multiple hardware hosts. You may certainly choose to segment hosts via virtualization, if you believe that it is easier to apply high end IPS/FW/content security systems inline. This is technically possible in several ways:

1- Deploying hypervisor behind security controls

2- Deploying virtualized security appliances in between vm images.

Your options are not that much different on non-VM deployments. Legacy Windows systems are tough to secure for the following reasons:

1- They are usually deployed on vulnerable operating systems, and patches are no longer available for those operating systems.

2- Host based security controls are usually not compatible (HIPS, AV, FW, Logging, Identity Management etc)

3- Ancient communication protocols are used (RPC, older network stacks, clear text non authenticated file transfers etc)

4- The developers of the apps are usually out of reach, so it is not easy to patch application vulnerabilities…

And the list goes on for the reasons that you already know. Here are practical solutions:

1- Deploy file integrity monitors and registry monitors. These MD5/SHA1 based tools are independent of the OS and bring some security. You need to identify the critical files/filesystems yourself.

2- Migrate user management to new systems if possible (this is usually not possible, but try – avoid NT4 domains, allow local admin users only). Migrate old databases/database connectors to new ones if possible (the application stays intact while the data moves to a new, technically more secure, home).

3- Segment these servers; assume they will be compromised, since they cannot be properly secured. Do not keep them in the same segment with other “decently” secured hosts/applications. If possible use one new segment per host. Usually it is difficult to change IP settings, so you can use transparent firewalls/IPS at Layer 2.

4- After segmenting, treat these legacy segments as untrusted and apply the security controls that you apply to untrusted segments.

5- Run vulnerability assessments continuously, and know your vulnerabilities. Run your action plan based on the findings… Pen test if the stakes are higher.

6- You will probably see buffer overflows: monitor uptime and get curious after unplanned reboots and system halts.

7- Log everything at the network level (not on the host or at the application level). Allow access on a need-to-know basis. Restrict access by any means (IP, client etc.). Make sure that you have an audit trail.

8- Have a migration plan; if you cannot, make sure that your risk statement includes the risks associated with these hosts.

Good luck, cross your fingers,

cheers,

- yinal ozkan
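The file integrity monitor from item 1 above, as an added example that is not part of the original post: it baselines a directory tree, stores the digests off-host, and reports added, removed and modified files on the next run. It uses SHA-256 instead of the MD5/SHA-1 the post mentions (collisions in both are practical today), walks the tree from a monitoring host that mounts the legacy server's share, and builds its own constructed sample tree in a temporary directory so it runs offline. Paths and file contents in the demo are invented.

```python
"""Minimal file integrity monitor: baseline a directory tree, then diff it.

Added example, not code from the original post. SHA-256 is used instead of
MD5/SHA-1. The demo tree is constructed in a temp directory; the paths and
contents are invented for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path):
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest and size."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # never follow links: a swapped symlink is itself a change
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline, current):
    """Return added/removed/modified file lists, sorted so reports are stable."""
    old, new = set(baseline), set(current)
    modified = sorted(f for f in old & new
                      if baseline[f]["sha256"] != current[f]["sha256"])
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": modified}


def save_baseline(baseline, path):
    # Keep the baseline OFF the monitored host (read-only share, log server):
    # whoever can alter the monitored files can alter a local baseline too.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake app directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "legacyapp"
        (app / "bin").mkdir(parents=True)
        (app / "bin" / "server.exe").write_bytes(b"MZ\x90\x00fake-binary")
        (app / "config.ini").write_text("[db]\nhost=dbsrv01\n")
        baseline = build_baseline(app)
        # simulated tampering: binary replaced, config deleted, new DLL dropped
        (app / "bin" / "server.exe").write_bytes(b"MZ\x90\x00trojaned")
        (app / "config.ini").unlink()
        (app / "bin" / "evil.dll").write_bytes(b"MZ\x90\x00dropper")
        return compare(baseline, build_baseline(app))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, schedule `build_baseline` against the mounted share, compare against a baseline loaded from the log server, and ship the non-empty result into the same network-level audit trail item 7 calls for; re-baseline only after a reviewed change.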

Productivity Metrics

Question:

What do you think are key productivity metrics for an infrastructure operations group? What according to you are key productivity metrics for running an infrastructure operations group.

Answer:

That is a tough question. I would start with the definition of productivity, since it is not a generic metric like an uptime measurement…

Productivity is a simple measurement of input vs. output. There are several mathematical models but I would recommend staying simple.

The inputs are the usual suspects; they are the resources you have: time, people, and money… You may turn each input into another, but I would recommend staying with the three.

In productivity metrics, my approach is to compare the delta in output for a fixed input. That is why it is slightly different from regular metrics such as plain uptime or MTTRs.

I like the COBIT classification for the metrics:

Quality Principles: Cost, quality and delivery fulfillment.

Fiduciary Principles: Effectiveness and efficiency of operations, reliability of information, regulatory compliance.

Security requirements: Confidentiality, Integrity, and availability

But it is easy to classify in different ways; the idea is to measure productivity metrics instead of raw metrics (build a baseline for an input, then compare metrics against that baseline to get an idea of the productivity for a certain input).

For the representation of the key metrics I would go with %, #, $ and time (percentage, number, dollar and time).

The outputs at infrastructure operations to build comparative productivity metrics can be (but not limited to):

Per Role Outputs:

# Last year a Level 1 engineer was closing 8 priority-1 tickets a day; this year, 20

# Last quarter Level III engineers were completing 2 projects/month; this quarter, 1

% Percentage of positive feedbacks per role

Time Based Outputs: Our “Mean Engineering Fix Hours” time was 2 hours; now it is 90 minutes.

Time: MTTR/MTBFs baselines

Time: Unplanned downtime baselines

Time: Cycle time provisioning a new infrastructure component was 1 week now it is 3 days

Money based:

$ Per ticket cost was $100 now it is $20

% Percentage of infrastructure costs charged back to business was 50% now 80%

$ Cost of running my team was $x now $y

$ Unplanned downtime impact in $ terms was $x now $y

Quality Based

% Percentage of planned/on time completed change requests – over time/cost

% Percentage of systems compliant with policy requirements – over time/cost

% Percentage of systems with the required OS/patch levels – over time/cost

e.g. last month our team spent 3000 hours and 90% of changes were within the planned range.

It is easy to deploy custom metrics based on your environment as long as you stay with the productivity focus. You can also build your metrics from the frameworks you are following (PCI, FFIEC, COBIT etc)

Also, in reporting you need to explain surges, drops and trend changes that affect productivity metrics.

Yes, it is not an exact science, but as it is said, “you cannot improve what you cannot measure”. I also recommend Andrew Jaquith’s “Security Metrics” book, even though it is security focused.

regards,

- yinal ozkan

Monday, March 23, 2009

Information Security Career Advice

Question:

I have a masters in Network Security and work as an information security and network analyst. I also have a CCNA and am trying to figure out if I should head the Cisco way to get CCSP/CCNP or get into the ISC2 arena. How are infosec jobs in the Northwest region? What are the exact skill sets companies are expecting for entry and mid level positions in information security and network administration?

Answer:

xxxxx,

As usual getting them all is the best but we all know that you need to prioritize. I think with a grad degree you have already made a good investment.

On the policy/information security/risk side, the CISSP and CISM best practice certifications do help you to speak the same jargon as the industry. When you get these certs you will naturally acquire the jargon, and you may also become a member of ISSA, ISC2 or ISACA to join the social networks that come with these certifications. I also like the CISA certification, where you get an official auditor title. These certifications will play nice with your Masters Degree in Network Security. The member websites also provide plenty of frameworks, tools and methodologies to begin with.

Product vendor certifications are different. These certifications usually open the door for entry level positions. For example, if you have a CCSP and the position you are applying to is at a Cisco shop, you have a higher chance. There is a big gap when you compare vendor certifications with generic security best practice certifications though; vendor certifications are usually very hands on and they require day to day sharpening of skills, and you cannot do this alone, by yourself, away from the vendor. Try this path only if:

- you like operations and hands-on troubleshooting

- you have a chance to use these products in your daily life

- you have a chance to work on complex requirements (for example if you have never worked on a complex dynamic routing environment, your Cisco routing cert is valueless)

Once you become a subject matter expert on a vendor product you may command a higher income, but that is not a work-from-home-then-get-certified process.

-

Your main question is about the jobs. In small shops information security and network management are usually merged into one group/role... In a SOHO operation this is one person… Getting skills in both (best practices and vendor space) will help you to find something faster in the SME space. But for the larger (Fortune 1000) shops, information security and network operations are usually segregated, so focusing on one side pays better at larger companies. It is always better to know both, but I have rarely seen experts of both sides...

Again, certifications are just one component of the hiring decision matrix; experience, work ethic, income expectations, work authorizations and people skills usually play a larger role in the hiring decision, but it is correct that certifications may help you to pass the non-IT recruiter screenings.

You should choose the path that makes you happy to work. That will make you successful regardless of the path you choose. If you will enjoy working on security policies at 11pm, if you won’t see the work as a “pays the bills” thing, that is the right path for you. If you are ambitious, and you believe you have the bandwidth to get both vendor and best practice certifications, just go for them; it is not tough.

The trick is that the “job market” can drive you only to a certain point; the rest is dependent on your personal interest and your enthusiasm for the path you choose.

Let me know if you have a specific question,

Regards,

- yinal ozkan

p.s. you may check my previous posts related with this topic:

http://security.24kasim.org/2008/10/it-security-consultant-jr.html

http://security.24kasim.org/2007/08/are-cissp-cisa-and-cism-credentials.html

Saturday, February 28, 2009

Cloud Computing Security

Question:

What are your concerns about cloud computing security?

Answer:

I am not concerned. What we expect from any solution provider is no different from what we expect from a cloud computing service/infrastructure provider. Can they deliver it? Well, I do not think they (cloud computing providers) are worse than the incumbent corporate IT security teams in charge today. At the end of the day, cloud computing is going through a similar security management path to the one private networks followed for years (on a different scale :)

 

In the last month, I have seen several posts on several platforms regarding “Cloud Computing Security”. Without getting into the content of the many whitepapers, articles and posts the experts delivered, here are the concerns in simple English:

1- Who reaches my data? Any privacy?

2- Where is my data?

3- Can they control outbreaks in a distributed environment?

4- Can I get through compliance?

5- Can I or can my peers audit security?

 

On the western front the security requirements are the same. Cloud computing does not change the requirements of information security, so to simplify the concept we may claim that what we expect from a cloud computing provider is no different from what we expect from corporate IT.

 

Who reaches your data in the cloud? – Well, that is a question that you must ask before signing the contract; technically it is not worse than your TelCo providing MPLS: did you ever wonder who taps your data over the WAN? Make sure that the contract terms are in favor of PII and the relevant compliance requirements that you are subject to. And do not be content with sales material from the cloud computing provider; audit it (I actually know ways to bypass such queries, so hire a good auditor who can accredit the cloud computing provider’s claims – e.g. they can say access to data is subject to need to know, but it is usually not the case).

 

Where is my data? – Your data is factually in the cloud; you cannot know, it can be everywhere. But as long as it is secure, your BCP/DR plans are in place, and you are not breaking the law by sending data overseas, you should be fine. Why do you care? Do you see your money when it is in the bank? Do you worry because it is not in your home safe? (I think this is a bad allegory for today :) Again, audit the claims and put it in the contract.

 

Can they control the outbreaks? Is it a controlled environment? – I can make a bold claim that cloud computing services have higher availability than corporate IT services. They are usually redundant in gigantic terms, and they hire brilliant engineers in bulk (see the providers: Google, Microsoft, Amazon, Salesforce?). Things go wrong everywhere, so make sure that you always have an isolated plan B in the cloud, and again put it in the contract and test it; make sure BCP/DR works.

 

Can I get through compliance? – Easily: if it is included in the contract, passing compliance will be easier than ever. My cloud computing provider goes through PCI, HIPAA, SOX, ISO 27001 et al; they pass, I pass, what a wonderful feeling. Well, if your provider does not offer compliance services, then ask for it; at the end of the day you may not be able to dispatch auditors to 500 data centers (a Big 4 dream).

 

Can we/peers audit it? – You must. The cloud computing provider must be open like an encryption algorithm; remember the old basics: security through obscurity is no security at all. Again, put it in the contract, do the sampling right (you cannot audit it all, be a pragmatist) and audit it.

 

If you have a specific question, I can write the specifics and play the devil’s advocate.

Regards,

- yinal ozkan