Tuesday, August 26, 2014

Egress Filtering: Are you authorized to leave?

One of the first concerns with protecting a network is stopping outsiders from being able to enter into the internal network.  Of course, this does make sense because we believe that the main threat to our network is external by default.  Over the years we have found this to not be so true and that many threats actually are from internal actors.  While I do believe that blocking external requests that are unwanted is completely necessary for a secure network, we should not overlook how data leaves the network.

There are multiple reasons why data may be leaving the internal network.  Maybe the employees are sending data out to clients with a non-malicious intent.  On the other hand, maybe an employee is trying to steal data, or an external attacker has gained entry and is now trying to ex-filtrate the data for future use.  There are two types of data leaving a network: Acceptable and unacceptable.  The first step is to determine what is acceptable data to leave the network.  This includes not only identifying the category of the data, but also how it is transmitted.  What ports does it use?  Is there a specific destination address or originating address for that data?  Once we can start to identify these items, we can then start to determine what cannot be sent out.

An example of traffic  you may want to block is VPN connections.  While a VPN connection creates a secure channel for safely connecting to a network, it also makes it difficult for the company to determine what data is being transmitted over it.  If an employee or attacker is able to create a VPN to an external source and send company confidential information through it, the company may never be aware it happened.  There are lots of other ways to send data to an outside source, so configuring your network to block these avenues is essential.

Egress filtering is the process of filtering out the data that is being transmitted to the outside of the network.  Typically, non-standard ports will be blocked as a measure to prevent data from leaving.  Malware or a virus that makes its way into the network could try sending data on a random port.  If that is the case, then by blocking all non-essential ports, the malicious software loses its ability to communicate to the outside and possibly helps reduce its impact.  Unfortunately, we are seeing more and more these malicious tools using common ports because they are known to be available. 

Once the company has adopted a solid data classification policy, other constraints like Data Loss Prevention (DLP) can be implemented to help identify data leaving the network.  In addition, network segmentation can also help protect data from being removed from the networks.   We will discuss those topics in future posts.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on twitter or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, July 30, 2014

Logging Like a Lumber Jack

Turn on any news outlet or visit any news site and you will most likely see an announcement of yet another data breach.  On the DTR podcast we discuss breaches in the news during almost every episode.  There is a push to put more of an emphasis on identifying and reacting to a breach or security incident rather than just focusing on preventing the event from happening to begin with.  We want to prevent as much as possible, however the reality is that breaches appear to be inevitible and if that is the case, we should put some focus on properly reacting and identification.

Logging is a key element to any security program.  It provides the capability to see what is currently happening as well as what has happened in the past.  In the event of a breach, the logs become critical in determining what happened, what data may have been effected, etc.

Current Logging...

Over the years I have found that many developers do incorporate logging into their applications, but it is not for security purposes.  Most of the time the logs are strictly for troubleshooting.  This makes sense because that is where a developer focuses their time once an application has been released.  Without debug logs, it can be really difficult to fix a problem.  The issue here is that while this works for debugging, it doesn't really help from a security standpoint.   In the event of a  breach, it is doubtful that a log full of stack traces is going to be the help that is needed to determine what happened.

What Should I Log?

There is no exact formula for what needs to be logged in a system.  There are of course some starting points that are consistent across many platforms.  The following are a few examples of events that should be logged.

  • Failed Authentication Attempts
  • Successful Authentication Attempts
  • Account Lockouts
  • Sensitive Transactions
  • Access of Sensitive Data
  • Application Feature Changes - Logging Disabled/Enabled, System/Application Shutdown
Unfortunately, the hard part comes in when you are trying to determine the key elements to log.  You have to have a solid understanding of your business and what is important to it.  Take the time to identify the key data the application uses, the key transactions that must be recorded, and why you are logging to begin with.  

Don't Forget Monitoring

Logging doesn't do a whole lot of good if there is nothing monitoring it.  All too often we hear of breaches that happened more than a year ago and the Incident Response team shows the evidence from a log file.  If only someone had been looking, it would have been identified much more quickly.  Make sure that you have some method for reviewing the logs regularly.  There are lots of packages available to help with this process.  I know, manually looking at logs all day is not much fun at all.

The monitoring should be more then just looking for attack requests, but have the ability to identify when a brute force attack is happening so an alert can be sent to a technician.  As you spend more time logging and reviewing those logs you will be able to identify more events you want to monitor to help secure the site.

What To Do?

Develop a plan for any items that could appear in the log that are of concern.  Just like any response plan, you want to know what steps to take in the event of a security alert.  For example, brute force attempts may be met with blocking an IP address.  The identification of a compromised server with malware may mean taking that server offline immediately.  Know what procedures exist so proper reactions can be performed as soon as possible.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, July 22, 2014

Policy Gap Analysis: Filling the Gaps

 In today's world, something never seems to be true unless it is written down, and even then it is a guideline.  In the business world there are policies that define how employees should present themselves as well as how company equipment can be used.  The policies are important because they provide a written definition of the individual's responsibilities.  For example, a company may have a policy regarding the use of social media on company owned equipment.  Password complexity is another example of a policy that should be found at most businesses.

When starting a new job, often times the company policies are provided for your review and signature that you have received and understand them.  You are expected to be held to these standards, unfortunately you only see them maybe once a year so you have probably forgotten every little detail.  It is encouraged to be very familiar with the policies for your company.  Many of these may be similar across organizations, however some may be very specific to that company.

As a security consulting firm, Secure Ideas spends a fair amount of time looking at company policies, providing feedback and gap analysis.  It is recommended to get someone that specializes in the topic to review the policies to see if there are any items that just don't work, or that are possibly missing.  For example, if your password policy is still 8 characters with upper, lower, special character and number requirements, it might be a good idea to update that to a more secure standard.

Performing a gap analysis is important because it helps make you aware of the policies that you may need, but are missing.  I haven't been to a company yet that didn't have at least one policy in place.  Often times this starts off slowly and then, if no one is assigned to it, drops off.   Things change rapidly in technology and the policies have to evolve with it.  This change and evolution causes the organization to miss policies that are needed or not update existing ones to take into account the changing environment.

For example, the proliferation of mobile devices requires policies to help identify how those devices can be used at the enterprise, and with its data.  The release of Google Glass and other wearables also adds some new twists to the idea of mobile data or video camera capabilities.  Social media has become so mainstream that many employees need to get access from company computers.   How do they present themselves and how much time they spend on it is very important for the business.  Without a policy stating that you are limited in the time spent on social media, can we assume that we can just not work and play on the computer all day?  It is up for interpretation.

When creating the policies you want them to be clear in their meaning.  I know in the legal world, you want it vague so it covers more, but at the same time that makes it harder to show it is an actual violation.  You don't want to leave it up to the judges.  Make sure that you are thinking of all the things that need to be said to an employee regarding DONT'S with a company computer or on company property and write them down.   Educate the employees on what the policies mean and how they are enforced.

All too often we see companies that have policies that are just assumed and not written down.  This is a bad idea.  You want to have them formalized and distributed so employees understand their rules of engagement with the business.

If you are not sure about that status of your policies, Secure Ideas can perform a gap analysis of your existing policies to help provide recommendations on what could be added to make it more robust. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on Twitter, or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, July 09, 2014

New Data Security Breach Laws in Florida

Since many organizations are collecting what many would consider personal, non-public, information, it is very important that they protect this information since it is considered sensitive.   Almost every state has specific laws around what happens if that information is breached.  Florida just passed a new law that outlines what is considered sensitive information and the thresholds regarding when and what to report to the state.  The full bill can be found at http://laws.flrules.org/2014/189.

Personal Information according to the Florida law is described in summary below:
  • First name or first initial with last name in combination with at least one of:
    • Social Security Number
    • Driver License Number
    • Passport Number
    • Military Number
    • Financial Account Number (Including Credit or Debit Card)  in combination with security code, access code ore password to account
    • Any Medical History
    • Health Insurance Policy Number or Subscriber ID
  • Username  or E-mail Address in combination with:
    • Password
    • Security Question and Answer
Data that is not covered are items made publicly available by the government or data that is protected using encryption, is secured or modified to be unusable. (Interestingly, they don't define "is secured".)

In the event more than 500 instances of this data are breached, the organization is required to provide notice to the state within 30 days of identifying the breach.  There are also many details about what information needs to be provided in that notice within the text of the new law.  One interesting thing that you can be required to provide is a copy of your policies in place regarding breaches.  I don't know if going with "We don't have any" is going to be the right answer here.  If you don't have solid policies in place and ways to show you are performing them, this might be where you want to get started. 

The law replaces the previous one and is broad in its declaration.  It is imperative that businesses pay attention to the laws that exist for their area to ensure that they are meeting the requirements.  It is bad enough to suffer a breach and all the reputation and monetary damage that it brings.  You don't want to add on the fines or other issues that may be involved by not properly reporting the breach when it occurs. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, June 25, 2014

Too Small to Hack: Small Business and Security

If you are paying attention to the news, security is a big topic.  At least that's what CNN and the Wall Street Journal think.  And I would happen to agree. (I may be a bit biased!)  But even with things like Heartbleed and 0-day flaws in IE, we still commonly hear from small businesses that they just aren't focusing on security.

For many, the issue we find is that they don't believe they can afford security.  And in many cases, this has been true. Security testing can be expensive and with the fast-pace of changes in IT and security, companies need to be able to test their security on a regular basis.  This can be overwhelming.

So Secure Ideas has attempted to fix this with the availability of Secure Ideas' Scout!  Secure Ideas Scout is a multi-pronged service that focuses on testing an organization's security in the places that attackers focus - networks, web applications and users.

The first service available is PassiveScout.  PassiveScout is a free service that performs a non-intrusive assessment of the infrastructure running an organization's web application.  PassiveScout then returns a quick report of concerns around the application infrastructure.

The next service is NetworkScout.  NetworkScout focuses on the network services offered either externally to the Internet and/or internally.  Secure Ideas' analysts perform a network security assessment.  But instead of just providing a report that often overwhelms the recipient, Secure Ideas evaluates the findings based on an attacker's perspective.  This allows us to provide a report that explains the risks associated with issues and includes the issues that are important.

WebScout focuses on the web applications that an organization makes use of.  Since these are often the focus of attackers as they often have the most critical data.  WebScout focuses on testing the applications to find various security issues and logic flaws.  As with NetworkScout, Secure Ideas' analysts will evaluate the assessment results to provide a report that focuses on the important issues related to the application.

Finally, Secure Ideas has created UserScout to assess the organization's employees' awareness of security.  Using phishing emails or phone calls, Secure Ideas analysts will assess how responsive an organization's staff are to various social engineering attacks.  Then a report will be generated to allow the organization to focus their training efforts.

All of these services are designed to be affordable to small and medium size businesses.  Organizations can subscribe to one or more of these services and get a handle on their security concerns!

Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at kevin@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, June 10, 2014

What Do You Expect From A PenTest?

There are many reasons that a company has a penetration test performed.  Maybe it is due to regulatory compliance, like HIPAA, or they are just take security seriously.  No matter what the reason is, you want to get the most from a penetration test.  Any of you that have had a good penetration test done know that it is usually not cheap.  If you are going to make the investment, make sure you get as much from the engagement as possible.

So what should you expect from a penetration test?  Many people view a penetration test as an assessment that has a simple, direct goal in mind: How far into my network can you go?  While this is absolutely a necessary part of the assessment, it is only a minor part.  The point of determining how far an attacker can go is to help the target company (client) start to better understand the risk of the vulnerabilities they have. 

Do you just want to know how far someone can get?   What about the details of how they did it?  What about information about what you can do to fix or decrease the risk of it?   Did you think about analyzing how your defensive procedures work during the assessment? 

Secure Ideas does a lot of security consulting and penetration testing for clients.  The part of the job I enjoy the most is talking with the client about what is going on, how their systems are set up and giving them good information to help build up their security program.  Sure, it is great to get Domain Admin on a network, or pull millions of credit card numbers, but that isn't the best part.  Maybe it is the most exhilarating, I won't deny that.

Communication during the engagement is the key to success.  When done properly, the client will understand the weaknesses they have and have some ideas of what they can, or should, be doing to create a better security posture.  Don't expect to just get a report with details of how cool of an attack was just pulled off.  Expect that you will get useful information to help defend your information.  Expect that you will have a better understanding of the security controls that are implemented and how they can be adjusted to provide better protection or monitoring.  Expect that you will have learned something from the experience that makes you more aware of the security risks and how you can mitigate them.

Different tests have different goals and not everything fits into the same mold.  Understand your needs before you start an assessment and make sure that you are getting what you expect.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware or visit the Secure Ideas - Professionally Evil site for services provided.

Thursday, May 22, 2014

Ebay Falls Victim to Breach: Source Forge Updates Password Storage

 It was just recently announced that eBay suffered a breach that led to the compromise of user details including:
  • username
  • encrypted password
  • email address
  • physical address
  • date of birth
  • phone number
 Their announcement indicates that there was no other data (financial or otherwise) that was compromised.  Financial data is believed to be stored separately.  The good news is that they appear to have separation and it was only credentials retrieved.  The bad news is that it is another victim to the loss of credentials.

EBay mentions that the passwords were encrypted, but they do not indicate how they are encrypted.  We have seen a lot of different definitions for encryption and even between valid ones, some techniques are better than others.  Were they hashed, or encrypted?  If hashed, were they salted?  Were there iterations?   We don't get these types of details when a breach like this happens, but the answers to those questions can give an indication of how the passwords may stand up to attacks of brute forcing them.  We can only hope that they were using "Good" techniques for storing passwords.

It is recommended that you change your eBay password and the password for any other site you may use that same password on.  Even with the best password protection out there, once there is a compromise, let's just assume it is cracked.  This may be a good time to go through and update some of your other passwords too. 

Here is a great article on creating stronger passwords: http://www.itbusinessedge.com/slideshows/eight-ways-to-create-stronger-passwords-and-protect-your-accounts.html

In other news, Source Forge has announced that users will have to change their passwords upon next login.  They have stated that they have changed how they store passwords to increase the security of them.  It is great to see a company that is actively looking at their controls and updating them.  Of course, they don't provide any details on how they will be storing and protecting the passwords, so we can only assume that they are doing "Good" protection. 

There is a lot of buzz around password security, and there has been for a while.   I don't see that changing any time soon.  Help raise awareness to others about how to manage passwords securely. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware or visit the Secure Ideas - Professionally Evil site for services provided.