(ISC)2 Blog

URL: http://feeds.feedburner.com/isc2Blog

Updated: 2 hours 56 min ago

Dotted lines in shifting sands

Mon, 05/14/2012 - 22:02

An opinion piece regarding a possible US law change raises fascinating ethical questions about privacy rights. Whereas employers have some interest in what their employees are saying and doing in their personal/non-work time, employees also have reasonable expectations of privacy concerning their private lives:

OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act.

The bill would bar employers from demanding job applicants' Facebook passwords - which recently has become an issue: The ACLU's Maryland branch championed the case of a Baltimore man who says he was told that his prospective bosses needed to make sure he wasn't in a gang.

"We need a federal statute to protect all Americans across the country," Rep. Eliot Engel, D-N.Y., a co-sponsor, wrote on his Web page. "We must draw the line somewhere and define what is private."

Although the opinion piece concerns job applicants, the ethical issue is much wider, for example during employment, in sensitive/trusted positions especially (e.g. any industry segment that routinely conducts intrusive 'positive vetting' - now there's an oxymoron!). It also potentially extends to other insiders (e.g. consultants) and perhaps outsiders (e.g. the marketing department may have legitimate concerns about the brand damage caused by a customer's adverse comments on a semi-private blog), and in the reverse sense too (e.g. shouldn't employees have full access to all emails and personnel records concerning them, even though the employer may consider them private and sensitive?).

My take on this is that 'the line needs to be drawn' but exactly where the line goes depends on the context and the specific situation, making it very difficult to lay down universal rules on this. Notions such as equitability and fairness seem to appy, but good luck if you are trying to define them in formal policies. Making law in this area may be the most awkward and perhaps expensive way of dealing with the issues, but on the other hand there is an inherent imbalance in the power of the individual versus that of the organization, or for that matter the state (e.g. the issue of people being coerced into revealing their passwords and encryption codes 'for reasons of national security'). Legislation may be needed as a backstop against unethical or oppressive organizations.

This may be one of those situations where guidelines, principles and examples are a better way of clarifying the issues and intent than formal policies or laws, leaving the final decisions over the appropriateness or otherwise of potentially intrusive or privacy-threatening demands to those involved. Case studies, for instance, are a good way to get people to think and talk about the issues, making this a good topic for security awareness programs.

Caveat: I am neither a lawyer nor a privacy expert. I'm raising it here to set you thinking about the issues, not show you The Way.

Regards,
Gary

www.NoticeBored.com security awareness
www.ISO27001security.com ISO27k
www.SecurityMetametrics.com security metrics

Security Provisions In Software Development Contracts - Who Pays?

Mon, 05/14/2012 - 19:12

In the last few years, there has been a rise in the number of security vulnerabilities in software and applications which has ultimately led to huge losses in terms of money, trust and morale of the people using the software. Software development companies are always on the edge of their seats to get the software out of production and onto store shelves to stay on top of the game and the market. Vendors aim to have their software developed fast, cheap and qualitatively excellent. But, software which is fast and cheap and won’t have desired quality; software which is qualitatively excellent and needs to be cheap cannot be delivered fast and the one that is fast and of desired quality cannot be cheap.

Software development contracts aim to address all three traits - fast, cheap and quality at the same time. Here when we say quality, we intend to mean that the software has been well tested in terms of functionality, usability and security. Up until now there were very few companies that actually went for a security provision in their contract which implied the company developing the software to have the application or software security tested as well. Based on the provisions made, it was either the developers or the buyer of the software that would bear the ultimate responsibility of the software in case there was a security breach that was reported.

Different companies adopt different course of action in which they want to address the security provision in the software development contract. One may argue that it must the developers’ responsibility to make sure that they software they are putting out and submitting to the original buyer has been tested for security. But, developers have been asked to deliver a product that is complete, does what it is supposed to do and is as per the original design. Having complied to all these, developers would be least bothered of the fact that beyond the natural course of function and operation, the software is vulnerable to attacks which may lead to loss of data or privacy of its customers or both.

On the other hand buyers of the software, who have ordered for the software to be developed, would want to blame the vulnerability onto the developers and come out clean themselves. With design of the software being provided by them, they should be held responsible if the design itself didn’t contain the requisite security provisions that could be put in place by developers at a later stage.

Another facet of this whole discussion is that even though the contract does have the security provision and both parties have adhered to their part of responsibility in making the software secure, there are new methods of attacks that are coming up. With this, even though the software was security initially, new attack vectors may render the software insecure. In this case, what should be the approach? Will the vendor of the software take the blame or will it be the developers who are responsible? Common perception says that as the developers have done their part and delivered secure software, it is the vendor’s responsibility to make sure that the software is resistant to attacks even from new attack vectors. This can only be done by subjecting the software to regular testing which definitely falls under the purview of the vendor.

Something's got to give - fast, cheap, high quality, and secure. Have you seen security provisions in software contracts?

Join the discussion on Intersec

The Ethics of White Hat Hacking

Fri, 05/11/2012 - 15:48

From the early hacker culture that took its form and shape at the Massachusetts Institute of Technology (MIT) during the late 50s and early 60s to the present day groups of hackers, a lot has changed in the world of hacking in terms of ethics, motives, objectives, goals and incentives. Hacking, from what was considered to be a philosophy, a new way of life and a dream has now taken of a more derogatory form which feasts upon the exploitation of known and unknown vulnerabilities for illegal, unlawful financial, moral or political gains (http://en.wikipedia.org/wiki/Hackers:_Heroes_of_the_Computer_Revolution).

Lines have been drawn to differentiate the good from the bad from the ‘shady’ viz., White hat hackers, Black hat hackers and the Grey hat hackers that not only intends to define the nature of business of each but, also attempts to differentiate between the underlying ethics of these groups.

In their initial form, hackers were that breed of ‘intellectual’ people who believed in: free information, openness, the ability of computers for betterment of life, doing good for the community in general. Each of the so called sect of the hacking community was derived from the above mentioned principles and the manner in which they adopted these for either the good of the people or for their own benefits, molded their way into the current times thus making them either the Good, the Bad or the Ugly.

Building on these set of ideal or principles – whatever you may wish to call them – the white hat community came out to be the most ‘pious’ of them all, if I may, which took the initial principles of hacking and used them to bring about a positive change to the world of security. Through their ‘tinkering’ abilities, white hats ensured that they utilized their skills for the betterment of the software, hardware and the computing platform as a whole. Helping vendors fix flaws that were discovered by them rather than using those for unlawful gains is what made this community ethically noble.

White hats, by lawfully discovering a vulnerability and reporting it, not only benefit the vendor of the software, hardware, operating system, etc., they also help build a better and secure infrastructure for day to day users of those systems. Satisfaction of doing something good is one of the main ethics that drives the white hats.

Lately major internet corporations like Google (http://www.itproportal.com/2011/01/14/google-pays-out-14k-rewards-latest-chrome/), Facebook (http://www.itproportal.com/2012/01/05/facebooks-annual-hacker-cup-contest-kicks-off-end-january/) have started shelling out cash prizes for those who help them find vulnerabilities in their platforms. This proves that the ethics followed by the white hat community have been noticed and that co-ordinated disclosure, which ensures that openness of information is achieved, helps these companies stay on top of vulnerabilities which in turn will help the web user community better secure their platforms.

Collaboration is the key and information sharing is what the hackers believe in. White hats achieve these through working with their peers and with the industry to deliver the right information at the right time that proves to be beneficial for all. Coming soon -- how the white hats learn and develop their skills.

Hats off to the white hats!

Join us on Intersec to discuss the ethics of white hat hacking. What do you think? Follow this link.

FedRAMP 3PAO Program – Have we Heard of this Idea Before?

Sat, 04/21/2012 - 22:47

In a packed auditorium in 2006, I recall sitting in the “Red Auditorium” at NIST to participate in a workshop hosted by the Computer Security Division. The goal of the workshop was to discuss the implementation of Phase II of the FISMA Implementation Project. At the time, the Phase read like this:

“The second phase of the FISMA Implementation Project focuses on the development of a program for credentialing public and private sector organizations to provide security assessment services. Security assessment services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessments may be part of an information system certification and accreditation effort, in support of continuous monitoring of security controls, or for other types of information system security assessments.

Organizations that participate in the credentialing program need to demonstrate competence in the application of the NIST security standards and guidelines and the information security practices consistent with FISMA and OMB requirements. Developing a network of credentialed organizations with demonstrated competence in the provision of security assessment services will give federal agencies and other customers of security assessment services greater confidence in the acquisition and use of such services.”

Although the focus and characteristics of the program may be different, the idea has many similarities. Following the “NIST FISMA Phase II: Workshop of Credentialing Program for Security Assessment Providers”, NIST published, NISTIR 7328, “Security Assessment Provider Requirements and Customer Responsibilities, a document that was intended to supplement the workshop focused, in part, on establishing criteria for the Security Assessment Team capabilities. One of the most important criteria for measurement of a Security Assessment Provider was the composition of the Assessment Team in regards to the Knowledge, Skills, and Abilities (KSAs). The references referred to the Federal Information Systems Controls Audit Manual (FISCAM), the 1999 version which has been superseded in 2009. FISCAM defined KSAs as follows:

Knowledge is the foundation upon which skills and abilities are built. Knowledge is an organized body of information, facts, principles, or procedures which, if applied, makes adequate performance of a job possible.
A skill is the proficient manual, verbal, or mental manipulation of people, ideas, or things. A skill is demonstrable and implies a degree of proficiency.
An ability is the power to perform a job function while applying or using the essential knowledge. Abilities are evidenced through activities or behaviors required to do a job.

In the above list, the 3PAO program focused an effort on ensuring the Third Party Assessment Provider Organization (3PAO):

Maintained knowledge, understanding, and competency in the application of the FedRAMP program security assessment standards, guidelines, and requirements;
Maintained knowledge, understanding, and competency in the application and assessment of cloud-based information system-related technologies and practices.
Maintained knowledge and understanding in the use of supporting NIST publications/ programs
Maintained instructions, procedures, methods, worksheets, etc., relevant to the work of security assessment of cloud-based information systems that are consistent with the FedRAMP program requirements, and supporting NIST publications/programs.
Selected assessment team personnel that collectively have the relevant knowledge, skills, and abilities for conduct of the given security assessment.
Prepared a security assessment plan for each assessment consistent with the FedRAMP program requirements.
Reviewed the assessment plan with the cloud service provider to ensure that the security assessment plan is appropriate for the assessment; and that all necessary cloud provider information, documentation, data, artifacts, personnel, etc., for the security assessment is (or will be) available.
Conducted the security assessment, following the security assessment plan.
Prepared a security assessment report consistent with the FedRAMP program requirements.

Of the requirements detailed in the 3PAO Application (above), one in particular, the selection of the assessment team personnel, was left for the Cloud Service Provider and/or the 3PAO to ensure was addressed as part of their hiring practices for the Assessment Team. This requirement focused on ensuring the security assessors had the relevant knowledge, skills, and abilities for conducting the given security assessment of the cloud service.

Placing a focus on knowledge, as we recall from earlier in this article, is the “foundation upon which skills and abilities are built”. This specific attribute of an assessor requires more than pure security knowledge, but also a supplemental knowledge of cloud computing. Previously, I have written two articles on the Cloud Security Alliance, Certification of Cloud Knowledge (CCSK).

In March 2011, I sent an email to David McClure (Associate Administrator GSA's Office of Citizen Services and Innovative Technologies) noting a similar need for a program focused on the qualifications of third party assessors.

"In reading an article published in the Government Computer News today (http://gcn.com/Articles/2011/03/23/FedRAMP-myths-GSA-McClure.aspx?p=1), a series of 7 specific areas where noted as being focus areas for government improvement of FedRAMP. Specifically #2 ("More guidance on third-party assessors' independence"), something I believe should be expanded to address additionally is the qualifications of the independent assessors. Unlike the PCI Council (PCI DSS) Qualified Security Assessor (QSA) designation for approved companies and providers (https://www.pcisecuritystandards.org/approved_companies_providers/index.php) that can validate a companies adherence to PCI DSS, a qualification is needed for a Cloud Security Assessor that understands cloud-specific security risks (e.g., Cloud Security Alliance's Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/certifyme.html) and adherence to the FedRAMP requirements such the application of the NIST 800 series - the RMF and NIST SP 800-53 security controls (e.g., the (ISC)2 Certified Authorization Professional (https://www.isc2.org/cap/Default.aspx)).

I have specifically highlighted the necessity for criteria to be established for independent assessors on FedRAMP.net (http://www.fedramp.net/selecting-an-independent-third-party-assessor) to include some additional credential that would adequately address some measure of knowledge both about security in general and secuity specific aspects of cloud computing environments which would enable reports submitted to the government to be valuable in facilitating a "credible, risk-based decision" as necessary to properly authorize a cloud service to operate under the auspice of the FedRAMP program."

Here, the knowledge is not necessarily focused on mastering the CCSK exam, but rather understanding the material to ensure the knowledge created provides a foundation for supporting the skills and abilities many successful auditors/assessors/inspectors already have working within traditional IT environments. The CCSK provides the 3PAO with the knowledge to support federal agencies in the adoption of secure cloud solutions with confidence. The CSA has developed a partner training (see sources below) that is structured and delivered through a comprehensive training program geared to ensure instructors provide a consistent and high quality training atmosphere.

1ECG provides classes in the Washington D.C. area. Please visit http://www.cloudsecuritytraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

Counter eCrime Operations Summit, AMTSO, CARO meetings

Tue, 04/17/2012 - 10:11

Apologies for including content that I've already used elsewhere, but I know that these are events that will interest some readers of this blog.

Most urgently: the CeCOS cybercrime summit in Prague, 25-27 April.

This year's theme is Containing the Global Cybercrime Threat, and APWG aims to "gather global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort."

Key presentations will include:

    * Toward a Universal eCrime Taxonomy for Industry and Law Enforcement; by Iain Swaine, Ensequrity.
    * Budapest Convention on Cybercrime: Transborder Law Enforcement Access to Data; by Alexander Seger, Director of the Data Protection and Cybercrime Division of the Council of Europe.
    * Adventures in Cybercrime Event Data Sharing; by Pat Cain, AWPG Resident Research Fellow.

Additional presentations about industrial policy at CeCOS VI will investigate policies that complicate the work of exploited brand holders and responders including the domain name system (DNS) registration process that is abused by phishers as part of their phishing campaigns.

AGENDA
http://apwg.org/events/2012_cecos.html#agenda

CONFERENCE REGISTRATION:
http://secure.lenos.com/lenos/antiphishing/cecos2012/

CONTACTS
APWG: Foy Shiver, +1 404-434-7282. fshiver@apwg.org

I'm also going to put in a word for the CARO workshop in May, perhaps the most important malware-related event of the year for bona fide researchers, and the AMTSO workshop following hard on its heels at the same venue, and of equal importance to any researcher with an interest in security product testing.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Apologies for including content that I

Tue, 04/17/2012 - 10:11

Apologies for including content that I've already used elsewhere, but I know that these are events that will interest some readers of this blog.

Most urgently: the CeCOS cybercrime summit in Prague, 25-27 April.

Key presentations will include:

AGENDA
http://apwg.org/events/2012_cecos.html#agenda

CONFERENCE REGISTRATION:
http://secure.lenos.com/lenos/antiphishing/cecos2012/

CONTACTS
APWG: Foy Shiver, +1 404-434-7282. fshiver@apwg.org

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Security Breach in CA Networks -Comodo, DigiNotar, GlobalSign

Wed, 04/04/2012 - 14:58

by Ravi Mandalia Executive Summary

Since March, 2011 more and more Cyber attacks are surfacing across the globe with damaging consequences both for the companies that faced the attacks and for the customers whose details were stolen. One such attack was on Sony’s PlayStation Network that resulted into breach of personal details of nearly 70 Million customers.

Some of the other cyber attacks of 2011 are RSA, Lockheed Martin, Gmail accounts of U.S. politicians, CitiGroup, IMF, etc.

Considering that the above attacks are particularly high profile and are more or less detached from our day to day activities, finally joining the list of above high profile hacks are security breach of networks of Comodo CA, DigiNotar CA and GlobalSign CA.

Attacks that were carried out in almost all of the above cases relied on the most basic of attack vectors that comprised of a combination of Phishing attacks for compromising username/password along with SQL injection, XSS (Cross Site Scripting) and penetration of network by exploiting known vulnerabilities.

The CA hacks were more or less on the same lines when we talk of attack vectors, but after the successful hack, the hacker managed to create fake certificates for sites such as www.google.com, mail.yahoo.com, login.live.com, etc. giving hacker(s) the capability of sniffing into traffic of thousands of users through man-in-the-middle attacks. This breach led to bankruptcy of DigiNotar.

Investigations carried out in most of the hacks points to the fact the almost all companies: a) Failed to regularly maintain all their servers, applications, network equipments with latest updates; b) Failed to carry out regular code review of the web applications on their web servers; c) Failed in Due Care and Due Diligence activities.

Overview

Over the last six months, there have been instances of breach in security of networks of many Certifying Authorities. Comodo, DigiNotar, DigiSign & StartCom are some of those CAs. Hacker(s) have been reported of exploiting common vulnerabilities within poorly maintained servers & firewalls. The hacker(s) have also been reported to have used advanced attack methods to penetrate the HSM (Hardware Security Manager) with only one single open port. Through this document, I intend to highlight the fact about the need for regular maintenance of network equipments, servers as well as need for regular monitoring and awareness to the fact that even proprietary software/hardware such as HSM is not out of reach of determined hackers.

Finding out network information of Certifying Authorities is particularly easy because most of their actives are more or less online. Gaining access to Certifying Authorities networks may be considered harder because, they, in most cases will have fortified networks with latest in hardware as well as software security measures in place. Physical access to such networks is not needed because, again as advised earlier, most of the activities are online and the information systems would be more or less interconnected.

Comodo

Comodo is a well known company in the web security arena whereby it provides services and solutions that cater for creating online trust. SSL Certificates, Code Signing Certificates, Email security certificates, etc. are some of the products provided by Comodo.

On March 23rd, Comodo revealed that they have suffered a cyber attack which has resulted into a breach of their network. The disclosure came about 8 days after the actual hack (15th March, 2011) was carried out.

The hacker who has claimed responsibility of the attack is ComodoHacker, through his pastebin account.

Comodo Verdict on the Attack

According to Comodo, one of their RA in South Africa (InstantSSL.it) suffered an attack that resulted into the breach of the account of that particular RA on 15th March, 2011. The RA account was then used to fraudulently issue 9 certificates across 7 different domains. Some of these domains were mail.google.com, login.yahoo.com, www.google.com, login.live.com, addons.mozilla.org, login.skype.com.

Comodo claims that there was neither a breach in security of their main CA infrastructure nor their HSM or private keys. Other RAs haven’t been compromised either.

Hackers Standpoint

ComodoHacker claims that he managed to gain complete access to the RA network and reverse engineered the DLL (TrustDll.dll) that took care of signing of certification requests. As it seems, the DLL file was coded into C# and the code has been uploaded onto the hackers PasteBin account.

Username and passwords were hardcoded into the DLL file which led the hacker straight to the APIs used for signing of certificates. The hacker generated his own CSR (Certificate Signing Requests) and signed them through the use of the signing APIs he already had access to and managed to fabricate fake certificates for the above mentioned CAs.

Further, the hacker claims that after gaining access to the network of GlobalTrust and has uploaded one database table onto his pastebin account. The hacker also claims that he had access to the RDP of GlobalTrust server for two full days with complete administrator access. He also mentions that he was able to wipe two complete backups of the CA data from LG based backup systems.

Attack Surface

Combining information from both Comodo CA and the hacker, it comes to light that:

Partner network was hacked into.
RDP access was open for EVERYONE which definitely is not a good practice.
Username/Passwords were hard coded into DLL files.
Language which can be easily decompiled i.e. C# was used to create something as important as DLL files.

No forensic investigation report has been released from Comodo as of now.

Damage

Having access to fake certificates can enable anyone to carry out successful man-in-the-middle attacks and passwords and other important data can be sniffed effectively nullifying all the protection provided by SSL Certificates.

What can we learn?

The things that we may learn out of this attack are:

Partners should be made aware about the need for security in their own networks.
Code review of our important sites.
Remote Desktop Connections should be either disabled of limited to a few specific IPs only.

Where does Comodo Stand?

Comodo is still operational as it claims that its main CA network wasn’t breached.

DigiNotar

DigiNotar, a subsidiary of Vasco, based in Netherlands hosts multiple Certifying Authorities ranging from CA for SSL certificates to Government accredited certificates, etc.

It came to light on August 29th, 2011 that there was a certificate lurking in the open web space for *.google.com, which indicated that effectively all the sub-domains of Google, to the likes of mail.google.com, docs.google.com, code.google.com, a total of 26 were affected by this fake certificate.

The attacker, who goes by the pseudonym comodohacker, took the responsibility of the attack and claimed that he had access to a total of 500+ fake certificates. He had managed to extract certificates for google.com, Mozilla.com, Microsoft updates, etc.

Attack Surface

According to the hacker, there was a series of sophisticated hacks that he used to get into the network of DigiNotar atleast 4-5 layers deep wherein the equipments didn’t have any direct connection to the internet whatsoever.

According to the investigation company, Fox-IT which investigated the hack attack on DigiNotar, there were many network loopholes present, namely:

No anti-virus software on many servers.
Anti-virus definitions were not up-to-date.
All CA servers were part of a single domain which effectively meant that a single domain administrator account compromise opened the door to all servers.
Famous tools such as Cain-n-Able were used to carry out attack along with some specialized scripts.
Servers were not patched appropriately and many were missing updates completely.
Intrusion Prevention System was in place but was not able to block the attacks.
Password used for administrator account was not strong enough and could have been guessed through brute-force attack.
No central logging mechanism and no proper review mechanism in place.

Startling facts are disclosed here and they point to the fact that despite being a company linked with a high profile parent, the logical security was at a complete lapse.

Damage

Effectively, having access to these certificates and diverting users’ traffic to hosts that would be hosting sites with these fake certificates, successful man-in-the-middle attacks can be carried out. Only having fake certificates doesn’t have that great an impact, but the mere lapse in security cannot be sidelined and a note should be taken that hacking attempts of this sort are lurking in the wild and effective countermeasures should be in place to nullify such attacks.

What can we learn?

The things that we may learn out of this attack are:

Need for regular review of traffic hitting the perimeter of the network through firewall log analysis.
Need for regular review of Windows system logs through event viewer.
Need for application of windows patches without any delay whatsoever.
Regular maintenance (updates, logging, auditing) of security equipments for atleast the perimeter network.
Complete segregation of network at least virtually if not possible physically.

Where does DigiNotar Stand?

DigiNotar has filed for bankruptcy as on September 20th, 2011.

GlobalSign

ComodoHacker, the hacker behind Comodo and DigiNotar hacks, claims through his PasteBin account that he has access to GlobalSign network as well and he soon shall start creating fake SSL certificates but, hasn’t declared anything further in this regards.

GlobalSign, after a brief investigation, reported that no major hack has been discovered beyond the fact that one of their Webserver had been hacked and they have taken necessary precautionary measures to prevent reoccurrence of such attacks.

The webserver, according to GlobalSign, was a standalone server without any capabilities linked with issuing of certificates.

ComodoHacker hasn’t released any further information as yet.

What can we learn?

The things that we may learn out of this standalone webserver hack:

Code review of applications residing onto the webserver.
Security of the webserver itself needs to be reviewed and server needs to be hardened.
Regular maintenance (updates, logging, auditing) of security equipments for atleast the perimeter network.
Complete segregation of network at least virtually if not possible physically to limit the attack surface.

References

Comodo Hacker PasteBin Account - http://pastebin.com/u/ComodoHacker

Trend Micro Blog - http://blog.trendmicro.com/diginotar-iranians-the-real-target/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed:+Anti-MalwareBlog+%28Trend+Micro+Malware+Blog

The Register - http://www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/ and http://www.theregister.co.uk/2011/09/20/diginotar_bankrupt/

Networking4All - http://www.networking4all.com/en/ssl+certificates/ssl+news/time-line+for+the+diginotar+hack/

DigiNotar Investigation Public Report - http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf

GNS Magazine - http://www.gsnmagazine.com/node/22773?c=cyber_security

Comodo - http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Business Insider - http://www.businessinsider.com/imf-cyber-attacked-hackers-sony-rsa-lockheed-martin-epsilon-michaels-2011-6#email-marketing-firm-epsilon-was-hacked-to-obtain-emails-for-spear-phishing-campaigns-1

EU organizations below par on infosec

Tue, 04/03/2012 - 01:29

A study into the information security practices of 600 mid-sized European businesses by PwC and Iron Mountain paints a disappointing picture of their state of maturity. Their overall score comes out at 40.6 on a scale ranging from 0 (dreadful) to 100 (excellent). 40.6 is somewhat below the pass-mark of 50.

In my experience performing IT audits against ISO/IEC 27002, average scores have been up around 60 to 70%, although these are for large organizations in industries that take information security seriously (financial services, defence, aerospace, pharmaceuticals and hi tech/engineering). For starters, they employed me to do their IT audits!

The Pwc/Iron Mountain study appears to have been based on a ticklist approach: the report appendix lists 34 topics under the question-stem "Which of the following does your organization have in place?", implying that respondents simply ticked off the ones that apply - things such as a corporate risk register and an employee exit process. It's a simple method that partially compensates for the lack of detail by surveying many organizations at once, although as a metric it is crucially dependent on the wording of the specific questions.

There are no surprises in the study's three recommendations: (1) make information security a boardroom issue; (2) change the workplace culture through security awareness; and (3) put security policies and procedures in place. Many of us have been promoting these for years. Unfortunately, the study didn't address the issue of why these are not already near-universal practices. Why isn't information security on every board's agenda already? Why is security awareness still seen by many organizations as a once-a-year thing, if ever? Why do so many managers evidently not appreciate the need for clarity around security policies and processes?

I'm reminded at this point of the N-whys method, pioneered for Kaizen and the Toyota Production System. The method is brilliantly simple: ask why something occurs, then explore the response with another why, and carry on asking why to get to the root cause - or rather causes since, if done well, the method reveals an extensive root system of causative factors rather than a single root cause.

For example here's one possible line of reasoning using N-whys:

Why isn't information security on every board's agenda already? Because there are too many other pressing demands on the board's valuable time.
Why are there too many other pressing demands on the board's valuable time? Because information security is just one of many strategic/governance/compliance/risk management issues.
Why is information security just one of many strategic/governance/compliance/risk management issues? Because it is diffuse and ill-defined.
Why is information security diffuse and ill-defined? Because many people are confused between IT security and information security.
Why are many people confused between IT security and information security? Because general news coverage and business reporting does not draw a distinction.
Why doesn't general news coverage and business reporting does draw a distinction between IT security and information security? Because hacking, privacy and malware incidents make effective headlines, whereas information security is mostly unglamorous and humdrum.
Why is information security mostly unglamorous and humdrum? Because the information security profession does a poor job at explaining and justifying its existence.
Why does the information security profession do a poor job ... OK, enough already, you get the idea.

I'm certain you would have followed a different path from the initial why, and in fact I would probably take a different route every time through the same analysis, quite deliberately because I get bored so easily! As a brainstorming technique, however, I suspect a diverse group of people would soon converge on a common set of causative factors, along with some uniques that might prove interesting in themselves. PwC/Iron Mountain evidently homed-in on three key factors, and that's fair enough, but I encourage you to take a look at the survey's findings, draw your own conclusions, and see what you would recommend. Seriously, it's not hard to come up with many more than three, and it's an interesting exercise in its own right.

For bonus marks, run this as a workshop with a collection of business managers and GRC specialists, and in so doing make a great start on recommendation 2!

Gary Hinson

Practice Safe Computing

Mon, 04/02/2012 - 19:42

by F. Gary Alu

What is the first thing we should check when we turn on our computer? That’s a question I always pose to the kids when I present the (ISC)2 Safe and Secure Online Program. If your answer is Facebook or Email, you have a problem. Of course having a look at your anti-virus application is the place to start. Is it running? Are the databases current? (by current I mean no older than 24 hours). Even the best anti-virus (AV) solution will do one little good if it is not running because the subscription has expired or if the databases are days or even weeks old.

There is really no good excuse for not having a good anti-virus and anti-malware application installed and running on your computer.   Nearly every major vendor has a free version, not to be confused with a “trial version”. The trial version permits full-unlicensed use for a brief period, typically 30 days, at the end of which the user is required to purchase the licensed version. I point this out because I can’t tell you how many times I have come across users who did not really understand that the trail version actually quits working. There are several free solutions available today, Microsoft Security Essentials for the Windows platform comes to mind. In my neck of the woods, Cox provides free McAfee to its subscribers.

Hold up! Still not time to dive into our e-mail. After we have verified our AV system is working we need to check for updates to our operating system and installed applications. The immediate application of security updates is very important! Always make certain you have a good backup before you apply any patch or install any new software. Understand that security updates for our applications are just as important as the security updates for our operating systems. This includes not only our productivity suites, e.g. word processing, spreadsheets, etc., but other applications we tend to take for granted, such as Adobe Flash and Adobe Reader (PDF files). These should all be set to automatically download updates when they are available and prompt us to install.

Good to go? Well almost. We are now confident that our desktop and applications are safe and happy we must deal with what’s behind door number one, the Internet. A click of the mouse and we have the whole world at our fingertips. We need to wonder, does the whole world now have us at their fingertips as well?

Let’s start with our connection to the Internet. I must say that the cable providers have really come a long way from the days where we paid for service and they dropped in a digital subscriber line (DSL) or cable modem and told us to “plug your computer here”. They learned hard lessons from exploits like the Melissa macro virus of the 90’s or the Slammer Worm in 2003. Critters like these cause significant disruption for users and the Internet service providers (ISP). The sales people are now much more knowledgeable and aware. They ask the right questions, such as “do you have a DSL/Cable Router”? If you do not have one they offer to sell you one or they recommend one and where to buy one. The router connects directly to the cable modem and not our computer. We connect to the router, either via WiFi or Ethernet cable. This router is also our “Firewall” and it hides our private systems and keeps the “Internet fingertips” out of our stuff.

Nearly there! I would be remiss if I did not mention online shopping. I am writing this article two weeks before Christmas and eCommerce is in full swing. It is easy, convenient, and definitely saves us money. There are, however, some serious pitfalls and we need to understand and be aware so we do not fall victim to social engineering exploits like phishing, virus hoaxes and other confidence games that are always present on the Internet.    We are going to shop, that’s a given, so how do we protect our identity and our money? My best advice for a first step is work with your bank. When an identity is stolen or a debit or credit card is compromised the banks suffer losses and they don’t like it either.

I never use a debit card, as a debit card, to make a purchase anywhere, online or in person. Always run it as a credit card! My bank recommended we setup a separate account to be used only for online purchases. I move money into this account when I need it, i.e. replenish my Starbucks card; make a purchase from Amazon, etc. If my account is compromised am an only at risk of losing the small amount in that account and not my entire checking account. There are of course requirements and agreements between my bank and myself and these will differ from bank to bank.   This does limit the liability for both of us so it is a win-win all around.

If you would like to view more information about securing Facebook or protecting your computer system, please visit http://cyberexchange.isc2.org/safe-secure.aspx

Selecting a 3PAO with assessors that have the Certificate of Cloud Security Knowledge (CCSK)

Sun, 04/01/2012 - 12:30

The CCSK is NOT meant to be a substitute for other certifications in information security, audit and governance. The CCSK augments other credentialing programs like the CISSP, CAP, CSSLP, etc. However, the CCSK does provide a valuable selector for organizations such as federal agencies, cloud service providers (CSPs), and even cloud customers seeking to evaluate the qualifications of potential assessors such as those included in the U.S. Government’s Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) program when conducting their own due diligence.

Per FedRAMP Program Management Office (PMO) - FedRAMP.gov FAQ:

What is a 3PAO? A 3PAO is an organization that performs initial and periodic assessment of security and privacy controls deployed in cloud information systems.
When is a 3PAO required? CSPs that go through FedRAMP must use a 3PAO to provide an independent verification and validation of the security implementations required by FedRAMP. FedRAMP provisional authorizations must include an assessment by a FedRAMP accredited 3PAO to ensure a consistent assessment process.

The CCSK is not a guarantee but does offer one source to ensure that the assessor has the essential knowledge of cloud computing and security/risk management “best practices” as be applied within a cloud environment (across all of the different deployment and service models, and derivatives).

The FedRAMP PMO 3PAO limits the application of measurement to a response of six (6) key areas as applied to a SaaS environment within a private, public, hybrid, or community deployment model categorized as Moderate-Impact to determine the technical competence and capability of the 3PAO. The six areas include:

methodology
documentation of 9 controls: (i) account management, (ii) remote access, (iii) auditable events, (iv) configuration settings, (v) information system backup, (vi) incident handling, (vii) vulnerability scanning, (viii) transmission confidentiality, and (viiii) flaw remediation in a sample security plan
development of a security assessment plan (SAP)
documented evidence of a simulated execution of the assessment procedures in the SAP,
a report documenting the output of the execution of the SAP
critical success factors

Although a broad coverage of the application of the NIST standards and guidance, it does not specifically highlight the qualification of the individuals that will be hired by the 3PAO to conduct the assessment on the CSP. This is where the CCSK provides a useful tool for a CSP when selecting a 3PAO for their assessment RFP. By establishing minimum personnel requirements such as the CCSK with other credentials like the CISSP, CAP, CSSLP, etc., the CSP could have some level of assurance that the assessor conducting the assessment has evidence of cloud security knowledge.

As I wrote in my section of FedRAMP.net on selecting an independent third party assessor,

“The criteria of an independent assessor(s) or assessment team within the Cloud should include a mix of skills and proficiencies…”

“…a key criteria that should be included as part of the selection criterion when identifying qualified and “capable” independent assessors or members of an assessment team is certifications that establish a baseline of cloud security knowledge.”[1]

However, the CCSK is not only valuable to CSP, but also the 3PAO. As an important hiring criterion for 3PAOs seeking to find qualified candidates, the CCSK can be used as part of the candidate evaluation/selection criteria in jobs announcements. It is important to note that not all candidates will score the same or achieve the same level of cloud security knowledge when taking the CCSK, but at minimum, the CCSK does establish that a candidate has at least a core understanding of a broad range of topics covering the security of cloud computing environments.

As quoted by Stuart Lisk, Senior Manager, Product Management and Marketing at Hubspan in 2010 when the exam was still in the early stages:

“You might think this is just one more pay-for-play certificate to add to your wall. However, when you further examine what it takes to pass this certification, you quickly realize the CSA has ensured this is no cakewalk.”[2]

Sources:
[1] http://www.fedramp.net/selecting-an-independent-third-party-assessor
[2] http://www.hubspan.com/cloud-security/cloud-security-test-makes-hubspan-techies-certifiable/

To learn more about the CCSK, please visit: Cloud Security Alliance. To schedule a class nearest you: https://cloudsecurityalliance.org/education/training/class-schedule.

1ECG will be holding classes in the Washington D.C. area starting April 1, 2012. Please visit http://www.ccsktraining.com/training-schedule to find a class to meet your schedule.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

IT's stranglehold loosens another notch

Fri, 03/30/2012 - 05:47

The popularity of portable computing, BYOD and cloud computing services is forcing some IT departments onto the back foot, as business people are gradually regaining control of their own destinies.

Perhaps I'm showing my age here but the current power-play reminds me of the upsurge of "Personal Computing" two decades back and "End User Computing" well over a decade ago, not to mention "Networking" and even "Internetworking" before them both. The very terms seem anachronistic these days and for current generations of IT professionals the issues must be puzzling, but I distinctly recall the consternation these IT revolutions caused the well-established IT management hierarchies of the day.

What actually happened, in fact, was that most IT departments evolved to deal with and then embrace the new challenges and opportunities that arose. The worst of the old-fashioned green-screen dinosaurs in IT management were gradually sidelined and then put out to pasture. One or two senior IT people were no doubt reminded that IT is a support function for the business which pays their wages and funds their budgets. I dare say 'the tail wagging the dog' was mentioned once or twice, in heated terms.

So, coming back to portable computing, BYOD and clouds, I firmly predict that we will once again see a spectrum of responses between and within various IT departments: on one end stands those who feel (or rather claim) these are dangerous, inherently risky technological developments, and at the other end are those who excitedly promote the business benefits and opportunities, barely even acknowledging the associated risks.

Both extremes have their issues, in fact: resisting the inevitable move towards greater flexibility and more cost-effective IT could hardly be called supporting the business. At the same time, wholeheartedly adopting new technologies without a care for the novel risks they create could be deemed reckless. The go-gettem trailblazers may reap the benefits of early adoption, but those who watch carefully and follow when the time is just right stand to reap even greater benefits with less in the way of avoidable costs.

In other words, this is yet another strategic issue, a facet of corporate governance.

Look out for the political games and maneuvers in your organization this time around, and take note for this will surely not be the last time that technological innovation threatens the status quo. Perhaps next time, you will be in a position to influence it as it happens, maybe even drive things in a way that best suits the organization.

Remember, "Resistance is useless".

Regards,

Gary Hinson

NoticeBored security awareness

(ISC)²®Foundation Honors Founder and Legend Harold F. “Hal” Tipton with Memorial Scholarship

Thu, 03/29/2012 - 15:50

By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²

I suppose it’s only natural to think about carrying on tradition and looking to the next generation after the initial reflection period has subsided when someone passes away. What innovations and new ideas will the next generation bring forth? Who will step up and follow in a great leader’s footsteps? What can I do to help?

With the recent passing of one of (ISC)2’s Founders and industry luminary Hal Tipton, many in the (ISC)² family felt the desire to carry on his legacy in a way that would honor his lifelong role as a mentor to so many and provide a pathway for the next generation. This desire culminated in the formation of the new (ISC)2 Foundation’s Harold F. Tipton Memorial Scholarship Fund. Hal’s passion and dedication to the very best practice of information security forged a pathway of excellence for the information security profession, and this new Memorial Scholarship Fund is (ISC)2’s contribution to encourage the next generation of aspiring young professionals to begin and embrace a successful journey to a career in this highly rewarding field.

I had the honor of making the first contribution to the Harold F. Tipton Memorial Scholarship Fund because I want to see Hal’s legacy live on through bright young scholars. I gained a sense of satisfaction in knowing that I have contributed to a resource that will hopefully spark a lifelong pursuit of this noble profession. I was also compelled to honor Hal for the notoriety I often received from those mistaking me for him because of our surnames – I’ve been asked to sign books, take photos, and have received glowing compliments at numerous events around the world by being mistaken for Hal.

In all seriousness, part of (ISC)2’s core mission is to fill the pipeline of the next generation of information security professionals, and my donation, as a certified member of (ISC)2, exemplifies my commitment to this vocation. I challenge you to ask yourself what you can do to help the next generation succeed in this industry. I appeal to you as a member of the information security community to continue Hal’s legacy and to help generate the next generation of security professionals by donating to the (ISC)2 Foundation’s Harold F. Tipton Memorial Scholarship Fund today. Hal’s imprint on the information security industry is certainly a colorful, lasting one, and I’ve seen first-hand the unparalleled level of respect and admiration everyone had for him. I sincerely believe that this scholarship is a small tribute to a larger than life figure.

Hord (not Hal) Tipton

And yes – your donation to the (ISC)² Foundation, a 501 (c) 3 charitable trust, is tax deductible in the U.S. and certain other countries. Please contact Julie Peeler, (ISC)² Foundation Director, at jpeeler@isc2.org for more information.

So what is the Certificate of Cloud Security Knowledge (CCSK) anyway?

Sun, 03/25/2012 - 17:37

In July 28, 2010, the Cloud Security Alliance (CSA), with support from many within the industry, launched “the industry’s first user certification program for secure cloud computing.” Since the initial set of early adopters, which include over 80 professionals across the world with different backgrounds and specialties, the CCSK has continued to show broad acceptance and adoption.

I have tried below to capture some of the most commons questions that come to mind:

How much does the CCSK exam cost? $295 (includes two test tokens)
How much does the training cost? As low as $695 (CCSK Basic) and $1195 (CCSK Plus). In both training options, a CCSK exam token is included.
Is the study material free? Yes – see the CCSK Prep Guide (see http://cloudsecurityalliance.org/CCSK-prep.pdf)
So why take CCSK training? Because the CCSK is Not So Simple (in 2011, the pass rate was reported to be around 53 percent – and that is with two attempts).
Who offers CCSK training? CSA has a trained cadre of certified trainers that offer training globally.
How does the CSA certify trainers? The CSA has an extensive training partner program that begins with either first taking the CCSK or attending a 3-day course of CCSK Plus + Train-the-Trainer. But there is more, the trainer must all pass a very extensive one-on-one instructor exam that tests not only the application of the material in the training and the CCSK, but also the ability to apply this material in a practical setting. In either case, all trainers must have successful passed the CCSK exam.
So why are there two options (CCSK-Basic and CCSK-Plus) for the CCSK training? The CCSK Basic is really meant to provide the fundamentals of the CSA Security Guide and the ENISA Cloud Computing Risk Assessment. The Plus includes an additional day that is focused on applying the knowledge in real cloud environments: public and private.
How reputable is the CCSK? The CCSK Board is backed by a diverse group of cloud security experts from around the world.
Should employers be looking for the CCSK? Yes, the CCSK is a valuable measurement of a candidates’ knowledge and competency in cloud security best practices. However, the CCSK is NOT a substitute for other certifications in information security, audit and governance. The CCSK augments other credentialing programs like the CISSP, CAP, CSSLP, etc.
What is the CCSK examination like? It is a web-based, timed, multiple choice examination consisting of 50 questions in a 60 minute time period. The candidate must answer 80 percent correctly to pass.
Is it open book? Like any examination taken at home and over the web (yes). But the depth of the questions included in the CCSK exam are really meant to be based on a practical demonstration of knowledge in cloud security issues and best practices. As stated by Jim Reavis, Executive Director and Co-founder of the Cloud Security Alliance, “we wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected.”
Who is the CCSK for? The CCSK is for a broad array of professionals. Since the CCSK covers a wide range of topics such as architecture, governance, legal, compliance and audit, and information management and data security, narrowing the landscape would underscore the holistic viewpoint of the CCSK and security related issues in the adoption of cloud services. In general, the CCSK would be beneficial for the Consumer, Provider, and Auditor.

Sources for learning more about the CCSK, CCSK Training, and the CCSK Exam:

•    Official CCSK Prep Guide
•    Cloud Security Alliance Approved Training Partners
•    CCSK FAQ
•    Overview of the CSA’s Certificate of Cloud Security Knowledge (CCSK) Exam
•    Top 5 Certification for 2012
•    Data Security Report: Taking control of the Cloud
•    TechAmerica and the Cloud Security Alliance Join Forces to Expand Cloud Offerings to Members
•    Cloud Security Knowledge 101
•    What about cloud security certifications for cloud providers?
•    Selecting an Independent Third Party Assessor (3PAO)
•    CCSKTraining.com

Memories of Hal Tipton

Tue, 03/20/2012 - 13:57

I'd like to take this opportunity to pass along some memories of our good friend Hal Tipton.

From John O'Leary, CISSP

Hal Tipton was not only one of the founding fathers of (ISC)2, he was a unique individual - one of a kind. Once he latched onto an idea or a task, he stayed with it through thick and thin, never letting go or letting up, and continually improving whatever he was dealing with. Hal was an early and consistent supporter of the professionalization of our strange career choice, and his unstinting belief in and support for Information Security as a profession has helped not just (ISC)2, but large numbers of people who might not even know of Hal.

Yet for all the accomplishments and all the dedication, one of the things that was most noticeable and always stood out about Hal was his comportment as a true gentleman. He personified the dignity that so many in our field strive for.

Thanks, Hal, for all you did and all you were.

From Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP

I met Hal when he was Chairman of the Board of Directors for (ISC)2 and I was new to Information Security. At this meeting, Hal agreed to autograph my rather well worn copy of the Handbook of Information Security for me. I don't think he understood what a difference that made to me.

Hal had the patience to sit and talk to me about my career in Security. During our conversation, Hal provided an insight into a world that I would eventually join.

Over the years, I was given the opportunity to work with Hal on various committees with (ISC)2 and that brought a smile to my face as Hal always could see the bright side of things. Hal was a joy to be with and a joy to work with. He always amazed me with his knowledge of the security industry. Besides his security knowledge, Hal remembered your family and always asked about them when he would see you, something a lot of us forget to do.

A few years ago, I had the Honor of Awarding the Harold F. Tipton award to someone and I could only think of all the work that Hal had done to improve our industry and again I smiled for the man that had become a friend and a mentor.

Hal worked so tiredlessly for the Information Security profession and (ISC)2, making both of them what they are today.

My heart is heavy and my thoughts are with Hal's family in this time of sorrow. But I will pull out my autographed copy of the Handbook and smile as I remember his words of wisdom.

Anonymous attacks against the DNS Root Servers. What's true and what's not?

Tue, 03/20/2012 - 03:08

It's widely known by now, that the Internet group called "Anonymous" is targeting an amplification attack against the DNS Root Servers. Much has been said about it and different people have different opinions.

Here's mine.

To get to my point of view, I would like to present some background information.

DNS Architecture

The DNS name structure is shaped somewhat like a pyramid; The DNS architecture is based on a top down implementation,where the following can be considered members

This concept of a hierarchical authority is easier to understand if we examine a sample DNS name space and discuss the issues involved in assigning names within it. Naturally, we will want to start at the top of the name hierarchy, with the root domain. To start off the name space we must create top-level domains (TLDs) within the root. Now, each of these must be unique, so one authority must manage the creation of all TLDs. This in turn means that the authority that controls the root domain controls the entire name space.

On this way, the DNS structure is based on:

Root: This is the conceptual top of the DNS name structure. The root domain in DNS contains the entire structure or references to the Top Level Domain (TLD) referred by a query.
TLD Root: This is the root server for any specific TLD (.com, .br, .fr, etc)

Domain Authoritative: A server responsible to map any ip address into a known "human format" names for any specific object in a domain. It consists of a domain and all the domains and objects within it. All authoritatives must connect together to the root (at some level).

The figure below, explains it:

Knowing it, it's easier to figure out why Anonymous is targeting the top level Root DNS Servers. By succeeding on taking down the top of DNS pyramid, they can prevent any DNS queries that needs to be forward to the DNS Root infrastructure to be timed-out and them the Internet will be unavailable.

But how they're planning to do it?

DNS Amplification Attacks

As we know, the DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone, and ending up at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies. They all accept messages (including requests and queries) from clients, which are then forwarded to other servers as necessary.
Ideally, a recursive name server should only accept queries from a local, or authorized clients, but unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data.Recursive name servers can be induced to participate in DDoS attacks in a number of ways.
A network of computers distributed on the Internet in a construct such as a Botnet, can send spoofed address queries to an Resolver (or resolvers) causing it to send responses to the spoofed-address target. Thereby, the resolver unwittingly participates in an attack on spoofed addresses. For example,high volumes DNS SERVFAIL (RCode 2) responses to a spoofed IP address can equal the damages of a large volume spoofed queries without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5.This amplification effect has been used in DNS based attacks for some time.

A visual explanation of an DNS Amplification attacks is in the picture below:

So, we can assume it's easy to shut down the DNS System?

Of.Course.Not.

DNS Resilience

The DNS Root Sever Infrastructure is deployed globally and is divided into 13 zones (A-M) each zone has a unique IPV4 and possibly also a IPV6 (not all zones). The total number of servers of all zones is around 256 servers.

Each zone is independent from the others, so we can assume that each one implements it's own defense mechanisms, but we can assume that probably they all have:

DDOS Detector and Mitigator;
Firewalls (traditional)
DNS Application Firewalls (layer 7 firewall)
Intrusion Prevention Systems (IPS)
Load Balancers
DNS Servers

(I'm assuming this configuration because this is a common DNS Farm topology deployed at Tier1 Telcos).

Also, for high availability, all root servers sites makes use of anycast as their routing mechanism.

Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers all identified by the same destination address.

Anycast is usually implemented by using BGP to simultaneously announce the same destination IP address range from many different places on the Internet. This results in packets addressed to destination addresses in this range being routed to the "nearest" point on the net announcing the given destination IP address. For this reason, anycast is generally used as a way to provide high availability and load balancing for stateless services such as access to replicated data; for example, DNS service is a distributed service over multiple geographically dispersed servers.

So, multiple sites running multiple servers under the same zone share a unique IP Address using a smart routing protocol that provides resilience and high-availability, correct?

Correct.

So, how Anonymous claims that they'll be able to shutdown the root servers?

Let's take a look at some architectural gaps and possible attack vectors.

Attack Scenarios and effects

Anycast is a stateless methodology to route packets around the Internet, of course it allows a fast way to route packets but also it doesn't track failures. As stated earlier, anycast offers the nearest path for datagrams to reach an IP address geographically dispersed. On the DNS case, all servers in the same zone.

We can now, dig into some scenarios:

Let's imagine that a given DNS site in a given DNS zone is successfully shutdown by Anonymous (only the DNS Service) but the network path is still available. In this case, the route will not be removed from the BGP routing advertisement database and users under certain locations will not be able to reach that specifically root server IP address even if other sites in the some zone are online.

This is a much better situation than shutting down a whole DNS zone (that could prevent entire world regions from reach their designated root servers) but is still a problem.

We can also imagine that not all the root servers are online at all times. This could reduce the response capabilities of the DNS root servers and make the infrastructure more susceptible to DDOS attacks.

And, DNS is all about latency, so a root server site operating at critical performance levels could drop queries and create a "domino effect" where people will start having a lot of "timeout" messages when trying to use Internet Services.

It is it? If one fails, some people will be completely out of the Internet?

More or less.

Reducing Attack Effects

There's a lot of possibilities that can reduce or even mitigate the chanche of people being unable to access the Internet, even in a very unlikely scenario of a DNS root server zone shutdown.

Time To Live - DNS domains (like youtube.com, google.com and all others) have ttl (time-to-live) parameters that dictates how much time a zone record can kept in a dns server cache, so it can reply directly it's users before going out to the Internet to get answers every time. This feature, of course can help people to continue accessing the Internet for a period (depending on each domain configuration) before the ttl expires, in a situation where the root server isn't available (and this gives some time for the admins to solve a shutdown situation.
DNS Cache - DNS Cache maintains large online (in-memory) database of dns information, this is used to avoid the DNS Resolver to going to the internet every time to get the same information over and over. Some DNS Caches allow the administrators to setup their own TTL's for existing stored domains continuously answering queries without touching a root server. Again, this is helpful in a root server failure situation.
A lot of backbone - The root servers are deployed on strategic places and have a lot of available bandwidth to use. Hard to shut them down just by bandwidth saturation.
Anycast - It provides resilience for the DNS root server zones.

And there's nothing we can do about the attack?

Sure, there's some techniques that can be deployed to prevent this to happen.

Mitigation Strategies

For Root servers administrators (They already know it):

Deploy Access Rules in a peering router/firewall to prevent DNS traffic where the root server ip is the source address.
Deploy Application Aware Firewalls for the DNS protocol. Those firewalls can track and block invalid RR's, same source-destination ip address and several other DNS anomalies.
Deploy denial of service detection/mitigation tools.
Apply anti-spoofing techniques.

For DNS Administrators (Many already know it):

To implement full source address validation on their networks. If no network could spoof the root server IP source addresses on queries, then reflection attacks upon the root server infrastructure could not work.
To verify of their DNS resolvers are configured in a "Open Resolver" way, what means that they will answer any query from any server, even if it's not an original dns client.
To deploy DNS Application Firewalls;

For Users (some might know it):

Look for possible infections (running an AntiVirus and anti-malware engines) to try to detect and clean it;
Deploy a personal firewall that can block non solicited incoming sessions;
If you volunteered to have your PC used in the attack, you still have time to rethink it.

Ok, and there's something else?

Yes, here's my two final cents.

Conclusion

Anonymous is known to not advertise their targets earlier, so this is a quite unique situation where they declared their targets with weeks in advance. Curious, isn't it?
Also, there's a lot of techniques that prevents Amplification/Spoofed Attacks to be sucessful, so why to insist on it?
It's certain that Anonymous is developing a new DDOS Tool (new Low Orbit Ion Cannon?). And if it is, how it works?
Could all this advertisiment around the Amplification Attack just a decoy for something different? An DNS exploit, per example? Time will tell.
Even if a DDOS attack against the root servers come to be well suceeded, Anonymous shall keep it for days to really affect the Internet.
I don't see how an attack against the root servers will be sucessful. Let me just say that "there are better targets" if you're trying to shut down the Internet.

And let's wait for March'31.

Best Regards!

References:

Anycast - http://en.wikipedia.org/wiki/Anycast

How Anonymous plans to use DNS as a wepon - http://arstechnica.com/business/news/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon.ars/2

Strategies for fight DDOS attacks - http://www.cyberwarzone.com/cyberwarfare/10-strategies-fight-anonymous-ddos-attacks

Root Severs Info - http://www.root-servers.org/

In memory of Mr. Harold F. Tipton

Mon, 03/19/2012 - 17:51

It is with a heavy heart that I write this entry. As many of you likely already know, we lost a great information security warrior on Friday. At the age of 89, Mr. Harold F. Tipton, a founder of (ISC)², keeper of the (ISC)² CBK and mentor to thousands, passed away. He played many distinguished roles:

CBK Chair or co-chair for all (ISC)² certifications

Past President of (ISC)²

Chief Instructor for (ISC)²

Ambassador for (ISC)²

U.S. Navy Fighter Pilot

Typical of Hal, he worked until the day he went into the hospital. This kind of dedication inspired thousands of people around the world. Below are some things people who knew him well have said about him. If you knew Hal and would like to share your story, please add a comment here or follow the conversation on InterSeC. Or, click here to listen to Mr. Tipton’s reflections on the profession.

From Dr. Corey Schou, CSSLP, Fellow of (ISC)², Creator of the (ISC)² CBK, member, (ISC)² Board of Directors

I met Hal when we were first forming (ISC)². I had to make a presentation to the Board of Directors of ISSA; he was the chair/president. They had agreed to cooperate with the creation of the CBK; however, Hal wanted the whole board to hear from the individuals forming the consortium. It was a daunting meeting – his reputation preceded him. When I first saw him, all I could think of was Admiral Bull Halsley. Hal made it easy. With his encouragement and guidance from the chair, the agreement was struck. All members of the original consortium were on board.

I got to know Hal much better over the years; he was always willing to pitch in on all sorts of projects. He visited my campus several times and contributed to the NIST and CNSS projects we were working on in addition to (ISC)². It was marvelous to watch him work with my students. He was gentle but insisted that they get it right before he would let them rest. About 20 years ago, one of my students went to work for a major semi-conductor firm in the IT area. The security manager kept arguing about how some access control should be implemented. Finally, my young friend called Hal and asked the question – Hal told him he was a little busy but a day or two later he sent a letter – explaining why the security manager had it wrong. The former student merely framed the letter and hung it on the wall in his cube. When the argument continued, all he had to say was, “Hal said…” and point at the framed letter.

Many years later, I received a phone call from a good friend to see if I could come to a meeting in Chicago. Although I was in the middle of a long trip, I said, “for you”, I will go through Chicago. I had been tricked into coming to an award ceremony. I was taken aback when I was told I had been given the first Tipton Award. I was absolutely humbled by the honor from my peers – BUT to receive the award named after one of the absolute greats in the certification of computer security professionals.

Hal and I received the award at the same time. There will always be a special kinship. I will miss the all too infrequent phone calls.

From Peter, Andrej, Markus, Sandro and Richard, for the (ISC)² Chapter Switzerland and Rainer, Arne, Guenter, Hubertus for the (ISC)² Chapter Germany

We just received the news that Hal Tipton passed away this morning.

We would like to share our condolences on this occasion. The entire profession is indebted to Hal for his work on the CISSP CBK. He was an original and deep thinker, an enterprising individual and at the same time an easygoing person with a great sense of humor.

Some of us had the pleasure of working with Hal on several occasions, and it was always a pleasure, an experience - and great fun.

Our thoughts go out to Hal's family and friends, many of who are in (ISC)².

From Kevin Henry, CISSP-ISSEP, CISA, CISM, CBCI, CRISC, CSWAE, (ISC)² Authorized Instructor, former Head of Educational Services for (ISC)², and he served as the former Co-chair of the CBK committees with Hal:

Perhaps the greatest tribute we can give a person

Is the measure of the impact they have had on lives around them

The way they affected and encouraged their friends

Touched and influenced their family

And made the world a better place

There are no words to be said that can express our grief

The passing of a great man – a pioneer and warrior and a servant

One that gave his life and time

Expended his passion

And laughed at so many things

He was indeed the Grand Gentleman of Information Security

Setting a standard that none other can attain

Of nobility, grace and selfless work

Hal was a man of his era

That defined the world of information security

Saw it borne from the ashes of the past

And embraced the opportunities of the present

Working tirelessly and unceasingly Hal sought to build an industry

That would provide real value

Through many years of instructor development

Course program management and quality assurance

Hal set the standards of excellence and completeness that was needed

What was the course without Hal questioning the content

What was an instructor without Hal demanding perfection

What is information security without Hal leading the way

Hal bore many slights and criticisms and yet was not discouraged

He worked in silence and determination – with a mind to make a difference every day

And do what he could

2012 a New Era for (ISC)²®’s Arsenal of Certification Exams

Mon, 03/05/2012 - 14:53

2012 a New Era for (ISC)²®’s Arsenal of Certification Exams

By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²

2012 marks a new era for (ISC)2. This year, the last of our arsenal of certification exams will be transitioned from paper-based to computer-based testing (CBT). Beginning June 1, 2012, candidates around the globe will be able to register to take the CISSP, CISSP concentrations and the SSCP certification exams via CBT, with the ability to sit for an exam as early as the next day. Not only will this important final step in the testing transition process create a better user experience for a larger pool of candidates and greater global exam accessibility, it will also allow (ISC)2 to realize its vision to fill the pipeline of the next generation of qualified information security professionals.

Our pilot program in Latin America for CISSP and SSCP exams via CBT has proven successful, with the exam being offered in English, Brazilian Portuguese and Spanish, and the SSCP examination offered via CBT in English and Spanish. (ISC)2 certification exams via CBT are currently offered and will be offered in the future in the following languages accordingly:

Credential

Date Available

Geographic Availability

Languages

CAP

Available Now

Worldwide

English

CISSP

Available Now

Latin America

Brazilian Portuguese

English

Spanish

CSSLP

Available Now

Worldwide

English

SSCP

Available Now

Latin America

Brazilian Portuguese

English

Future Release Dates

Credential

Date Available

Geographic Availability

Languages

CISSP

June 1st, 2012

Worldwide

Brazilian Portuguese

Chinese

English

French

German

Japanese

Korean

Spanish

ISSAP

June 1st, 2012

Worldwide

English

ISSEP

June 1st, 2012

Worldwide

English

ISSMP

June 1st, 2012

Worldwide

English

SSCP

June 1st, 2012

Worldwide

Brazilian Portuguese

English

Indonesian

Spanish

All (ISC)² credential exams will be offered globally at approved Pearson VUE testing centers. For the convenience of its candidates, (ISC)² continues to expand its list of approved testing center locations within Pearson VUE’s extensive testing network, which includes more than 275 Pearson VUE-owned and -operated Pearson Professional Centers, the Pearson VUE Authorized Test Center Select network, and Pearson VUE Authorized Test Centers located on U.S. military installations around the world.

Beginning September 1, 2012, (ISC)2 will no longer offer paper-based testing (PBT) for any of its certification exams except for candidates located in areas outside of a 75-mile radius from an approved testing center and on a case-by-case basis. August 24, 2012 is the last day candidates can register to sit for regularly scheduled PBT exams occurring through August 31, 2012.

This transition changes the entire structure of our organization and aligns with what we’ve seen in most aspects of our lives – everything is going digital! From our methods of communication to paying bills to visiting the doctor, we have become technologically reliant to fulfill most of our daily tasks. As the leading information security certification and education body worldwide, it’s vital that (ISC)2 remains as current in our exam delivery methods as we do in our exam content.

(ISC)²’s transition to computer-based testing is an important investment in the future of its certification programs. This transition provides numerous benefits to candidates, members and the information security community, including:

Fair and precise evaluation of a candidate’s competency
Rapid turnaround of exam results
More choices as to when and where to take the exam
Easier registration
Fortified exam security

Years of long days and nights full of intense analysis and testing have brought us to this point. This transition has certainly been a long-fathomed goal for the organization and I’m proud to see it come to fruition. I look forward to your comments and feedback as the organization moves toward an all-encompassing digitized testing format throughout 2012.

Secured by SSL Not Enough

Mon, 02/27/2012 - 20:45

You are on the internet and you are looking to purchase the latest smart phone online. So you start off doing a search in Google. So you get a list of maybe three potential web sites selling the brand you are looking for. So now you have to decide which one to use. You check prices etc? You have an IT security background so you know the checks you have to make before you submit any personnel details. You check that the web site has an organisation and a domain validated SSL certificate, you check the key size, you check it has been signed by a well known Certificate Authority. After you check all of these you become confident everything is as it should be and that your info is secure.

Should you be that confident?

In my opinion the perception that once a website is secured with a valid SSL certificate that customers can safely enter their details is seriously flawed. It is based on a trust model. I trust the external Certificate Authority so I trust any certificate that is issued by it. Does the external Certificate Authority do proper checks to verify that the company in question has deployed their certificates properly? Does the company protect the certificates private keys etc. An Certificate Authority does not perform these checks. The external CA will verify the identity of the company and that they own the domain in question. They will dictate how big the key size is etc. But they do not have any input in to how their certificate is deployed on the company’s servers.

Most online retailers will advertise that their web sites are secure as they use 128 or 256 bit encryption and they might even display a seal from an external certificate Authority confirming that their site is secure. The main issue I have with this is yes you can see that the information between the browser and the company is encrypted, you have no idea what happens after you data enters the company’s network. You do not know where the SSL end point is. The Certificate Authority that provides the secure by SSL seal also does not know what happens your data after it enters the company’s network. The SSL end point could be just inside the DMZ. The data could then be stored as clear text anywhere on the company’s network. Customers might not even know there is an issue until the company gets hacked a few years later.

Also a small online retailer might use a hosting company for its website. The hosting company might organise an SSL certificate on behalf of the company. In this scenario the SSL end point is with the hosting company. The customer has no assurance that this data is securely transmitted to the intended company. Also they have no assurance that the hosting company is not keeping their details.

I think if company's want to provide proper assurance to their customers that the online service that they provide is secure they have to get the whole transaction from where the customer inputs their data to where the information ends up on the company's network validated by a third party. The company could publish this report on the sites.

Conor Roantree CISSP, CISA

Android, Malware and Rehabilitation

Mon, 02/06/2012 - 23:20

For a good while, Google seemed to be in denial on the subject of Android malware. Aggressively so, in the case of Chris di Bona, who announced that "...virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself." Well, let's leave aside the fact that neither Cisco's IOS nor Apple's iOS are noted for their support of 3rd-party anti-virus applications, the transient irritation of some of us who spend considerable time trying to counter security misinformation, and the fact that the purveyors of Android security software (free or for-fee) seem to have found plenty of malicious activity to try (with varying degrees of success) to counter.

Well, Google has moved on. Let's not get too hung up on the fact that Hiroshi Lockheimer's bullish assertion that

"between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market"

doesn't sit very well with di Bona's

"No major cell phone has a 'virus' problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels."

In fact, the mainstream AV industry has managed to raise at least two reasonably hearty cheers for Google's announcement that it has taken notice of some of the many calls for an app-screening model closer to Apple's iGadget App Store: one from my ESET colleague Cameron Camp ("Google responds to Android app Market security with stronger scanning measures") and one from Sophos' Vanya Svajcer ("Is Google Bouncer going to bounce all malware from the Android Market?") Well, we're evidently a forgiving bunch, on the whole. But let's hope that no-one is thinking "job done!" Cameron remarks that:

"With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there’s a lot of scanning to be done."

While Vanja goes into some detail on the limitations of the approach, and continues:

"To truly protect devices, we need a local bouncer. Not one like today's anti-malware apps, with poor stamina and no weapons. Only with Google anti-malware API Android protection products will be fully armed and prepared to fight."

But, given the tension between Android and the AV industry, perhaps it's better if I point to a more neutral resource: ENISA, the European Network and Information Security Agency, has already undertaken some serious security-focused analysis of the app store delivery phenomenon using STRIDE threat modelling and Attack Trees, expanded into an excellent review of the "five lines of defence against malware" that they believe apply in this market sector. With news breaking even now on MSNBC of a further wave of "fake malware-laden apps", it's to be hoped that Google has not only seen it, but read up to and past section 5.2, and will not assume that Bouncer app review is enough...

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

PKI and Importance of Security Policy

Thu, 02/02/2012 - 21:45

For this example let us presume that the business has stipulated that users must use digital certificates to authenticate to their application. One of the main functions of a CA is to verify the identity of the entity requesting a new certificate. If how this verification occurs is not covered in a security policy and the CA issues certificates to whoever requests them there is a risk that a rogue employee will obtain a certificate. Also a PKI is based on a trust model. How will the business have confidence in the identity of the entity presenting the certificate when it becomes wildly known that there is no proper validation process in place to verify the identity of the certificate owner? I know that the application has to be configured to accept the certificate but the rogue employee is already half way there by obtaining a client side certificate.
Another example of how a lack of a PKI policy can be a disservice to your organisation is where a service owner requires a user or an application to present a Client Side digital certificate to authenticate to their service. We will use the certificate example above. In most scenarios an application will make three basic checks before authenticating the end user or service. It will check that the certificate has not expired, it will check that the common name (CN) is allowed to authenticate, and it will check the identity of the CN by verifying it has an entry for the issuer CN in its trust store. You might have applications that can check more fields but the example I have given you is considered the bare minimum. For this example let us presume that the application that is being configured to use Client Side certificates for authentication is not controlled by security policy. Let us say for example the developer leaves out the check for the CN of the user presenting the certificate. It only checks that the certificate has not expired and that it is issued by a trusted CA. The end result of this any certificate (with the right key usages) that has been signed by My Root CA can authenticate to this service. This would give the business a false sense of security in relation to who can access this service. You could argue that how an application is configured to authenticate certificates should be part of an application security checklist and if so this checklist should be at least referenced in the PKI security policy.
Other things that should be considered in your security policy would be minimum key length, key usages, enhanced key usages etc. This is by no means complete as the main aim of this blog is to demonstrate the importance of having a PKI security policy so that you can provide assurance to the business that the services that the PKI is supposed to secure does just that.
I hope you found this blog interesting. As this is my very first time writing a blog for anything I would be grateful for any feedback that will help me make my next one better. Thank you for reading this far.

Find Us On...

Main menu

(ISC)2 Blog

Dotted lines in shifting sands

Security Provisions In Software Development Contracts - Who Pays?

The Ethics of White Hat Hacking

FedRAMP 3PAO Program – Have we Heard of this Idea Before?

Counter eCrime Operations Summit, AMTSO, CARO meetings

Apologies for including content that I

Security Breach in CA Networks -Comodo, DigiNotar, GlobalSign

EU organizations below par on infosec

Practice Safe Computing

Selecting a 3PAO with assessors that have the Certificate of Cloud Security Knowledge (CCSK)

IT's stranglehold loosens another notch

(ISC)²®Foundation Honors Founder and Legend Harold F. “Hal” Tipton with Memorial Scholarship

So what is the Certificate of Cloud Security Knowledge (CCSK) anyway?

Memories of Hal Tipton

Anonymous attacks against the DNS Root Servers. What's true and what's not?

In memory of Mr. Harold F. Tipton

2012 a New Era for (ISC)²®’s Arsenal of Certification Exams

Secured by SSL Not Enough

Android, Malware and Rehabilitation

PKI and Importance of Security Policy