<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-7196788127833928948</atom:id><lastBuildDate>Mon, 23 Nov 2009 16:18:29 +0000</lastBuildDate><title>Information Security Short Takes</title><description /><link>http://www.shortinfosec.net/</link><managingEditor>noreply@blogger.com (Bozidar Spirovski)</managingEditor><generator>Blogger</generator><openSearch:totalResults>189</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.0/</creativeCommons:license><image><link>http://creativecommons.org/licenses/by-nc-sa/2.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/shortinfosec" type="application/rss+xml" /><feedburner:emailServiceId>shortinfosec</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-7416350611332412872</guid><pubDate>Sat, 21 Nov 2009 18:05:00 +0000</pubDate><atom:updated>2009-11-21T19:56:36.006+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Database Admin 
Hacking his Ex Firm - Is It All His Fault?</title><description>Data Breaches has just published information about a &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Swg3wJAD6kI/AAAAAAAAAXE/xFZLb12ORNA/s1600/Hack.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 90px; height: 60px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Swg3wJAD6kI/AAAAAAAAAXE/xFZLb12ORNA/s400/Hack.jpg" alt="" id="BLOGGER_PHOTO_ID_5406632652847704642" border="0" /&gt;&lt;/a&gt;&lt;a href="http://www.databreaches.net/?p=8300"&gt;Former GEXA employee pleads guilty to computer intrusion&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to the article, here is what happened:&lt;blockquote style="font-style: italic; color: rgb(102, 102, 102);"&gt;&lt;p&gt;Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail thus impairing the availability of data.&lt;/p&gt;&lt;p&gt;As a result of Kim’s intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. 
Kim was indicted in June 2009.&lt;br /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;We quite agree that the access by the former employee was illegal, and he probably did cause a lot of sleepless nights for the admins and security officers, and a lot of stress for the GEXA management.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;But GEXA blames the ex-DBA for some wrong reasons. Let us break down the stated loss amount of $100,000:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Troubleshooting the issue&lt;/span&gt; - the problems were actually caused once the production system was copied into staging, so it is quite probable that production was not impaired - at least not in any significant way. So troubleshooting was a couple of man-days, and by any salary standards could not cost more than $4,000.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Securing the GEXA systems and network&lt;/span&gt; - the incident was caused by inadequate security measures on the procedural, network and database levels. So any costs incurred by GEXA to beef up and revise security would have had to be spent regardless of the incident. In my opinion, these costs should be borne by the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Repairing the GEXA GEMS database and computer network&lt;/span&gt; - this part was mostly a witch hunt for rootkits, trojans and breaches of integrity - one that has to be performed after any breach. 
This part is really the only segment that the Ex-DBA should be accountable for.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;In conclusion, GEXA did suffer a lot of grief from this incident, and we commend them on their success in identifying the attacker.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;But in reality, the incident was caused by a HUGE lack of security procedures and controls, items for which people at GEXA are accountable. So a deep look inward is also in order.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/san-francisco-wan-lockout-pointing.html"&gt;San Francisco WAN Lockout - Pointing Fingers at Everyone Responsible&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/control-delegated-responsibility.html"&gt;Control Delegated Responsibility&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-7416350611332412872?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/cfGaRk_Q1XM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/cfGaRk_Q1XM/database-admin-hacking-his-ex-firm-is.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Swg3wJAD6kI/AAAAAAAAAXE/xFZLb12ORNA/s72-c/Hack.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/database-admin-hacking-his-ex-firm-is.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6805376802981225887</guid><pubDate>Thu, 19 Nov 2009 15:56:00 
+0000</pubDate><atom:updated>2009-11-19T17:08:04.449+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>HTTPS Data Exposure - GET vs POST</title><description>Here is a quick chart showing the data exposure when considering GET vs POST and also HTTP vs HTTPS.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SwVrcFZyVXI/AAAAAAAAAW8/KNtsi1blfiU/s1600/Communication_Exposure_Matrix.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 165px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SwVrcFZyVXI/AAAAAAAAAW8/KNtsi1blfiU/s400/Communication_Exposure_Matrix.jpg" alt="" id="BLOGGER_PHOTO_ID_5405845057958991218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;URL arguments refer to arguments in the URL for GET or POST (e.g. foo.com?arg1=something).&lt;/li&gt;&lt;li&gt;Body arguments refer to data communicated via POST parameters in the HTTP request body.&lt;/li&gt;&lt;/ul&gt; &lt;span style="font-weight: bold;"&gt;NOTE: &lt;/span&gt;This chart does not address client side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate cache-control headers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A quick conclusion: The secure choice for transmission of any sensitive data is to use POST requests over SSL/TLS. Any other option will expose data at some point in the communication.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. 
He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The original text is published on&lt;a href="http://michael-coates.blogspot.com/"&gt; ...Application Security...&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/owasp-publishes-top-10-web-app-security.html"&gt;OWASP Publishes Top 10 Web App Security Risks for 2010&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/creating-your-own-web-server.html"&gt;Creating Your Own Web Server&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/03/having-web-site-that-is-not-that-easy.html"&gt;Web Site that is not Easy to hack - Part 2 HOWTO&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/02/having-web-site-that-is-not-that-easy.html"&gt;Web Site that is not that easy to hack - Part 1 HOWTO&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/tutorial-secure-web-based-job.html"&gt;Tutorial - Secure Web Based Job Application&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-6805376802981225887?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/UsmcwQBnwkQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/UsmcwQBnwkQ/https-data-exposure-get-vs-post.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SwVrcFZyVXI/AAAAAAAAAW8/KNtsi1blfiU/s72-c/Communication_Exposure_Matrix.jpg" height="72" width="72" /><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/https-data-exposure-get-vs-post.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-2041859773018805505</guid><pubDate>Tue, 17 Nov 2009 19:11:00 +0000</pubDate><atom:updated>2009-11-17T22:36:30.712+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>How to Trust Cloud Computing</title><description>Cloud Computing is becoming more and more the buzzword of every conference, meeting and article. Yet it is still in its inception, and there are a multitude of issues and problems. Cloud services are springing up like mushrooms after rain, and all the big players want a piece of the pie.&lt;br /&gt;&lt;br /&gt;Dark Reading discusses &lt;a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221800212&amp;amp;cid=ref-true"&gt;Quelling 7 Cloud Computing Fears&lt;/a&gt;, which touches on the issue of trust and security. 
The author recommends that the cloud computing providers be proactive in gaining the trust of their users and potential users.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Hu1rpxRsqcU/SwMNvPi3vjI/AAAAAAAAAWs/wmR11UhiWHs/s1600/cloud-computing.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 250px; height: 188px;" src="http://1.bp.blogspot.com/_Hu1rpxRsqcU/SwMNvPi3vjI/AAAAAAAAAWs/wmR11UhiWHs/s400/cloud-computing.jpg" alt="" id="BLOGGER_PHOTO_ID_5405179083052531250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How do we decide when we trust the cloud?&lt;/span&gt;&lt;br /&gt;Here are the mechanisms by which we can bring our trust in the cloud up to the level of trust that we have in our own infrastructure. But bear in mind that each approach can have its own pitfall!&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Encryption &lt;/span&gt;- Most readers will immediately start to think about encryption. Yes, it is a good idea, but is it enough? With encryption, regardless of the algorithm used, you are always dependent on the actual implementation of the algorithm. If the implementation is flawed, there can be back doors into your data. And you can't control or check the implementation - it's in the cloud.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Certification to Security Standards&lt;/span&gt; - A logical industry choice - if you are certified to a security standard, you are all good and well. But tread very lightly and be very careful about this: most security standards are quite flexible - you can choose to certify only a subset of your operations. 
So a security certificate for the data transfer subsystem won't do you much good when you are using the cloud for storing your customer database - the data storage and processing subsystem may not even be up to the security level of your home PC!&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Compensating Penalties (Contractual and via Litigation) &lt;/span&gt;- You can try to define penalties for breach of security within the service contract. But the cloud provider will cap such penalties at a limit which may be far below what you estimate to be your financial impact, and simply refuse to offer the service if you insist on full penalties. And unless you have an army of international lawyers on your payroll, don't even try to go into litigation - you'll end up losing even more money in the trial.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Insurance&lt;/span&gt; - Transferring the financial impact of the failure can be an elegant solution. But the insurance company will start asking the same questions about trusting the cloud provider and can quite easily add a significant premium charge to your insurance.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;There is no magic wand that will make the users suddenly increase their trust in cloud computing services. But agreeing on a common standard for what is required to be met in terms of Confidentiality and Integrity is a step in the right direction.&lt;br /&gt;&lt;br /&gt;We recommend that the minimal requirements should be:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Always insist on the cloud provider having a valid Security Standard Certificate which covers the entire scope of services that you plan on using.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Contractual penalties should be in place for everything that can be quantified. 
This means that you'll even need to quantify loss of every byte of data.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;If possible based on the cloud computing service that you use, encryption should be implemented for the data stored/processed in the cloud.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Talkback&lt;/span&gt; and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/cloud-computing-premature-murder-of.html"&gt;Cloud Computing - Premature murder of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;datacenter&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/datacenter-physical-security-blueprint.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Datacenter&lt;/span&gt; Physical Security Blueprint&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-2041859773018805505?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/Vrmd4uaUuS0" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/Vrmd4uaUuS0/how-to-trust-cloud-computing.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Hu1rpxRsqcU/SwMNvPi3vjI/AAAAAAAAAWs/wmR11UhiWHs/s72-c/cloud-computing.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/how-to-trust-cloud-computing.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-7684242484993233136</guid><pubDate>Mon, 16 Nov 2009 19:19:00 
+0000</pubDate><atom:updated>2009-11-16T20:37:26.473+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>IT Risks vs. Information Risks</title><description>As an Information Security professional I think it is increasingly important to understand the difference between IT Risk and Information Risks.  You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly.  &lt;p&gt;Here are my high level definitions:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;strong&gt;IT Risks &lt;/strong&gt;- The probability that a vulnerability of an information technology solution or asset will be exploited and the likely damage from the exploitation.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Information Risks&lt;/strong&gt; - The probability that information/data can be exploited and the likely damage from the exploitation.&lt;/li&gt;&lt;/ul&gt;    &lt;p&gt;While these may seem similar to the layman, they should clearly be viewed and positioned differently by the Information Security professional.  
Here's why:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;IT Risks&lt;/strong&gt; should have a focus on technology, while&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Information Risks&lt;/strong&gt; should not have a focus on technology&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SwGpk1YkHHI/AAAAAAAAAWk/p3_3EaiVrwo/s1600/Information+Security.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 257px;" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SwGpk1YkHHI/AAAAAAAAAWk/p3_3EaiVrwo/s320/Information+Security.jpg" alt="" id="BLOGGER_PHOTO_ID_5404787478091799666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks.  Knowing who owns what always increases your chances of being successful.  IT Risks, given their technology orientation, will rightfully land more on the plate of IT professionals to manage than on the business.  Information Risks should accordingly land more on the business side.  When I say "land" from a responsibility standpoint, I mean from a custodianship standpoint, not who is ultimately (final review/approval) accountable.  The business is always ultimately accountable for managing risks.  &lt;p&gt;By leveraging these two definitions, not only are you able to better delineate responsibility, it ensures that vulnerabilities in non-technology related areas are more effectively addressed through the lens of "Information Risk".  
For example, if one solely focuses on IT Risks related to privacy breaches, one can too often overlook the many vulnerabilities related to privacy risk in things like supervisors approving inappropriate access to personal information or poor physical security of offices containing personal information.&lt;/p&gt;  &lt;p&gt;You may encounter different terminology for the above two risks.  Don't get hung up on terminology.  You can call these two things anything you want.  Some call IT Risks "Technology Risks", some call Information Risks "Data Risks", and some even call Information Risks "IT Risks".  Just know that one of these deals with the risk associated with technology being exploited, which of course can have an impact on information, but also on a lot of other things.  The other is focused solely on the information and data, and should not be tied solely to technology factors.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;This is a guest post by Mark Brooks, a consultant and leader in the field of global information risk, security, and compliance.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The original text is published on &lt;a href="http://www.wmarkbrooks.com/"&gt;IT Security Blog. Mitigating Risks. Enabling Business Strategies&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Related Posts&lt;/p&gt;&lt;a href="http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html"&gt;Role of Information Security Manager&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/template-corporate-information-security.html"&gt;Template - Corporate Information Security Policy&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html"&gt;Risk Assessment with Microsoft Threat Assessment &amp;amp; Modeling&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/example-risk-assessment-of-exchange.html"&gt;Example Risk Assessment of Exchange 2007 with MS TAM&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-7684242484993233136?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/kmN880s_vqM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/kmN880s_vqM/it-risks-vs-information-risks.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SwGpk1YkHHI/AAAAAAAAAWk/p3_3EaiVrwo/s72-c/Information+Security.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/it-risks-vs-information-risks.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1281325400417812451</guid><pubDate>Sun, 15 Nov 2009 14:08:00 +0000</pubDate><atom:updated>2009-11-15T15:37:37.683+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Blog carnival</category><category domain="http://www.blogger.com/atom/ns#">information 
strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Information Security and Strategy Carnival - issue #5</title><description>For the fifth issue of the Information Security and Strategy Carnival, I am pleased to present the following texts:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Dan Cornell over at Denim Group posts a great article on &lt;a href="http://denimgroup.typepad.com/denim_group/2009/09/13-things-a-web-application-attacker-wont-tell-you.html"&gt;13  Things a Web Application Attacker Won't Tell You&lt;/a&gt; as well as &lt;strong style="font-weight: normal;"&gt;&lt;a href="http://denimgroup.typepad.com/denim_group/2009/10/5-more-things-a-web-application-attacker-wont-tell-you.html"&gt;5  More Things a Web Application Attacker Won't Tell You&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;John P Mello at AllSpammedUp has a take on benefits of spamming social networks in &lt;a href="http://www.allspammedup.com/2009/11/why-social-networking-spam-reaps-more-rewards-than-email/" rel="bookmark" title="Permanent Link to Why social networking spam reaps more rewards than email"&gt;Why social networking spam reaps more rewards than email&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Roger Halbheer from Microsoft discusses &lt;a id="bp___v___r___postlist___EntryItems_ctl01_PostTitle" href="http://blogs.technet.com/rhalbheer/archive/2009/11/13/why-it-pays-to-be-secure-chapter-4-i-want-to-learn.aspx"&gt;Why it pays to be secure – Chapter 4 – I want to learn!&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Please send submissions by the 25th each month to e-mail:shortinfosec _at_ gmail dot com&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/information-security-and-strategy.html"&gt;Information Security and Strategy Carnival - Issue #1&lt;/a&gt;&lt;br /&gt;&lt;a 
href="http://www.shortinfosec.net/2008/06/information-security-and-strategy.html"&gt;Information Security and Strategy Carnival - Issue #2&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/information-security-and-strategy_30.html"&gt;Information Security and Strategy Carnival - Issue #3&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/information-security-and-strategy.html"&gt;Information Security and Strategy Carnival - Issue #4&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-1281325400417812451?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/3ADJNeRBsvo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/3ADJNeRBsvo/information-security-and-strategy.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/information-security-and-strategy.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-5622341738670314089</guid><pubDate>Sat, 14 Nov 2009 07:44:00 +0000</pubDate><atom:updated>2009-11-14T09:22:05.817+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">penetration testing</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>OWASP Publishes Top 10 Web App Security Risks for 2010</title><description>Last night the &lt;a href="http://www.owasp.org/index.php/Main_Page"&gt;OWASP project&lt;/a&gt; published the 2010 issue of their Top 10 Web Application Security Risks. The list is still in Release Candidate status, so it may change. 
The difference from the previous lists, according to the statement by OWASP:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Sv5omRpsn0I/AAAAAAAAAWc/laA-pMaMhTI/s1600-h/OWASP.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 134px; height: 134px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Sv5omRpsn0I/AAAAAAAAAWc/laA-pMaMhTI/s400/OWASP.jpg" alt="" id="BLOGGER_PHOTO_ID_5403871609673785154" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p style="font-style: italic;"&gt;A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 &lt;b&gt;Risks&lt;/b&gt; to Web Applications, not just the most common vulnerabilities. At the conference will be the debut of the release candidate of the new Top 10, which will open up a 60 day comment period.&lt;br /&gt;&lt;/p&gt;&lt;/blockquote&gt;As a summary, &lt;span style="font-weight: bold;"&gt;the top 10 risks to your Web Apps are:&lt;/span&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Injection flaws&lt;/li&gt;&lt;li&gt;Cross Site Scripting (XSS)&lt;/li&gt;&lt;li&gt;Broken Authentication and Session Management&lt;/li&gt;&lt;li&gt;Insecure Direct Object References&lt;/li&gt;&lt;li&gt;Cross Site Request Forgery (CSRF)&lt;/li&gt;&lt;li&gt;Security Misconfiguration&lt;/li&gt;&lt;li&gt;Failure to Restrict URL Access&lt;/li&gt;&lt;li&gt;Unvalidated Redirects and Forwards&lt;/li&gt;&lt;li&gt;Insecure Cryptographic Storage&lt;/li&gt;&lt;li&gt;Insufficient Transport Layer Protection&lt;/li&gt;&lt;/ol&gt;It is evident that OWASP hasn't reinvented the wheel, and that this list has already been discussed for years. 
Yet it still falls on deaf ears for many developers - even large development companies.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf"&gt;You can download the full list document here, with a detailed explanation of each risk.&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/01/sans-announced-top-25-programming.html"&gt;SANS Announced Top 25 Programming Errors&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-5622341738670314089?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/vIClCjp8_j0" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/vIClCjp8_j0/owasp-publishes-top-10-web-app-security.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/Sv5omRpsn0I/AAAAAAAAAWc/laA-pMaMhTI/s72-c/OWASP.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/owasp-publishes-top-10-web-app-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-83222016980090942</guid><pubDate>Thu, 12 Nov 2009 19:10:00 +0000</pubDate><atom:updated>2009-11-12T22:53:32.452+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">windows</category><category domain="http://www.blogger.com/atom/ns#">microsoft</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Analysis of Windows Security Logs with MS Log Parser</title><description>When investigating an intrusion in a Windows system, one of the first 
places to start is the Windows security log. The security event log is also very useful when searching for anomalies and possible intrusions.&lt;br /&gt;&lt;br /&gt;Reading through a Windows security log, or any other log, can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you go commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The tool&lt;/span&gt;&lt;br /&gt;The tool in question is &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&amp;amp;displaylang=en"&gt;Microsoft Log Parser&lt;/a&gt;. Log Parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text-based files, as well as the event log and AD, on a single computer.&lt;br /&gt;&lt;br /&gt;You can query remote computers on the network, as long as the credentials that Log Parser is running under can access the data sources on the remote computers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;To read the Security Log, you need to run Log Parser as administrator.&lt;/span&gt;&lt;br /&gt;Note that this tool doesn't collect data from multiple computers; it just analyzes data in a single file or a single computer's repository.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The improved interface&lt;/span&gt;&lt;br /&gt;In its original form, Log Parser is a command line tool, so it is not the most user friendly tool in the world. Also, it has no way of saving/storing your prepared queries so you can invoke them later. 
But a promising developer named Dimce Kuzmanov created a free frontend to Log Parser called &lt;a href="http://www.lizardl.com/PageHtml.aspx?lng=2&amp;amp;PageId=18&amp;amp;PageListItemId=17"&gt;Log Parser Lizard&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Hu1rpxRsqcU/Svx8CeGQ-iI/AAAAAAAAAWM/_hY1U-Y122Q/s1600-h/Log+Parser+Lizard.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://4.bp.blogspot.com/_Hu1rpxRsqcU/Svx8CeGQ-iI/AAAAAAAAAWM/_hY1U-Y122Q/s320/Log+Parser+Lizard.jpg" alt="" id="BLOGGER_PHOTO_ID_5403330034818677282" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Log Parser Lizard enables you to store the prepared queries and organizes them by the type of data source on which you wish to do an analysis. It also includes the ability to export results to Excel, to autogenerate charts from the result of the executed query, and to export the queried subset into the original format from which the analysis was performed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Analyzing the Security Log with Log Parser Lizard&lt;/span&gt;&lt;br /&gt;Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. 
Here are some examples:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;SELECT * FROM SECURITY - simply dump all data from the security log&lt;/li&gt;&lt;li&gt;SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID - analyze what types of events appear in the security log and in what quantity&lt;/li&gt;&lt;li&gt;SELECT * FROM SECURITY WHERE EVENTID='517' - find whether the security log was cleared in Win2000/XP/2003&lt;/li&gt;&lt;/ul&gt;After you create the query, choose the appropriate category, then click the 'Generate' button to execute the query. You can also graph the results by choosing the Chart-&gt;Visible option.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;Analyzing the Security Log is always a useful security control, so you need to include it in your routine operations. And until you buy a SIEM system which will run an automatic and scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/mail-header-security-analysis.html"&gt;Tutorial - Mail Header Analysis for Spoof Protection&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/reminder-tutorial-enable-auditing-on.html"&gt;Reminder Tutorial - Enable Auditing on Windows 7&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/10/windows-7-full-disk-encryption-with.html"&gt;Windows 7 Full Disk Encryption with Truecrypt&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-83222016980090942?l=www.shortinfosec.net' 
alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/dmVHVQpqtko" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/dmVHVQpqtko/analysis-of-windows-security-logs-with.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Hu1rpxRsqcU/Svx8CeGQ-iI/AAAAAAAAAWM/_hY1U-Y122Q/s72-c/Log+Parser+Lizard.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/analysis-of-windows-security-logs-with.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8553565619720424348</guid><pubDate>Tue, 10 Nov 2009 18:35:00 +0000</pubDate><atom:updated>2009-11-10T19:44:07.516+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Role of Information Security Manager</title><description>As the &lt;strong&gt;Information Security Manager &lt;/strong&gt;you will take responsibility for developing, maintaining and monitoring compliance with all information security policies and procedures.&lt;br /&gt;&lt;br /&gt;The successful Information Security Manager will&lt;br /&gt;&lt;ul&gt;&lt;li&gt;perform security risk analysis and risk management, &lt;/li&gt;&lt;li&gt;perform security tests &lt;/li&gt;&lt;li&gt;manage internal audits on information security processes, controls and systems.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;You will take responsibility for developing and maintaining the organization's project disaster recovery and business continuity plans for information systems and monitor changes in legislation and accreditation standards that affect information security.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svm0DigzdTI/AAAAAAAAAWE/TPMWeV7Mgr4/s1600-h/Information+Security+Manager.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 318px;" src="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svm0DigzdTI/AAAAAAAAAWE/TPMWeV7Mgr4/s320/Information+Security+Manager.png" alt="" id="BLOGGER_PHOTO_ID_5402547200904623410" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;You will provide guidance and consultation on projects for IT Security related risks and issues.&lt;br /&gt;&lt;br /&gt;The successful Information Security Manager must be qualified to degree level in a numerate subject (e.g. Computer Science, maths, engineering) and possess a professional level Information Security Certification such as CISA/CISM/CISSP/SSCP. You will possess a minimum of 5 years' experience in Information Security Management and be well versed in ISO 27001 accreditation.&lt;br /&gt;&lt;br /&gt;This is a guest post by Venu Potumudi, an Information Security Manager. 
The original text is published on &lt;a href="http://making-of-ism.blogspot.com/"&gt;Making of ISM&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-8553565619720424348?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/hH2khGGu2z4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/hH2khGGu2z4/role-of-information-security-manager.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svm0DigzdTI/AAAAAAAAAWE/TPMWeV7Mgr4/s72-c/Information+Security+Manager.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1698653631621159146</guid><pubDate>Sun, 08 Nov 2009 21:11:00 +0000</pubDate><atom:updated>2009-11-09T19:52:02.437+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">windows</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Reminder Tutorial - Enable Auditing on Windows 7</title><description>Auditing is one of the major tools used in detecting system intrusions or malicious activity on systems and networks. 
And yet, even in the 'secure by design' incarnation - Windows 7 - the Microsoft client OS does not log event entries to the security log out of the box.&lt;br /&gt;&lt;br /&gt;So here is another reminder on how to enable auditing on your system. To enable auditing on a computer running Windows 7, use the same old approach used in every standalone Windows OS starting from Windows 2000 Pro:&lt;ol&gt;&lt;li&gt;Open the Control Panel.&lt;/li&gt;&lt;li&gt;In Control Panel, double-click Administrative Tools, and then click Local Security Policy.&lt;/li&gt;&lt;li&gt;In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit. &lt;/li&gt;&lt;/ol&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svc0sTUaGzI/AAAAAAAAAVw/5uJ0zDpeYeY/s1600-h/Local_Policy_Audit_Winsdows7.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 229px;" src="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svc0sTUaGzI/AAAAAAAAAVw/5uJ0zDpeYeY/s320/Local_Policy_Audit_Winsdows7.jpg" alt="" id="BLOGGER_PHOTO_ID_5401844213758958386" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;We recommend that you audit the following events, with the types of audited events specified in parentheses:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit account logon events (Success, Failure)&lt;/span&gt; - This setting determines whether the OS audits each time this computer validates an account’s credentials.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit account management (Success, Failure)&lt;/span&gt; - This setting determines whether to audit each account management event on a computer.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit directory service access (Failure)&lt;/span&gt; - This setting determines whether the OS audits user attempts to 
access Active Directory objects.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit logon events (Success, Failure) &lt;/span&gt;- This setting determines whether the OS audits each instance of a user attempting to log on to or log off from this computer. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit object access (Failure)&lt;/span&gt; - This setting determines whether the OS audits user attempts to access non-Active Directory objects.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit policy change (Success, Failure)&lt;/span&gt; - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Audit system events (Success, Failure)&lt;/span&gt; - This setting determines whether the OS audits any of the following events: &lt;span style="font-style: italic;"&gt;Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;To view the resulting audit events, start Event Viewer and choose Windows Logs -&gt; Security.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SvhiweIT-FI/AAAAAAAAAV8/e3pSCEjk02E/s1600-h/Windows_Event_Viewer.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SvhiweIT-FI/AAAAAAAAAV8/e3pSCEjk02E/s320/Windows_Event_Viewer.jpg" alt="" id="BLOGGER_PHOTO_ID_5402176337892079698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Talkback and comments are most 
welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/5-rules-to-protecting-information-on.html"&gt;5 rules to Protecting Information on your Laptop&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/truecrypt-full-disk-encryption-review.html"&gt;TrueCrypt Full Disk Encryption Review&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/04/5-minute-security-assessment.html"&gt;5 Minute Security Assessment&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-1698653631621159146?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/Us0w2Kzt6JI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/Us0w2Kzt6JI/reminder-tutorial-enable-auditing-on.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Svc0sTUaGzI/AAAAAAAAAVw/5uJ0zDpeYeY/s72-c/Local_Policy_Audit_Winsdows7.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/reminder-tutorial-enable-auditing-on.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6682933395452995732</guid><pubDate>Sun, 08 Nov 2009 20:38:00 +0000</pubDate><atom:updated>2009-11-08T21:46:31.304+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>200 Posts on Shortinfosec</title><description>We are celebrating 200 posts on Shortinfosec&lt;br /&gt;&lt;br /&gt;Here are some statistics:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Active for 1 year and 9 months - Shortinfosec started on 15 February 2008&lt;/li&gt;&lt;li&gt;200 original posts 
written&lt;/li&gt;&lt;li&gt;60,151 visits since it has been active&lt;/li&gt;&lt;li&gt;3 changes of design &lt;a href="http://web.archive.org/web/20080407232903/http://www.shortinfosec.net/"&gt;http://web.archive.org/web/20080407232903/http://www.shortinfosec.net/&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;2 periods of author's inactivity (very bad form!)&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-weight: bold;"&gt;Keep reading, a lot of new content will be arriving soon!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-6682933395452995732?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/S5vWYcWzOzY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/S5vWYcWzOzY/200-posts-on-shortinfosec.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/200-posts-on-shortinfosec.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-5016753460210036517</guid><pubDate>Sat, 07 Nov 2009 22:22:00 +0000</pubDate><atom:updated>2009-11-07T23:59:55.747+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">forensics</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Digital Forensics Framework - A Perspective Forensics Tool</title><description>After Helix Forensic went commercial, open source computer forensics has been missing a tool that integrates the required forensic techniques as well as Helix did.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The tool&lt;/span&gt;&lt;br /&gt;A group calling itself &lt;a href="http://www.arxsys.eu/"&gt;ArxSys &lt;/a&gt;has developed a Python-based forensic analysis tool, 
which they call &lt;a href="http://www.digital-forensic.org/"&gt;Digital Forensics Framework&lt;/a&gt; (DFF).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvX7vUo_AdI/AAAAAAAAAVo/Hhz8dTAtzNY/s1600-h/Digital_Forensic_Framework.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 226px;" src="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvX7vUo_AdI/AAAAAAAAAVo/Hhz8dTAtzNY/s320/Digital_Forensic_Framework.jpg" alt="" id="BLOGGER_PHOTO_ID_5401500118513811922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;DFF can be installed on Linux and Windows, and is functional even under Windows 7. The general architecture of the tool is a central, self-contained program to which different forensic functions can be added as building blocks, creating a fully integrated forensic environment.&lt;br /&gt;In comparison, most current open source tools are merely wrappers around a myriad of standalone tools.&lt;br /&gt;While this architecture is a visionary one, its strength is also its weakness: all functions need to be written for this framework, which will slow down development of DFF as a full solution. At its current state of development, DFF can handle disk dumps in FAT, but not NTFS nor memory dumps.&lt;br /&gt;&lt;br /&gt;Another very important drawback is that DFF has no functionality for forensic acquisition, so the forensic investigator still needs additional tools.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;Digital Forensics Framework is still a very 'young' product. It focuses only on forensic analysis, with no initiative on forensic acquisition and documentation. 
The strong sides of the product are the flexibility and ease with which new Python scripts can be added.&lt;br /&gt;At this moment, it is not the first choice for a forensic investigator's tool-chest, but we will follow the development of the product.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-process-for.html"&gt;Tutorial - Computer Forensics Process for Beginners&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-evidence.html"&gt;Tutorial - Computer Forensics Evidence Collection&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/competition-computer-forensic.html"&gt;Competition - Computer Forensic Investigation&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-5016753460210036517?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/VMuknGlcjc0" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/VMuknGlcjc0/digital-forensics-framework-perspective.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvX7vUo_AdI/AAAAAAAAAVo/Hhz8dTAtzNY/s72-c/Digital_Forensic_Framework.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/digital-forensics-framework-perspective.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6769383693351574128</guid><pubDate>Thu, 05 Nov 2009 20:29:00 +0000</pubDate><atom:updated>2009-11-05T22:39:43.586+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">microsoft</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Example Risk Assessment of Exchange 2007 with MS TAM</title><description>&lt;a href="http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html"&gt;In our previous post&lt;/a&gt;, we discussed the process of risk assessment assisted with Microsoft Threat Analysis and Modeling. While that post was purely theoretical, we are following up with a sample risk assessment of an IT service - an Exchange 2007 infrastructure.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SvM62reWCnI/AAAAAAAAAVg/Ob9ehBbZlIY/s1600-h/Exchange2007_Risk_Assessment.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SvM62reWCnI/AAAAAAAAAVg/Ob9ehBbZlIY/s320/Exchange2007_Risk_Assessment.jpg" alt="" id="BLOGGER_PHOTO_ID_5400725089204701810" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The assessment is based on the prototype design of a Microsoft Exchange infrastructure, and every Exchange role is treated as a separate component/server. An Active Directory domain controller is added to the infrastructure since Exchange is integrated with it. Also, we added a Mailbox Database role, just as an example that the roles can be dissected to whatever depth is needed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The elements&lt;/span&gt;&lt;br /&gt;The analysis contains the following components. 
Add them to the appropriate container within the MS TAM&lt;br /&gt;&lt;span style="font-style: italic;"&gt;User roles&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Exchange Admins&lt;/span&gt; - all administrators of the infrastructure&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Exchange Users&lt;/span&gt; - users of all Exchange services&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Exchange OWA Users&lt;/span&gt; - users of Online Web Access (webmail users)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;External mail users&lt;/span&gt; - users of other mail servers on the internet&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;Components with Service Roles&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Mailbox Server&lt;/span&gt; &lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Mailbox Server Service Role&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Hub Transport Server &lt;/span&gt;&lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Hub Transport Service Role&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Edge Transport Server &lt;/span&gt;&lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Edge Transport Service Role&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Client Access Server &lt;/span&gt;&lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Client Access Service Role&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Mailbox Database &lt;/span&gt;&lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Mailbox Database Service Role&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;AD Domain Controller &lt;/span&gt;&lt;span style="font-style: italic;"&gt;with &lt;/span&gt;Domain Controller Service Role&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;External dependencies&lt;/span&gt;&lt;br 
/&gt;&lt;ul style="font-weight: bold;"&gt;&lt;li&gt;External Mail Servers&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;Data&lt;br /&gt;&lt;/span&gt;The data processed within this infrastructure is the following&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;E-mail message&lt;/span&gt; - the main target, the incoming and outgoing e-mail messages.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Exchange address&lt;/span&gt; - your e-mail address&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Exchange Configuration&lt;/span&gt; - All Exchange Roles Configuration - Stored within Domain Controller&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Login Credentials&lt;/span&gt; - username/password&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;Use cases&lt;/span&gt;&lt;br /&gt;We have limited the use cases to the most basic and essential activities within this infrastructure. 
For each use case you will need to include the necessary calls to make it functional.&lt;br /&gt;&lt;ul style="font-weight: bold;"&gt;&lt;li&gt;Receive External E-mail&lt;/li&gt;&lt;li&gt;Read E-mail Via POP3 /IMAP/OWA&lt;/li&gt;&lt;li&gt;Send E-mail To Exchange User&lt;/li&gt;&lt;li&gt;Exchange Admins Manage Exchange Accounts&lt;/li&gt;&lt;li&gt;Send E-mail to External Address&lt;/li&gt;&lt;/ul&gt;Also, the assessment has additional &lt;span style="font-style: italic;"&gt;relevancies&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Component utilizes Power Supply &lt;/span&gt;- The component is susceptible to power failures&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Component utilizes Communication Links&lt;/span&gt; - The component is dependent on functional LAN/WAN links to perform its function&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Component utilizes Disk Capacity &lt;/span&gt;- The component stores data and relies on disk storage, thus it can lose data if the disk fails or its capacity is filled.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Component is a Physical Object&lt;/span&gt; - The component is a physical object and can be physically accessed, stolen or tampered with, or ultimately, it can fail&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The analysis&lt;/span&gt;&lt;br /&gt;After setting up these elements, choose Tools-&gt;Generate Threats. 
Choose Generate Threats based on all of your calls, and use Intelligent Append.&lt;br /&gt;The resulting set of risks can be confusing, since they are autogenerated and have generic names. You will need to read through them, and possibly merge several into one, since they can be addressing the same risk.&lt;br /&gt;&lt;br /&gt;After you have finished the filtering, you need to define &lt;span style="font-weight: bold;"&gt;Probability &lt;/span&gt;and &lt;span style="font-weight: bold;"&gt;Impact &lt;/span&gt;of the risk, and select the Risk Response as well as countermeasures from the offered set. This task is very time consuming and often difficult. You should always employ the assistance of a subject matter expert who can give you valuable input.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;When you do this for every risk, you have finished the risk assessment.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Report&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html"&gt;As we pointed out in the previous post&lt;/a&gt;, the most useful report template for risk analysis does not exist in the predefined reports, &lt;a href="http://spirovski.b.googlepages.com/risk_report.xslt"&gt;but can be downloaded here&lt;/a&gt;.&lt;br /&gt;&lt;a href="http://sites.google.com/site/spirovskib/files/Exchange_2007_Risk_Report.pdf?attredirects=0&amp;amp;d=1"&gt;The final risk analysis report for this infrastructure can be downloaded here.&lt;/a&gt;&lt;br /&gt;Also, you may benefit from the Comprehensive Report, which is included in the templates of MS TAM.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;We hope that this example will help you in the everyday use of MS TAM as a risk assessment tool.&lt;br 
/&gt;&lt;a href="http://sites.google.com/site/spirovskib/files/Exchange2007.atmx?attredirects=0&amp;amp;d=1"&gt;&lt;span style="font-weight: bold;"&gt;We are also publishing the entire ACE Threat Model file of this example for download and use.&lt;/span&gt;&lt;br /&gt;&lt;/a&gt; &lt;span style="font-weight: bold;"&gt;Please do not hesitate to contact &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Shortinfosec&lt;/span&gt; if you have any questions or issues&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Talkback&lt;/span&gt; and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html"&gt;Risk Assessment with Microsoft Threat Assessment &amp;amp; Modeling&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/02/reduce-risks-in-projects-with-deal.html"&gt;Reduce Risks in Projects with 'Deal Breakers'&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/tutorial-secure-web-based-job.html"&gt;Tutorial - Secure Web Based Job Application&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/information-risks-when-branching.html"&gt;Information Risks when Branching Software Versions&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-6769383693351574128?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/lvmjLwzKgbc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/lvmjLwzKgbc/example-risk-assessment-of-exchange.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SvM62reWCnI/AAAAAAAAAVg/Ob9ehBbZlIY/s72-c/Exchange2007_Risk_Assessment.jpg" 
height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/example-risk-assessment-of-exchange.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8136119994769075705</guid><pubDate>Tue, 03 Nov 2009 20:36:00 +0000</pubDate><atom:updated>2009-11-05T22:40:35.609+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">windows</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Risk Assessment with Microsoft Threat Assessment &amp; Modeling</title><description>Every organization has some form of information security risk assessment. Some perform a formal risk assessment, others simply use their practical experience. Whatever method is chosen, it always helps to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The tool&lt;/span&gt;&lt;br /&gt;There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice. 
Microsoft has also created &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=59888078-9DAF-4E96-B7D1-944703479451&amp;amp;displaylang=en"&gt;MS Threat Assessment and Modeling&lt;/a&gt; - a tool that, although designed for a slightly different purpose, can easily be used for risk assessment.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The process&lt;br /&gt;&lt;/span&gt;Performing risk assessment with MS TAM is easy once you understand the components and the process.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Components of the MS TAM Analysis&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Roles &lt;/span&gt;– Functional identities involved in the assessed process/system; these can include both service identities and human identities&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Components &lt;/span&gt;– System elements involved in the assessed process/system – most commonly servers or subsystems&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Data&lt;/span&gt; – Data stored and processed in the assessed process/system – in effect ANYTHING THAT TRAVERSES THE components&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;External Dependencies &lt;/span&gt;– Any external elements, including data, components or roles from other processes or systems&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Use Cases&lt;/span&gt; – the steps involved in operating the system/performing the process&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Relevancies&lt;/span&gt; – characteristics attributed to any component that are relevant to the component's method of operation and open a possible vector of attack&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Attacks&lt;/span&gt; – methods of compromising or destroying a component via misuse of 
characteristics of one or several relevancy attributed to the component&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Threats &lt;/span&gt;- the assessed threats to the system. This component will be used to generate and assess the risks&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The process consists of the steps/phases&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 0&lt;/span&gt; – Before starting anything, know your system/process/company. You will need to simulate and configure all relevant elements of the assessed system/process/company.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 1 – Define Roles&lt;/span&gt; - Define the logical groups of users involved in the system/process/company that is assessed&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 2 – Define Components and Data &lt;/span&gt;- These are the building blocks of the system/process. Data traverses components and is accessed by users and components&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 3 – Update and Define &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Relevancies&lt;/span&gt;&lt;/span&gt; - Create or update relevant attributes that define behavior of a component. For instance, a relevancy is that a component uses power supply, therefore it is &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;susceptible&lt;/span&gt; to the risk of power failure. Add new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;relevancies&lt;/span&gt; for your specific components&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 4 – Update attacks &lt;/span&gt;- Attacks are methods of misusing &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;relevancies&lt;/span&gt;. Update the current attacks with specific ones - if you have them. 
If you have created new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;relevancies&lt;/span&gt;, create the attacks that compromise them. For each attack, include countermeasures that mitigate this attack. For instance, if the attack is power supply brownout, one possible countermeasure is an in-line UPS that acts as a voltage stabilizer.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 5&lt;/span&gt; – &lt;span style="font-weight: bold;"&gt;Define Use Cases and Calls&lt;/span&gt;- The Use cases are the steps in the process, or the way a system is operated/used. Without the use cases, the risk assessment cannot be performed. For instance, one use case for a mail server system is the reception of an e-mail from an external mail server (from the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;Internet&lt;/span&gt;).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Step 6 – Model Risks &lt;/span&gt;- After you have modeled your system, generate the Threats, and analyze them one by one to assess frequency and impact, and define countermeasures from the offered possibilities. 
At the end of the process, the finalized threats are the risks to your system.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvCbGWgASWI/AAAAAAAAAVY/MpuVy-DHhJw/s1600-h/MS_TAM_Risk_Assessment_Process.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 160px;" src="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvCbGWgASWI/AAAAAAAAAVY/MpuVy-DHhJw/s320/MS_TAM_Risk_Assessment_Process.jpg" alt="" id="BLOGGER_PHOTO_ID_5399986486638561634" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;bold&gt;NOTE: It’s very important to be very meticulous about the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;relevancies&lt;/span&gt; – the attributes of the components. Choosing well in this step allows good modeling of attacks and the more automated risk model is created&lt;/bold&gt;&lt;br /&gt;&lt;bold&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The results&lt;/span&gt;&lt;br /&gt;&lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_9"&gt;After&lt;/span&gt; completing the process, the end result is the report set. The MS TAM has a predefined set of reports. Since MS TAM is primarily targeted at software development, the generic reports may be found to be lacking. The most useful report is the comprehensive report, which includes nearly all information. But it is still lacking a report which summarizes the risk assessment parameters:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Impact&lt;/li&gt;&lt;li&gt;Probability&lt;/li&gt;&lt;li&gt;Risk Rating&lt;/li&gt;&lt;li&gt;Risk Response&lt;/li&gt;&lt;li&gt;Countermeasures&lt;/li&gt;&lt;/ol&gt;&lt;a href="http://spirovski.b.googlepages.com/risk_report.xslt"&gt;To address this, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;Shortinfosec&lt;/span&gt; has created a custom report for MS TAM 2.1 which can be downloaded here&lt;/a&gt;. 
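As an added example (not part of the original post, nor of the XSLT report or of MS TAM itself), here is how the five parameters of that summary can be derived for a small constructed threat set, including the residual rating once the chosen countermeasures are applied. The 1 to 5 scales, the response thresholds and the effect each countermeasure has on impact or probability are assumptions; the brownout/UPS pair is the one used in step 4 above, the other two threats are constructed.

```python
"""Risk register in the style of the summary report described above.

Added example, not the post's XSLT report and not MS TAM code. It derives the
five summary parameters (impact, probability, risk rating, risk response,
countermeasures) for a constructed threat set and shows the residual rating
once the chosen countermeasures are applied. The 1..5 scales, the response
thresholds and the countermeasure effects are all assumptions.
"""
from dataclasses import dataclass, field

IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def rating(impact: str, probability: str) -> int:
    """Risk rating = impact level x probability level (1..25)."""
    return IMPACT[impact] * PROBABILITY[probability]


def response(score: int) -> str:
    """Map a rating to a risk response; the thresholds are an assumed appetite."""
    if score >= 15:
        return "mitigate before go-live"
    if score >= 8:
        return "mitigate"
    if score >= 4:
        return "monitor"
    return "accept"


@dataclass
class Countermeasure:
    name: str
    impact_reduction: int = 0       # impact levels removed (e.g. redundancy)
    probability_reduction: int = 0  # probability levels removed (e.g. a control)


@dataclass
class Threat:
    name: str
    component: str
    impact: str
    probability: str
    countermeasures: list = field(default_factory=list)


def residual_rating(threat: Threat) -> int:
    """Rating after every chosen countermeasure; a level never drops below 1."""
    i = IMPACT[threat.impact]
    p = PROBABILITY[threat.probability]
    for cm in threat.countermeasures:
        i = max(1, i - cm.impact_reduction)
        p = max(1, p - cm.probability_reduction)
    return i * p


def register(threats) -> list:
    """One summary row per threat, highest inherent rating first."""
    rows = []
    for t in threats:
        inherent = rating(t.impact, t.probability)
        residual = residual_rating(t)
        rows.append({
            "threat": t.name,
            "component": t.component,
            "impact": t.impact,
            "probability": t.probability,
            "risk_rating": inherent,
            "risk_response": response(inherent),
            "countermeasures": [cm.name for cm in t.countermeasures],
            "residual_rating": residual,
            "residual_response": response(residual),
        })
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


# Constructed threats for a mail server; the brownout/UPS pair comes from the post.
SAMPLE_THREATS = [
    Threat("Power supply brownout", "mail server", "major", "possible",
           [Countermeasure("in-line UPS with voltage stabilisation", probability_reduction=2)]),
    Threat("Mail store disk failure", "mail server", "severe", "unlikely",
           [Countermeasure("mirrored disks plus nightly backup", impact_reduction=3)]),
    Threat("Password guessing against webmail logon", "webmail", "moderate", "likely",
           [Countermeasure("account lockout policy", probability_reduction=2)]),
]

if __name__ == "__main__":
    for row in register(SAMPLE_THREATS):
        print(f'{row["threat"]:45} {row["risk_rating"]:>3} {row["risk_response"]:24} '
              f'-> {row["residual_rating"]:>3} {row["residual_response"]}')
```

Run as a script it prints the register sorted by inherent rating, so the threats that must be treated first are at the top; the residual columns are what an auditor will ask for when checking that the chosen countermeasures actually bring each risk inside the accepted appetite.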
To install the custom report, place the file in MS_TAM_INSTALL_FOLDER\Graphics\Reports\Custom and choose Custom Reports, risk_report.xslt&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;MS Threat Assessment and Modeling 2.1.2 may not be the best tool for risk assessment. It may not match your risk assessment methodology to the letter, nor does it deliver the final result out of the box. But unless you have a better tool, it is very usable, since it controls the process, and with MS TAM you will always follow the mindset of risks, threats and impact.&lt;br /&gt;And of course, until you have a better product, use the one that is readily available!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;If anyone encounters a problem or has a question about using MS TAM, just leave a comment or send me an e-mail&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/example-risk-assessment-of-exchange.html"&gt;Example Risk Assessment of Exchange 2007 with MS TAM&lt;/a&gt;&lt;br /&gt;&lt;bold&gt;&lt;a href="http://www.shortinfosec.net/2009/02/reduce-risks-in-projects-with-deal.html"&gt;Reduce Risks in Projects with 'Deal Breakers'&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/tutorial-secure-web-based-job.html"&gt;Tutorial - Secure Web Based Job Application&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/information-risks-when-branching.html"&gt;Information Risks when Branching Software Versions&lt;/a&gt;&lt;br /&gt;&lt;/bold&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-8136119994769075705?l=www.shortinfosec.net' alt='' 
/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/ggkzlVa8emk" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/ggkzlVa8emk/risk-assessment-with-microsoft-threat.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SvCbGWgASWI/AAAAAAAAAVY/MpuVy-DHhJw/s72-c/MS_TAM_Risk_Assessment_Process.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4870176941935128980</guid><pubDate>Fri, 30 Oct 2009 19:10:00 +0000</pubDate><atom:updated>2009-11-01T20:03:19.015+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">penetration testing</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Nessus vs Retina - Vulnerability Scanning Tools Evaluation</title><description>&lt;a href="http://www.shortinfosec.net/2009/01/system-hardening-process-checklist.html"&gt;We have mentioned our favorite vulnerability scanning tools in this blog&lt;/a&gt;. But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;UPDATE: After the constructive input from Michael A. in the comments, we have reworked the test for Nessus, to achieve more comparable results. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SutmnwJtq-I/AAAAAAAAAVQ/8urnTXGXRY8/s1600-h/Retina_VS_Nessus.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 307px; height: 320px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SutmnwJtq-I/AAAAAAAAAVQ/8urnTXGXRY8/s320/Retina_VS_Nessus.jpg" alt="" id="BLOGGER_PHOTO_ID_5398521411460246498" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Test Environment&lt;/span&gt;&lt;br /&gt;The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nessus.org/nessus/"&gt;&lt;span style="font-weight: bold;"&gt;Nessus &lt;/span&gt;&lt;/a&gt;server and client were installed and updated to the latest plugins.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="http://www.eeye.com/html/Products/Retina/index.html"&gt;Retina&lt;/a&gt; &lt;/span&gt;5.10.18.2135 evaluation version was downloaded and installed. The evaluation version does not allow updates, so we used the updates included in the build.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The target was Damn Vulnerable Linux (DVL) version 1.5, installed as a VMware virtual machine with bridged networking on the same PC that ran the vulnerability scanning tools. All firewalls, on both the host OS and the guest OS, were disabled. 
The DVL was started with the following services, with default settings and content as included in the distro.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;MySQL&lt;/li&gt;&lt;li&gt;HTTP&lt;/li&gt;&lt;li&gt;IPP printer sharing, which was active by default&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Scanning Process&lt;/span&gt;&lt;br /&gt;Both scanners were configured for a full port scan, with safe checks disabled and all available plugins enabled. NOTE: since Retina has no web application analysis, Nessus was run twice, once with the web application checks disabled and once with them enabled, to allow a meaningful performance comparison.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Performance&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The Nessus scan without the web application checks took 8 minutes to complete&lt;/li&gt;&lt;li&gt;The Nessus scan with the web application checks took 67 minutes to complete&lt;/li&gt;&lt;li&gt;The Retina scan took 38 minutes to complete&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;Results&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Both scanners failed to identify the target operating system&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;The Nessus scanner identified the expected open ports and concluded that MySQL does not accept connections from unauthorized IPs. A repeat scan produced the same results.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a style="font-weight: bold;" href="http://spirovski.b.googlepages.com/Nessus_Scan_Results_No_Web.html"&gt;You can download the full report of the Nessus scan here&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The Retina scanner identified HTTP and TCP port 631 (IPP printer sharing). It did not identify the MySQL port as open. 
On the web server it identified a significant number of vulnerabilities, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.&lt;br /&gt;&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;&lt;a href="http://spirovski.b.googlepages.com/Retina_Scan_Results.pdf"&gt;You can download the full report of the Retina scan here&lt;/a&gt;&lt;/li&gt;&lt;li&gt;The Nessus scanner with the web application checks enabled repeated the previous results and additionally identified a significant number of web application vulnerabilities, collecting information from the HTTP server through web mirroring.&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;&lt;a style="font-weight: bold;" href="http://spirovski.b.googlepages.com/Nessus_Scan_Results_With_Web.html"&gt;You can download the full report of the Nessus scan with web application checks here&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Conclusions&lt;/span&gt;&lt;br /&gt;Both scanners performed well at vulnerability identification but failed at OS identification. Also, &lt;span style="font-style: italic;"&gt;both manifested flaws:&lt;/span&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Nessus missed the IPP port every time&lt;/li&gt;&lt;li&gt;Retina produced inconsistent scan results, identifying different ports and vulnerabilities in different sessions, while no configuration changes were made to the test environment. &lt;/li&gt;&lt;/ol&gt;&lt;span style="font-style: italic;"&gt;In terms of speed, &lt;/span&gt;&lt;span&gt;without the web application checks Nessus &lt;/span&gt;performed much faster than Retina. 
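Both flaws in that list can be caught mechanically by reconciling each scanner's open-port findings across its own runs and against an Nmap baseline of the same target. The following Python is an added example, not part of the original post or of either scanner: the Nmap greppable (-oG) text and the per-run port sets are constructed to match the results above, and the target address is an assumption.

```python
"""Reconcile vulnerability-scanner port findings against an nmap baseline.

Added example, not part of the original post or of either scanner. It parses
nmap's greppable output (-oG) for the baseline, then checks every scanner run
against it and against the scanner's other runs, so a port a scanner never
sees (IPP for Nessus above) or sees in only some runs (Retina above) is
flagged automatically. The baseline text and the run results are constructed
to match the ports discussed above; they are not real scanner output.
"""
import re

# nmap -oG writes one "Host:" line per target; each port entry looks like
# 80/open/tcp//http/// and the entries are comma separated after "Ports:".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -p- -oG baseline.gnmap 192.168.56.101
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 80/open/tcp//http///, 631/open/tcp//ipp///, 3306/open/tcp//mysql///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed scanner findings for the same host: {scanner: [open ports per run]}.
SCANNER_RUNS = {
    "Nessus": [{80, 3306}, {80, 3306}],
    "Retina": [{80, 631}, {3306}],
}


def parse_grepable(text: str) -> dict:
    """Return {host: {port: service}} for the TCP ports nmap reports as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = hosts.setdefault(host, {})
        tail = line.split("Ports:", 1)
        if len(tail) == 2:
            for port, state, proto, service in PORT_RE.findall(tail[1]):
                if state == "open" and proto == "tcp":
                    ports[int(port)] = service
    return hosts


def reconcile(baseline_ports: set, runs: dict) -> dict:
    """Per scanner: baseline ports never reported, ports reported in only some
    runs, ports reported that nmap did not see, and the share of the baseline
    the scanner found in every run."""
    report = {}
    for scanner, results in runs.items():
        seen_any = set().union(*results)
        seen_all = set.intersection(*results) if results else set()
        report[scanner] = {
            "missed": sorted(baseline_ports - seen_any),
            "inconsistent": sorted(seen_any - seen_all),
            "extra": sorted(seen_any - baseline_ports),
            "coverage": round(len(seen_all.intersection(baseline_ports))
                              / (len(baseline_ports) or 1), 2),
        }
    return report


if __name__ == "__main__":
    baseline = parse_grepable(NMAP_GREPABLE)["192.168.56.101"]
    for scanner, result in reconcile(set(baseline), SCANNER_RUNS).items():
        print(scanner, result)
```

With the constructed data the report shows Nessus missing port 631 in every run with everything else stable, and Retina with no port missing overall but every port inconsistent between runs, which is exactly the distinction drawn in the conclusions: a scanner that is consistently blind to one service is a known gap you can cover with Nmap, whereas a scanner whose results change between identical runs cannot be trusted without repetition.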
With the web application checks active, on the other hand, Nessus was much slower than Retina.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;In terms of scan depth, &lt;/span&gt;Nessus has a small advantage, since it includes a web mirroring tool that is very helpful on HTTP targets.&lt;br /&gt;&lt;br /&gt;It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability assessment. One must also use network mapping (Nmap, LanGuard), OS identification (Nmap) and application-specific vulnerability scanners (Paros Proxy, WebScarab for web applications) for maximum effect.&lt;br /&gt;&lt;br /&gt;In a direct comparison, Nessus wins because&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Retina produced inconsistent results on repeat scans,&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The Nessus package includes a web application scanning module, which in the eEye product line needs to be purchased as a separate application &lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/01/system-hardening-process-checklist.html"&gt;System Hardening Process Checklist&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/03/having-web-site-that-is-not-that-easy.html"&gt;Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/12/checking-web-site-security-quick.html"&gt;Checking web site security - the quick approach&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-4870176941935128980?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/aSSIxVLUq8Q" height="1" 
width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/aSSIxVLUq8Q/vulnerability-scanning-tools-evaluation.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SutmnwJtq-I/AAAAAAAAAVQ/8urnTXGXRY8/s72-c/Retina_VS_Nessus.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/10/vulnerability-scanning-tools-evaluation.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1965548639927502925</guid><pubDate>Wed, 28 Oct 2009 21:13:00 +0000</pubDate><atom:updated>2009-10-28T22:40:12.771+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">windows</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>New Version of Microsoft Baseline Security Analyzer</title><description>Our Microsoft Baseline Security Analyzer scanner has just reported that a new version (2.1.1) is available. 
It can be downloaded from the following URL&lt;br /&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&amp;amp;displaylang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sui4PKueV1I/AAAAAAAAAVI/h6GM_7Ko-Yg/s1600-h/Shortinfosec_Microsoft_Baseline_Security_Analyzer.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sui4PKueV1I/AAAAAAAAAVI/h6GM_7Ko-Yg/s320/Shortinfosec_Microsoft_Baseline_Security_Analyzer.jpg" alt="" id="BLOGGER_PHOTO_ID_5397766724120368978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;We were disappointed to see that version 2.1 did not work properly on Windows 7 - it simply reported that the computer is not a Windows NT/2000/XP/2003 computer.&lt;br /&gt;&lt;br /&gt;Version 2.1.1 adds no major functionality, but it is now fully compatible with the current version of Windows.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://spirovski.b.googlepages.com/Shortinfosec_MBSA_SCAN.pdf"&gt;&lt;span style="font-weight: bold;"&gt;You can download the baseline that we did on our demo Windows 7 laptop here&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a 
href="http://www.shortinfosec.net/2009/10/windows-7-full-disk-encryption-with.html"&gt;Windows 7 Full Disk Encryption with Truecrypt&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/12/wmi-scanning-excellent-security-tool.html"&gt;WMI Scanning - Excellent Security Tool&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/example-bypassing-wifi-mac-address.html"&gt;Example - Bypassing WiFi MAC Address Restriction&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-1965548639927502925?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/aSd-SrJ3mg4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/aSd-SrJ3mg4/new-version-of-microsoft-baseline.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sui4PKueV1I/AAAAAAAAAVI/h6GM_7Ko-Yg/s72-c/Shortinfosec_Microsoft_Baseline_Security_Analyzer.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/10/new-version-of-microsoft-baseline.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4570922449263362588</guid><pubDate>Mon, 26 Oct 2009 18:30:00 +0000</pubDate><atom:updated>2009-10-26T20:05:18.664+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">encryption</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Windows 7 Full Disk Encryption with Truecrypt</title><description>After the &lt;a 
href="http://www.shortinfosec.net/2008/05/truecrypt-full-disk-encryption-review.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;TrueCrypt&lt;/span&gt; Full Disk Encryption Review&lt;/a&gt; and the &lt;a href="http://www.shortinfosec.net/2008/05/5-rules-to-protecting-information-on.html"&gt;5 rules to Protecting Information on your Laptop&lt;/a&gt;, we are following up with a practical test of full disk encryption of Windows 7.&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Shortinfosec&lt;/span&gt; is a great promoter of full disk encryption of laptop hard drives, and we have been using Windows 7 for several months now. On 21 Oct 2009, &lt;a href="http://www.truecrypt.org/downloads"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Truecrypt&lt;/span&gt; published the version 6.3&lt;/a&gt; which has full support for Windows 7. &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;Of course&lt;/span&gt;, why go for an open source product instead of the native &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;BitLocker&lt;/span&gt;? &lt;span style="font-weight: bold;"&gt;Well, Microsoft with it's product strategy includes &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;BitLocker&lt;/span&gt; only in Ultimate and Enterprise versions of Windows 7!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Can someone say 'huge security misstep' - especially for the Windows 7 Pro users?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Encryption&lt;/span&gt;&lt;br /&gt;Naturally, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;Shortinfosec&lt;/span&gt; started with a full disk encryption test on a laptop. 
The laptop has the following configuration.&lt;ul&gt;&lt;li&gt;2.1 GHz Core 2 Duo CPU&lt;/li&gt;&lt;li&gt;3 GB of RAM&lt;br /&gt;&lt;/li&gt;&lt;li&gt;320 GB disk drive&lt;/li&gt;&lt;li&gt;NVIDIA graphics&lt;/li&gt;&lt;li&gt;Windows 7 Pro 32-bit operating system&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The process is the same as already described in &lt;a href="http://www.shortinfosec.net/2008/05/truecrypt-full-disk-encryption-review.html"&gt;TrueCrypt Full Disk Encryption Review&lt;/a&gt;. The TrueCrypt installation is so generic that even the most inexperienced users should have no problems whatsoever.&lt;br /&gt;&lt;br /&gt;The actual encryption takes between 6 and 7 hours. After it finishes, you have an encrypted system drive. If absolutely necessary, you may even use the computer while the drive is being encrypted, but you won't be very productive.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Performance test&lt;/span&gt;&lt;br /&gt;The laptop had a PassMark test run before and after the encryption. We focused on CPU and HDD performance, since these are the areas affected by an encrypted file system.&lt;br /&gt;&lt;br /&gt;The test results are presented in the following screenshots. The overall performance of the test laptop is marginally better for the non-encrypted disk clone. 
The disk drive is most affected in the random read/write test.&lt;br /&gt;&lt;br /&gt;The results in &lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;red&lt;/span&gt; are before the encryption&lt;br /&gt;The results in &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;green&lt;/span&gt; are after the encryption&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuXxXNpzKxI/AAAAAAAAAU4/v0WmQymyMSI/s1600-h/Truecrypt_CPUMark.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuXxXNpzKxI/AAAAAAAAAU4/v0WmQymyMSI/s320/Truecrypt_CPUMark.jpg" alt="" id="BLOGGER_PHOTO_ID_5396985109577673490" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SuXyAfIlvOI/AAAAAAAAAVA/RsVj-mk4QDc/s1600-h/Truecrypt_DiskMark.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SuXyAfIlvOI/AAAAAAAAAVA/RsVj-mk4QDc/s320/Truecrypt_DiskMark.jpg" alt="" id="BLOGGER_PHOTO_ID_5396985818644856034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Conclusion&lt;br /&gt;&lt;/strong&gt;Encrypting the entire hard drive of a Windows 7 machine may not seem the natural choice, but Microsoft's product strategy opens up an opportunity for products like TrueCrypt.&lt;br /&gt;&lt;p&gt;Encrypting the entire hard drive &lt;strong&gt;will &lt;/strong&gt;reduce the performance of the disk subsystem, but on our system the reduction is small enough to go unnoticed in daily use.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span class="blsp-spelling-error" 
id="SPELLING_ERROR_14"&gt;Talkback&lt;/span&gt; and comments are most welcome&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Related posts&lt;/p&gt;&lt;a href="http://www.shortinfosec.net/2009/02/cracking-truecrypt-container.html"&gt;Cracking a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;TrueCrypt&lt;/span&gt; Container&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/truecrypt-full-disk-encryption-review.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;TrueCrypt&lt;/span&gt; Full Disk Encryption Review&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/02/tutorial-hidden-operating-system-with.html"&gt;Tutorial - Hidden Operating System with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;Truecrypt&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/tutorial-poor-mans-secure-usb.html"&gt;Tutorial - A Poor Man's Secure &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;USB&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-4570922449263362588?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/X4XL9INfZWE" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/X4XL9INfZWE/windows-7-full-disk-encryption-with.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuXxXNpzKxI/AAAAAAAAAU4/v0WmQymyMSI/s72-c/Truecrypt_CPUMark.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/10/windows-7-full-disk-encryption-with.html</feedburner:origLink></item><item><guid 
isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6805500826327631423</guid><pubDate>Sun, 25 Oct 2009 17:56:00 +0000</pubDate><atom:updated>2009-10-26T08:35:36.781+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Network security</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Tutorial - Free Auditing of Active Directory for Information Security</title><description>Active Directory within a large organization goes through a lot of changes throughout the day. There are a lot of possibilities for error, creation of accounts with high privileges or missing the disabling task on an employee leaving the company.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuSY4vsK85I/AAAAAAAAAUo/QWGwhlFHS0k/s1600-h/Active-Directory.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 212px;" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuSY4vsK85I/AAAAAAAAAUo/QWGwhlFHS0k/s320/Active-Directory.gif" alt="" id="BLOGGER_PHOTO_ID_5396606354138526610" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Information Security Teams need fast and easily readable auditing, possibly with automation.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;The tool&lt;/span&gt;&lt;br /&gt;While there are several excellent products that perform this function, auditing of Active Directory can become a costly endeavor. NetWrix has a free version of their &lt;span style="font-weight: bold;"&gt;Active Directory Change &lt;/span&gt;Reporter. It can be installed on any  computer that is a member of the domain. 
Here is a screenshot of the configuration screen:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SuSYuMZxNBI/AAAAAAAAAUg/Y7qwelyU3Sg/s1600-h/netwrix-Active-Directory-Change-Config.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 229px; height: 320px;" src="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SuSYuMZxNBI/AAAAAAAAAUg/Y7qwelyU3Sg/s320/netwrix-Active-Directory-Change-Config.JPG" alt="" id="BLOGGER_PHOTO_ID_5396606172867408914" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The process&lt;/span&gt;&lt;br /&gt;The auditing is performed by taking a 'snapshot' of the Active Directory domain state at scheduled intervals. Each snapshot is stored in a directory and can be used to create HTML reports of the changes that happened between two snapshots. There is even automated reporting, which delivers a report on changes to the directory on a predefined schedule.&lt;br /&gt;&lt;br /&gt;The report clearly displays which objects have been added, removed or modified within the Active Directory domain. 
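The same snapshot-and-diff approach in Python, as an added example that is not NetWrix code: two constructed snapshots keyed by distinguished name stand in for what a scheduled LDAP query would save to disk, and a second pass raises the changes that matter most to an information security team (new members of privileged groups, re-enabled accounts, created and deleted accounts). The DNs, the group names and the privileged-group list are assumptions; the userAccountControl values are the documented NORMAL_ACCOUNT (512) and ACCOUNTDISABLE (0x2) flags.

```python
"""Snapshot-and-diff of directory objects, the approach the free reporter uses.

Added example, not NetWrix code. The two snapshots are constructed dicts keyed
by distinguished name, standing in for what a scheduled LDAP query would store
on disk; DNs, group names and the privileged-group list are assumptions.
The diff lists added, removed and modified objects, and a second pass raises
the changes an information security team cares about most.
"""

# Groups whose new members must always be raised (assumed list).
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local",
    "CN=Enterprise Admins,CN=Users,DC=example,DC=local",
}


def account_disabled(uac: int) -> bool:
    """userAccountControl bit 0x2 (ACCOUNTDISABLE), read via shift and modulo."""
    return (uac >> 1) % 2 == 1


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two {dn: {attribute: value}} snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = {}
    for dn in sorted(set(before).intersection(after)):
        changes = {}
        for attr in sorted(set(before[dn]).union(after[dn])):
            old, new = before[dn].get(attr), after[dn].get(attr)
            if old != new:
                changes[attr] = (old, new)
        if changes:
            modified[dn] = changes
    return {"added": added, "removed": removed, "modified": modified}


def security_findings(diff: dict) -> list:
    """Turn the raw diff into the lines an auditor wants to read first."""
    findings = []
    for dn in diff["added"]:
        findings.append(f"CREATED: {dn}")
    for dn in diff["removed"]:
        findings.append(f"DELETED: {dn}")
    for dn, changes in diff["modified"].items():
        if "memberOf" in changes:
            old, new = changes["memberOf"]
            gained = set(new or []) - set(old or [])
            for group in sorted(gained.intersection(PRIVILEGED_GROUPS)):
                findings.append(f"PRIVILEGED GROUP MEMBERSHIP: {dn} added to {group}")
        if "userAccountControl" in changes:
            old, new = changes["userAccountControl"]
            if account_disabled(old) and not account_disabled(new):
                findings.append(f"ACCOUNT RE-ENABLED: {dn}")
    return findings


# Constructed snapshots: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE.
# bob was disabled when he left the company; alice is an ordinary helpdesk user.
SNAPSHOT_MONDAY = {
    "CN=alice,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 512,
        "memberOf": ["CN=Helpdesk,CN=Users,DC=example,DC=local"]},
    "CN=bob,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 514, "memberOf": []},
    "CN=svc_backup,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 512, "memberOf": []},
}
SNAPSHOT_TUESDAY = {
    "CN=alice,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 512,
        "memberOf": ["CN=Helpdesk,CN=Users,DC=example,DC=local",
                     "CN=Domain Admins,CN=Users,DC=example,DC=local"]},
    "CN=bob,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 512, "memberOf": []},
    "CN=carol,CN=Users,DC=example,DC=local": {
        "objectClass": "user", "userAccountControl": 512, "memberOf": []},
}

if __name__ == "__main__":
    for line in security_findings(diff_snapshots(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY)):
        print(line)
```

On the constructed snapshots the findings are a created account (carol), a deleted account (svc_backup), alice joining Domain Admins and bob's disabled account being re-enabled; the raw diff still holds every attribute change for the full report, but the findings list is the part worth delivering on a schedule.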
Of course, additional history, such as who made the change and when, is only available in the commercial version, but even the free version produces a useful set of information.&lt;br /&gt;&lt;br /&gt;Here is a screenshot of the report&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SuSdQwAoPkI/AAAAAAAAAUw/MWYb3z8-N80/s1600-h/Active-Directory-Changes-Report.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 194px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SuSdQwAoPkI/AAAAAAAAAUw/MWYb3z8-N80/s320/Active-Directory-Changes-Report.jpg" alt="" id="BLOGGER_PHOTO_ID_5396611164587703874" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;While the free version of NetWrix is far from the big players in functionality, it provides clear and automated reporting. It is a good choice to start with the free version and prepare for purchasing a commercial tool by learning from it and noting which functionalities you require that this tool does not deliver.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/10/firefox-is-great-browser.html"&gt;Controlling Firefox Through Active Directory&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-6805500826327631423?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/byzlOyxckPc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/byzlOyxckPc/tutorual-free-auditing-of-active.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SuSY4vsK85I/AAAAAAAAAUo/QWGwhlFHS0k/s72-c/Active-Directory.gif" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/10/tutorual-free-auditing-of-active.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6936401729839355664</guid><pubDate>Wed, 01 Jul 2009 19:39:00 +0000</pubDate><atom:updated>2009-07-01T22:03:19.627+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Evaluation of Security Information Event Management Systems</title><description>Security Information Event Management (SIEM) solutions come in a lot of different flavours. The industry is not yet mature, and the competitors are pushing their own solutions, based on their background and capabilities. In general, they will all present more or less the following configuration model for the SIEM implementation.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sku8aGjP08I/AAAAAAAAAUU/FKXX8TCWeZw/s1600-h/Security-Information-Event-Management-Config-Example.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 258px;" src="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sku8aGjP08I/AAAAAAAAAUU/FKXX8TCWeZw/s320/Security-Information-Event-Management-Config-Example.JPG" alt="" id="BLOGGER_PHOTO_ID_5353579738681037762" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;But other than the generic model, a lot of things are different. So, in order to sift through the multitude of solutions, the buyer needs to ask the real questions. 
Here are some of the key questions that need to be taken into consideration:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Is it possible to place an agent on the server machines? &lt;/span&gt;- Certain SIEM solutions do not properly support remote collection of OS or application logs, so they need a server-side agent to do the job. On the other hand, most business-critical systems are tightly controlled and do not allow additional resident programs to be installed on the system, because of the risk of performance or reliability issues.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Are there any custom applications that generate logs that need to be collected by the SIEM? &lt;/span&gt;- The organization may require that the SIEM also collects and parses such logs, but proper parsing ability needs to be verified with a large sample of logs during a proof of concept run.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Is there any international standard or regulation that is mandating the SIEM solution?&lt;/span&gt; - Whatever standard needs to be met has a set of predefined controlling reports that confirm compliance to the standard. You need to confirm that the SIEM solution can produce the needed reports.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;How long will you need to keep logs and conclusions online and offline? &lt;/span&gt;- Data retention is key to such a massive collection of information. Typically, a SIEM system needs to be able to archive all historical events to external data storage, and preferably, the archival process should include an integrity control (MD5 or SHA1 hash) that guarantees that the logs haven't been tampered with while in archive. 
&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;What type of processing and alerting is required?&lt;/span&gt; -&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Proper answers to these questions will most likely eliminate the unacceptable solutions, and will ease the evaluation process of the qualifying shortlist.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/06/real-benefit-of-security-information.html"&gt;Real Benefit of Security Information Event Management&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/48So_xbN1is/security-information-event-management.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Hu1rpxRsqcU/Sku8aGjP08I/AAAAAAAAAUU/FKXX8TCWeZw/s72-c/Security-Information-Event-Management-Config-Example.JPG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/07/security-information-event-management.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-3402390499716391858</guid><pubDate>Sun, 21 Jun 2009 08:34:00 +0000</pubDate><atom:updated>2009-06-21T12:30:58.682+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><category domain="http://www.blogger.com/atom/ns#">audit</category><title>Real Benefit of Security Information Event Management</title><description>Security Information 
Event Management is the echoing buzzword in most industries these days. Banking, Telecommunications, Power and Energy - anyone and everyone is under internal audit and regulator scrutiny to implement a Security Information Event Management system.&lt;br /&gt;But most Security Information Event Management implementations are rushed and put in place only to shut up the auditors and go on as usual. Since it's a compliance requirement, the Security Information Event Management salespeople very rarely address whether the customer makes proper use of the solution, and whether this solution brings benefits to the company.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/Sj35EUe2ouI/AAAAAAAAATw/X-a6p9m40dM/s1600-h/compliance-siem.jpg"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 249px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5349705784998929122" border="0" alt="" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/Sj35EUe2ouI/AAAAAAAAATw/X-a6p9m40dM/s320/compliance-siem.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;The common issue&lt;br /&gt;&lt;/span&gt;SIEM is a Security Officer tool, but since it tightly integrates with IT equipment, the 
SIEM implementation is usually left to IT departments. The issue with this is that IT will approach the implementation from a purely technical aspect: how to properly connect the IT equipment to the SIEM system.&lt;br /&gt;&lt;br /&gt;Once the SIEM system is collecting audit logs and events from all required IT elements, the job is done. At most, a retention policy and archiving are also set up by IT, and the story ends there.&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;The real benefit&lt;/span&gt;&lt;br /&gt;Any SIEM system is simply a large database collecting massive amounts of events. But if one does not use these events, the system is there only for form's sake, and brings only costs to the company. Here is what you'll need to set up to get real benefits from a SIEM system:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Choosing what is most important to be alerted about &lt;/span&gt;- While some automated alerts and analysis are available within all SIEM systems, the generic alerts are rarely well matched to a company. 
For example, a generic alert may be triggered by consecutive failed attempts followed by a successful logon, but may not be triggered on a configuration change of a firewall. The first event was merely an employee trying to remember his password, while the config change of the firewall just opened up your network to some attack.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Alerting the proper person/team&lt;/span&gt; - The alerting means nothing if the alert does not reach the proper person, who can react in the fastest possible time. A 'transaction log is full' alert means little to a network admin, just as a SYN flood may mean absolutely nothing to the DBA. And neither will mean much to the head of the department, if one chooses to send all alerts to the manager.&lt;/li&gt;&lt;li&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Creating and using the proper reports &lt;/span&gt;- Some SIEM systems come bundled with reports, others sell the reports as packages. But the vanilla flavour reports may not always be useful to the organization, so the correct report definitions should be prepared and implemented during the SIEM implementation. 
This way the company will know that these reports are to their specification, and even more, that the data needed for these reports is collected by the SIEM system.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Talkback and comments are most welcome</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/ZGueN072iL0/real-benefit-of-security-information.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Hu1rpxRsqcU/Sj35EUe2ouI/AAAAAAAAATw/X-a6p9m40dM/s72-c/compliance-siem.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/06/real-benefit-of-security-information.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4673376564244640721</guid><pubDate>Wed, 10 Jun 2009 20:19:00 +0000</pubDate><atom:updated>2009-06-10T22:20:45.896+02:00</atom:updated><title>Shortinfosec ReBoot</title><description>I have taken a sabbatical from blogging to rest and focus on other issues. 
This period is now finished, and Shortinfosec will continue with the regular posts!</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/YUtrVOFQJC0/shortinfosec-reboot.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/06/shortinfosec-reboot.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6293868721797775626</guid><pubDate>Wed, 22 Apr 2009 13:38:00 +0000</pubDate><atom:updated>2009-04-23T21:16:54.311+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">penetration testing</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>5 biggest mistakes of information security</title><description>Does your information security implementation suffer from mistakes in approach? Everyone is focused on information security, and security is a constant addition to every corporate mission statement. And yet in nearly every security implementation there is a recurring range of mistakes in information security. Here are the most common five:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Focusing primarily on perimeter security &lt;/span&gt;- Put in firewalls and other firewalls behind those firewalls, and some IPS in the middle, and set them all up to defend the Internet link of the corporation. And that's it, no need to do anything else. Sounds familiar? Defending the perimeter is important, but it's not the only point of security strengthening. 
A successful attack does not try to punch a hole through the thickest wall - it finds a way to bypass such walls. &lt;span style="font-style: italic;"&gt;Security needs to be layered and focused on properly protecting the resources that store and process information&lt;/span&gt;.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SfC-cfSc0GI/AAAAAAAAATo/5zn83sTRF5s/s1600-h/security-mistake.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 212px;" src="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SfC-cfSc0GI/AAAAAAAAATo/5zn83sTRF5s/s320/security-mistake.jpg" alt="" id="BLOGGER_PHOTO_ID_5327967755823796322" border="0" /&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Relying on hard-coded elements &lt;/span&gt;- Whether it be a hostname, an IP address or a username/password pair, hard-coded elements in a file open a gaping hole in security. Anyone managing to read or disassemble the file has access to a nice set of information very useful for an attack. &lt;span style="font-style: italic;"&gt;Always rely on user input or single sign-on instead of hard-coded elements.&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Trusting people&lt;/span&gt; - Any casino owner will tell you the grim truth - 30% of employees are out to steal from you. This is true in any industry, and by the way, you can never know which ones are included in the 30%. Therefore, implicit trust and saying "he/she can never do us harm, the loyalty is too great" will only land you in trouble. 
&lt;span style="font-style: italic;"&gt;Always enforce security rules and policies for every process and employee&lt;/span&gt;.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Relying on an issue being fixed in the "other element"&lt;/span&gt; - "This will be fixed in the program", or "This will be fixed in the database". Finding an issue and hoping that someone else will fix it is stupid to say the least. &lt;span style="font-style: italic;"&gt;Address the issue immediately, for no one else will!&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Improper discarding of documentation&lt;/span&gt; - Hundreds of thousands of confidential documents are thrown into the garbage every day - even whole laptops which for some reason are not functioning properly. This simple neglect of information that is no longer needed is the easiest (and most legal) route to information and identity theft. &lt;span style="font-style: italic;"&gt;Institute simple procedures for information destruction, ranging from paper up to malfunctioning hard drives. The technical resources needed for this are inexpensive and plentiful&lt;/span&gt;!&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Do you have an example of mistakes? 
Add it in the comments!!!&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/04/3-things-no-book-about-hacking-will.html"&gt;3 Things no book about hacking will ever tell you&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/5-sla-nonsense-examples-always-read.html"&gt;5 SLA Nonsense Examples - Always Read the Fine Print&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/mVst7B7Yzq0/5-biggest-mistakes-of-information.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Hu1rpxRsqcU/SfC-cfSc0GI/AAAAAAAAATo/5zn83sTRF5s/s72-c/security-mistake.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">6</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/04/5-biggest-mistakes-of-information.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-5962401222109726741</guid><pubDate>Mon, 20 Apr 2009 21:41:00 +0000</pubDate><atom:updated>2009-04-20T23:45:56.361+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><title>SUN Purchase Analysis</title><description>Oracle owns Sun. It moved to acquire the failing giant ahead of IBM and now it has access to a large installed base of Sun servers. 
But what will Oracle do with a hardware company, and what will remain of it after Larry Ellison is done with Sun?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Hardware&lt;/span&gt; - Oracle has its R&amp;amp;D focused on databases, and to some extent on underlying operating systems. But Oracle does not want to meddle with expensive chip research just to maintain the SPARC platform. So the servers division will go on sale to HP, IBM, EMC, Dell or some venture capital firm - lock, stock and barrel. &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Solaris &lt;/span&gt;- A wonderful OS, a leader on many platforms. Oracle will want to make its DBMS one-click installable on an empty machine, so Solaris for Intel will probably be the weapon of choice for this move. But in the process, Solaris will become an embedded &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;MySQL &lt;/span&gt;- A possible casualty of the RDBMS war - Oracle will need to position this product carefully, to be less competitive with Oracle RDBMS and more competitive with embedded databases and free competition. If Oracle cannot do this, they'll most probably let MySQL die of old age by simply not developing it any further. &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Consulting division &lt;/span&gt;- Some will be cut off, some will become Oracle consulting and integration, to take even more of the high-margin integration consulting business.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Open source initiatives &lt;/span&gt;- THE BEST PLACE for developer breeding. If Oracle has retained any smarts, it will maintain its strong support for open source, but steer it towards Oracle as the development platform. 
&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;JAVA&lt;/span&gt; - The weapon of mass destruction for Oracle - Just like the open source initiatives, expect that Java will continue to flourish - simply because Oracle wants more and more software that will use their databases.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;In any case, things won't be the same. It is sad to see another one of the high quality system giants go.&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/hp-partners-with-sun-anybody-remember.html"&gt;HP partners with Sun - Anybody remember Digital?&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/yUae1ypPlZw/sun-purchase-analysis.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/04/sun-purchase-analysis.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6265686353623515885</guid><pubDate>Wed, 15 Apr 2009 18:51:00 +0000</pubDate><atom:updated>2009-04-15T22:05:21.666+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Solution building</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>5 Minute Security Assessment</title><description>A security assessment is a big deal. 
It takes a lot of time, requires a good chunk of budget since it is done by independent consultants, and the outcome is at best 'OK, but could be better'.&lt;br /&gt;&lt;br /&gt;For all these reasons, as well as some egoistic ones which won't be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.&lt;br /&gt;&lt;br /&gt;While the real thing may take time, budget lobbying and guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling for where you are standing. You can do this assessment on your own time, and no one needs to know the outcome.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SeY94PxtgSI/AAAAAAAAATg/j3YuxyZfQdg/s1600-h/security-assessment.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 243px;" src="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SeY94PxtgSI/AAAAAAAAATg/j3YuxyZfQdg/s320/security-assessment.jpg" alt="" id="BLOGGER_PHOTO_ID_5325011645929193762" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Assessment instructions&lt;/span&gt;&lt;br /&gt;Answer each of the questions truthfully with a yes or a no. If it is partial, write it up as a no. For each answer, add the appropriate number of points (indicated on each question) to a total score. After finishing with all the questions, sum the score and find the appropriate assessment result depending on which interval your score falls in.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Assessment questions&lt;/span&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Do we have a firewall active at all ingress points of the network?&lt;/span&gt; Yes - 5 points, No - 0 points&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Does our team control all firewalls? 
&lt;/span&gt;Yes - 5 points, No - 0 points&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Do we have the following basic technical policies in place?&lt;/span&gt; Add 1 point for each policy in place&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li style="font-weight: bold;"&gt;password complexity&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;password retention&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;password history&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;logon hours&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;controlled registry editing&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Does everyone in the organization have their own individual and unique username for all activities?&lt;/span&gt; Yes - 5 points, No - 0 points&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Do we have logon/logoff auditing active on all servers and stations?&lt;/span&gt; Yes - 5 points, No - 0 points&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Do we have a testing environment for patches, new versions and new software before it is rolled out into production? &lt;/span&gt;Yes - 5 points, No - 0 points&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Do we have written procedures for regulating the above questions as process? &lt;/span&gt;Add 1 point for each procedure in place&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Assessment results&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;30-36 points - Very good security posture &lt;/span&gt;- You have the basics of a great security governance. 
Continue developing both the procedural and technical levels of security.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;20-30 points - Acceptable security posture&lt;/span&gt; - You are lacking in written procedures and change management, but basic technical security is at a good level - you need to work harder on formalization.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;10-20 points - Basic security posture &lt;/span&gt;- Very basic security, lacking any formal security process, and also probably missing elements in auditing, ingress path control and technical policies. You have a long way to go, and you should have started yesterday!&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;0-10 points - Disaster waiting to happen &lt;/span&gt;- So you have firewalls? Really? And maybe you've even plugged them in? Hire a good security expert - after firing your current one - and start getting somewhere.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/quick-and-basic-security-assessment-for.html"&gt;Quick and Basic Security Assessment for Databases&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/12/wmi-scanning-excellent-security-tool.html"&gt;WMI Scanning - Excellent Security Tool&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/tutorial-using-ratproxy-for-analysis.html"&gt;Tutorial - Using Ratproxy for Web Site Vulnerability Analysis&lt;/a&gt;
</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/aO1o09wM2as/5-minute-security-assessment.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Hu1rpxRsqcU/SeY94PxtgSI/AAAAAAAAATg/j3YuxyZfQdg/s72-c/security-assessment.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/04/5-minute-security-assessment.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4003896145765433310</guid><pubDate>Mon, 13 Apr 2009 11:23:00 +0000</pubDate><atom:updated>2009-04-13T22:19:09.916+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">penetration testing</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>3 Things no book about hacking will ever tell you</title><description>There are tons of books which 'teach' you how to become a hacker. Some boast to make you a hacker in XX number of days, or brag about being authored by the greatest experts in the field, or some other commercial mumbo-jumbo.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;But is there any great wisdom in those books? 
No, and they are not even good at teaching technology.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SeOd9ownJ6I/AAAAAAAAATY/PvVNGWu2cDY/s1600-h/hacker.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 332px; height: 373px;" src="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SeOd9ownJ6I/AAAAAAAAATY/PvVNGWu2cDY/s400/hacker.gif" alt="" id="BLOGGER_PHOTO_ID_5324272866720950178" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Here is what hacking books will NEVER tell you:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Being a hacker requires a HUGE amount of learning - &lt;/span&gt;All hacking books tell you that you need a lot programming knowledge, a lot of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;TCP&lt;/span&gt;/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;IP&lt;/span&gt; knowledge, and some of them will try to cover the basics. So look around you, these guys are usually the 'gurus' at this and that company, and have a much nicer title - usually it's infrastructure architect, chief designer or something along those lines. And these guys became that by working overtime, nighttime, at home, over &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;weekends&lt;/span&gt;, missed vacations and built systems from the ground up. It took a lot of dedication and a whole lot of time to reach that kind of knowledge.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Being a hacker is very rarely (if ever) a glamorous thing&lt;/strong&gt; - Most hacking activities are not legal, therefore the prominent or established hacker has to watch his/hers back, remain undercover and rarely trust anyone. Even if you employ your skills for patriotic or political goals, you'll be a hero somewhere, but an enemy elsewhere. 
Oh, and no one will ever make a movie of your achievements and exploits!&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;There are few people who earn a legal salary as hackers &lt;/span&gt;- hackers are usually hired to do 'dirty' jobs, or at least jobs of questionable legality. So apart from earning money, these jobs leave the hacker constantly looking over his or her shoulder for investigators or the police. If you are thinking about penetration testing, think again - hackers are not hired outright for such jobs, since the consent a penetration test requires presupposes an enormous amount of trust in the pen-tester. These jobs are mostly landed by 'white-hat' pen-testers with an excellent public track record.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;On the other hand, if you keep up the learning and studying it takes to be a hacker, you will build excellent technical expertise. Applying your skills not as a hacker but as a technical expert will bring you a good name, invitations to present at conferences, and a lot of contacts among IT experts. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Talkback and comments are most welcome&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Related posts&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.shortinfosec.net/2008/07/portrait-of-attacker-types.html"&gt;Portrait of Hackers&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.shortinfosec.net/2008/12/hunting-for-hackers-google-fraud-style.html"&gt;Hunting for hackers - Google fraud style&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-4003896145765433310?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/YF0LgjvH7Jo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/YF0LgjvH7Jo/3-things-no-book-about-hacking-will.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Hu1rpxRsqcU/SeOd9ownJ6I/AAAAAAAAATY/PvVNGWu2cDY/s72-c/hacker.gif" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/04/3-things-no-book-about-hacking-will.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8938373914080227421</guid><pubDate>Wed, 08 Apr 2009 07:21:00 +0000</pubDate><atom:updated>2009-04-08T10:07:29.108+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Cloud Backup - A gamble on several levels</title><description>Online or cloud backup was one of the buzzwords of cloud computing, and it actually led the wave in terms of commercial implementation. 
Hewlett-Packard had its Upline service, Yahoo had its Briefcase, and IBackup is going strong. But the market for online backup is still quite volatile.&lt;br /&gt;&lt;br /&gt;For instance, HP has decided to shut down Upline, without much explanation to the customers. It went down on March 31, 2009. Oh, by the way, Yahoo closed shop at Briefcase on March 30, just a day earlier!&lt;br /&gt;&lt;br /&gt;In the meantime, the big players are repositioning: EMC purchased Mozy, an online backup startup, and is pushing the service hard. And there are still new players entering the field - COMODO has just announced its online backup service. And we are hearing that Symantec is also going into the online backup business!&lt;br /&gt;&lt;br /&gt;With all these events, several questions regarding the online backup model as a whole surface from the murky deep:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Who uses whose infrastructure?&lt;/span&gt; - the simultaneous closing of two major services (HP Upline and Yahoo Briefcase) may be a simple coincidence. But, on the other hand, these are 'cloud' services, so one service may outsource its physical storage to another vendor. 
This leads to all kinds of unanswered questions, like:&lt;ul&gt;&lt;li&gt;Who else has access to the backed-up data?&lt;/li&gt;&lt;li&gt;Is the advertised availability actually achievable?&lt;/li&gt;&lt;li&gt;Can we lose the backed-up data if the outsourced provider fails financially?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Is your online backup actually safe? &lt;/span&gt;- While technical security measures can be implemented and documented, corporate decisions fall well outside the scope of the service. And corporate decisions may include layoffs, selling of assets, closing of divisions, even selling of the entire company. In such conditions, the service provider's employees couldn't care less about some Joe Average's online photo collection or sales reports.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Can you define a long-term data retention policy and rely on online backup to meet it?&lt;/span&gt; - HP is a HUGE company. And it failed to deliver a long-running service. One may argue that HP is primarily a hardware vendor, but nevertheless a company that large is always interested in presenting itself as a serious long-term partner. And yet, it closed its service. So, who can tell what will happen to the other online backup service providers?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Which service provider is the right choice for online backup?&lt;/span&gt; - Again, HP and Yahoo are large, and they closed up shop. Other service providers are all over the place: from start-ups, through venture-capital-funded firms, up to large players who purchased smaller ones. Which one will prove to be the best, and which one will actually deliver on the promise?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;There are no definite answers to these questions. 
But in a time of economic instability, when services and service providers can find themselves in all kinds of trouble, relying on online backup without a second option feels a lot like gambling. And gambling on the technical, financial and business levels at once.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/3-rules-to-prevent-backup-headaches.html"&gt;3 Rules to Prevent Backup Headaches&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/cloud-computing-premature-murder-of.html"&gt;Cloud Computing - Premature murder of the datacenter&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/11/know-difference-backup-vs-archive.html"&gt;Know the Difference - Backup vs. Archive&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/01/security-concerns-cloud-cloud-computing.html"&gt;Security Concerns Cloud “Cloud Computing”&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7196788127833928948-8938373914080227421?l=www.shortinfosec.net' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/S_Ze8BChJuo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/S_Ze8BChJuo/cloud-backup-gamble-on-several-levels.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">7</thr:total><feedburner:origLink>http://www.shortinfosec.net/2009/04/cloud-backup-gamble-on-several-levels.html</feedburner:origLink></item></channel></rss>
