Information Security Short Takes

OWASP Publishes Top 10 Web App Security Risks for 2010

noreply@blogger.com (Bozidar Spirovski) — Sat, 14 Nov 2009 07:44:00 +0000

Last night the OWASP project published the 2010 issue of their Top 10 Web Application Security Risks. The list is still in Release Candidate status, so it may change. The difference from the previous lists according to the statement by OWASP

A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 Risks to Web Applications, not just the most common vulnerabilities. At the conference will be the debut of the release candidate of the new Top 10, which will open up a 60 day comment period.

As a summary, the top 10 risks to your Web Apps are:

Injection flaws
Cross Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery (CSRF)
Security Misconfiguration
Failure to Restrict URL Access
Unvalidated Redirects and Forwards
Insecure Cryptographic Storage
Insufficient Transport Layer Protection

It is evident that OWASP hasn't invented the wheel all over again, and that this list has already been discussed for years. Yet it still falls on deaf ear for many developers - even large development companies.

You can download the full list document here, with detailed explanation of each risk.

Talkback and comments are most welcome

Related posts
SANS Announced Top 25 Programming Errors

Analysis of Windows Security Logs with MS Log Parser

noreply@blogger.com (Bozidar Spirovski) — Thu, 12 Nov 2009 19:10:00 +0000

When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. Security event log is also very useful for analysis when searching for anomalies and possible intrusions.

Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze windows event logs. But before you start going commerical, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!

The tool
The tool in question is Microsoft Log parser. Log parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text based files and the eventlog and AD on a single computer.

You can query remote computers on the network, as long as the credentials that Log parser is running under can access the data sources on the remote computers.

For Security Log, you need to run Log Parser as administrator
Note that this tool doesn't collect data from multiple computers, it just analyzes data in a single file/single computer repository.

The improved interface
In it's original form, Log Parser is a command line tool, so it is not the most user friendly tool in the world. Also, it has no way of saving/storing your prepared queries so you can invoke them later. But a promising developer named Dimce Kuzmanov created a free frontend to Log parser called Log Parser Lizard.

Log Parser Lizard enables you to store the prepared queries, and organizes them by type of data source on which you wish to do an analysis. It also includes the ability to export results to Excel, autogenerates charts on the result of the executed query, or ability to export the queried subset into the original format from which the analysis was performed.

Analyzing the Security Log with Log Parser Lizard
Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:

SELECT * FROM SECURITY - simple dump all data from the security log
SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID - analyze what types of events appear in the security log and in what quantity
SELECT * FROM SECURITY WHERE EVENTID='517' - find whether the security log was cleared in Win2000/XP/2003

After you create the query, choose the apropriate category, then click the 'Generate' button to execute the query. You can also graph the results by choosing the Chart->Visible option.

Conclusion
Analyzing the Security Log is always a useful approach to security controls, so you need to include it in your routine operations. And until you buy a SIEM system which will run an automatic and scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.

Talkback and comments are most welcome

Related posts
Tutorial - Mail Header Analysis for Spoof Protection
Reminder Tutorial - Enable Auditing on Windows 7
Windows 7 Full Disk Encryption with Truecrypt

Role of Information Security Manager

noreply@blogger.com (Bozidar Spirovski) — Tue, 10 Nov 2009 18:35:00 +0000

As the Information Security Manager you will take responsibility for developing, maintaining monitoring compliance of all information security policy and procedures.

The successful Information Security Manager will perform

security risk analysis and risk management,
perform security tests
manage internal audits on information security processes, controls and systems.

You will take responsibility for developing and maintaining the organization's project disaster recovery and business continuity plans for information systems and monitors changes in legislation and accreditation standards that affect information security.

You will provide guidance and consultation on projects for IT Security related risks and issues.

The successful Information Security Manager must be qualified to Degree level in a numerate subject (e.g. Computer Science, maths, engineering) and possess professional level Information Security Certification such as CISA/CISM/CISSP/SSCP. Will possess a minimum of 5 years experience in Information Security Management and be well versed with ISO 27001 accreditation.

This is a guest post by Venu Potumudi, an Information Security Manager. The orignal text is published on Making of ISM

Reminder Tutorial - Enable Auditing on Windows 7

noreply@blogger.com (Bozidar Spirovski) — Sun, 08 Nov 2009 21:11:00 +0000

Auditing is a one of the major tools used in detecting system intrusions or malicious activity on systems and network. And yet, even in the 'secure by design' incarnation - Windows 7, the Microsoft Client OS log event entries in the security log out of the box.

So here is another reminder on how to enable auditing on your system.To enable auditing on a computer running Windows 7, use the same old approach used in every standalone Windows OS starting from Windows 2000 Pro:

Open the Control Panel.
In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit.

We recommend that you audit the following events with the types of audited events specified in the parentheses:

Audit account logon events (Success, Failure) - This setting determines whether the OS audits each time this computer validates an account’s credentials.
Audit account management (Success, Failure) - This setting determines whether to audit each event of account management on a computer.
Audit directory service access (Failure) - This setting determines whether the OS audits user attempts to access Active Directory objects.
Audit logon events (Success, Failure) - This setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer.
Audit object access (Failure) - This setting determines whether the OS audits user attempts to access non-Active Directory objects.
Audit policy change (Success, Failure) - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.
Audit system events (Success, Failure) - This setting determines whether the OS audits any of the following events: Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.

To view the resulting audit events, start Event Viewer and choose Windows Logs -> Security.

Talkback and comments are most welcome

Related posts
5 rules to Protecting Information on your Laptop
TrueCrypt Full Disk Encryption Review
5 Minute Security Assessment

200 Posts on Shortinfosec

noreply@blogger.com (Bozidar Spirovski) — Sun, 08 Nov 2009 20:38:00 +0000

We are celebrating the 200 posts on Shortinfosec

Here are some statistics:

Active for 1 year and 9 monts - Shortinfosec started on 15 February 2008
200 original posts written
60,151 visits since it's active
3 changes of design http://web.archive.org/web/20080407232903/http://www.shortinfosec.net/
2 periods of author's inactivity (very bad form!)

Keep reading, a lot of new content will be arriving soon!

Digital Forensics Framework - A Perspective Forensics Tool

noreply@blogger.com (Bozidar Spirovski) — Sat, 07 Nov 2009 22:22:00 +0000

After Helix Forensic went commercial, the open source Computer Forensics is missing a tool that integrates required forensic techniques as well as Helix did.

The tool
A group which calls themselves ArxSys have developed a Python based Forensic Analysis Tool, which they call Digital Forensics Framework (DFF).

DFF can be installed on Linux and Windows, and is functional even under Windows 7. The general architecture of the tool is to create a central contained program in which different forensic functions can be added as building blocks to create a fully integrated forensic environment.
In comparison, most current open source tools are merely wrappers for a whole myriad of standalone tools.
While this architecture is a visionary one, it's strength is also it' weakness: all functions need to be written for this framework, which will slow down development of the DFF as a full solution. At it's current state of development, DFF can handle disk dumps in FAT, but not NTFS nor memory dumps.

Another very important drawback is that DFF has no functionality for Forensic Acquisition, so the forensic investigator still needs additional tools.

Conclusion
Digital Forensics Framework is still a very 'young' product. It is focusing only on forensic analysis, with no initiative on forensic acquisition and documentation. The strong sides of the product are the flexibility and ease with which new python scripts can be added.
At this moment, it's not the first choice for a Forensic Investigators tool-chest, but we will follow on the development of the product.

Talback and comments are most welcome

Related posts
Tutorial - Computer Forensics Process for Beginners
Tutorial - Computer Forensics Evidence Collection
Competition - Computer Forensic Investigation

Example Risk Assessment of Exchange 2007 with MS TAM

noreply@blogger.com (Bozidar Spirovski) — Thu, 05 Nov 2009 20:29:00 +0000

In our previous post, we discussed the process of risk assessment assisted with Microsoft Threat Analysis and Modeling. While that post was purely theoretical, we are following up with a sample risk assessment of an IT service - Exchange 2007 infrastructure.

The Assessment is based on the prototype design of Microsoft Exchange Infrastructure, and all Exchange roles are treated as separate component/server. An Active Directory domain controller is added to the infrastructure since Exchange is integrated with it. Also, we added a Mailbox database role, just as an example that we can dissect the roles to the depth that we need.

The elements
The analysis contains the following components. Add them to the appropriate container within the MS TAM
User roles

Exchange Admins - all administrators of the infrastructure
Exchange Users - users of all Exchange services
Exchange OWA Users - users of Online Web Access (webmail users)
External mail users - users of other mail servers on the internet

Components with Service Roles

Mailbox Server with Mailbox Server Service Role
Hub Transport Server with Hub Transport Service Role
Edge Transport Server with Edge Transport Service Role
Client Access Server with Client Access Service Role
Mailbox Database with Mailbox Database Service Role
AD Domain Controller with Domain Controller Service Role

External dependencies

External Mail Servers

Data
The data processed within this infrastructure is the following

E-mail message - the main target, the incoming and outgoing e-mail messages.
Exchange address - your e-mail address
Exchange Configuration - All Exchange Roles Configuration - Stored within Domain Controller
Login Credentials - username/password

Use cases
We have limited the use cases to the most basic and essential activities within this infrastructure. For each use case you will need to include the necessary calls to make it functional.

Receive External E-mail
Read E-mail Via POP3 /IMAP/OWA
Send E-mail To Exchange User
Exchange Admins Manages Exchange Accounts
Send E-mail to External Address

Also, the assessment has additional relevancies

Component utilizes Power Supply - The component is susceptible to power failures
Component utilizes Communication Links - The component is dependent on functional LAN/WAN links to perform it's function
Component utilizes Disk Capacity - The component stores data, and relies on disk storage, thus it can lose data of the disk fails, or it's capacity is filled.
Component is a Physical Object - Component is a Physical Object and can be physically accessed, stolen or tampered with, or ultimately, it can fail

The analysis
After setting up these elements, you click the Tools->Generate Threats. Choose Generate Threats based on all of your calls, and use Intelligent Append.
The resulting set of risks can be confusing, since they are autogenerated and have generic names. You will need to read through them, and possibly merge one or more into one, since they can be addressing the same risk.

After you have finished the filtering, you need to define Probablity and Impact of the risk, and select the Risk Response as well as countermeasures from the offered set. This task is very time consuming and often difficult. You should always employ the assistance of a subject matter expert which can give you valuable input.

When you do this for every risk, you have finished the risk assessment The Report As we pointed out in the previous post, the most useful report template for risk analysis does not exist in the predefined reports, but can be downloaded here.
The final risk analysis report for this infrastructure can be downloaded here.
Also, you may benefit from the Comprehensive Report, which is included in the templates of MS TAM.

Conclusion
We hope that this example will help you to in the everyday use of MS TAM as a risk assessment tool.
We are also publishing the entire ACE Threat Model file of this example for download and use.
Please do not hesitate to contact Shortinfosec if you have any questions or issues

Talkback and comments are most welcome

Related posts
Risk Assessment with Microsoft Threat Assessment & Modeling
Reduce Risks in Projects with 'Deal Breakers'
Tutorial - Secure Web Based Job Application
Information Risks when Branching Software Versions

Risk Assessment with Microsoft Threat Assessment & Modeling

noreply@blogger.com (Bozidar Spirovski) — Tue, 03 Nov 2009 20:36:00 +0000

Every organization has some form of Information Security Risk assessment. Some perform a formal risk assessment, others simply use their practical experience. Whatever method is chosen, it always help to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.

The tool
There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice. Microsoft has also created MS Threat Assessment and Modeling - a tool that although designed for a slightly different purpose, can easily be used for Risk Assessment.

The process
Performing risk assessment with MS TAM is easy once you understand the components and the process.
Components of the MS TAM Analysis

Roles – Functional Identities involved in the assessed process/system; these can include both service identities and human identities
Components – System elements used in the involved in the assessed process/system – most commonly servers or subsystems
Data – Data stored and processed in the involved in the assessed process/system – in effect ANYTHING THAT TRAVERSES THE components
External Dependencies – Any external elements including data, components or roles from other processes or systems
Use Cases – the steps involved in operating the system/performing the process
Relevancies – characteristics attributed to any component that relevant to the components method of operation and open a possible vector of attack
Attacks – methods of compromising or destroying a component via misuse of characteristics of one or several relevancy attributed to the component
Threats - the assessed threats to the system. This component will be used to generate and assess the risks

The process consists of the steps/phases

Step 0 – Before starting anything, know your system/process/company. You will need to simulate and configure all relevant elements of the assessed system/process/company.
Step 1 – Define Roles - Define the logical groups of users involved in the system/process/company that is assessed
Step 2 – Define Components and Data - These are the building blocks of the system/process. Data traverses components and is accessed by users and components
Step 3 – Update and Define Relevancies - Create or update relevant attributes that define behavior of a component. For instance, a relevancy is that a component uses power supply, therefore it is susceptible to the risk of power failure. Add new relevancies for your specific components
Step 4 – Update attacks - Attacks are methods of misusing relevancies. Update the current attacks with specific ones - if you have them. If you have created new relevancies, create the attacks that compromise them. For each attack, include countermeasures that mitigate this attack. For instance, if the attack is power supply brownout, one possible countermeasure is an in-line UPS that acts as a voltage stabilizer.
Step 5 – Define Use Cases and Calls- The Use cases are the steps in the process, or the way a system is operated/used. Without the use cases, the risk assessment cannot be performed. For instance, one use case for a mail server system is the reception of an e-mail from an external mail server (from the Internet).
Step 6 – Model Risks - After you have modeled your system, generate the Threats, and analyze them one by one to assess frequency and impact, and define countermeasures from the offered possibilities. At the end of the process, the finalized threats are the risks to your system.

NOTE: It’s very important to be very meticulous about the relevancies – the attributes of the components. Choosing well in this step allows good modeling of attacks and the more automated risk model is created

The results
After completing the process, the end result is the report set. The MS TAM has a predefined set of reports. Since MS TAM is primarily targeted at software development, the generic reports may be found to be lacking. The most useful report is the comprehensive report, which includes nearly all information. But it is still lacking a report which summarizes the risk assessment parameters:

Impact
Probability
Risk Rating
Risk Response
Countermeasures

To address this, Shortinfosec has created a custom report for MS TAM 2.1 which can be downloaded here. Just place the file in the MS_TAM_INSTALL_FOLDER\Graphics\Reports\Custom and choose Custom Reports, risk_report.xslt

Conclusion
MS Threat Assessment and Modeling 2.1.2 may not be the best tool for Risk Assessment. It may not match your Risk assessment methodology to the letter, nor does it deliver the final result out of the box. But unless you have a better tool, it is very usable, since it controls the process, and with MS TAM you will always follow the mindset of risks, threats and impact.
And of course, until you have a better product, use the one that is readily available!

If anyone encounters a problem or has a question with using MS TAM, just leave a comment, or send me an e-mail

Talkback and comments are most welcome

Related posts
Example Risk Assessment of Exchange 2007 with MS TAM
Reduce Risks in Projects with 'Deal Breakers'
Tutorial - Secure Web Based Job Application
Information Risks when Branching Software Versions

Nessus vs Retina - Vulnerability Scanning Tools Evaluation

noreply@blogger.com (Bozidar Spirovski) — Fri, 30 Oct 2009 19:10:00 +0000

We have mentioned our favorite vulnerability scanning tools in this blog. But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.
UPDATE: After the constructive input from Michael A. in the comments, we have reworked the test for Nessus, to achieve more comparable results.

The Test Environment
The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.

Nessus server and client were installed and updated to the latest plugins.
Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used what updates are included in the build.

The target was Damn Vulnerable Linux (DVL) version 1.5 installed as a VMWARE host with bridged networking on the same host PC as the vulnerability scanning tools. The network of the DVL target was bridged, and all firewalls (both of the host OS and the guest OS) were disabled. The DVL was started with the following services, with default settings and content as included in the distro.

MySQL
HTTP
IPP Printer sharing which was active by default

The Scanning Process
Both scanners were started with setting on full port scan, with disabled safety of scanning, and all available plugins were activated. NOTE: Since Retina does not have WebApplication Analysis, Nessus was run twice, once with WebApplications disabled, and once with WebApplication enabled in order to do a meaningful performance comparison.
Performance

The Nessus scanner without WebApplication scan took 8 minutes to complete the scan
The Nessus scanner with WebApplication scan took 67 minutes to complete the scan
The Retina scanner took 38 minutes to complete the scan

Results

Both scanners failed to identify the target operating system

The Nessus scanner identified the expected open ports, concluded that MySQL does not accept connections from unauthorized IP's. On a repeat scan, it regenerated the same results.
You can download the full report of the Nessus Scan Here
The Retina scanner identified HTTP and TCP port 631 (IPP Printer Sharing). It did not identify the MySQL port as open. On the Web server, it identified a significant number of vulnerabilites, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
You can download the full report of the Retina Scan Here
The Nessus Scanner running the WebApplication Scanning repeated the previous results and additionally it identified a significant number of WebApp vulnerabilites, and collected information from HTTP through web mirroring.
You can download the full report of the Nessus Scan with WebApplication Scanning Here

Conclusions
Both scanners performed a very well vulnerability identification but missed the OS identification. Also, both manifested flaws:

Nessus missed the IPP port every time
Retina manifested erroneous scan results, identifying different ports and vulnerabilities during different sessions - while no configuration changes were made to the test environment.

In terms of speed, without WebApplication Scan Nessus performed much faster then Retina. On the other hand, with active WebApplication Scan, Nessus was much slower then Retina.
In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful in HTTP.

It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability test. One must also utilize network mapping (NMAP, LanGuard), OS identification (NMAP) and specific application vulnerability scanners (ParosProxy, WebScarab for Web) for maximum effect.

In a direct comparison, Nessus wins because

Retina manifested erroneous results on repeat scans,
The Nessus package includes a WebApplication scanning module, which in eEye products needs to be purchased as a separate application

Talkback and comments are most welcome

Related posts
System Hardening Process Checklist
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks
Checking web site security - the quick approach

New Version of Microsoft Baseline Security Analyzer

noreply@blogger.com (Bozidar Spirovski) — Wed, 28 Oct 2009 21:13:00 +0000

Our Microsoft Baseline Security Analyzer scanner has just reported that a new version (2.1.1) is available. It can be downloaded from the following URL
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en

We were disappointed to see that the 2.1 version did not work properly on Windows 7 - it just reported that the computer is not a Windows NT/2000/XP/2003 computer.

The 2.1.1 does not provide any new major functionality, but now it is fully compatible with the current version of Windows.

You can download the baseline that we did on our demo Windows 7 laptop here

Talkback and comments are most welcome

Related posts
Windows 7 Full Disk Encryption with Truecrypt
WMI Scanning - Excellent Security Tool
Example - Bypassing WiFi MAC Address Restriction

Windows 7 Full Disk Encryption with Truecrypt

noreply@blogger.com (Bozidar Spirovski) — Mon, 26 Oct 2009 18:30:00 +0000

After the TrueCrypt Full Disk Encryption Review and the 5 rules to Protecting Information on your Laptop, we are following up with a practical test of full disk encryption of Windows 7.

Shortinfosec is a great promoter of full disk encryption of laptop hard drives, and we have been using Windows 7 for several months now. On 21 Oct 2009, Truecrypt published the version 6.3 which has full support for Windows 7. Of course, why go for an open source product instead of the native BitLocker? Well, Microsoft with it's product strategy includes BitLocker only in Ultimate and Enterprise versions of Windows 7!

Can someone say 'huge security misstep' - especially for the Windows 7 Pro users?

Encryption
Naturally, Shortinfosec started with a full disk encryption test on a laptop. The laptop has the following configuration.

2.1 Ghz Core2Duo CPU
3 GB of RAM
320 GB of disk drive
NVIDIA graphics
Windows 7 Pro 32 bit operating system

The process is the same as already described in TrueCrypt Full Disk Encryption Review. The installation of the TrueCrypt is so generic that even the most inexperienced users should have no problems whatsoever.

The actual encryption is lasts between 6-7 hours. After it finishes, you have an encrypted system drive. If absolutely necessary, you may even use the computer while the drive is being encrypted, but you won't be very productive.

Performance test
The laptop had a passmark test run before and after the encryption. We focused on CPU and HDD performance, since these areas are impacted when using an encrypted file system.

The test results are presented on the following screenshots. The overall performance of the Test Laptop is marginally better for the non-encrypted disk clone. The disk drive is most impacted on the random read/write test.

The results in red color are before the encryption
The results in green color are after the encryption

Conclusion
Encrypting the entire hard drive of Windows 7 may not seem to be a natural choice, but the product strategy of MS opens up an opportunity for products like Truecrypt.

Encrypting the entire hard drive will cause performance reduction of the disk subsystem, but the performance reduction on our system is so minute that it is just ignored by everyone.

Talkback and comments are most welcome

Cracking a TrueCrypt Container
TrueCrypt Full Disk Encryption Review
Tutorial - Hidden Operating System with Truecrypt
Tutorial - A Poor Man's Secure USB

Tutorial - Free Auditing of Active Directory for Information Security

noreply@blogger.com (Bozidar Spirovski) — Sun, 25 Oct 2009 17:56:00 +0000

Active Directory within a large organization goes through a lot of changes throughout the day. There are a lot of possibilities for error, creation of accounts with high privileges or missing the disabling task on an employee leaving the company.

Information Security Teams need fast and easily readable auditing, possibly with automation.

The tool
While there are several excellent products that perform this function, auditing of Active Directory can become a costly endeavor. NetWrix has a free version of their Active Directory Change Reporter. It can be installed on any computer that is a member of the domain. Here is a screenshot of the configuration screen:

The process
The auditing is performed by taking a 'snapshot' of the Active Directory Domain state at scheduled intervals. This snapshot is stored in a directory, and can be used to create HTML reports of the changes that happened between two 'snapshots'. There is even an automated reporting which will deliver report on changes to the directory at predefined schedules.

The report clearly displays what objects have been added, removed or modified within the Active Directory Domain. Ofcourse, additional history like who made the change and when can be obtained via the commercial version, but even in the free version it produces a nice set of information.

Here is a screenshot of the report

Conclusion
While the Free version of NetWrix is far in functionality from the big players, it provides an clear and automated reporting. It is a good choice to start with the free version, and prepare for purchasing a commercial tool by learning from it and noting which functionalities you require that this tool does not deliver.

Talkback and comments are most welcome

Related posts
Controlling Firefox Through Active Directory

Evaluation of Security Information Event Management Systems

noreply@blogger.com (Bozidar Spirovski) — Wed, 01 Jul 2009 19:39:00 +0000

Evaluating Security Information Event Management (SIEM) solutions come in a lot of different flavours. The industry is not yet mature, and the competitors are pushing their own solutions, based on their background and capabilities. In general, they will all present more or less the following configuration model for the SIEM implementation.

But other then the generic model, a lot of things are different. So, in order to sift through the multitude of solutions, the buyer needs to ask the real questions. Here are some of the key questions that need to be taken into consideration:

Is it possible to place an agent on the server machines - Certain SIEM solutions do not properly support remote collection of OS or application logs so they need a server side agent to do the job. On the other hand, most business critical systems are tightly controlled and do not allow for additional resident programs to be installed on the system for the risk of possible performance or reliability issues
Are there any custom applications that generate logs that needs to be collected by the SIEM? - The organization may require that the SIEM also collects and parses such logs, but proper parsing ability needs to be verified with a large sample of logs during a proof of concept run.
Is there any international standard or regulation that is mandating the SIEM solution - whatever standard needs to be met has a set of predefined controlling reports that confirm compliance to the standard. You need to confirm that the SIEM solution can produce the needed reports.
How long will you need to keep logs and conclusions online and offline? - data retention is key to such a massive collection of information. Typically, a SIEM system needs to be able to archive all historical events to external data storage, and preferably, the archival process should include an integrity control (MD5 or SHA1 hash) that guarantee that the logs haven't been tampered with while in archive.
What type of processing and alerting is required?-

Proper answers to these questions will most likely eliminate the non-acceptable solutions, and will ease the evaluation process of the qualifying shortlist.

Talkback and comments are most welcome

Related posts
Real Benefit of Security Information Event Management

Real Benefit of Security Information Event Management

noreply@blogger.com (Bozidar Spirovski) — Sun, 21 Jun 2009 08:34:00 +0000

Security Information Event Management is the echoing buzzword in most industries these days. Banking, Telecommunications, Power and Energy - anyone and everyone is under internal audit and regulator scrutiny to implement a Security Information Event Management system.
But most Security Information Event Management implementations are rushed and placed only to shut up the auditors and to go on as usual. Since it's a compliance requirement, the Security Information Event Management salespeople very rarely address whether the customer makes proper use of the solution, and whether this solution brings benefits to the company.

The common issue
SIEM is a Security Officer tool, but since it tightly integrates with IT equipment, the SIEM implementation is usually left to IT departments. The issue with this is that IT will approach the implementation from a purely technical aspect: how to properly connect the IT equipment to the SIEM system.

Once the SIEM system is collecting audit logs and events from all required IT elements, the job is done. At most, a retention policy and archiving is also done by IT, and the story ends there.

The real benefit
Any SIEM system is simply a large database collecting massive amounts of events. But if one does not use these events, the system is placed there just as a form, and brings only costs to the company. Here is what you'll need to set-up to achieve benefits of a SIEM system

Choosing what is most important to be alerted about - While some automated alerts and analysis are available within all SIEM systems, the generic alerts are rarely well matched to a company. For example, a generic alert may be triggered by consecutive failed attempts followed by a successful logon, but may not be triggered on a configuration change of a firewall. The first event was merely an employee trying to remember his password, and the config change of the firewall just opened up your network to some attack
Alerting the proper person/team - The alerting means nothing if the alert does not arrive to the proper person to react in the fastest possible time. A 'transaction log is full' means little to a network admin just as SYN flood may mean absolutely nothing to the DBA. And both will mean not too much to the head of the department, if one chooses to send all alerts to the manager.
Creating and using the proper reports - Some SIEM systems come bundled with reports, other sell the reports as packages. But the vanilla flavour reports may not always be useful to the organization, so the correct report definition should be prepared and implemented during the SIEM implementation. This way the company will know that these reports are to their specification, and even more, that the data needed for this report is collected by the SIEM system.

Talkback and comments are most welcome

Shortinfosec ReBoot

noreply@blogger.com (Bozidar Spirovski) — Wed, 10 Jun 2009 20:19:00 +0000

I have taken a sabbatical from blogging to rest and focus on other issues. This period is now finished, and Shortinfosec will continue with the regular posts!

5 biggest mistakes of information security

noreply@blogger.com (Bozidar Spirovski) — Wed, 22 Apr 2009 13:38:00 +0000

Does your information security implementation suffer from mistakes in approach? Everyone is focused on information security, and security is a constant addition into every corporate mission statement. And yet in nearly every security implementation there is a recurring range of mistakes in information security. Here are the most common five

Focusing primarily on perimeter security - Put in firewalls and other firewalls behind those firewalls, and some IPS in the middle, and set them all up to defend the Internet link of the corporation. And that's it, no need to do anything else. Sounds familiar? Defending the perimeter is important, but it's not the only point of security strengthening. A successful attack does not try to punch a hole through the thickest wall - it finds a way to bypass such walls. Security needs to be layered and focused at properly protecting information storing and processing resources.
Relying on hard coded elements - whether it be a hostname, an IP address or a username/password pair, hard coded elements in a file open a gaping hole in security. Anyone managing to read or disassemble the file has access to a nice set of information very useful to attack. Always rely on user input elements or single sign-on instead of hard coded elements.
Trusting people - Any casino owner will tell you the grim truth - 30% of employees are out to steal from you. This is true in any industry, and by the way, you can never know which are included in the 30%. Therefore, implicit trust and saying "he/she can never do us harm, the loyalty is too great" will only land you in trouble. Always enforce security rules and policies for every process and employee.
Relying on an issue being fixed in the "other element" - "This will be fixed in the program", or "This will be fixed in the database". Finding an issue and hoping that someone else will fix it is stupid to say the least. Address the issue immediately, for noone else will!
Improper discarding of documentation - Hundreds of thousands of confidential documents are thrown into the garbage every day - even whole laptops which are for some reason not functioning properly. This act of simple neglect of unnecessary information is the nicest (and most legal) way of information and identity theft. Institute simple procedures for information destruction, ranging from paper up to malfunctioning hard drives. The technical resources needed for this are inexpensive and plentiful!

Do you have an example of mistakes? Add it in the comments!!!
Talkback and comments are most welcome

Related posts
3 Things no book about hacking will ever tell you
5 SLA Nonsense Examples - Always Read the Fine Print

SUN Purchase Analysis

noreply@blogger.com (Bozidar Spirovski) — Mon, 20 Apr 2009 21:41:00 +0000

Oracle owns Sun. It moved to acquire the failing giant ahead of IBM and now it has access to a great amount of installed base of Sun servers. But what will Oracle do with a hardware company, and what will remain of it after Larry Ellison is done with Sun?

Hardware - Oracle has it's R&D focused on databases, and to some extent on underlying operating systems. But Oracle does not want to meddle with expensive chip research just to maintain the SPARC platform. So servers division will go on sale to HP, IBM, EMC, Dell or some venture capital firm - lock, stock and barrel.
Solaris - A wonderful OS, leader in many platforms. Oracle will want to make it's DBMS one-click installable on an empty machine, so Solaris for Intel will probably be the weapon of choice for this move. But in the process, Solaris will become an embedded
MySQL - a possible casualty of the RDBMS war - Oracle will need to position this product carefully, to be less competitive with Oracle RDBMS and more competitive to embedded databases and free competition. If Oracle cannot do this, they'll most probably let MySQL die of age by simply not developing it any further.
Consulting division - Some will be cut-off, some will become Oracle consulting and integration, to take even more off the high-margin integration consulting business
Open source initiatives - THE BEST PLACE for developer breeding. If Oracle retained any smarts, it will maintain the strong support to open source, but steer it towards Oracle as development platform.
JAVA - The weapon of mass destruction for Oracle - Just like open source initiatives, excpect that Java will continue to flourish - simply because Oracle wants more and more software that will use their databases.

In any case, things won't be the same. It is sad to see another one of the high quality system giants go.

Related posts
HP partners with Sun - Anybody remember Digital?

5 Minute Security Assessment

noreply@blogger.com (Bozidar Spirovski) — Wed, 15 Apr 2009 18:51:00 +0000

A security assessment is a big deal. It takes a lot of time, requires a good chunk of budget since it is done by independent consultants and the outcome is at best 'OK, but could be better'.

For all these reasons, as well as some egoistic ones which won't be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.

While the real thing may take time, budget lobbying and guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling where are you standing. You can do this assessment on your own time, and no one needs to know the outcome.

Assessment instructions
Answer each of the questions truthfully with a yes or a no. If it is partial, write it up as a no. For each answer add appropriate number of points to a total score (indicated on each question). After finishing with all the questions, sum the score and find the appropriate assessment result depending in which interval your score fell.

Assessment questions

Do we have a firewall active at all ingress points of the network? Yes - 5 points, No - 0 points
Does our team control all firewalls? Yes - 5 points, No - 0 points
Do we have the following basic technical policies in place? Add 1 point for each policy in place

password complexity
password retention
password history
logon hours
controlled registry editing

Does everyone in the organization have their own individual and unique username for all activities? Yes - 5 points, No - 0 points
Do we have logon/logoff auditing active on all servers and stations? Yes - 5 points, No - 0 points
Do we have a testing environment for patches, new versions and new software before it is rolled out into production? Yes - 5 points, No - 0 points
Do we have written procedures for regulating the above questions as process? Add 1 point for each procedure in place

Assessment results

30-36 points - Very good security posture - You have the basics of a great security governance. Continue developing in both the procedural and technical levels of security.
20-30 points - Acceptable security posture - You are lacking in written procedures and change management, but basic technical security is at a good level - you need to work harder on formalization
10-20 points - Basic security posture - Very basic security, lacking in any formal process of security, and also probably missing elements in auditing, ingress path control and technical policies. You need to go a long way, and you should have started yesterday!
0-10 points - Disaster waiting to happen - So you have firewalls? Really? And maybe you've even plugged them in? Hire a good security expert - after firing your current one and start getting somewhere

Talkback and comments are most welcome

Related posts
Quick and Basic Security Assessment for Databases
WMI Scanning - Excellent Security Tool
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

3 Things no book about hacking will ever tell you

noreply@blogger.com (Bozidar Spirovski) — Mon, 13 Apr 2009 11:23:00 +0000

There are tons of books which 'teach' you on how to become a hacker. Some boast to make you a hacker in XX number of days, or brag about being authored by the greatest experts in the field, or some other commercial mumbo-jumbo.

But is there any great wisdom in those books? No, and they are not even good at teaching technology.

Here is what hacking books will NEVER tell you:

Being a hacker requires a HUGE amount of learning - All hacking books tell you that you need a lot programming knowledge, a lot of TCP/IP knowledge, and some of them will try to cover the basics. So look around you, these guys are usually the 'gurus' at this and that company, and have a much nicer title - usually it's infrastructure architect, chief designer or something along those lines. And these guys became that by working overtime, nighttime, at home, over weekends, missed vacations and built systems from the ground up. It took a lot of dedication and a whole lot of time to reach that kind of knowledge.
Being a hacker is very rarely (if ever) a glamorous thing - Most hacking activities are not legal, therefore the prominent or established hacker has to watch his/hers back, remain undercover and rarely trust anyone. Even if you employ your skills for patriotic or political goals, you'll be a hero somewhere, but an enemy elsewhere. Oh, and noone will ever make a movie of your achievements and exploits!!!
There are few people which earn a legal salary as hackers - hackers are usually hired to do 'dirty' jobs, or at least jobs of questionable legality. So apart from earning money, these jobs leave the hacker always looking over his/her shoulder for investigators or the police. If you are thinking about penetration testing, think again - hackers are not hired outright for such jobs since penetration testing consent requires an enormous amount of trust in the pen-tester. These jobs are mostly landed by 'white-hat' pen-testers with excellent public track record.

On the other hand, if you maintain your learining and studying to be a hacker, you will build excellent technical expertise. Focusing your skills not as a hacker, but as a technical expert will bring you a good name, a lot of conferences where you'll do presentations and a lot of contacts in the expert field of IT.

Talkback and comments are most welcome

Portrait of Hackers

Hunting for hackers - Google fraud style

Cloud Backup - A gamble on several levels

noreply@blogger.com (Bozidar Spirovski) — Wed, 08 Apr 2009 07:21:00 +0000

Online or cloud backup was one of the buzz words of cloud computing, and was actually leading the wave in terms of commercial implementation. Hewlett-Packard had it's Upline service, Yahoo had it's Briefcase, IBackup is going strong. But the market for online backup is still quite volitile.

For instance, HP has decided to shut down Upline, without much explanation to the customers. It went down on March 31, 2009. Oh, by the way, Yahoo closed shop at Briefcase on March 30, just a day earlier!

In the meantime, the big players are repositioning: EMC purchased Mozy - an online backup startup, and is pushing the service strong. And there are still new players on the field - COMODO has just announced their online backup service. And we are hearing that Symantec is also going into the online backup business!

With all these events, several questions regarding the entire Online Backup solution surface from the murky deep

Who uses whose infrastructure? - the simultaneous closing of two major services (HP Upline and Yahoo Briefcase) may be a simple coincidence. But, on the other hand, it is a 'cloud' service, thus one service may outsource it's physical storage to another vendor. This leads to all kinds of unanswered questions like

Who else has access to the backed-up data?
Is the advertised availability actually achievable?
Can we loose the backed-up data if the outsourced provider fails financially?

Is your online backup actually safe? - While technical security measures can be implemented and documented, corporate decisions fall way outside of the scope of the service. And corporate decisions may include layoffs, selling of assets, closing of divisions, even selling of the entire company. And in such conditions, the service provider's employees could care less about some Joe Average's online photo collection or sales reports
Can you define a long term data retention policy and rely on online backup to meet it? - HP is a HUGE company. And it failed to deliver a long-running service. One may discuss that HP is primarily a hardware vendor, but nevertheless, as a large company is always interested to present itself as a serious long-term partner. And yet, it closed it's service. So, who can tell what will happen to the other Online Backup service providers?
Which service provider is the right choice for Online Backup? - Again, HP and Yahoo are large, and closed up shop. Other service providers are all over the place: From start-ups, through venture capital funded firms up to large players who purchased smaller ones. Which one will prove to be the best, and which one will actually deliver on the promise

There are no definite answers to these questions. But in a time of economic instability, the services and service providers can find themselves in all kinds of trouble , relying on online back-up without a second option feels a lot like gambling. And gambling on technical, financial and business level.

Talkback and comments are most welcome

Related posts
3 Rules to Prevent Backup Headaches
Cloud Computing - Premature murder of the datacenter
Know the Difference - Backup vs. Archive
Security Concerns Cloud “Cloud Computing”

Shortinfosec is Acquired

noreply@blogger.com (Bozidar Spirovski) — Wed, 01 Apr 2009 06:04:00 +0000

Yesterday, after a month of negotiations, G-M Venture Investment Fund purchased the Shortinfosec blog.

The price of the entire deal is $100,000 US.

The blog was purchased in it's entirety, with all text copyright going to G-M Venture, and including the physical assets of Shortinfosec:

3 Backtrack DVDs
3 Helix Forensic CDs
1 Noname Pentium 4 Desktop PC
23 VmWare virtual machines with labs
1 250 GB Truecrypt encrypted Hard drive with lost password

Under the terms and conditions, the purchase amount will be paid in cash, in Zimbabwean dollars. The previous Shortinfosec owners are eagerly awaiting the tanker load of cash to close the deal.

According to G-M official, to minimize the risk of being short in the payment due to the inflation of the Zimbabwean dollar, they have sent three tankers of cash. Whatever is left after the transaction will be used as landfill mass in a nearby harbor.

And ofcourse, Happy April Fools day!!!

Quick and Basic Security Assessment for Databases

noreply@blogger.com (Bozidar Spirovski) — Sun, 29 Mar 2009 19:44:00 +0000

When preparing a database solution, one must always make sure that the security of the database is up to specification. The first step in proper securing of the database is a security posture assessment.

While there are a lot of tools that will do this for you, Imperva has a free tool named Scuba that will do very basic but very fast database security posture assessment.

To use Scuba, just download and extract the zip file to a folder. Input the DBMS connection parameters, test the connection and press Go.

After Scuba finishes the assessment, it produces an XML report. To review it in a human readable form, choose the level of detail from the report templates (Summary, Assessment with details, Assessment without details) and generate the HTML.

Here is a screenshot of the generated assessment report

The level of the report quality is basic, but it will point you in the right direction by sifting through the well known attack methods and vulnerabilities. One must not rely simply on this tool for database security, and should employ other relevant tools.

User warning: Since the tool comes with NO DOCUMENTATION, here are several warnings and tips that will ease your usage

Since Scuba is a Java based tool, it requires JRE to work. Also, in order to connect to MS SQL RDBMS, you must have a Microsoft SQL Server JDBC Driver installed.
The error messages are logged but there is no user friendly message when an error occurs. In order to debug possible problems, look for the 'scuba-error.txt' file and read through the Java exceptions recorded.
The 'scuba-error.txt' file is appended, so the last error in the file is the one that hit you. For easier debugging, delete the scuba-error.txt after each session to limit the errors from the current session only.

Talkback and comments are most welcome

Related posts
Thrown in the Fire - Database Corruption Investigation
SQL Server Bulk Import - BCP HOW TO
3 Rules to Prevent Backup Headaches

Creating BackTrack4 Pentest Virtual Machine

noreply@blogger.com (Bozidar Spirovski) — Sun, 22 Mar 2009 20:02:00 +0000

BackTrack4 is an excellent Penetration Testing Distro, but in the LiveCD version it is quite crippled:

There is no possibility to install additional software
There is no possibility to create custom scripts
All attacks need to start from scratch

In order to alleviate this issue, there are several options. My most flexible solution is to create a VMware virtual machine with the installation. Since BackTrack4 has no installer included, here is a brief tutorial with the scripts included.

Preparation
Create a Virtual Machine as Custom Linux, and Choose Ubuntu as the assumed Host Operating System
Choose a SCSI Hard Disk of at least 5GB (We recommend 8GB)
Boot the Virtual Machine from the BackTrack DVD

Creation of Partitions
After booting, log-on and partition the SCSI Hard Drive (/dev/sda)
Create 2 primary partitions, one for BackTrack, Linux - type 83 with at least 4 GB space, and one Linux Swap - type 82 of 512MB

fdisk /dev/sda

After creating the partition table, format the BackTrack partition

mkfs /dev/sda1

After formatting, mount the partition

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1/

Copy the BackTrack Data
Create the copying script in the root's home directory

cd
vi create_bt_disk

Paste the following text in the VI editor and save it

list=`cd /;ls -l|awk {'print $8'}`
for i in $list
do
if [ "$i" = 'mnt' -o "$i" = 'proc' -o "$i" = 'sys' ];then i='root';fi
echo $i
cp -pR /$i /mnt/sda1
done
mkdir /mnt/sda1/sys
mkdir /mnt/sda1/proc
mkdir /mnt/sda1/mnt
echo 'Done'

Make the script executable and run it

chmod 755 create_bt_disk
./create_bt_disk

Finishing Touches
After the script finishes, change the root directory to the disk drive in order to make the disk bootable

mount --bind /dev/ /mnt/sda1/dev/
mount -t proc proc /mnt/sda1/proc/
chroot /mnt/sda1

Run LILO to write info to the MBR of /dev/sda. NOTE: The default lilo.conf works with disk /dev/sda and partition /dev/sda1. If you have a different disk configuration, you need to change the /etc/lilo.conf appropriately before running LILO

lilo -v

All done. Just reboot and remove the BackTrack DVD

reboot

We hope that this tutorial eases your use of the BackTrack suite.

Talkback and comments are most welcome

Related posts
BackTrack 4 Penetration Test Distro - First Glance

BlogTipz hack - The BlogTipz editor response

noreply@blogger.com (Bozidar Spirovski) — Fri, 20 Mar 2009 19:38:00 +0000

We received the reply from the editor of BlogTipz.

From the info, it seems that the hack on BlogTipz is merely a target of opportunity.

The hack method is probably not related to error of WordPress, but the editor of BlogTipz does not reveal the actual attack method.

At any rate, blog masters everywhere need to maintain blog security high on their list of priorities

Here is the reply in full

Yes, I was going to possibly write a post on the blog, because I was not aware of it (it could have been up for 12+ hours). They simply changed the login name and password and injected in a new index (main) page, so it was rather simple to recover (within an hour).

I will be securing WordPress even more form this day forward to prevent it form happening on other sites. I was using a current version of WordPress. The attacker was called "North-Africa Security Team" and appears to be one of the most popular hackers in terms of results (~14 million).

If you need any further information, please inform me. I will be informing readers about this soon.

And, thanks for informing your readers about this.

Talkback and comments are most welcome

Related posts
Blogtipz Hacked

Blogtipz Hacked

noreply@blogger.com (Bozidar Spirovski) — Wed, 18 Mar 2009 19:36:00 +0000

Today, blogtipz.com - a good internet blogging site got hacked. The attack is a simple defacement attack, and the signed culprits are Dr.0rYX|Cr3W-Dz.

Here is a screenshot of the hacked version of the blogtipz.com site

With the little information available, the most probable attack vector is a vulnerability in the implemented version of Wordpress. We are including two screenshots of the original (google cached and after the defacement was fixed)

We have submitted the following questions to the editor of Blogtipz

1. Did you get threatened by the hacker teams that hacked the page?
2. How much time did it take for you to recover from the hack?
3. Did you discover the attack vector, and would you share it?
4. Is your Wordpress now patched against such attacks?
5. Any message on your side for the readership?

As soon as response is back, we'll post the response.

Talkback and comments are most welcome