JACADIS Thought

My 14 year old son texts me sometimes while I am working.  He knows what we do at JACADIS and thinks it’s the coolest job on the planet (I agree!)  A recent exchange of messages flowed something like this:

B: “Sup?”

Si: “Testing a network”

B: “How long to break-in?"

Si: “Seconds”

B: “Crappy network!”

His last text made me pause and think.  I guess I could agree. After all, it did take a matter of seconds to get root access on a server containing confidential data.  But is the network crappy?  Let’s see:

• The network is always available
• The applications which ride on top of the network are always up
• Critical business units can access network services when needed and without interruption

Sounds like the network is functioning well.  Perhaps what he meant to say was “crappy security!”  Let’s test that.  The security program includes…

• A Cisco ASA with a very strict inbound and outbound access-list (firewall policy)
• A separate in-line, deep packet inspection IPS sensor
• Hosted content filtering and URL inspection (forced proxy)
• Managed Antivirus/Anti-spam services
• Desktop and server Antivirus
• A dedicated security staff with access to IT specialists in other units as needed
• Established and current security policy, sign-off by employees, and annual review
• Periodic security reminders as threat conditions change on the Internet, i.e. new worm, phishing scheme, etc.

Not bad.  In fact, this is actually better than some of the HIPPA, SOX, and PCI regulated organizations that we’ve had the privilege to work with.  So, this client’s security isn’t “crappy” either. 

I was born in England.  I coach soccer and my son plays as well.  It’s in the blood, so to speak, so I thought a soccer analogy might resonant with him…

Si: “Crappy?  Yes and no… When u lose a soccer game it’s not because ur team is crappy.  Ur outplayed, out skilled.  It’s team execution – all parts must work together.”

B: “And that’s why they call you in!”

Si: “Yep!”

Was I suggesting to my son that we out skilled our client? Or that our team was better than their team? In a sense, yes, but more importantly this metaphor was hatched:

Cyber criminals and hostile nation states execute a highly skilled game with precision and power.  The defensive tactics that previously kept the “hackers” from scoring is insufficient against these premier league tactics.  They have stepped-up their game… brought it to a new level.   

If JACADIS penetrates your network in seconds, it doesn’t always mean “your security stinks!”  It means our team tactics and strategy surpass what you have installed or even considered.  What worked 2 years ago, is not good enough today.  10 foot wall … 11 foot ladder. 

Key points?  Adapt.  The adversary has.  If you don’t know where to start, begin with a framework that makes security a living, integral part of your organization…ARMED.

-- Si

This isn't earth shattering news... but it does speak to this:  Expect the bad guys to use familiar tools (things you use each day) to gain access to personal information.  Why Adobe?  Why not!  It's free and many people use it.  In fact, the JACADIS security team uses "infected" Adobe PDF files to evaluate how well employees follow basic security awareness rules.   We also use it to test assumptions regarding how well a company's prevention, detection, and response safeguards stand-up to cybercrime-like attacks. 

A couple days of "harmless" and tactically sent Adobe attachments and links confirms several things every company needs to know:

1. Do our inbound content filters prevent malware from entering the corporate network?
2. What about the desktop? Does the host AV/IPS detect when the callback agent embedded in the Adobe file phones home?
3. Do outbound web content filters categorize the "call back" location as malicious?  Is it categorized at all?
4. And the SIM... Oh, the SIM .  Does it intelligently correlate all of this activity, relatively obscure in its parts, but significant as a whole?

Perhaps you'd be surprised if I told you most people can't even answer yes to at least one of these.  What's more, we don't go through great lengths to hide our call back servers or encode our traffic.  We keep it simple.  And simple works.  

Simple worked at a public insurance company, even with several layers of security deployed like Cisco IPS, ASA, CS-MARS, McAfee antivirus, and hosted AV/SPAM filtering.  We phished our way onto the network in two minutes.  Nothing logged our activities.  Thank goodness we're the good guys.

If you think "deployed" means "secure"... think again.  If you have doubts, drop me a note.  I'd love to hear from you.

-- Simon

A question was recently posted to the Federal Secure Software Advisory from Fortify:

“In my company, there are conflicting opinions on how much time we should spend training developers in hacking techniques versus writing solid code. What do you think? Should we spend 50 percent of the time on each? Or 20/80? I'd be interested in hearing about what others cover in developer training.”

I think it’s outstanding that companies are thinking like this.  Let me offer an expanded version of my answer:

It is my practice to recommend an 80/20 to 70/30 range. But, how much time you allocate should consider the types of applications that are developed by your team. While most exploits have their roots in the same mistakes such as unchecked buffers and unsanitized inputs, etc., the mechanics of how they are exploited over the network against Linux desktop may not be time well spent for a .NET web developer focused on Web 2.0. In fact, too much information, especially for developers with limited security exposure, may dilute your training efforts altogether.  This leads to a critical learning concept that I like to capture in three sentences:

Tell me and I may not listen

Show me and I may not watch

Involve me and I will learn

Catchy, but what does that really mean?  It means, take advantage of how the human brain works by maximizing all the senses; not just hearing and sight, but tactile as well.  And by making it personal, you make what is learned readily applicable. This is too important to miss since companies are doing more with less; developers are overworked; security is complicated – make the most of the time you’re given to get the concepts applied. 

I prefer a blended training approach that combines hacking techniques with secure coding in a single training. Emphasis is placed on challenging developers to think about the code they’ve written (and will write) and how it affects security at the client, web, and data tiers. Let’s assume you have 40 hours to get your developers up to speed on secure coding. Allocate 8-12 hours to exploring pertinent web application weaknesses, how they are found, and how they are exploited. The developer should be exposed to manual exploitation. Avoid introducing complicated tools, scripts, and exploits, as the emphasis is to make them developers that code securely, not developers that can penetrate applications.  If you introduce any tools at all, ensure they are ones they will continue to use after training is complete.

The techniques learned in the first 12 hours are used to stimulate conversation regarding potential weaknesses in your environment. With proper planning a “typical” internal app can be decomposed and analyzed during the training. Secure data sanitizing approaches can be taught, after which the in-house application can be evaluated for compliance with secure standards. This not only teaches the proper coding approach, but also exposes developers to the process of identifying weaknesses.  BONUS: If developers feel empowered to find software weakness they won’t rely on (or assume) others will find them.

I’ve found that in-depth hacker training introduces too many concepts and tactics that are not useful in the day to day activities of developers. Developers learn something new, but find themselves wondering how to use that knowledge in a day-to-day basis.  It’s not enough to know the techniques; your teams must be able to retain and quickly apply what they’ve learned. 

Si

According to the Washington Post, Amit Yoran describes the widespread DDOS attack against US Federal agencies as "loud and clumsy," suggesting it was carried out by an unsophisticated organization.  This statement led to a simple question during a phone call with a network security analyst at a state agency.  “If this was executed by amateurs, then why couldn’t the experts prevent it?”  This is a great question that deserves a analogy:

Give 10,000 uneducated men a loaded weapon.  No military experience is required.  Point them at a target and have them squeeze the trigger.  The attack will be suppressed, but not before there are casualties or loss of life.  It doesn’t have to be pretty, you just need enough force.

It’s the same with DDOS.  Substitute armed men for bots/zombies and bullets for billions of packets aimed at Federal agencies.  Whether you flood your target with waves of armed soldiers or billions of UDP packets, it’s the same principle: defenses can only withstand a certain level of pressure.  We’ve known for over a decade that the Internet’s Achilles Heel is DOS/DDOS.  But this vulnerability can only be exploited when sufficient force is applied. 

If the goal of this month’s cyber attack was to temporarily disrupt the web presence of US Federal agencies, amateurs or not, their mission was accomplished.  Returning to original question regarding experts preventing amateur attacks, let me offer a better question: What will happen when the “experts” launch an attack?  Temporary disruption is just the tip of the ice berg. 

Si

It's a startling fact: the JACADIS security consulting team has penetrated the networks of government, medical, private, and public sector organizations in a matter of minutes.  Thankfully, we’re the good guys; our clients want us to show them how they can be “hacked.” Our approach is simple and emulates the same tactics used by sophisticated data thieves and cyber criminals: target "Layer 8" -- the employee.  Our success rate? 100%  We've tricked managers, executives, supervisors, directors, secretaries, and professors into giving us access, usually with a simple click, and sometimes with no interaction at all.  The weakness?  People.

Technology is not a substitute for good computer skills and common sense.  We believe people have an unrealized role to play in the protection of personal information, financial data, and corporate secrets.   Technology will fail and people, the last line of defense, must must stand in the gap.  As this concept is accepted, the Layer 8 Effect will begin:

• a decrease in accidental disclosures due to carelessness
• employees that genuinely understand the need for restrictions versus scoffing at them
• focused, task oriented workers that are not as overwhelmed by their in-box and vulnerable to Phishing attacks 
• an increase in users reporting suspicious activity
• more users, both corporate and home, that use the Internet with greater skill and awareness, not easily duped or carelessly clicking on whatever comes their way

Will the Layer 8 Effect solve the rampant problem with Identity Theft and  hacker attacks?  No.  It will curb, however, the number of breaches that happen because of carelessness with social networking (Facebook, MySpace, Twitter, etc.), poor email habits, and a lackadaisical attitude regarding confidential information in general. 

Why should you care?  Your identity may be used to commit a crime, fund criminal activity, or support terrorism.  Your personal computer or company laptop could be used to attack businesses, governments or nation states.  No one is immune. 

We hope you're ready to do your part.  This initiative needs you, your family, and your company to participate.  Follow us here and on Twitter.  If you're a business professional, join our LinkedIn group to help remove yourself and your organization from the ranks of the easily fooled, to one that stands in the gap at Layer 8.

The recent cyber attacks against US federal agencies underscores a concept that each JACADIS client is taught early on.  “Prevention will fail.”  It is at this point that you must be able to detect and respond.  Failing to do so may severely increase the impact of the event.

The objective of this post is not to call out the Fed’s inability to thwart a large scale distributed denial of services attack (DDOS).  Rather, my goal is to emphasize the importance of knowing when your systems and networks are under attack and how to respond.  During an attack is not the time to discover you have no idea who is attacking your organization.  And similarly, wondering who to contact for help, whether it’s for security expertise or your ISP for blocking the attacker upstream, should not occur while your being hammered by a DDOS attack.  Answers to these questions should be known, documented as processes, and tested to ensure they can be followed when a real incident happens.   

Risk analysis and threat modeling is a critical success factor in planning for security incidents.  This does not need to be a difficult or expensive process.  Self-directed models, such as OCTAVE Allegro enable organizations to achieve sufficient risk and threat assessment results with minimal time or cost investment.  There will be more attacks; perhaps your systems will be part of the bot network that attacks our nation’s infrastructure?  Start evaluating now how this might happen, what you can do to prevent it, how you will detect it if prevention fails, and what resources you’ll need to respond.

Si    

Many of you have heard me mention the “Cyber Mafia.” Some of you chuckle, grin, and raise your eyebrows at first. The rest of you know organized crime is a prevalent and dangerous threat. To drive this point home, I want to share a security incident I read about in the Washington Post this week:

“A posting on Wikileaks.org claims that cyber attackers stole data of about eight million patients from the Virginia Department of Health Professionals' Virginia Prescription Monitoring Program website; they are demanding US $10 million in ransom for their return. The intruders claim to have encrypted the database and protected it with a password. That particular site is presently unavailable as are several others related to the Virginia Department of Health Professionals. The ransom note says that if the money is not paid within seven days, the data will be offered for sale. Federal and state authorities are investigating.”

Cyber extortion isn’t a new threat. Crime syndicates have used massive botnets to launch denial of service attacks against gambling and gaming sites before. Only when the ransom is paid does the DOS attack stop. “Protection” is then offered, for a fee of course, to prevent other criminals from launching additional attacks. But what about taking sensitive information, claiming exclusive access, and threatening to sell that data? Sure it’s also been done before, but this attack is overt and gutsy.

If it’s really that easy to steal 8 million identities from a government agency, then this is a signal to other criminals that there’s money to be made and the fields are ripe for harvest.

I predict there’s more of this to come. But please don’t be fooled -- you don’t have to be a state or federal organization to be targeted. Public, private, or non-profit, if you store, forward, or process confidential and personal information (PHI, SSNs, CCNs, etc.) for clients or employees, then you need to carefully consider the following questions:

1. What’s valuable to your organization, where is it stored, and how is it forwarded and processed within your company?

2. Who has access to it, how do they access it, and from where is it accessed?

3. What does the law say about your security practices from #1 and #2. Do you have a plan to close the gaps?

4. Do you frequently verify that security safeguards are functioning as designed?

Meet with your IT management and Executive team to find the answers. This is more than firewalls, antivirus, and a good security policy. If these answers aren’t “at your fingertips” or available within 1 business day, then we need to connect and chat.

Security focused,

Simon

This post is prompted by an exchange with a client that develops and hosts web applications for customers.  A recent automated vulnerability scan performed by the developers, on behalf of their client, revealed that a possible blind SQL injection point had been located in an aspx file.  As clear as day, passing bad data caused an unhandled exception, which was visible in the browser due to custom error messages being enabled.   The error message included a stack trace, the name of the database table used to authenticate users, the directory where the application was located, and the specific lines of code where the exception occurred. 

Attempts by the client to exploit the injection point were not successful, so a heated discussion arose between the developers and the client.  It did not center around how to fix the issue, but whether or not the named vulnerability actually existed.  In this case, the text of the alert was "Possible Blind SQL injection", pointing to the aspx file and the variable used in the injection. 

Now the discussion over the scan result is understandable: is it really SQLi or not?  Can data be extracted from the table "tblUser" or not?  I get this.  But what about the bounty of data contained in the stack trace, confirming that bad data caused an exception?  SQLi, RFI, XSS, XSRF -- who cares what it is called?!?  The code, as written, faults when bad data is passed! 

Apparently, this was not enough to convince the client that a code level fix was required.  The solution? Disable custom errors.  The result? No more vulnerability detected by the scanner.

Despite my best efforts, a "clean scan" was more important than bug-free code.  I believe this mentality is caused by a growing "checkbox security" attitude which allows mediocrity to displace excellence.  A "D-" is now acceptable because it's not an "F" -- "At least we passed!"  This checkbox attitude lets stakeholders console each other with "We scanned the app according to PCI 6.6.  No errors.  CHECK!"  Never mind the fact that we all know there's a bug, but we've disabled the error messages that allow the  security tools to see it... 

Security through obscurity at its finest.

A security topic that never fails to captivate an audience is “social engineering.”  In its simplest form, social engineering happens when a person uses trickery to manipulate someone into doing something or sharing confidential information.  In today’s digital economy, it's easier and more efficient to use technology like email to facilitate the theft of identities and sensitive data. 

Electronic social engineering, also known as “phishing” usually arrives in your mailbox as SPAM; unsolicited, usually tasteless, and for many organizations, more frequently than you’d like.   The email is designed to grab your attention and evoke a knee-jerk reaction.  Popular topics include:

“We have $50 million dollars for you in a Nigerian bank…”

“I saw you on YouTube…”

“Your bank account has been breached…”

Some phishing emails are clearly bogus -- misspelled, atrocious grammar, and flat-out offensive.  These are easy to spot if they make it past your SPAM filter.  Other emails are very crafty – seasoned with enough fact to raise your curiosity and lure you into a trap.  Follow these tips to keep from getting hooked.

Stay alert.  If someone secretly put a scorpion in your filing cabinet, you’d be pretty stunned when you reached in for the Jenkins file.  After getting stung once, you’d be very cautious every time you went for a folder.  Others who heard about your incident would be cautious too, hesitant and suspicious as they peered into their cabinets.  As strange as this metaphor may be, there are also dangers lurking in your corporate or personal email box.

Employees are under constant attack from cyber criminals.  Often, they do get “stung.”  While there’s no physical pain involved, the impact of a personal or corporate data breach can be extensive.  Needed is a level of awareness that protects us from the very real dangers that secretly enter our mail boxes and wait to catch us off guard.      

Do not react.  Social engineering attacks are effective because they create an emotional response that surprises the victim and temporarily forces their common sense into neutral.  Stay calm and follow these tips to keep you safe:

· Legitimate correspondence is well written and courteous.  It should not make you irate, embarrassed, or scared. 

· If you don’t use PayPal, eBay, or other online services, do not respond to emails from them.  Simply clicking the link can infect your computer with information stealing software.  

· If you receive an alarming email from an organization with which you do conduct business, call the number printed on official correspondence like a bank statement.   Do not follow web site links, provide personal information, or open any attachments.

· Pay attention to the spelling of web site addresses.  There’s a big difference between “bancone.com” and “banc0ne.com” – one might have your money; the other one will steal your money after you’ve unintentionally given them your bank information. 

· Bookmark and refer to the Web sites you know you can trust. Do not follow links sent to you via email.

Verbally report the incident.   Whether you’ve been tricked by a social engineering attack or identified the scam and resisted, it’s critical to report the incident.   Follow these steps:

· Immediately contact your IT department by phone or in person. Voicemail is not sufficient – be sure someone knows. Your PC may need attention.  The faster you respond, the lower the impact.

· If you successfully caught the scam, you still need to contact your IT department as soon as possible.  Others in your organization may also have been targeted.  If you’re quick enough, IT can send an email to warn your co-workers.  

· Do not forward the phishing email to a group of people.  There’s always one curious recipient that has to know whether or not the scam is real. 

Phishing attacks are the tactic of choice for identity thieves focused on committing fraud in your name. At their worst, a phishing attack may allow a crime ring to penetrate your company and steal the identities of your clients. For a company that is breached, the negative publicity coupled with the poor economy could spell business disaster. Keep yourself and your organization safe by staying alert, not reacting, and reporting suspicious email immediately.

Just a quick, but late note, to say thanks to our friends at Core Security and Qualys. This past Tuesday, they pulled together another great crowd of professionals interested in learning more about how to build an efficient vulnerability management system.  Special thanks also to Dr. Eric Cole for his dedication to the profession and down to earth security wisdom.  It was a privilege to share the virtual mic with Dr. Cole.

For those of you that tuned in, you will recall that we were both asked by Mike Yaffe to close with a pearl of wisdom, a poignant thought.  I challenged everyone to never make assumptions about how secure a device, host, or application may be.  There are too many tools, processes, and security professionals to leave the security of sensitive data to chance. 

If you don't know where to start, begin with what is most important.  Where's your restricted data, cardholder information, patient data, financial information, secret sauce?  Who has access and from where?  How are they accessing it and where does that data go?  Do the answers to these questions align with your legal obligations, corporate policy, and industry best practices? By focusing on high value, high impact systems, you'll quickly get the attention and perhaps the funding you need to make a difference -- even when the economy isn't so hot.    

Assumptions will burn you.  Never assume your safeguards are simply working.  Security erosion says they'll degrade over time if not frequently tested and optimized. 

Never assume someone else is "taking care of" security.  Chances are someone thinks you're watching their back -- you'll want to make sure those roles and responsibilities are documented. 

Never assume just because people attended security awareness training they're now "aware."  Phish them.  Social engineer them.  Surf their desks for sensitive data. 

Aggressively pursue the truth.  Find it before someone else does.

Simon