How To Secure an Organization That Is Under Constant Attack

2013-02-112013-02-11 ~ Ray Sinnema ~ 1 Comment

There have been many recent security incidents at well-respected organizations like the Federal Reserve, the US Energy Department, the New York Times, and the Wall Street Journal.

If these large organizations are incapable of keeping unwanted people off their systems, then who is?

The answer unfortunately is: not many. So we must assume our systems are compromised. Compromised is the new normal.

This has implications for our security efforts:

We need to increase our detection capabilities
We need to be able to respond quickly, preferably in an automated fashion, when we detect an intrusion

Increasing Intrusion Detection Capabilities with Security Analytics

There are usually many small signs that something fishy is going on when an intruder has compromised your network.

For instance, our log files might show that someone is logging in from an IP address in China instead of San Francisco. While that may be normal for our CEO, it’s very unlikely for her secretary.

Another example is when someone tries to access a system it normally doesn’t. This may be an indication of an intruder trying to escalate his privileges.

Most of us are currently unable to collect such small indicators into firm suspicions, but that is about to change with the introduction of Big Data Analytics technology.

RSA recently released a report that predicts that big data will play a big role in Security Incident Event Monitoring (SIEM), network monitoring, Identity and Access Management (IAM), fraud detection, and Governance, Risk, and Compliance (GRC) systems.

RSA is investing heavily in Security Analytics to prevent and predict attacks, and so is IBM.

Quick, Automated, Responses to Intrusion Detection with Risk-Adaptive Access Control

The information we extract from our big security data can be used to drive decisions. The next step is to automate those decisions and actions based on them.

Large organizations, with hundreds or even thousands of applications, have a large attack surface. They are also interesting targets and therefore must assume they are under attack multiple times a day.

Anything that is not automated is not going to scale.

One decision than can be automated is whether we grant someone access to a particular system or piece of data.

This dynamic access control based on risk information is what NIST calls Risk-Adaptive Access Control (RAdAC).

As I’ve shown before, RAdAC can be implemented using eXtensible Access Control Markup Language (XACML).

What do you think?

Is your organization ready to look at security analytics? What do you see as the major road blocks for implementing RAdAC?

Book review: Secure Programming with Static Analysis

2012-12-032012-12-03 ~ Ray Sinnema ~ 1 Comment

One thing that should be part of every Security Development Lifecycle (SDL) is static code analysis.

This topic is explained in great detail in Secure Programming with Static Analyis.

Chapter 1, The Software Security Problem, explains why security is easy to get wrong and why typical methods for catching bugs aren’t effective for finding security vulnerabilities.

Chapter 2, Introduction to Static Analysis, explains that static analysis involves a software program checking the source code of another software program to find structural, quality, and security problems.

Chapter 3, Static Analysis as Part of Code Review, explains how static code analysis can be integrated into a security review process.

Chapter 4, Static Analysis Internals, describes how static analysis tools work internally and what trade-offs are made when building them.

This concludes the first part of the book that describes the big picture. Part two deals with pervasive security problems.

Input Chapter 5, Handling Input, describes how programs should deal with untrustworthy input.

Chapter 6, Buffer Overflow, and chapter 7, Bride to Buffer Overflow, deal with buffer overflows. These chapters are not as interesting for developers working with modern languages like Java or C#.

Chapter 8, Errors and Exceptions, talks about unexpected conditions and the link with security issues. It also handles logging and debugging.

Chapter 9, Web Applications, starts the third part of the book about common types of programs. This chapter looks at security problems specific to the Web and HTTP.

Chapter 10, XML and Web Services, discusses the security challenges associated with XML and with building up applications from distributed components.

Cryptography Chapter 11, Privacy and Secrets, switches the focus from AppSec to InfoSec with an explanation of how to protect private information.

Chapter 12, Privileged Programs, continues with a discussion on how to write programs that operate with different permissions than the user.

The final part of the book is about gaining experience with static analysis tools.

Chapter 13, Source Code Analysis Exercises for Java, is a tutorial on how to use Fortify (a trial version of which is included with the book) on some sample Java projects.

Chapter 14, Source Code Analysis Exercises for C does the same for C programs.

This book is very useful for anybody working with static analysis tools. Its description of the internals of such tools helps with understanding how to apply the tools best.

I like that the book is filled with numerous examples that show how the tools can detect a particular type of problem.

Finally, the book makes clear that any static analysis tool will give both false positives and false negatives. You should really understand security issues yourself to make good decisions. When you know how to do that, a static analysis tool can be a great help.

A Detailed Look At Persistent Threats

2012-10-082012-10-07 ~ Ray Sinnema ~ 1 Comment

Advanced Persistent Threats (APTs) are sophisticated cyber attacks that have moved from the realm of the military to the mainstream.

Since we are now potentially all under attack, it’s imperative that we understand this phenomenon.

The book The Cuckoo’s Egg helps us understand APTs a bit better. It describes one of the first documented persistent attacks, in 1986/1987.

Although the techniques used by the attacker are not what we would now consider advanced, this book does give us valuable insight into the persistent part of the equation.

The Cuckoo’s Egg

The hero in The Cuckoo’s Egg is astronomer Clifford Stoll, then at the University of Berkeley. His project looses funding, but instead of being laid off, he’s moved to the computer department. As a newcomer, he’s given the interesting assignment to track down a $0.75 accounting error.

He checks the accounting software and discovers that one account’s computer time is not paid for.

It turns out that the owner of this account has moved away from Berkeley and isn’t using it anymore. The account is hijacked!

Instead of closing down the account, our hero decides to follow the intruder. He sets up an ever more elaborate system to track the attacker without giving away that he’s doing so.

When following every move of the intruder, our hero finds out that he abuses other systems as well. The attacker seems especially interested in military systems. Our hero contacts a bunch of organizations like the CIA, FBI, and NSA, but none of those seem able or willing to help him, so he keeps following the attacker himself.

As an astronomer, our hero has learned the value of documentation. He carefully logs everything in his log book, and over time that helps him see patterns as data accumulates.

In the end, we find out that the attacker is from Germany and gives information to the KGB. Our hero’s efforts help put this spy in prison.

Attacks

The title of the book refers to one of the two main techniques the attacker uses.

The first is simply guessing passwords. In the eighties, people were a lot less careful with their passwords than they are today. (Although even now there are still many problems with passwords.)

The other technique is an exploit for a simple vulnerability in GNU Emacs: this program could save mail files, but forgot to check permissions at the destination. Since it ran as root, you could copy files anywhere.

The attacker used this to install his own copy of the atrun utility. The Unix system executes this program every five minutes, and does so with full system privileges. So the Unix system was the nest that hatched the cuckoo’s egg, the attacker’s phony atrun program.

Once the attacker acquired system privileges, he copied the password file. He used that file to launch an dictionary attack to hijack yet more accounts.

Persistence

The attacks described are very simple compared to today’s landscape.

The value of the book is in showing us in detail the kind of persistence attackers display. It really drives home how much time and energy attackers are willing to spend to break into our systems.

To have any chance of withstanding these attacks, we’re going to need the same kind of persistence in our defenses.

Log Files to the Rescue

2008-07-012012-06-10 ~ Ray Sinnema ~ Leave a comment

Yesterday I got an email from a client describing a really, really weird situation that had occurred with our product. Of course, they couldn’t provide a way to reproduce the problem. Fortunately, there were only two users on the system at the time (it was in their integration testing environment), so they could tell what each of them was doing.

One person’s actions I could dismiss pretty quickly as the cause of the problem, so it must have been what the other did. However, her actions also seemed unlikely to have caused the problem. I started exercising the system in ways related to her actions, in hope of reproducing the problem. No luck whatsoever.

So I stepped back a little and started reasoning from the code. What could possibly have caused this? I came up with a scenario, tried it, and sure enough, there it was. But the problem was that my actions in no way resembled the description of the client’s actions. And on top of that, my actions seemed rather bizarre. Why would anyone want to do this?

I know debugging isn’t always an exact science, but my hypothesis was in real need of some testing.

Enter log files. Our product is a web application running in Apache Tomcat, for which it’s pretty easy to enable logging. Tomcat’s access log follows the Common Logfile Format, which looks like this (all on one line):

127.0.0.1 8080 - - [27/Jun/2008:08:41:49 +0200] 
"GET /docato-composer/getLoginDialog.do HTTP/1.1" 200 3132

Each HTTP request is logged on a single line, with the IP address of the client first, then some identity information (missing in the example), the time, the kind of request (GET), the URL, the protocol (HTTP/1.1), the result status code, and the result size. (Tools like Webalizer can parse such log files easily to provide statistics for web sites.)

I got the access log from our client, and put on my CSI hat. For each of the steps in my scenario, I looked up the associated URL and searched for it in the log. And yes, bizarre as it may have appeared to me, they were all there: conveniently one after the other, from the same IP address and just before the time the client noticed the problem. Case closed.

The morale of this story is that log files are a Good Idea™. Without them I might have dismissed my scenario as too unlikely, and have spent valuable time chasing alternative hypotheses. Also, while browsing the log files, I stumbled upon two other problems that the client didn’t even report. I fixed these as a bonus 😀

Secure Cloud Development

Musings on the Art and Craft of Creating Secure Software in the Cloud Era

log