February 20, 2015

NIST 800-61. Computer Security Incident Handling Guide

   I could call this standard «CISO Time!». As far as computer security incidents are concerned, enough companies act in a reactive way: we have an incident, let's do something to reduce the damage. Sometimes they think about how to patch the vulnerabilities, which leads to some kind of remediation. And then they wait for another incident.
   There is also another way to deal with incidents, the proactive way. In this standard you can find useful steps for implementing incident response activities in a company's everyday life. Almost all of the recommendations are obvious, but here they are placed together. If you are going to write an incident response plan, you can follow the instructions in this standard and you'll get a sufficient plan.
   The standard consists of 3 parts. The first part is devoted to organizing a Computer Incident Response (CIR) capability (NIST calls it a Computer Security Incident Response Capability, CSIRC). In this chapter you can find useful information about policy and plan elements, along with the obvious advantages of developing a CIR plan. Some pages describe how to communicate effectively within the organization and which departments should participate in incident response activities.
   The second chapter is about how to handle an incident. This activity consists of 4 steps: Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity.
   As far as the preparation step is concerned, I can't help but mention 3 main activities:
  • get all the necessary contacts for the people with whom you are going to work during incident response;
  • all incident analysis hardware and software should be up to date and easy to use;
  • incident analysis resources are also important, because with them you have all the information about the infrastructure in one place.
   Detection and analysis is one of the most important parts of the plan. First of all, you should determine attack vectors and indicators and profile the activity in your infrastructure. When you understand normal behaviour and create correlation and log retention policies, you will be able to prioritize incidents. It is better to make such decisions together with colleagues and a top manager, such as the CISO. Generally, you can divide incidents by functional impact, information impact and recoverability, but every company can find its own criteria for how to prioritize incidents.
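   As an added example (not code from the post or from NIST SP 800-61) of turning the three prioritization factors above into a repeatable triage order, here is a small Python model. The category scales follow the guide's tables for functional impact, information impact and recoverability; the numeric ranking inside each scale, the rule that combines them in priority_key(), the response tracks and the sample tickets are assumptions made here for illustration.

```python
"""Incident prioritization in the style of NIST SP 800-61 rev. 2, section 3.2.6.

Added example; this is not code from the original post or from NIST.
The three category scales follow Tables 3-2 to 3-4 of the guide. The numeric
ranking inside each scale, the way the three are combined in priority_key()
and the response tracks are assumptions made here for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class FunctionalImpact(IntEnum):
    NONE = 0    # no effect on the ability to provide services
    LOW = 1     # minimal effect, all critical services still available
    MEDIUM = 2  # lost a critical service for a subset of users
    HIGH = 3    # some critical services unavailable to any user


class InformationImpact(IntEnum):
    NONE = 0                # nothing exfiltrated, changed or deleted
    PRIVACY_BREACH = 1      # PII of users or staff accessed or exfiltrated
    PROPRIETARY_BREACH = 2  # unclassified proprietary information compromised
    INTEGRITY_LOSS = 3      # sensitive information changed or deleted


class Recoverability(IntEnum):
    REGULAR = 0          # predictable recovery with existing resources
    SUPPLEMENTED = 1     # predictable with additional resources
    EXTENDED = 2         # time to recovery unpredictable, outside help needed
    NOT_RECOVERABLE = 3  # e.g. data already published; guide says investigate


@dataclass(frozen=True)
class Incident:
    ticket: str
    functional: FunctionalImpact
    information: InformationImpact
    recoverability: Recoverability


def priority_key(inc: Incident) -> tuple:
    """Sort key; a bigger tuple means handle sooner.

    Assumed rule: the worse of the two impact categories decides first, the
    combined impact breaks ties, and recoverability only breaks the remaining
    ties. Recoverability is deliberately last: an incident whose damage can no
    longer be undone does not outrank one whose critical services are still
    being lost right now.
    """
    worst = max(inc.functional, inc.information)
    return (int(worst),
            int(inc.functional) + int(inc.information),
            int(inc.recoverability))


def triage(incidents):
    """Return the queue ordered from most to least urgent."""
    return sorted(incidents, key=priority_key, reverse=True)


def response_track(inc: Incident) -> str:
    """Which playbook the handler opens first (assumed thresholds).

    800-61 notes that when recovery is not possible, effort should go to
    investigation rather than containment; the other two tracks are this
    example's own split between page-the-on-call and next-business-day.
    """
    if inc.recoverability is Recoverability.NOT_RECOVERABLE:
        return "investigate"
    if (inc.functional >= FunctionalImpact.MEDIUM
            or inc.information >= InformationImpact.PROPRIETARY_BREACH):
        return "contain-now"
    return "contain-next-business-day"


def sample_queue():
    """Constructed sample tickets (not real incidents), in arrival order."""
    return [
        # one user phished, no access gained yet
        Incident("INC-1", FunctionalImpact.LOW,
                 InformationImpact.NONE, Recoverability.REGULAR),
        # ransomware on the file server
        Incident("INC-2", FunctionalImpact.HIGH,
                 InformationImpact.INTEGRITY_LOSS, Recoverability.EXTENDED),
        # customer database dump already posted publicly
        Incident("INC-3", FunctionalImpact.NONE,
                 InformationImpact.PRIVACY_BREACH, Recoverability.NOT_RECOVERABLE),
        # DDoS against the customer portal
        Incident("INC-4", FunctionalImpact.HIGH,
                 InformationImpact.NONE, Recoverability.SUPPLEMENTED),
    ]


if __name__ == "__main__":
    for inc in triage(sample_queue()):
        print(inc.ticket, priority_key(inc), response_track(inc))
```

   Running it orders the constructed queue INC-2, INC-4, INC-3, INC-1: the two HIGH functional-impact tickets come first, and the already-published database dump, although it cannot be contained any more, still ranks above the single phished user because of its information impact. The point of writing the rule down as code is that the team agrees on it before the incident, not during it, which is exactly what the standard asks for.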
   Containment and eradication, as well as recovery, can differ a lot because of your organization's internal policies. Containment depends on many factors, such as the impact on SLAs, potential damage and so on. Eradication should be done carefully, because of possible information loss. Effectiveness at this step fully depends on how well detection and analysis were performed. Almost all recovery procedures are carried out by IT staff. It is their part.
   Post-incident activities include lessons learned meetings after an incident. At these meetings your CIR team should update CIR policies and procedures and create a chronology and a monetary estimate of the amount of damage. Based on these lessons you can justify funding and help your IA department to find incident trends and systemic security weaknesses. Also, the measures of success can be renewed. It is always important to understand when an incident is localized and eliminated.
   In this chapter you can also find a CIR handling checklist. It is very brief, but helpful to start from. The last part is devoted to coordination and information sharing. It is also a good starting point for your list of whom to call and what to say. Special attention in this standard is paid to granular information sharing because of the business impact. It is better to speak with the legal and PR departments before presenting information to anyone not authorized to receive it.
   In conclusion, I would like to say that this standard is not a full guide to CIR. It is only a brief review. Almost every topic should be expanded with different technical and administrative measures. But if you don't know where to start, or even if you do, it is a good review to check your key positions against. Great job, NIST!

February 2, 2015

Review on Software Security Course by Maryland University on coursera.org

   This course was my second course in the Cybersecurity specialization. The syllabus you can find here. In brief, this course gave me a lot of fun. From my point of view there was a good start, but at the end it became a little bit boring, brief and easy.
    There were 6 weeks, 6 quizzes and 3 labs. The first lecture was about low-level memory-based attacks. Stack smashing and format string attacks were well described, with clear examples, so if you are not familiar with these attacks you can find useful information here. I can't help but mention the references at the end of the week. There were a lot of links, which provided a detailed and deep description of these attacks. Well done, professor! As for me, the ROP description was not clearly explained and there were not enough examples to understand it without additional reading.
   Week 2 was devoted to defense mechanisms against memory attacks. Key techniques, such as stack canaries, DEP, ASLR, memory-safety enforcement and control-flow integrity (CFI), were described in detail. During these 2 weeks students had time to finish lab 1. It was a vulnerable program with source code in a VirtualBox image. The professor also provided this lab with step-by-step instructions. It was a great pleasure to find the flaws, write exploits and use gdb. I appreciate such tasks because in educational programs there is a lack of practice, especially in practical information security.
    Nowadays everything migrates to the web. The professor devoted week 3 and lab 2 to web flaws. In brief, there were descriptions and examples of SQLi, XSS, CSRF and session hijacking. Some defensive mechanisms were presented too. To create the lab, the BadStore distribution was chosen. It is a damn vulnerable web app with lots of flaws. Unfortunately, the tasks in the lab were very easy. As for me, it would be more useful and tougher to use XSS or SQLi to get access than to find out some cookie info.
   Secure design in week 4 was pretty easy to understand. It was great that design principles were introduced in the course. In this week you can find basic definitions, such as authentication, authorization, etc. Also there were criteria for a good model and key principles of secure design. They are obvious, but very hard to follow.
   Week 5 was a nightmare. I suffered and struggled with static code analysis. From my point of view this technology is efficient, but it also needs much more experience in software development than an average student has. As for me, the quiz after the lecture was incredibly difficult; some parts of the static analysis procedure were not fully described in the lectures, but they were in the quiz. Additional reading was Brian Chess and his book «Secure Programming with Static Analysis». Great book, but without enough coding experience and time to understand it, for me it was rocket science. The symbolic execution theme was fair; good examples and a clear description of the principles gave me an opportunity to solve the quiz questions.
    Lab 3 was connected with fuzzing. In brief, we fuzzed the app from Lab 1. It was very easy and I didn't spend much time thinking about it.
   Week 6 was grandly titled «Penetration testing». But I was confused, because the professor briefly told us about several well-known tricks and tools without going deeper. Some words were about fuzzing, but not enough to understand the underlying algorithms.
   The course was pretty good at the beginning: 3 great weeks, 2 good labs. I thought it would get better and better. But at the end the themes became a little bit boring and unclear. Maybe they were in a hurry. If this course were expanded with heap overflow and ROP examples, more information about XSS and CSRF, more practice and an entire week or two about pentesting, it would be great and unbelievable. I think the professor can do it!

January 11, 2015

Thoughts about electronic authentication after NIST 800-63-1 review

   This guideline is devoted to the problem of electronic authentication in federal IT systems. For my current job these recommendations are not obligatory, but I found some tricky details in this standard. I also use it to structure information connected with this vital infosec problem.
   The standard consists of 6 major sections. The first one is called "E-Authentication Model", where you can find a detailed description of the authentication process and the architectural model. The same roles appear in almost all authentication protocols, such as Kerberos, 802.1X, etc. Additionally you can find some words about who participates in the authentication process and what types of tokens and credentials are widely used. All these topics are described and explained in the later sections.
   The next section is about the registration and issuance processes. After a short introduction there are threats and mitigation strategies. As for me, I find these two parts of every section valuable, because I can use them in a security policy or as a part of threat modeling. Every section finishes with tables about assurance levels and what should be done to fulfill the requirements.
   The section about tokens is a good place to find out about some unusual authentication schemes with single- and multi-factor tokens. Threats, mitigation strategies and tables with assurance levels are at the end of the section.
   In the token and credential management section I found a good enumeration of CSP responsibilities. This list is written in general words, but you can implement these responsibilities in every system where token and credential management are present. Can you guess what information you can find at the end of the section? Right: threats, mitigation activities and tables...
   The section about the authentication process mainly focuses on defense against man-in-the-middle attacks. Almost all mitigation activities are based on using TLS and strong cryptography.
   Nowadays SSO is very popular because of convenience and security (of course, it should be properly developed and implemented). Without the assertion process this technology would be useless. The assertion section in the standard is well written; 2 models are described (direct and indirect), and there are also examples of assertion types. You know what you can find at the end of the section...
   In conclusion, from my point of view, this guideline lacks technical information, and maybe next time the authors will try to give more practical recommendations about mitigation strategies. But nevertheless this standard is a good source to systematize your knowledge.

January 5, 2015

Review on Usable Security Course by Maryland University on coursera.org

   During one of the autumn evenings I found an email from Coursera about a Specialization program. I found an interesting specialization in Cybersecurity. If I'm not mistaken, Maryland University has one of the biggest Security Operation Centers in the US. The specialization contains 4 courses: Usable Security, Software Security, Cryptography, Hardware Security. All courses have their own start dates, so you can enter a course. If you want a verified certificate or you'd like to finish the Cybersecurity specialization, you should follow the Signature Track and pay $49 for each course.
   Signature Track is a way for you to confirm your identity. You type some text, so they can verify you by your typing. They also take your photo and ask you to send your government ID with a photo. The scheme is implemented this way: you complete a quiz and then they take your typing sample and photo. Of course, this is not a way to identify you with certainty; there are a lot of ways to get around it. But as for me, the main reason is to get knowledge, not to achieve certificates.
   Let's come back to our courses. I started with Usable Security. When I first read the syllabus, I thought: "Oh, piece of cake... What is the reason to give such kind of material?" I have worked in the field of security for almost 4 years, not so much, but enough to understand some key principles. You assess risks, find suitable security measures, implement them and also include this in your information security policy. Of course, your users are a part of this process, but you educate them and control what they are doing. But this course gave me something to think about...
   The course included 5 key themes: design principles, measuring and evaluating usability, authentication, web browsing and privacy. The material was not technical, so you could not find any descriptions of secure authentication schemes, etc. During week 1 human-computer interaction and ways of measuring usability were described in detail. Week 2 was about design and how to perform it. Week 3 gave key concepts for how to evaluate a system design (controlled experiments, A/B testing, etc.). Week 4 provided me with solid guidelines for usable security. Week 5 revealed the usable authentication theme. I was surprised when the professor started to check current browser HTTPS certificate validation on a professor of biology, who was not familiar with computer security at all. He was a little bit shocked when he saw the warning. When she began to show him how to accept the risk and get access to the site... For him it was rocket science... As for me, he is a smart person, but he is not living in the field of computer security, so all these things and tricks are not convenient for him.
Week 6 was about usable privacy. The professor gave a good list of how to make terms and agreements clear to users. Then the final exam, and the course was finished.
I got a certificate with a verification link on it.
   For me this course was very useful. Now I try to think and act like a user, or ask a user to do something, because the only way to develop a secure system by design is to make it convenient and clear for users and administrators.