February 20, 2015

NIST 800-61. Computer Security Incident Handling Guide

   I can call this standard as «CISO Time!» As far as computer security incidents are corncerned enough companies act in a reactive way. We have an incident, let's do something to reduce damage. Sometimes they thought how to patch vulnerabilities, which leads to some kind of remediation. And then wait for another incident.
   Also there is another way to deal with incidents — proactive way. In this standard you can find some useful steps how to implement incident response activities in company's every day life. Almost all recommendations are obvious, but they are placed together. If you are going to write incident response plan, you can follow instructions in this standard and you'll get sufficient plan.
   Standard consists of 3 parts. First part is devoted to organizing a Computer Incident Response (CIR) Capability. In this chapter you can find useful information about policy and plan elements, also with obvious advantages of developing CIR plan. Some pages describe how to effectively communicate within organization and what departments should participate in incident response activities.
   Second chapter was about how to handle an Incident. This activity consists of 4 steps: Preparation → Detection and Analysis → Containment, Eradiction, Recovery → Post-Incident Activity.
   As far as preparation step is is concerned I can't but mention 3 main activities:
  •  get all necessary contacts from people with whom you are going to work while CIR; 
  • all incident analysis hardware and software should be up to date and easy to use; 
  • incident analysis resources are also important, because using them you have all information about infrastructure in one place.
   Detection and analysis is one of the most important part of the plan. First of all, you should determine attack vectors, indicators and profile activity in your infrastructure. When you understand normal behaviour and create correlation and log retention policies you will be able to prioritize incidents. It is better to make such decision with colleagues and top-manager, such as CISO. Generally, you can try to divide incidents by functional or informational impact and recoverability, but every company can find their own criteria about how to prioritize incidents.
   Containment and eradication also as a recovery can be much different because of your organization internal policies. Containment depends on many factors as impact on SLA, potential damage and so on. Eradiction should be carefully done, because of possible information lost. Effectiveness on this step is fully depends on how good detection analysis was performed. Almost all recovery procedures are held by IT staff. It is their part.
   Post-Incident Activities include lesson learned meetings after incident. On this meetings your CIR team should update CIR policies and procedures, create chronology and monetary estimate of the amount of damage. Based on this lessons you can justify fundings, help your IA department to find incident trends and systemic security weaknesses. Also measures of success can be renewed. It is always important to understand when incident is localized and eliminated.
   In this chapter you can find CIR handling checklist. It is very brief, but also helpful to start from. The last part is devoted to coordination and information sharing. It is also a good start to from your list whom to call and what to say. Special attention in this standard is paid to granular information sharing because of business impact. It is better to speak with law and PR departments before presenting information to some unauthorized people.
   In conclusion, I would like to say that this standard is not a full guide about CIR. It is only a brief review. Almost every topic should be expanded with different technical and administrative measures. But if you don't know where to start or even you know — it is a good review to check your key positions. Great job, NIST!

February 2, 2015

Review on Software Security Course by Maryland University on coursera.org

   This course was my second course in Cybersecurity specialization. Syllabus you can find here. In brief this course gave me a lot of fun. From my point of view there was a good start, but at the end it became a little bit boring, brief and easy.
    There were 6 weeks, 6 quizzes and 3 labs. First lecture was about low-level memory-based attacks. Stack smashing and format string attacks were well described, there were clear examples, so if you are not familiar with this attacks you can find here useful information. I can't but mention references at the end of the week. There were a lot of links, which provided detailed and deep description of these attacks. Well done, professor! As for me, ROP description was not clearly explained and there were not enough examples to understand it without addtional reading.
   Week 2 was devoted to defense mechanisms against memory attacks. Key technics, such as stack canaries, DEP, ASLR, memory-safety enforcement, control-flow integrity (CFI) were described in details. During these 2 weeks students had time to finish lab 1. It was a vulnerable software with source in VirtualBox image. Professor also provided this lab with step-by-step instructions. It was great pleasure to find flaws, to write exploits and using gdb. I appreciate such tasks because in educational programms there is lack of practice, especially in practical information security.
    Nowadays everything migrates to web. Professor devoted week 3 and lab 2 to web flaws. In brief there were descriptions and examples of SQLi, XSS, CSRF and Session hijacking. Some defensive mechanisms were presented too. In order to create lab BadStore distib was chosen. It is damn vulnerable web app with lots of flaws. Unfortunately, tasks in lab was very easy. As for me it will be more useful and tough to use XSS or SQLi to get access, than find out some cookies info.
   Secure design in week 4 was pretty easy to understand. It was great, that principles of designing was introduced in course. In this week you can find basic definitions? Such as authentication, authorization and etc. Also there were criteria of a good model, key principles of secure design. They are obvious, but very hard to follow.
   Week 5 was a nightmare. I suffered and struggled with static code analysis. From my point of view this technology is efficient, but also it needs much more experience in software development than an average student has. As for me, quizz after the lecture was incredibly difficult, some ways of static analysis procedure was not fully described in lectures, but they were in quizz. Additional reading was Brian Chess and his book - «Secure Programming with Static Analysis». Great book, but without enough coding experience and time for understanding for me it was rocket science. Symbolic execution theme was fair, good examples and clear description of principles gave me an opportunity to solve quizz questions.
    Lab 3 was connected with fuzzing. In brief we fuzzed app from Lab 1. It was very easy and I didn't spend much time on thinking about it.
   Week 6 was greatly titled «Penetration testing». But I was confused, because Professor in brief told us several well-known tricks and software without going deeper. Some words was about fuzzing, but not enough to understand underlying algorythms.
   Course was pretty good at the beginning. 3 weeks was great, 2 good labs. I thought it would be better and better. But at the end themes became a little bit boring and unclear. May be they were in a hurry. If this course would be expanded with heap overflow and ROP examples, more information about XSS and CSRF, more practice and entire week or two about pentest it would be great and unbelievable. I think professor can do it!