Wednesday, August 31, 2016

More security links from Viacheslav

Viacheslav Chebotarev is available for off site security research work. Contact me if you want to communicate with him.

Monday, August 29, 2016

Imperva in Gartner’s Magic Quadrant for Web Application Firewalls

One of the things I try to reinforce when I teach security is that you cannot know everything about security. I just got hit with a ton of bricks. I used to follow web app firewalls closely. Ryan Barnett, Breach, and I used to stay in touch on the subject, in fact he helped us at SANS a long time ago.

Jim Manico, OWASP, (a fellow Kauaiian), and I try to stay in touch and I run things by him. But today, I got a press release saying that for the third year in a row Imperva is the sole member of the GMQ for web app firewalls. Perhaps you remember the "Duh" scene in Air America when the US senator tries to give the local general his bag to carry. That is how I feel. But it is time to recover. Hopefully, Imperva has done a What Works piece so I can begin to get back in the game from a user's perspective. Maybe I can do one or two short LinkedIn interview posts (3 - 5 questions). But clearly, I have been slacking in this area.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Claudio Neiva, 19 July 2016

Saturday, August 27, 2016

Where there's smoke

I posted recently about my experience with SimpliSafe and what I learned about wireless alarm systems in general. However, the problem I am trying to solve is the curve fit between safety and sanity with smoke alarms that false positive. On the safety side, I would like to see detection for the seven types of fires the devices were tested against: smoldering wood, foam, romex, and flaming foam, liquid, wood and paper. At the same time, I have been plagued with false alarms for years. The ideal devices will operate for several years in a high salt environment and hopefully be kind about such things as shower steam, broiling or frying meat, and toasters (this is a classic).

One product I am looking into is First Alert SA320CN Dual Sensor Battery-Powered Smoke and Fire Alarm. It has a lot of reviews, mostly positive. And while this is not a review per se, it covers the safety issue perfectly. Firstinlastout wrote, "As a professional firefighter/paramedic for nearly 13 years, I see a lot of fires. I do know that most detectors out there are NOT dual sensor....they are mostly only ionization detectors that detect flame. Remember it's usually not the fire that will kill you, it's the smoke and it's deadly component carbon monoxide that will end your life. Photoelectric detectors detect these smoke particles and alert you.......ionization types rarely do if it's a slow smoldering fire. If you're sleeping, by the time the ionization sensors detect the actual flames, the smoke and the CO will most likely have already gotten to you and you will be dead.

That's why it's so VERY VERY important to have a dual-sensor smoke detector. This particular item IS a dual sensor that is designed to alert you to both smoldering low-flame fires and high intensity/rapid flame fires. This detector will protect you 100% from fire related death/injury if used properly and placed correctly in your home. Remember to replace the battery every time you switch the clock during daylight savings time or any time the detector chirps. Always look for a photoelectric/ionization detector and buy one. Have one in your hallway, in the main living room at the very least and I always like to put one in each room because I am overly cautious. Also make sure to have a B-C extinguisher on hand near the kitchen to put out kitchen grease fires....the #1 cause of residential structure fires. Hopefully you can put a small one out, but if you discharge the entire extinguisher and the fire is not out......evacuate the house immediately and make sure you or someone called 911 prior to exiting your home. Stay safe!"

In Washington I found some ten year lithium battery stand alone dedicated CO2 detectors. After reading that post, I think I will get a couple more.

I agree that dual sensor is important and there is more than one way to do it. Nest has a white paper that makes several points, "Since residential smoke alarms were first popularized in the 1970s, home fires have changed: while it would generally take up to 30 minutes for a fire to take over a room in the 1970s, it can take as little as 5 minutes today. Today’s homes are bigger, with more open floor plans, more composite construction materials, and more polyurethane and synthetic furnishings which burn faster than materials used decades ago."

The First Alert SA320CN Dual Sensor Battery-Powered Smoke and Fire Alarm is reasonably priced and is the best seller on Amazon, which means it has been extensively reviewed. It can be installed standalone; it does not have CO2 detection, but I am willing to consider separate systems. Many reviewers mention the ease of changing the battery, which is a definite plus. I think I will ship a couple to Hawaii and we can see if they are relatively trouble free.

One of the products I have been reading about is Nest. One of my Facebook friends has had the same problem I have had with smoke alarms, Kip wrote, "Sounds like our nest smoke alarms. Lots of false alarms and had to take them down for sanity. Those ones talk to you and as I was trying to silence the false alarm at 3 in the morning the nest alarm was saying this alarm can not be silenced. I said yes you can and took them all off the wall, threw them in a bucket and put the lid on then took it out to the garage. That was months ago and when I go into the garage they still beep at me from the bucket. They may substitute for clay pigeons next."

I am duly warned. Our house may not be ideal for the Nest. The Protect interconnects wirelessly using a self-created wireless network, so it works independently of your own Wi-Fi even if power fails. However, we can't cover the whole house with a single wireless network because the office is over the garages and separated from the house by a large lanai.

Another feature is interaction w/ the thermostat. The Nest has the ability to turn off the HVAC in an emergency so it doesn't fan the flames.

And it has a phone App. I am not a big App person, but when we are in Hawaii it is great to be able to see what is going on in Washington. I just ordered one and will see how challenging it is to set up and operate.

SimpliSafe isn't Safe, neither is Xfinity, Vivint or ADT.

The bottom line: DO NOT put a sign in your front yard saying monitored by:
- SimpliSafe
- Vivint
- Comcast Xfinity
If you must use such a sign, consider at least trading with a neighbor that has a different system than yours. Each of these systems uses wireless signals to communicate from the sensor to the control device. Each can be intercepted with Software Defined Radio.

Our home insurance requires a monitoring system. We had one installed by a professional, but we have had a lot of problems with it. Once the installer came two weeks after a problem and said, "I have paying customers, you know" (we are paying customers). I was attracted by the idea of SimpliSafe.

I also looked into Vivint, but they are not transparent about pricing, (or anything else). They use the ADT "free installation" marketing approach.

The most important feature for me was the smoke alarms. We have had problems with smoke alarms since we built the house.

The SimpliSafe system arrived promptly and the install was easy. Now, three weeks after the install we have had four false positives, with three of the smoke detectors. The system is running in test mode so the fire department is not called. One of my Linkedin connections, Indy, suggests, "Stephen, I have it installed in our home.  Some of the batteries were low and they would set off the alarm.  I took them out of the configuration, at the keypad, until I could change the battery and then add the sensor back in to the system through the keypad."

I put out a notice on LinkedIn and Facebook to see if others have had problems. And learned a lot! Scott Ashton pointed me to an IOActive blog post that found the PIN is transmitted as cleartext, "IOActive made attempts through multiple channels to contact SimpliSafe upon finding this critical vulnerability, but received no response from the vendor. IOActive also notified CERT of the vulnerability in the normal course of responsible disclosure. The timeline can be found here within the release advisory." This means an attacker with some RF smarts can break in with about $150.00 worth of equipment if they can lurk 100 yards away from the property. Well, home security wasn't my main driver; the smoke alarms are. But it also means an attacker could set off false alarms.

Well, I do not have a massive investment in SimpliSafe, maybe a different technology? In Washington State we have Comcast Xfinity, maybe something like that? Well a bit of research turned up a Wired Magazine article saying, "Philip Bosco, a security researcher at Rapid7, found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion." Also, (and more importantly), the last time I had trouble with the system they tried to charge me for a service call. (they quit trying to do that after I offered to cancel the service).

Vivint, a retailer for 2GIG, can also be hacked or even jailbroken. Wired Magazine has an article about jamming the signal so you can enter a door without the alarm firing. The same article mentions ADT. More information about ADT can be found here. Apparently these revelations resulted in a class action lawsuit.

Forbes has an article about hacking Bay Alarm, but that might have been a procedural problem.

Very educational.

Friday, August 19, 2016

Application Containers and Information Centric Security

Please consider the following quote by Grace Hopper, "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it." As an information security manager, it is critical to understand, and to be able to help others understand, the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know-how, data schema) there is also data, including the increasingly important business record. Is the uniform approach to Defense-in-Depth appropriate when it comes to information?

Information centric is another way to think of the defense-in-depth concept. Think of concentric rings: at the center of the diagram is your information. However, the center can be anything you value, or the answer to the question, "What are you trying to protect?" Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Information centric defense starts with an awareness of the value of each section of information within an organization. Identify the most valuable information and implement controls to prevent non-authorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single section of the network, assign a single group of system administrators to it, mark the data, and thoroughly check for this level of data leaving your network.
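The "mark the data, and thoroughly check for this level of data leaving your network" step, as an added Python example that is not from the post: outbound messages are scanned for a classification marker, both in the clear and inside base64 runs, because a marked file that has simply been base64-encoded as an attachment slips past a plain string match. The marker string and the sample messages are constructed for the example.

```python
"""Egress check for marked intellectual property (added example).
Assumption: IP files carry a constructed marker string; the outbound
messages below are constructed samples, not captured traffic."""
import base64
import binascii
import re

MARKER = "ACME-IP-RESTRICTED"   # constructed classification marker

# A run of base64 alphabet characters long enough to wrap a marked file.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def contains_marker(payload: str) -> bool:
    """True if the marker is in the payload itself or inside any base64 run
    within it (re-encoding is the cheapest way to evade a plain match)."""
    if MARKER in payload:
        return True
    for run in B64_RUN.findall(payload):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue            # not valid base64, e.g. a long hash or token
        if MARKER.encode() in decoded:
            return True
    return False


def audit_egress(messages):
    """Return the ids of outbound messages that should be held for review."""
    return [m["id"] for m in messages if contains_marker(m["body"])]


# Constructed sample: one marked file in the clear, one base64-wrapped,
# one clean message that contains a long hex digest (valid-looking base64
# that decodes to bytes without the marker).
_MARKED_FILE = MARKER + "\nschema v3: customer_ledger(id, balance, owner)\n"
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "FYI, latest schema:\n" + _MARKED_FILE},
    {"id": "m2", "body": "see attached: "
                         + base64.b64encode(_MARKED_FILE.encode()).decode()},
    {"id": "m3", "body": "build ok, digest "
                         + "3f8a0c9e1b2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b"},
]

if __name__ == "__main__":
    print("hold for review:", audit_egress(SAMPLE_MESSAGES))
```

In practice the marker check sits at the mail gateway or proxy for the network segment that holds the IP, and it is only as good as the marking discipline: data that was never marked is never caught.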

Containers and Application containers potentially add a new "ring" of protection. According to computerworld, "Application containerization is an OS-level virtualization method for deploying and running distributed applications without launching an entire virtual machine (VM) for each app. Instead, multiple isolated systems are run on a single control host and access a single kernel.

Application containers hold components such as files, environment variables and libraries necessary to run the desired software. Because resources are shared in this way, application containers can be created that place less strain on the overall resources available.

Containers are an attractive option for developers craving for a seamless transition when they move software from one computing environment into another – from staging, testing to production."

But for all their advantages, they also present new risks. As new tools and techniques are being developed, Alderman from Tenable gave some traditional approaches that companies can implement as initial steps to safeguarding their application containers:

1. Enumerate all container images - Inventory all of your container images to understand what’s running in the environment. If a security flaw is detected in one container image, you’ll understand where these images are running for remediation activities.

2. Secure the container host - Host vulnerabilities, exploits, and misconfigurations are now accessible across all containers. A single container exploiting the host will take down the whole host.

3. Verify security of embedded libraries - This will prevent known vulnerabilities in embedded libraries from being deployed in container images.

4. Limit user privileges in container images - If you’re root in the container, you’ll be root on the host. An attacker who hijacks a container will have access to the privileges of the container. Minimize root and root escalation privileges.
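Steps 1, 3 and 4 above, as an added Python audit that is not from the post or from Tenable. The image and container records are constructed to look like `docker image inspect` and `docker container inspect` output (the `RepoTags` and `Config.User` fields are the real ones); the `Libraries` field and the advisory list are assumptions standing in for what an image scanner and a vulnerability feed would supply. Step 2 is a host-level check and is out of scope for an image audit.

```python
"""Container image audit (added example). Image, container and advisory
data are constructed; real data would come from `docker image inspect`,
`docker container inspect` and an image scanner."""
from collections import defaultdict

# Constructed image records shaped like `docker image inspect` output.
IMAGES = [
    {"Id": "sha256:aaa1", "RepoTags": ["shop/web:1.4"],
     "Config": {"User": ""},          # empty User: process starts as root
     "Libraries": {"openssl": "1.0.2g", "zlib": "1.2.11"}},
    {"Id": "sha256:bbb2", "RepoTags": ["shop/api:2.0"],
     "Config": {"User": "app"},
     "Libraries": {"openssl": "1.1.1k", "libxml2": "2.9.4"}},
    {"Id": "sha256:ccc3", "RepoTags": ["shop/worker:0.9"],
     "Config": {"User": "0"},         # numeric uid 0 is root too
     "Libraries": {"libxml2": "2.9.10"}},
]

# Constructed container records: which image each running container uses.
CONTAINERS = [
    {"Name": "/web-1", "Image": "sha256:aaa1"},
    {"Name": "/web-2", "Image": "sha256:aaa1"},
    {"Name": "/api-1", "Image": "sha256:bbb2"},
    {"Name": "/worker-1", "Image": "sha256:ccc3"},
]

# Constructed advisory feed (placeholder data, not real CVE information):
# library name -> versions known to be vulnerable.
KNOWN_BAD = {"openssl": {"1.0.2g"}, "libxml2": {"2.9.4"}}


def inventory(images, containers):
    """Step 1: map each image tag to the containers running it, so a flaw
    found in an image can be traced to every place it is deployed."""
    by_id = {img["Id"]: img for img in images}
    where = defaultdict(list)
    for c in containers:
        tag = by_id[c["Image"]]["RepoTags"][0]
        where[tag].append(c["Name"])
    return dict(where)


def runs_as_root(image):
    """Step 4: no User, 'root', uid 0 or '0:gid' all start the process as root."""
    user = image["Config"].get("User", "").strip()
    return user in ("", "root", "0") or user.startswith("0:")


def vulnerable_libraries(image, advisories):
    """Step 3: embedded libraries whose version is on the advisory list."""
    return sorted(name for name, ver in image["Libraries"].items()
                  if ver in advisories.get(name, set()))


def audit(images=IMAGES, containers=CONTAINERS, advisories=KNOWN_BAD):
    """One finding per image tag: where it runs, whether it runs as root,
    and which embedded libraries are known-vulnerable."""
    deployed = inventory(images, containers)
    findings = {}
    for img in images:
        tag = img["RepoTags"][0]
        findings[tag] = {
            "running_in": deployed.get(tag, []),
            "root": runs_as_root(img),
            "vulnerable": vulnerable_libraries(img, advisories),
        }
    return findings


if __name__ == "__main__":
    for tag, finding in audit().items():
        print(tag, finding)
```

The `running_in` list is what makes step 1 useful: the vulnerable `openssl` in `shop/web:1.4` is one finding, but the remediation work is two containers, and the audit says which.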

Wednesday, August 17, 2016

Sample Incident Response Policy

Data Breach Response Policy

Created by or for the SANS Institute.  Feel free to modify or use for your organization.  If you have a policy to contribute, please send e-mail to

1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

<ORGANIZATION NAME> Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how <ORGANIZATION NAME>’s established culture of openness, trust and integrity should respond to such activity. <ORGANIZATION NAME> Information Security is committed to protecting <ORGANIZATION NAME>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

1.1 Background
This policy mandates that any individual who suspects that a theft, breach or exposure of <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data has occurred must immediately provide a description of what occurred via e-mail to Helpdesk@<ORGANIZATION NAME>.org, by calling 555-1212, or through the use of the help desk reporting web page at http://<ORGANIZATION NAME>. This e-mail address, phone number, and web page are monitored by the <ORGANIZATION NAME>’s Information Security Administrator. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

2.0 Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of <ORGANIZATION NAME> members. Any agreements with vendors will contain similar language that protects the fund.

3.0 Policy
Confirmed theft, data breach or exposure of <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data

As soon as a theft, data breach or exposure containing <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data is identified, the process of removing all access to that resource will begin.

The Executive Director will chair an incident response team to handle the breach or exposure.

The team will include members from:
          IT Infrastructure
          IT Applications
          Finance (if applicable)
          Member Services (if Member data is affected)
          Human Resources
          The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
          Additional departments based on the data type involved
          Additional individuals as deemed necessary by the Executive Director

Confirmed theft, breach or exposure of <ORGANIZATION NAME> data

The Executive Director will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

Work with Forensic Investigators

As provided by <ORGANIZATION NAME> cyber insurance, the insurer will need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause. 

Develop a communication plan.

Work with <ORGANIZATION NAME> communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

3.2 Ownership and Responsibilities
Roles & Responsibilities:

          Sponsors - Sponsors are those members of the <ORGANIZATION NAME> community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any <ORGANIZATION NAME> Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
          Information Security Administrator is that member of the <ORGANIZATION NAME> community, designated by the Executive Director or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.
          Users include virtually all members of the <ORGANIZATION NAME> community to the extent they have authorized access to information resources, and may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
          The Incident Response Team shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security; Communications; Legal; Management; Financial Services, Member Services; Human Resources.

4.0 Enforcement
Any <ORGANIZATION NAME> personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated.
5.0 Definitions
Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
Plain text – Unencrypted data.
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Protected Health Information (PHI) - Under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered
Protected data - See PII and PHI
Information Resource - The data and information assets of an organization, department or unit.
Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data.  See PII and PHI above.

6.0 Revision History
Date of Revision      Description of Changes
August 17, 2016       Initial version (Stephen Northcutt)

Additional study questions for second half of day 2 MGT 512

NOTE: The study questions seemed a bit sparse for today’s session, so I created a few more. Please note that I do not have the books, so I worked directly from the slides. This will probably be off from your books, but gives you a pretty good idea where to look.

What is a next generation firewall? Slide 127

What is the primary advantage to egress filtering? Slide 131

Data analysts have a consistent basis for traffic analysis and rule generation because of _________________ that converts input into a format the signature rules expect to see. Slide 141

Which costs more to operate, IDS or IPS and why? Slide 147

What is the difference between Type  1 and Type 2 Virtualization? Slide 158

Why has Antivirus reached a limit? Slide 168

Name a technical control we can use in configuration management?  __________________ Slide 175

How does RAID 5 try to prevent data loss due to disk physical problems? Slide 196

Of C I A, which is probably most important for a bank or financial institution? Slide 204

Name as many architectural approaches to Defense in Depth as possible? Slide 234

Why should we be cautious about using the word “will” in security policy? Slide 255

Thursday, August 11, 2016

Privilege Management Reading List

An Introduction to Identity Management - Spencer C. Lee

The underlying problem is the absence of federated directories. Microsoft defines federation as “the technology and business arrangements necessary for the interconnecting of users, applications, and systems. This includes authentication, distributed processing and storage, data sharing, and more.”

Federated directories interact and trust each other, thus allowing secure information sharing between applications.  Companies are currently running isolated, independent directories that neither interact with nor trust each other.

NOTE: This was a great paper and ahead of its time, but needs to be updated.
= = =
Improving Application and Privilege Management: Critical Security Controls Update by John Pescatore.

The biggest barrier to enabling application control and privilege management has been fear of self-inflicted wounds: causing business disruption or huge increases in help desk calls as legitimate software and business-critical access are blocked. But products and techniques have improved over the past few years, and today you can find many success stories that show what works in enabling application control and privilege management with minimal or no interference to business operations.

This whitepaper describes the recent update to Version 6.0 of the CIS Critical Controls, with a focus on application control and privilege management as high-payback, quick wins—when done right.

= = =
Keys to the Kingdom: Monitoring Privileged User Actions for Security and Compliance - David Shackleford

According to CERT, mechanisms to prevent privileged insider abuse should include the following:
•   Enforce separation of duties and least privilege. Separation of duties implies that no one employee can perform all privileged actions for a system or application. Least privilege implies that employees are granted only the bare minimum privileges needed to perform their jobs.

•   Implement strict password and account-management policies and practices. This should be enforced for all users, including administrators and other privileged

•   Log, monitor, and audit employee online actions. Organizations need to be vigilant about what actions privileged users are taking, and should use a variety of logging and monitoring techniques.

•   Use extra caution with system administrators and privileged users. Because these users are often granted the “keys to the kingdom” in terms of access and capabilities, additional safeguards often need to be implemented to adequately monitor and manage their behavior.
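The first CERT point, separation of duties and least privilege, as an added Python audit that is not from the paper: given who holds which privileged actions, which actions each job actually needs, and which pairs of actions must never sit with one person, it reports the conflicts and the excess grants, then shows that trimming everyone to what their job needs resolves both. The users, actions and conflict pairs are constructed.

```python
"""Separation-of-duties and least-privilege audit (added example).
All grants, role requirements and conflict pairs are constructed."""

# Constructed: privileged actions each user currently holds.
GRANTS = {
    "alice": {"approve_change", "deploy_change", "read_logs"},
    "bob":   {"deploy_change", "read_logs"},
    "carol": {"approve_change", "create_account", "reset_password"},
    "dave":  {"read_logs", "reset_password"},
}

# Constructed: the privileges each person's job actually requires.
ROLE_NEEDS = {
    "alice": {"approve_change", "read_logs"},
    "bob":   {"deploy_change", "read_logs"},
    "carol": {"approve_change", "create_account"},
    "dave":  {"read_logs"},
}

# Constructed: pairs of actions no single person should hold at once
# (approving and deploying a change; creating an account and resetting
# its password).
CONFLICTS = [
    ("approve_change", "deploy_change"),
    ("create_account", "reset_password"),
]


def sod_violations(grants=GRANTS, conflicts=CONFLICTS):
    """Separation of duties: users holding both halves of a conflicting pair."""
    out = {}
    for user, held in grants.items():
        hits = [pair for pair in conflicts if set(pair) <= held]
        if hits:
            out[user] = hits
    return out


def excess_privileges(grants=GRANTS, needs=ROLE_NEEDS):
    """Least privilege: what each user holds beyond what the job requires."""
    out = {}
    for user, held in grants.items():
        extra = held - needs.get(user, set())
        if extra:
            out[user] = sorted(extra)
    return out


def remediate(grants=GRANTS, needs=ROLE_NEEDS):
    """Trim every user to the privileges the job needs and return the new
    grant set. A user with no listed role keeps nothing."""
    return {user: held & needs.get(user, set()) for user, held in grants.items()}


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("excess grants:", excess_privileges())
    print("after remediation:", sod_violations(remediate()))
```

The two checks are deliberately separate: a user can be within least privilege and still violate separation of duties if the role itself is defined badly, so a clean `excess_privileges` result does not make `sod_violations` redundant.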
= = =
Implementing Least Privilege in an SMB - Tim Ashford

This paper is focused on the problem of managing privilege in the Windows environment.

Note: This paper is a candidate to be updated as an Analyst paper
= = =

Implementing Least Privilege at your Enterprise - Jeff Langford

This is an introduction to the Saltzer and Schroder design principles.
= = =
Security Controls in Service Management - K. V. Warren

This paper is a crosswalk between ISO 27000 and the Critical Controls. Where possible, use access control configuration templates which are in compliance with the organization's policies. User and group templates are used to grant the minimum access rights and privileges needed for the user to perform his/her job. Policy elements include: (expiry, lifetime, minimum length, complexity, difficulty, lockout after X failed attempts, etc).

NOTE: this paper is a bit dated, but could be a topic for a future Analyst program paper.
= = =
Privileged Password Sharing: "root" of All Evil - J. Michael Butler

Privileged accounts are difficult to manage in any enterprise running multiple distributed operating systems and versions of those systems. The more disparate the systems, the larger the problem. Take, for example, an environment that has HP-UX, Red Hat Linux, IBM AIX, mainframes, Active Directory, Windows 2003 Server, Windows 2008 Server, and a few other odds and ends. How can one administrator provision and keep track of every privileged user on every system? For that matter, how can a team of administrators control who is doing what, on which server, and to what end?
= = =

Increasing Security and Reducing Costs by Managing Administrator Rights with Process-based Privilege Management with Viewfinity - A What Works Paper

What caused you to look for a solution like Viewfinity?

In our Windows XP environment, we had a custom written tool that gave users 24 hour administrative rights to their machines. Going into Windows 7, we knew that tool wasn’t compatible with Windows 7. About 1,000 of our 6,000 end users had local administrative rights on their PCs and it had gotten out of hand. We had three different models for the XP environment: regular users who were given complete local admin rights, users with extra accounts without Internet access who had local admin rights and users utilizing the custom written tool for temporary access. Going into Windows 7, we had to come up with a solution to handle administrative rights and that’s what set us down the path of looking at the different tools and options out there.
NOTE: this paper is a bit dated. Any updates on Viewfinity/CyberArk? Any real world stories of PAM tools helping with the update to Win 10?
= = =

Wednesday, August 10, 2016

Continuous Monitoring Survey

Part of being a member of the cybersecurity community is helping out with research efforts to identify trends in information security. If you are involved in continuous monitoring please complete this survey.

Continuous Monitoring for vulnerabilities and exposures is providing benefits for 40% of those who took the SANS 2015 survey on continuous monitoring.   Yet, with only 6% scanning for vulnerabilities daily (as recommended by the Critical Security Controls and other important guidelines), there is plenty of room for improvement. (Link to 2015 survey:

In this new survey, publishing November 15, 2016 during a 1 PM ET webcast (, SANS will uncover what improvements organizations have made in their programs since our last survey, along with what practices and tools are making the most positive impact. For example:

  • Have they assessed more of their critical assets that need scanning? (In 2015, the majority had identified only 50% of their critical assets.)
  • Once they’ve identified critical vulnerabilities, can they repair them faster than the 2-3 weeks that the majority of respondents indicated they needed in 2015? If so, how?
  • Are their CM programs improving organizations’ visibility into existing, known assets as well as new assets coming online?
  • Have they achieved more integration and workflow management for the asset lifecycle, which was top of their wish list in last year’s survey? If so, how?

Tuesday, August 9, 2016

Vector of Attack - Unwanted Software

One of the atomic forms of defense in depth is threat vector analysis. Figure out how the bad man can get to us and move to cut that "path" off. According to The Stack:

In a year-long study in conjunction with New York University, researchers at Google found unwanted software unwittingly downloaded as part of a bundle to be a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings as malware warnings, over 60 million per week.

The study found the pay-per-install (PPI) scheme, whereby a company succeeds in monetizing end user access by paying $0.10 to $1.50 every time their software is installed on a new device, to be the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.

Types of unwanted software (UwS, pronounced ‘ooze’) fall into five categories: ad injectors, browser settings hijackers, system utilities, anti-virus, and major brands. While estimates of UwS installs are still emerging, studies suggest that ad injection affects 5% of browsers, and that deceptive extensions in the Chrome Web store affect over 50 million users. 59% of the bundles studied were flagged by at least one anti-virus engine as potentially unwanted.

The full report is at:

According to the study:
Estimates of the incident rate of unwanted software installs on desktop systems are just emerging: prior studies suggest that ad injection affects as many as 5% of browsers and that deceptive extensions escaping detection in the Chrome Web Store affect over 50 million users.

Note on Opera from the study:
Based on the affiliate codes embedded in the download URLs for Opera, it appears that Opera directly interacts with PPI operators to purchase installs rather than relying on intermediate affiliates.
Look for connections to