You Can’t Buy Security
Building an Open Source Information Security Program
By: Boris Sverdlik aka @JadedSecurity
Who am I?
Your friendly neighborhood security guy
That Jaded asshole who runs a blog and is on that DAILY podcast.. You know.. ISDPodcast.com
I’m That Guy on Twitter….
Coming up on almost 15 years in the Industry.
I started on the Offense Side, got sucked into Defense, now it’s a little bit of both…
I’m Not an “Evangelist” but I have stayed at a
Disclaimer
No Animals, Unicorns, Memes, Evangelists were hurt during the production of this talk.
Do not go back to your organization and say “Boris compared this to X”
This presentation has been tailored for consumption by the awesome “DerbyCon Audience”. A made-for-RSA presentation will be available for all of your corporate Needs
Finally: Rape Is Never Funny.. Except when..
Why are we here?
At Security Zone 2011, some very smart people came up with the idea that Defense should be Sexy
Sexy Defense
So a bunch of us put in a CFP for a panel at ShmooCon and somehow it got hijacked and turned into a “You’re Doing it Wrong, Read The Manual” discussion.
“We need more Data”
“We need better tools”
“We need to know how to use the tools we have”
Focused on “IT Security” which is Doing it Wrong
“IT Security” is an oxymoron
IT is in the business of keeping the business running
Security is there to enable the business to continue being successful
The Pyramid is missing a key component. Know Your Business!
IT Managers Focus on
Availability - Redundancy
Resource Utilization
Operational Reporting
Ease of Implementation
Ease of Support
Limit production issues
Cost of Ownership
Security Managers focus on
Ensuring that security is tightly integrated into the business
Identifying weaknesses in process and technical controls
Ensuring that new initiatives do not impact current controls
Reducing the risk posture of the entire organization as a whole (Physical, Technical and Administrative)
Recommend and/or Implement controls that potentially conflict with IT Focus!
Truth of the matter is!
People, Process, Technology is the only way to build an Information Security program properly.
We fail at Security because we focus too much on Technology and let “Analysts” drive our security decisions
There is no Magic Bullet! There never will be!
Obligatory Repurposed Image
• You Can’t Buy Security!
• Despite what $Vendor claims!
So without further adieu <Fancy speak>
Let’s Start with People!!!
Hire the Right People to run your security program.
You Guys are the right People!!!! So let’s ignore the next couple of slides that are directed towards the other Hiring Managers.
So why hire them to run Security?
Your Security Program is not a checklist…
It requires an individual who has experience and can learn and adapt to your environment
Don’t Hire the guy/gal who wants to “Secure Everything”
We all know that security guy who has a fit every time the firewall is probed.
The Sky is not falling!!! The Planet is not under attack!!!
China is not after all your Data!!! If they are, they already have it…
So let’s say you’ve hired the right Person!!!
The right person will be someone who understands your business model
He/She is not driven by the latest Gartner Analyst report
Doesn’t play buzzword Bingo
Has been in the industry long enough to Get It.
Has the right combination of Technical, Business and Soft skills.
You are the Right Person!
<for the sake of argument, you aren’t hungover this Sunday Morning>
You have just been hired as the new CISO for ABC Condom Company!!! You Start Monday!!! Yay!!!
What’s the first thing you do?
Use the Googlez obviously!!!
I’m going to assume you already scouted before you got hired!
So what are we going to search?
You want to learn everything you can about the business aspects
How are Condoms Made
How does ABC Condom make money
Do they sell direct?
What’s this??? 4Chan??
/b has a post saying ABC Condom Company is making a new product.. Now with a 100% more @#$^!(
Monday Morning Comes!
The First thing you’re going to do is use all of your 1337 social engineering skills to meet with as many individuals as you can.
Don’t focus just on the Management team… You really want to get a feel for the organization
You’re an Employee… Did you sign an NDA as part of your hiring package? If not, that can give you some insight on the organization’s stance on privacy
You might have your work cut out for you.. But hey, you’re
OK, We got the formalities out of the way.. What’s first?
You can’t have a security Program without understanding what you are going to protect? Right?
Your first step is Information Classification!
Do not use some Arbitrary Value that you learned in CISSP class.. Quantitative Risk assessment is a myth!
AV (Asset Value) * EF (Exposure Factor) = SLE. MEH!!!
The Business does not understand Asset Values of intangible assets. It’s a futile process and will bring you nothing but Grief!
First steps
At this point you’ve identified from a high level how your business operates
What are the different Business Units
What if any Legal/Regulatory Obligations you have
What the Collective Organization values.
When you perform a Business Impact Analysis every BU (Business Unit) will claim that their process/product is the most valuable to the organization. This usually causes the process to fall apart and will eventually become a show stopper!
Where do I start
So if /b is an indicator we know we might have an R&D initiative. Let’s put this in our spank bank for later..
How do we perform classification without using arbitrary values? Easy.. You have spent the last couple of days learning your business right?
You know that you make money from Manufacturing and Direct to wholesalers.
You know you have HIPAA, SOX and PCI obligations
First Things first
You’ve done your OSINT Searches and have identified a couple of Web Servers and look what we have here.. A customer support forum… Let’s do some skid testing first… Run your scripts… put your leet SQLMap skills to the test.
NOTE: This isn’t a pen test! Just to see if you can withstand the kiddies..
Information Classification
Start Broad and put availability aside for a second.
Start with three Categories
Public, For Internal Use Only, Sensitive
Sensitive
• Intellectual Property (Secret Condom Formula, Research Data)
• Books & Records
• PII and PHI
• Employee Information
• Business Strategy Documents
For Internal Use Only
• Phone Directories
• Policies and Some Procedures (Depending on the sensitivity of the system)
• Interoffice communications & General Memos
• Calendars
• HR Procedures
• Non Application Specific Intranet Sites
Public
• Financials already disclosed
• Anything the business would be cool with showing up on
Start with Low Hanging Fruit
You sell rubbers… I’m sure you have a customer service organization? Right???
They more than likely have access to a good chunk of your sensitive data
They are also most likely the ones who click all the Shit
Your organization may differ! This is not a one size fits all!
Step#1 Face to Face
• Set up some “Getting to know you time” with the manager of the group and use your 1337 social engineering skills to convey “How can I help you” ***IMPORTANT!!!
• Elicit as much information as possible:
  • Roles: How many groups do you have
  • What are their responsibilities
  • What applications do they use *** Important
  • How do you get new employees set up
  • What frustrates you about IT?
Findings
• You’ve identified that the customer service group uses a proprietary web app called Magnum for most of their functions.. Let’s consider this system CRITICAL
• You’ve identified several different roles within the group
• You’ve identified that IT manages account administration
• You’ve also identified things you weren’t expecting..
Lol. Wut?.. No Really..
• Anyone can request and get access
• Whoever wrote the app quit years ago
• Nobody really knows who maintains the application
• Code hasn’t been touched in years..
Guaranteed Tangent #1
• Now it’s time for some real sexy time!!!
• Meet with IT and position yourself as “Hey, I know you’re busy but $BusinessManager has asked me to look into who has access to Magnum..”
• Build rapport with IT, don’t come off as Me Vs. You!!
IT: Oh we just add them to $Group(s)
You: Cool, what do $Groups have access to?
IT: I dunno.... Before my time…
You: Great.. Thanks…
Are you stuck??
• No.. Now it’s time to put your leet skillz to use
  • Identify the nodes the application is running on.
  • Identify the authentication/authorization mechanism
  • Identify Change Management procedures
  • Review the code for any additional connections made by the application
Ha! Now we have Data
• You’ve learned that the App is running on a Tomcat server with AD Authentication using Roles.. YAY!!
• You know it uses a $ServiceAccount to access $Database
• Now we go back to IT and ask for acl dumps for:
  • The individual nodes
  • Tomcat
  • $Database
Now comes the hard part
• You have to sort through all this crap!
• Put together an access control Matrix based on job functions and True access lists
• Document the entire PROCESS!!!
• Draft an Application Specific Policy / Run Book
Follow up with the Business Unit!
• Present the document to $Manager, now enabling them to take responsibility for ownership of the application and assign a delegate
• Have them review the current entitlements and have them agree on a review process in line with the criticality of the application
• You should know each of their processes intimately. The Run Book should be a good baseline for a BCP
• Establish a partnership that will prove beneficial to them
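One way to turn the ACL dumps into the access control matrix and the entitlement review the last few slides describe, as an added example that is not from the talk: it joins the AD group dump, the Tomcat role mapping and the job-function matrix agreed with $Manager, then flags users holding roles beyond their job and accounts HR does not own. All groups, roles, job functions and user names are constructed sample data.

```python
# Added example, not from the talk: reconcile who CAN use Magnum against who
# SHOULD. All data below is constructed sample input; names are hypothetical.
from collections import defaultdict

# AD group dump from IT: group -> members ("we just add them to $Group").
AD_GROUPS = {
    "magnum-users": ["alice", "bob", "carol", "dave"],
    "magnum-supervisors": ["carol", "dave", "bob"],
    "magnum-admins": ["dave", "svc-magnum", "erin"],
}
# Tomcat realm role mapping: application role -> AD group that grants it.
TOMCAT_ROLES = {"viewer": "magnum-users",
                "refund": "magnum-supervisors",
                "admin": "magnum-admins"}
# Job-function matrix agreed with $Manager: job function -> roles it needs.
JOB_ROLES = {"csr": {"viewer"},
             "supervisor": {"viewer", "refund"},
             "app-owner": {"viewer", "refund", "admin"}}
# HR feed: user -> job function (erin left the group; svc-magnum is not a person).
HR = {"alice": "csr", "bob": "csr", "carol": "supervisor", "dave": "app-owner"}


def effective_roles(ad_groups, tomcat_roles):
    """Build the true access matrix: user -> application roles actually granted."""
    matrix = defaultdict(set)
    for role, group in tomcat_roles.items():
        for user in ad_groups.get(group, ()):
            matrix[user].add(role)
    return dict(matrix)


def reconcile(ad_groups, tomcat_roles, job_roles, hr):
    """Compare true access with the job-function matrix.

    Returns (excess, unowned): excess maps users to roles beyond their job
    function; unowned lists accounts with access that HR does not know about
    (leavers, service accounts), which need an owner before the review signs off.
    """
    actual = effective_roles(ad_groups, tomcat_roles)
    excess, unowned = {}, {}
    for user, roles in sorted(actual.items()):
        if user not in hr:
            unowned[user] = roles
            continue
        extra = roles - job_roles[hr[user]]
        if extra:
            excess[user] = extra
    return excess, unowned
```

With the sample data, bob (a CSR) turns up with the refund role, and erin and svc-magnum hold admin with nobody in HR to own them; those are the lines $Manager signs off on, or removes, in the first entitlement review.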
Wow.. That took a lot of work
• We haven’t implemented a single bullshit policy yet!
• We haven’t bought a single Blinky Box
• We haven’t bitched about budget.
• We haven’t once talked about CHINA!
We’re not even close to done!
• The classification exercise is the very minimum every CISO/CSO/Head of Security/Whatever needs to ensure is done before building their security program!
• We’ll call that Step#1
Step #2?
• So now you can go ahead and snag some templates off of SANS for your “Security” Policies
Policies and Procedures
• Now that you know your business you can draft your policies so that they align with the business
• Keep them short and concise and RELEVANT!
• Don’t forget the basics
  • Acceptable Use
  • Data USAGE!
  • Communications
  • Physical
  • ETC!!!
Now comes the “Fun” part
• You know exactly what assets you need to protect
• You know where your assets are
• You know what they are worth to the success of your business
• You have the support of the business
Step #3 Implementation
• We don’t need to buy $Product to lower your risk of exposure
• Cover your BASICS (Not what the CISSP Taught You)
  • Access Controls
  • Application Security
  • Network Security
  • Operational Controls
  • Physical Security
  • Business Continuity
  • User Awareness Training!
OPEN SOURCE
• OPEN SOURCE IS NOT FREE!!!
• Always weigh the cost of implementation against purchasing a solution if you do not have the resources available to build.
Access Controls
• Authentication & Authorization
  • You need to be able to map the classification process back to a system that can enforce controls and provide accountability
• Remote Access should follow this access control mechanism as well.
• If you aren’t on Windows there are options!!!
  • OpenLDAP
  • OpenIAM
  • And much More!!!
Application Security
• Work with your development teams to ensure that secure functions are documented and available for reuse across the organization
• While code review for every app will never be possible, make sure that major revisions for high risk applications are at least reviewed.
• Use static analysis tools to test your development efforts for potential bugs
• Don’t run applications of different risk levels on the same logical/physical systems
• Always assume the host/client has been compromised; as such, ensure application security controls are at the application layer
Network Security
• VLAN does not mean segregated!
• Firewall rules should be very explicit
• The End User environment should not have unfettered access to your production environment
• For God’s sake do not allow direct internet access through a PAT!!
• Group Systems logically by the data that they house
• SSL != SAFE!
• Certificates != Good 2FA
• NAC is a wet dream you will never fully attain
• Use Active and Passive Network Monitoring
Logging
• Ensure you have centralized logging from your business critical systems
• Ensure that you can maintain the integrity of the logs.
• Logging mechanism should provide administrative monitoring!!
Monitoring
• You do not need to spend $$$ on a commercial SIEM
• Open source Solutions such as OSSIM can provide all that you need to build your monitoring program.
• The Solution must provide real time Alerting
• You do need to build a process to address alerts and fine tune the system.
• Resources are Key!
Intrusion Detection
• Once you’ve identified your critical resources during Step 1, you now know where to focus your resources.
• Network Intrusion Detection should never be implemented to fulfill a checkbox! You need to spend the time to trend the environment and build your rules from a white list perspective. Snort is FREE!
• Host Based Intrusion Detection provided by OSSEC can provide real value when implemented on critical resources. It can maintain your compliance checking as well..
Vulnerability Management
• Vulnerability Management is a place where a lot of organizations get stuck in an endless loop of exceptions and acceptances and blah blah blah.
• An authenticated scan should be your validation that patches are being applied and that new applications aren’t being introduced without going through the process
• It’s a QA function when done right
• Again.. OpenVAS and Seccubus are FREE!
BYOD???
• Have you noticed I haven’t nitpicked endpoint controls???
• Once you build out your classification you can use criticality/sensitivity of the data to apply additional controls as required
• There are plenty of ways to provide access to data in a hostile environment
Security Awareness
• Your users will never stop clicking shit
• Compliance driven security awareness does not work
• It must be reinforced and integrated into the culture
• Defense in depth and treating the endpoint as hostile is the only way to go.
Now go find a Red Team
• A Penetration test by a 3rd party is the only way to validate your program is effective. They hold no bias…
• If you have external facing infrastructure, then crowd source the external pen test! Oftentimes a bug bounty will be more cost effective than a full dynamic analysis
At this point you’re not even close to done!!
• The Security Program is just that: a program!
• It is a living, breathing animal and must be continually fine tuned
What’s Next?
• This is why I love the Community: apparently Dennis Kuntz (@denniskuntz) has already started working on a framework! http://www.cossp.org