Storage Security Governance
Storage Security Governance - My article in ISSA December 2012 Issue


December 2012 | Volume 10 Issue 12

Cover features: Storage Security Governance: A Case Study; Structured Risk Analysis Offers Rich Rewards; Network Device Forensics
Table of Contents

Features

12 Network Device Forensics
By Didier Stevens – ISSA member, Belgian Chapter
The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.

16 Storage Security Governance: A Case Study
By Vinoth Sivasubramanian – ISSA member, UK Chapter
The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program.

24 Structured Risk Analysis Offers Rich Rewards
By Greg Jones
Risk analysis is far from an exact science, with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis.

Articles / Also in this issue

3 From the President
4 Welcome to the December Journal
5 Sabett’s Brief: Holiday Shopping with My Smartphone
6 Herding Cats: Pocket Storage for All
7 Security Awareness: Security Awareness Training Feedback Surveys
8 Association News
30 Risk Radar: YARA Signatures
32 toolsmith: ModSecurity for IIS
36 Conferences

©2012 Information Systems Security Association, Inc. (ISSA). The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219.

2 – ISSA Journal | December 2012 ©2012 ISSA • • • All rights reserved.
From the President

Hello ISSA members
Ira Winkler, International President

International Board Officers
President: Ira Winkler, CISSP, Distinguished Fellow
Vice President: Andrea C. Hoy, CISM, CISSP, MBA
Secretary/Director of Operations: Bill Danigelis, CISSP, Senior Member
Treasurer/Chief Financial Officer: Kevin D. Spease, CISSP-ISSEP, MBA

Board of Director Members
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS
Pete Lindstrom, CISSP
George J. Proeller, CISSP, CISM, ISSAP, ISSMP, D.CS, Distinguished Fellow
Nils Puhlmann, CISSP-ISSMP, CISM
Brian Schultz, CISSP, ISSMP, ISSAP, CISM, CISA, Fellow
Stefano Zanero, Ph.D., Senior Member

Developing and Connecting Cybersecurity Leaders Globally

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Today, I reviewed the schedule for the upcoming RSA Conference in February, and I am looking forward to the ISSA Member Reception that will be held on Tuesday of the conference. While the whole conference is generally a great opportunity to get together with other security professionals, our reception is an opportunity to recognize the accomplishments of our peers.

This reminds me that the nomination process for the ISSA Fellow Program is currently open until December 5. This program acknowledges sustained membership and contribution to the ISSA, as well as the information security community in general. So, let me take this opportunity to remind everyone that you should look to yourselves and fellow members to consider people to nominate.

There are several levels in the Fellow Program. The first is Senior Member, which acknowledges sustained membership within ISSA. Specifically, after five years of membership you are eligible for the Senior Member designation. To apply, you need to complete the online application on the ISSA website and have your local chapter complete the endorsement form. There are other requirements, but this is the basic flow.

Yes, it is the intent of the ISSA to engage members with their local chapters. The chapters will support the applicants; the applicants will see the benefits of interacting with other members and take advantage of the networking opportunities. Hopefully, most applicants have already been participating within their chapters, and this engagement increases the strength of the chapters as well.

The Fellow and Distinguished Fellow designations are reserved for members who have not only sustained long-term membership, but have also served in leadership positions within the ISSA as well as serving the information security community as a whole. There are a number of qualifications that applicants must meet. I recommend that you check the ISSA website (=> Advance) to determine the specific requirements, and seek out a party who can nominate you or another deserving member.

Before being elected president, I was responsible for overseeing the Fellow Program, and it was actually the most rewarding aspect of serving on the ISSA International Board. Specifically, I was the person responsible for acknowledging members’ accomplishments. It was a pleasure to personally congratulate these people in front of their peers and large audiences. Rarely is there such an opportunity to acknowledge people in our profession. I have also received messages expressing appreciation from the people who have been accepted into the varying levels of the program. We all appreciate the rare recognition of our professional accomplishments. It encourages us to serve the ISSA as well as the larger information security community.

So, please consider reviewing the requirements of the three levels of the Fellow Program, and consider people to nominate. They and the ISSA will thank you.

Ira Winkler
Welcome to the December Journal
Thom Barrie – Editor, the ISSA Journal

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry and/or changes or enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA.

Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see the ISSA website. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Another year is drawing to a close. Thank you, authors, most of whom are ISSA members, for sharing your insights, experiences, and expertise – and I certainly encourage others to submit as well.

Thank you, advisory board members, for your efforts to keep the Journal relevant and informative – we’ve developed next year’s editorial calendar and it looks like another great year ahead. Visit the ISSA website => Learn => ISSA Journal => 2013 Calendar to see where you might be able to contribute. Of course, if you think a topic has been overlooked, let us know, or better yet, submit an article to close the gap.

And thank you, readers – the why we do what we do. I encourage you to let us know how we are doing; offer up some comments and considerations on an article you’ve read; send in a letter to the editor, agreeing or disagreeing – let’s keep the dialog going.

And I wish you all Happy Holidays and a safe, prosperous, and secure New Year.

– Thom

ISSA Journal
Editor: Thom Barrie
Advertising: 866 349 5818 / +1 206 388 4584 x101

Editorial Advisory Board
Mike Ahmadi
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Fellow

Services Directory
Website: 866 349 5818 / +1 206 388 4584
Chapter Relations: 866 349 5818 / +1 206 388 4584 x103
Member Relations: 866 349 5818 / +1 206 388 4584 x103
Executive Director: 866 349 5818 / +1 206 388 4584 x102
Vendor Relations: 866 349 5818 / +1 206 388 4584 x101
Headquarters: ISSA Inc., 9220 SW Barbur Blvd. #119-333, Portland, OR 97219 • Toll-free: 866 349 5818 (USA only) • +1 206 388 4584 • Fax: +1 206 299 3366
Sabett’s Brief

Holiday Shopping with My Smartphone
By Randy V. Sabett – ISSA member, Northern Virginia, USA Chapter

So, how many of you would trust your mobile device to securely handle a high or very high value mobile transaction? After all, security and trust serve as two of the building blocks upon which decisions about risk in the mobile environment can be made. From a corporate perspective, such decisions ultimately can affect the liability that an organization will face as a result of how its employees use mobile technology. Today’s mobile technology, unfortunately, often has weak (or even nonexistent) security and trust.

To address this shortcoming, NIST recently released another draft in their 800-series of Special Publication documents.1 Entitled “Guidelines on Hardware-Rooted Security in Mobile Devices,” Draft SP 800-164 introduces a security framework for mobile devices.

Draft SP 800-164 establishes up front that various overlapping roles exist related to mobile devices, with the main use case focused on enterprise deployments of technology and, specifically, “bring your own device” (or BYOD). For example, the roles of Device Owner and Information Owner can be played by either the company or the employee, depending on the particular arrangement between the two. Interestingly, Draft SP 800-164 does not mention the role of the government or regulators. It also does not talk about the liability that a stakeholder might have as a result of taking on a particular role. Each of the entities that it does discuss, however, has a particular set of interests and identifiable activities within the mobile environment. The resulting liability concerns necessitate a deeper inquiry into the security components and hardware features available (or that should be available) on the particular devices.

From a security perspective, various Roots of Trust exist that provide varying degrees of protection to the mobile environment. A future BYOD approach may no longer be limited to a binary “yes, you may bring your device” or “no, you may not bring your own device.” Instead, depending on how much or how little liability exposure an organization may decide to take on, it may want to examine both the security components and the security capabilities in the devices it will be deploying.

Draft SP 800-164 states that three security components are required within mobile devices. First, the Roots of Trust (RoTs) mentioned above must be implemented as “security primitives composed of hardware, firmware, and/or software that provide a set of trusted, security-critical functions.” Second, an Application Programming Interface (API) must be implemented that exposes the RoTs to the device and the OS so that those RoTs can be used to provide a chain of trust. Third, a Policy Enforcement Engine must exist to enable the use of policies on the mobile device. These security components must further be used to implement the three mobile security capabilities of device integrity, isolation, and protected storage.

The guidance goes on to describe a number of different contexts in a “notional architecture” of a typical mobile device. Within those contexts, the components above should be used to provide the capabilities of (a) device integrity (defined as “the absence of corruption in the hardware, firmware, and software of a device”), (b) isolation (defined as “the capability to keep different data components and processes separate from one another”), and (c) protected storage (a fairly well-understood concept that “depends heavily on encryption and integrity protection”). Again, these can combine to provide some level of protection for the organization.

Overall, the Draft SP 800-164 does a reasonable job of introducing the issues of trust and security in a mobile environment, then providing a conceptual approach for addressing and improving those issues. Future drafts could go further by addressing three critical things: (1) providing practical guidance on how companies can apply the concepts in the document, (2) the role of the government in the mobile deployment environment, and (3) how the various technical and policy concepts in the framework can be used to limit the liability of an organization looking to roll out or improve their mobile deployment.

Now, I’m headed off to do all of my shopping…using my Android phone. Have a wonderful and safe holiday season!

1 See

About the Author
Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC, an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.
Herding Cats

Pocket Storage for All
By Branden R. Williams – ISSA Fellow and member, North Texas, USA Chapter

I can hear the friendly ribbing now. “Oh GEE Brando, an issue dedicated to storage? I am sure you will have fun toeing the company line on that one! After all, you joke about how storage is cheaper for you than others when you talk about collection without limitations.” Sure, generic security guy, I do joke about that. But I wanted to take this month’s column in a different direction. It does deal a little bit with storage, but it’s the storage we carry with us every day. Yep, the old smartphone problem, and what the heck is that thing doing?

I’m presently writing this column about three weeks before you will read it. It’s the week following BSidesDFW, which was a great success thanks to the fantastic organizers and community surrounding them. One session in particular that I really enjoyed was with Francisco Artes live, and hilarity from Gal Shpantzer via Skype, where they discussed how smartphone storage worked and the security features of both the Android and iPhone platforms. I’ve written and blogged about the super forensic-friendly nature of these devices, but it wasn’t until this session that I really began to understand the nature of what is left around on these devices.

I’ve been very interested in doing forensic analyses of the phones in my house, but I’ve not had the time or networking abilities to get into the right crowds to both gain the knowledge and equipment required. Here’s the good news. If you have an iPhone, you probably have pretty seamless upgrades into newer versions of iOS and the adoption rate is insane (over 61% at the end of October). If you have an Android, you may be frustrated with your ability to upgrade depending on the carrier or handset.

So let’s talk bad news for iPhone users now, because I was certainly enlightened to learn how the underlying storage and the security models work. Everything on your iPhone is essentially stored in a database. Great for quick access and organization, and it allows for some containerization such that application data doesn’t commingle. Sounds great so far, right? But what happens if you delete a text message or something from an application? Since you deleted it, it must be gone, right?

Nope. The database entry is marked in a way that allows it to eventually be overwritten, but it still is on the phone. So a forensic analysis will show all those texts that you thought you deleted. But wait, because it gets SO much worse. Every time you back up your iPhone, all of those entries that you have marked as deleted are backed up right with all the good stuff that you want to see. This means that it becomes insanely hard to remove them from your device because they now are in your backups. If you grab the newest iPhone and restore from your old backup, all of those deleted texts now make their way onto your new phone! According to Francisco and Gal, the only way to prevent this is to set up your iPhone as a NEW device, not restoring from backup. That is, start all over.

Now let’s put on our tin foil hats and get really suspicious of everything with a battery. Maybe you are one of the many iPhone users who doesn’t have a (working) home computer. Or maybe you want to take advantage of Apple’s generous offer to back up your phone for you via iCloud so that no matter where you are, you can restore your phone if you have a problem. Do you see where I am going? All of those deleted texts are now up in the cloud and out of your control. If you were thinking of doing something illegal and coordinating it from your iPhone, your backups could be subpoenaed without your knowledge and all of those deleted texts might be in the hands of the Feds. Yikes!

The point of Francisco and Gal’s presentation wasn’t necessarily to make everyone run from the room screaming in fear, but to uncover some of the good security-related things that mobile devices can do while highlighting the snakes in the grass that we all need to be aware of – especially corporate security folks who are charged with keeping information secure on those devices. It might be time to re-think how information moves throughout your company and see how bad a lost cell phone might actually be.

About the Author
Branden R. Williams, CISSP, CISM, is a CTO at RSA, the Security Division of EMC, ISSA Fellow, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog or buy his book.
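The behaviour the column describes, a deleted record that no longer shows up in the application but is still present in the database file and in any file-level backup of it, can be reproduced outside a phone. The script below is an added example written for this page; it is not part of the column or of the presenters' material. It assumes the store is a SQLite database (iOS keeps messages in SQLite, although the column does not name the engine) and uses a constructed four-message table named `message` in a file called `sms.db`; the table name, file name and messages are illustrative. It deletes one message three ways: a plain DELETE, a DELETE with SQLite's `secure_delete` pragma enabled, and a DELETE followed by `VACUUM`, and for each reports whether the body text is still visible through SQL, still findable by a raw byte scan of the file, and still findable in a copy taken afterwards, which is what a backup of the file amounts to.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data, not real phone content: four messages in a
# message store; the third one is the message the user later "deletes".
SAMPLE_MESSAGES = [
    "lunch at noon?",
    "running ten minutes late",
    "meet at the usual place and bring the envelope",
    "ok, see you there",
]
TARGET = SAMPLE_MESSAGES[2]


def build_store(path):
    """Create a small SQLite message store (the schema is illustrative)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO message (body) VALUES (?)",
                    [(m,) for m in SAMPLE_MESSAGES])
    con.commit()
    con.close()


def delete_message(path, body, secure_delete=False, vacuum=False):
    """Delete one row the way an application would, with optional mitigations.

    With secure_delete off (the compiled-in default is usually off) the freed
    cell is only recorded as free space inside its page; its bytes stay there
    until the space happens to be reused. With secure_delete on, SQLite zeroes
    the freed bytes. VACUUM rebuilds the file from the live rows only, so free
    space in the old pages is not carried over.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("DELETE FROM message WHERE body = ?", (body,))
    con.commit()
    if vacuum:
        con.execute("VACUUM")  # must run outside a transaction
    con.close()


def logically_visible(path, body):
    """What the application sees: is the row still in the table?"""
    con = sqlite3.connect(path)
    (count,) = con.execute("SELECT COUNT(*) FROM message WHERE body = ?",
                           (body,)).fetchone()
    con.close()
    return count > 0


def raw_bytes_contain(path, body):
    """What a forensic carver sees: the text anywhere in the file, schema ignored."""
    with open(path, "rb") as fh:
        return body.encode("utf-8") in fh.read()


def residue_after_delete(secure_delete=False, vacuum=False):
    """Return (visible_via_sql, in_database_file, in_backup_copy) after deleting TARGET."""
    workdir = tempfile.mkdtemp()
    try:
        db = os.path.join(workdir, "sms.db")  # file name is illustrative
        build_store(db)
        delete_message(db, TARGET, secure_delete=secure_delete, vacuum=vacuum)
        # A file-level backup copies the whole file, free space included.
        backup = os.path.join(workdir, "backup.db")
        shutil.copyfile(db, backup)
        return (logically_visible(db, TARGET),
                raw_bytes_contain(db, TARGET),
                raw_bytes_contain(backup, TARGET))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for label, kwargs in [("plain DELETE", {}),
                          ("DELETE with secure_delete", {"secure_delete": True}),
                          ("DELETE then VACUUM", {"vacuum": True})]:
        visible, in_file, in_backup = residue_after_delete(**kwargs)
        print("%-26s visible via SQL: %-5s  in file bytes: %-5s  in backup: %s"
              % (label, visible, in_file, in_backup))
```

The plain DELETE is the case the column warns about: the SELECT no longer returns the message, but the UTF-8 body is still in `sms.db` and travels intact into `backup.db`. Only the first few bytes of the freed cell are overwritten by SQLite's free-block bookkeeping, which is why a byte scan, not a SQL query, is the right check. Whether a given application turns `secure_delete` on or ever vacuums its store is the application's choice, which is why the presenters' advice to start from a fresh device rather than a restored backup is the only option left to the user.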
Security Awareness

Security Awareness Training Feedback Surveys
By Geordie Stewart – ISSA member, UK Chapter

Whoever said that there’s no such thing as a stupid question, only a stupid answer, has probably never seen a feedback survey for security awareness training sessions. Questions such as “Did you learn anything?” and “Do you feel more secure?” are as common as they are idiotic. I guess it’s largely shaped by the motives of who is asking the question. The trainers involved are primarily interested in demonstrating that they are good trainers and questions are designed to elicit complimentary feedback. Feedback surveys are a great chance to obtain valuable feedback, but only if we’re asking the right questions. In this column we’re going to look at training feedback surveys in more detail.

Getting useful feedback from training sessions is challenging, but not impossible. For a start, you need to be aware of people’s biases. Surveys measure “declared preferences” since they rely on people expressing their views. While easier to gather, declared preferences have inherent biases that need to be acknowledged and allowed for when interpreting the results. “Revealed preferences” are what people actually do, but measuring what people do accurately and efficiently can be difficult, especially if people know they’re being observed. Here are some suggestions for allowing for people’s biases while obtaining reliable survey data.

Selection Bias. By definition, the population available to fill out training awareness feedback forms are usually those who actually attended. Therefore, the results do not include those who chose not to attend. Consider carefully what the people who didn’t attend might say. That the training was too long? Too basic? Too boring? If people have perceptions that are holding them back from attending, it’s important to find out why. It’s not necessarily about the session; it’s about people’s perceptions of the session which also need to be managed. You may want to consider a survey targeted at people who didn’t attend to ask them why.

Confirmation Bias. When we signal the desired answer in the phrasing of the question, we deserve the answers we get. It’s human nature to avoid confrontation or disappointing people, and there is a tendency for people to tell us what we want to hear. To counter this bias, try to avoid questions which are phrased in moral terms. Look out for the word good as it normally signals a moral norm and therefore an expected answer.

Intention Bias. People have all sorts of good intentions. Go to the gym. Lose weight. Stop smoking. However, there is a big gap between intent at a point in time and what people actually do in the following days and months. It’s all very well people declaring their intention to take security more seriously, but you should have a glance at your own 2012 New Year’s resolutions for a reality check. If you’re going to bother asking people about their intentions after training, then you should have a way of measuring later how many people followed through.

Phrasing. Questions should be as short as you can make them without becoming vague, and you should only ask one question at a time. For example, “Was the training clear and easy to follow?” actually mixes up two different concepts, which mean different things – training clarity and training pace. Where questions are unclear or confusing, the temptation will be to abandon the survey (which reduces completion rates) or skip through (which reduces data quality).

Be Specific. Avoid subjective words that are going to have different interpretations. For example, the word often will mean different things to different people. Instead of a word like often, try setting out a specific time frame such as “at least once a week.”

Vocabularies. The use of obtuse linguistic structures (complex sentences) and TLAs (vague acronyms) will cause problems by impacting both completion rates and data quality. Consider trying out your test questions on some volunteers and ask them to repeat back to you in their own words what your question is asking. You may be surprised at how your questions were interpreted. When you reliably get people repeating back your questions as you intended, then you’re ready to go.

Designing effective surveys does take time and effort, but is worth it in order to obtain valuable feedback. It is important to allow for people’s biases and tendencies when designing a survey. If you’re judging the “success” of your security awareness training by feedback from slackers who hang around to gossip after training sessions and tell you what you want to hear, you’re probably wasting your time.

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at http://www.risk-intel-
Association News

Connect with Us
Do you tweet? ISSA now has a Twitter page! Don’t forget to like us on Facebook! You can also find us on LinkedIn! When it comes to cybersecurity, being out of the loop is a dangerous place. Keep informed with ISSA social media connections.

February 5, 2013 • London, England
Announcing the 2013 ISSA European Conference. This event will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage. At this conference attendees will hear from leading European and international speakers that will inform and set our future direction in Information Security. A great value, ISSA members can attend for just $35 USD. Visit the ISSA website to register today. Space is limited.

Keynote Presentations Now Online!
Video recordings of the 2012 International Conference Keynote Presentations are now available. Additional recordings will be available in the months following the conference. Please look for announcements in member communications and on ISSA’s social media sites.

ISSA Web Conferences
The ISSA Web Conferences bring together ISSA members from around the world to share leading industry presentations and answer members’ questions. Each event is designed to address the timely needs of our members through a live online event and a subsequent recorded version for on-demand viewing. All content is developed by the ISSA Web Conference Committee.

CPE Credit Available: ISSA members will be eligible for a certificate of attendance, after successful completion of a post-event quiz, to submit CPE credits for various certifications.

Predictions for the New Year
Date: January 22, 2013
Start Time: 9:00 a.m. US Pacific / 12:00 p.m. US Eastern / 5:00 p.m. London
Once again some brave (or foolish?) folks volunteer some insights and predictions into where infosec challenges will come from in 2013 and beyond. To a degree, changes in legislation and technology are easy meat to predict in a 12-month time frame. But what about environmental impacts such as cyberattacks and cyberwarfare trends? Will the cold wind of social media exploits bring infosec into focus for the ignorant end user? What is likely to be the next big hurricane of “wikileaks-type” exposure to rock the industry? Where will the wind of change blow security in the “cloud?” Will the heat be turned up further on compliance requirements? Will there be a drought of funds making everything we want to do harder to achieve? Join us, make notes, and then check back in a year to see how we did! See the ISSA website for more information on our 2013 schedule.

[Photo: Embracing Change Keynote Panel]
[Photo: International Director Pete Lindstrom’s fireside chat with former US Cybersecurity Coordinator and former ISSA International President, Howard Schmidt.]

Comments on Howard Schmidt Keynote
Hearing the interview with Howard Schmidt after his time serving in the US White House was one of the conference highlights for me. ISSA is so fortunate in having a previous ISSA president serving as a special advisor to President Obama. Howard’s views on security threats to small-medium-sized businesses were particularly interesting.1 This is an area that the ISSA UK Chapter has focussed on for the last two years with the ISSA5173 standard,2 which was presented at the conference by ISSA UK Board member, Gabe Chomic (Critically Unprotected Infrastructure: Information Security and Small Business).
Geoff Harris – ISSA International Director and member, UK Chapter

1 warns-threat-smalle/.
2
My First Experience at an ISSA International Conference
Conference Recap from Mollie Krehnke, ISSA Fellow and member, Raleigh, USA Chapter

Being able to attend the ISSA International Conference was like opening a treasure chest and finding all kinds of jewels and valuable objects to enjoy: the speakers, the exhibitors, and the time for networking and conversations with people – including those who had only been voices on the telephone. Our keynote and featured speakers were marvelous in their perspectives of information security and how we can embrace a changing world – and the surprising key to our success is communication and building relationships, not the deployment of new technology (although that has its place). Be ready to explain new technologies to the C-suite and show how they relate to business success; they won’t fund what they don’t understand.

Day 1
Jay Leek (Taking Your US-Focused Risk Management and Security Program International) had great advice: keep it simple, do not confuse email with communication, pick up the phone and call, and lead by example. Christofer Hoff (Stuff My Cloud Evangelist Says: Just Not to the CSO) discussed the 7 dirty words for security. He said we can’t afford a turf battle; this isn’t West Side Story. Rafal Los (House of Cards – How Not to Collapse When Bad Things Happen) presented an effective perspective for responding to new “challenges” – resilience. Bad things are going to happen, but how are you going to respond and “get back to business”? Be pragmatic, create staged attacks, assess your response, and update your response; do it until it is “muscle memory.”

Day 2
Howard Schmidt (morning keynote) reminded us that we have to be able to listen and to negotiate; we need to get personal relationships going with key persons in our organization. He quoted Althea Gibson: “We can’t accomplish anything without others.” Stephen Northcutt (Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge) focused on leading in a time of change and having situational awareness; be alert for what you can measure and know what is “ever green.” Consider giving up a low-value task to pursue a high-value task; decide what you want to accomplish, make a plan, and you will achieve great things. Andy Ellis (Social Engineering the Risk Hindbrain: How to Avoid Security Subsistence Syndrome) had a captivating presentation topic of “Herding Lizards”; lizards know fear, they run away! People consider risk differently; “safe” means different things to different roles: CEO, Sales, Product Development, CFO, Employees, and Security. Train people to get used to fixing risks; make them less afraid of it. If you try for “perfect,” you won’t get to “good.” So, as an individual, get better at what you do now; do three things well and then pick up something else.

Next year the conference is in Tennessee, a very hospitable location that is reachable from any port. If you didn’t get to attend this year’s conference – or even if you did – definitely consider attending in 2013; it will be a wonderful and enlightening experience (y’all).

[Note: Mollie received her ISSA Fellow award at the conference.]

[Photos: Christofer Hoff; Rafal Los]
Association News

Survey Results on Cyber Terrorism from the International Conference

At ISSA International this year, exhibitor and sponsor Ixia interviewed security professionals to gain insight into their thoughts on cyber terrorism. And here’s what they found:

1. Do you anticipate a major cyber terrorism event to occur in the next year?

79% responded yes to this question. In our discussions with these security experts, many of them said “It’s already happening!”

2. Which industry do you feel is the strongest target for cyber terrorism?

• Oil & Gas 12.3%
• Finance 22.8%
• High Tech 0%
• Government 17.1%
• Power grid 35.2%
• Utilities (water, etc.) 12.4%

The respondents viewed the financial industry as the most tempting target, with profit as a chief motivation. However, many acknowledged that the finance industry was better protected than some other industries, such as power grid and utilities, which received a combined 48% of the vote. Utilities and the power grid were called out as being wired-in to the Internet and under-protected, AND a target that would cripple the nation if the attack was successful. Also, several respondents requested a Select All option as they viewed all options as vulnerabilities.

It’s interesting to note that there were no votes for High Tech as a top target for cyber terrorism. Though High Tech is clearly an Advanced Persistent Threat (APT) target, it was not regarded as a cyber terrorism target.

3. Do you believe it’s the responsibility of the US Government to protect you from cyber terrorism?

People really had to think about this question. The majority of respondents – 59% – believed it is the US Government’s responsibility to protect us. The remaining 41% disagreed, with many of them lacking faith and trust in the government’s ability to move quickly enough to be effective. Worth noting is the fact that respondents who worked for the government universally felt it was a responsibility of the government.

Many respondents who answered positively likened the situation to the expectation that the government is responsible for preventing physical terrorism, and that the parallel should hold for cyber terrorism. On the other side of the coin, shared responsibility was a common theme. Several respondents used the example of protecting your house – the government is expected to provide protection, but in the end homeowners are responsible for protecting themselves with appropriate security measures.

The fight against cyber terrorism continues…

It was interesting to pick the brains of the security pros attending ISSA International this year, since these are the men and women on the front lines of the fight against cyber terrorism. While they may have disagreed on the top target for cyber terrorism and whose responsibility it is to stop it, there was no question among our respondents that it’s a growing threat that requires constant vigilance.

Conference Recap from Kate Brew – ISSA member, Capitol of Texas Chapter
ISSA London 2013
February 5, 2013 • Deloitte Offices, 2 New Street Square, London, UK
Presented by ISSA International & Generously Hosted by Deloitte

The 2013 ISSA London Conference will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage.

Opening Keynote: Digital Identity, State Protective Monitoring, and Civil Liabilities – Right Honourable David Davis MP, House of Commons, UK Parliament
Cooperation in Securing National Critical Infrastructure – Dr. Steve Purser, Head of Technical Competence Department, European Network & Information Security Agency (ENISA)
Cyber Crime Challenges for Europe – Dr. Victoria Bains, Europol Cyber Crime Centre
Establishing Trust Across International Communities – Patrick Curry OBE, Director, British Business Federation Authority
Insider Attacks: Lessons Learned – Dr. Thiébaut Devergranne, Docteur en droit/Doctor of Law in France
Eddie Schwartz, VP & Chief Information Security Officer, RSA The Security Division of EMC
Closing Keynote: Red Dragon Rising Across Europe – Lt Col William Hagestad II USMCR

ISSA will be hosting two satellite events in conjunction with ISSA London 2013:

February 4: This peer-only event will feature executive briefings from Lt Col William Hagestad II USMCR, a leading authority on Chinese Cyber & Information Warfare, and Eddie Schwartz, VP & Chief Information Security Officer, RSA The Security Division of EMC. Attendance at this event is by invitation only.

February 6: Join ISSA’s European leaders for an event focused on growing and supporting chapters in the region. The Chapter Leaders Summit is open to Chapter Board Members and Officers.

A great value! ISSA members can attend for $35 USD, non-members for $105 USD. Register Today • Space is limited.
Network Device Forensics

By Didier Stevens – ISSA member, Belgian Chapter

The goal of this article is to raise awareness about the measures you can take to improve the success of network forensics.

Imagine that a rogue laptop connects to your corporate WiFi and is able to access the Internet via your corporate proxy server. Let us assume that your WiFi is protected by a pre-shared key, but that this rogue laptop is owned by a former employee. Will you detect this? And will you be able to trace back to the former employee?

A foreign competitor hires a tech-savvy criminal to install a trojaned operating system on your edge router. This trojan facilitates access to your corporate network for unauthorized persons by tampering with the authentication control logic. Will you detect the trojaned router?

These two examples represent two common classes of forensic investigations where forensic evidence needs to be collected from network devices. In the first example, network devices contain evidence of the network traffic that flowed through them. In the second example, network devices have been compromised and forensic evidence needs to be lifted from them.

Forensic evidence gathered by network devices

To operate properly, network devices need to maintain information about the network traffic they process. Since network devices have limited amounts of memory compared to general purpose computers, they tend to collect only the bare essential information for their processes, and this information is discarded rather quickly when it is no longer needed. There is often a significant delay between the time a security incident occurs and the time the forensic investigation starts. And as a switch or router discards obsolete metadata quickly, you will not find forensic evidence if you react too late. But you can improve the success rate of your forensic evidence gathering by configuring your switches and routers to collect additional data and persist this data.

All professional network devices allow for the logging of events. But the internal event log of network devices is rather small because of the memory constraints. Old events get discarded at a fast rate to make place for new events.

Centralized logging

Here is an important first opportunity for you to improve the evidence collection phase of your forensic investigations. Install one or more machines as a central log repository and configure all your network devices to forward events to this central log repository. Dimension your central log repository so that it can hold several months’ worth of events. The syslog standard is often used to centralize events.

The second opportunity you have to improve the evidence collection phase of your forensic investigations is by increasing the types of events that are logged, for example DHCP events. Professional network devices classify events by type and by alert level. Not all event types are logged by default, and only events with important alert levels are logged. Increase the types of events, and lower the alert level for event logging. Watch out; you will need to strike a balance between resource usage and log level, because increasing the number of log events has an impact on CPU usage and can thus negatively impact the performance of your network devices.

Utilize on board security features

Make sure to research security features available in your network devices that can help you indirectly with your forensic investigations. Enable them if necessary. For example, Cisco switches have a DHCP snooping feature. Enabling this feature instructs the switch to build and maintain a table of all successful DHCP transactions it sees passing through its interfaces. This table lists IP addresses, corresponding MAC addresses, and the interfaces serving these clients.

Imagine a contractor connects his laptop to your wired network without authorization. You would notice this by monitoring your DHCP logs for rogue machine names. But this will only give you a machine name and a MAC address. This is often not enough to trace back to the contractor. But with the DHCP snooping binding table, you will be able to correlate the IP address and MAC address with a switch interface. This will allow you to find the physical location of the Ethernet connector used by the contractor. Reviewing physical security evidence like access control logs or CCTV images should be enough to identify the contractor. Or you could just ask your employees working near the network access point who used this connection.

In the case of the former employee using your corporate WiFi infrastructure, you would notice this too by monitoring your DHCP logs for rogue machine names. Additional logs from WiFi access points and wireless LAN controllers should enable you to pinpoint the access point used by the former employee. But since WiFi access points do not need a physical connection, you will find it harder to identify the culprit.

Forensic artifacts found in network devices

Network devices can become compromised because their configuration gets modified or because their operating system gets trojanized. Finding forensic evidence for these incidents can become much harder. A secure, centralized log repository is vital so that perpetrators cannot erase logs to cover their tracks.

To detect unauthorized configuration modifications, a release management and version control process is necessary. The release management process will make sure that only approved modifications are applied to your network devices, and the version control process will make sure that these modifications are documented. Periodic review of your network device configurations will allow you to detect unauthorized configuration modifications by comparing them with the configurations kept in the version control system. This review process can be automated.

If your network devices support scripting and you have custom scripts like Cisco IOS Tcl, make sure to include these in your release management and version control process.

Trojanized devices

The operating system of your network devices can be trojanized in two ways: by trojanizing the operating system files (like Cisco’s IOS image files) and booting from them, or by exploiting a vulnerability in the operating system and trojanizing it in memory.

A release management process for network device image files allows you to know if a network device is running an authorized operating system or not. But an unauthorized operating system image is not necessarily a trojanized operating system image. Your success in identifying trojanized operating system images will depend on your network device vendor. For example, Cisco provides lists with cryptographic hashes of all images they release. If the cryptographic hash of the unauthorized operating system image matches a hash in this list, you can be sure that it is a legitimate operating system image and that it is not trojanized. Some high-end network devices can operate with digitally signed operating system images. Periodic review of the digital signature of these operating system images will detect trojanized operating system images.

RAM trojans

But the hardest forensic case to crack is an operating system trojanized in memory. Many professional network devices operate like this: the operating system is stored in a file which is stored on non-volatile, solid-state memory, like flash memory. When the network device is powered on, a very small program stored in ROM will load the operating system from flash into RAM, where it is executed by the CPU. With an operating system trojanized in memory, the image file in flash is intact, but the modifications are made in RAM, where the image file is loaded to be executed.

One way to make these modifications in RAM is by targeting the network device with an exploit for a vulnerability.1 This exploit contains code to modify the operating system in RAM and trojanize it, for example by adding a backdoor functionality.

To investigate such a compromise, you need to be able to access and analyze RAM. Cisco IOS has features to access RAM: their routers and switches have a command that allows you to write the content of RAM to a core dump file. This solves the “access” phase of your forensic investigation, but not the “analysis” phase. The structure of the file containing the core dump is not documented. Only Cisco knows the complete details and you will need their cooperation if you need a full analysis. The Cisco Technical Assistance Center (TAC) will sometimes ask clients to provide them with a core dump to help with the analysis of their support cases. But since the RAM core contains everything that was in RAM, it contains a lot of forensic evidence.

But you are not completely dependent on Cisco’s TAC for core dump analysis. There are two open source tools that can partially analyze core dumps. The first tool is Cisco Incident Response (CIR) from Recurity Labs GmbH,2 an open source tool that attempts to detect trojanized core dumps by detecting memory and process anomalies. CIR has been successful in detecting proof-of-concept trojanized IOS images presented at the Black Hat Security conference.3

The second tool is the Network Appliance Forensic Toolkit (NAFT)4 released by me. It is able to analyze the basic structure of memory and processes, but it is not yet able to automatically detect memory and process anomalies. NAFT is a set of Python programs, and it can run on many operating systems. You instruct your IOS device to produce a core dump and transfer it to a tftp server, and then you can analyze this dump with NAFT. For example, the command naft-processes r870-core will dump all processes it finds in core dump r870-core (figure 1).

Figure 1 — Core dump

1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers

Pay attention to the fact that although operating systems trojanized in RAM are not persistent (i.e., rebooting the network device removes the trojan), network devices are not often rebooted and the trojan can easily be present for months if not years. And if a trojan runs in RAM with full system access, there is nothing to prevent it from modifying the image in flash to achieve persistence.

Conclusion

There are several preventive steps that you can take to facilitate a forensic investigation of network devices. You can improve the logging of your devices and enable extra information gathering features on your devices. This will help you gather more forensic evidence. Network devices can also become compromised. You can find forensic artifacts in flash and in RAM. There are tools to help you analyze these artifacts. I hope this article will inspire you to take measures that will facilitate forensic investigations of network devices.

1 Felix Lindner, “Burning the bridge: Cisco IOS exploits,” issues.html?issue=60&id=.7.

References

—Dale Liu, Cisco Router and Switch Forensics, ISBN 978-1597494182.
—Felix Lindner, The Shellcoder’s Handbook, 2nd Edition, Chapter 13: Cisco IOS Exploitation, ISBN 978-0470080238.
—Felix Lindner, “Developments in Cisco IOS Forensics,” Black Hat, ner/BH_US_08_Lindner_Developments_in_IOS_Forensics.pdf.
—Felix Lindner, “Router Exploitation,” Black Hat, http://www. Lindner-RouterExploit-SLIDES.pdf.
—Sebastian ‘topo’ Muñiz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit), tachments/Killing_the_myth_of_Cisco_IOS_rootkits.pdf.
—Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky, Hacking Exposed Cisco Networks, ISBN 978-0072259179.

About the Author

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is a member of the Belgian ISSA chapter and an IT Security Consultant currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his open source security tools on his IT security related blog at [URL missing from the transcript]. He may be contacted at [address missing from the transcript].
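The DHCP snooping correlation described above (rogue machine name in the DHCP server log, then MAC/IP looked up in the switch's binding table to find the serving interface), as an added example that is not code from the article or from Cisco. It assumes ISC dhcpd-style syslog lines, the text layout of Cisco IOS "show ip dhcp snooping binding", and a hypothetical corporate naming convention ws-<dept>-<4 digits>; all sample lines are constructed.

```python
"""Correlate DHCP server log lines with a switch's DHCP snooping binding table.

Added example, not part of the article. Assumptions: ISC dhcpd syslog format
for the server log, 'show ip dhcp snooping binding' text layout for the switch
table, and a naming convention ws-<dept>-<4 digits> for approved hosts.
"""
import re

# Constructed DHCP server log lines (ISC dhcpd syslog style).
DHCP_LOG = """\
Dec  5 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:01 (ws-fin-0421) via eth0
Dec  5 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:1a:2b:3c:4d:02 (ws-hr-0188) via eth0
Dec  5 09:13:10 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (bobs-laptop) via eth0
Dec  5 09:13:55 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
"""

# Constructed export of 'show ip dhcp snooping binding' from the access switch.
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:01   10.0.5.21        86123       dhcp-snooping   5    FastEthernet0/3
00:1A:2B:3C:4D:02   10.0.5.22        85990       dhcp-snooping   5    FastEthernet0/7
00:1A:2B:3C:4D:5E   10.0.5.23        86350       dhcp-snooping   5    FastEthernet0/12
Total number of bindings: 3
"""

# Hypothetical corporate naming convention: ws-<dept>-<4 digits>.
APPROVED_NAME = re.compile(r"^ws-[a-z]+-\d{4}$")

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)"
)
BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+"
    r"(?P<vlan>\d+)\s+(?P<iface>\S+)"
)


def parse_dhcp_acks(log_text):
    """Return one dict per DHCPACK line: ip, mac (lower-case), hostname."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:  # DISCOVER/OFFER/REQUEST lines carry no hostname and are skipped
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"]})
    return leases


def parse_snooping_bindings(table_text):
    """Map lower-case MAC -> (ip, vlan, interface); header/footer lines are ignored."""
    bindings = {}
    for line in table_text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[m["mac"].lower()] = (m["ip"], int(m["vlan"]), m["iface"])
    return bindings


def locate_rogue_hosts(log_text, table_text):
    """Flag leases whose hostname is outside the naming convention and attach
    the switch port that served them when the binding table knows the MAC.
    A lease with no binding is typically a wireless client or a port that is
    not covered by DHCP snooping, which is the harder case the article notes."""
    bindings = parse_snooping_bindings(table_text)
    findings = []
    for lease in parse_dhcp_acks(log_text):
        if APPROVED_NAME.match(lease["host"]):
            continue
        finding = dict(lease, vlan=None, interface=None, ip_matches=None)
        binding = bindings.get(lease["mac"])
        if binding:
            ip, vlan, iface = binding
            # ip_matches is False when the lease and the binding disagree,
            # e.g. a stale binding or a client that changed address.
            finding.update(vlan=vlan, interface=iface, ip_matches=(ip == lease["ip"]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in locate_rogue_hosts(DHCP_LOG, SNOOPING_BINDING):
        where = f["interface"] or "no snooping binding (wireless or uncovered port?)"
        print(f"{f['host']} {f['mac']} {f['ip']} -> {where}")
```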
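The article notes that NAFT lists processes (figure 1) but does not yet flag anomalies itself. As an added example, not part of NAFT or the article, this parses a listing in the layout of figure 1 and diffs it against a known-good listing from the same image; both listings are constructed, and the two anomalies in the suspect listing are invented for the demonstration.

```python
"""Parse a process listing in the layout of figure 1 and compare it with a
known-good baseline taken from the same IOS image.

Added example, not part of NAFT or the article. Columns follow the IOS
'show processes' layout: PID, Q/Ty state, PC, runtime, invoked, usecs,
stack used/size, TTY, process name. Both listings below are constructed.
"""
import re

PROC_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<qty>\S{3})\s+(?P<pc>[0-9A-Fa-f]{8})\s+(?P<runtime>\d+)\s+"
    r"(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+(?P<stack_used>\d+)/(?P<stack_size>\d+)\s+"
    r"(?P<tty>\d+)\s+(?P<name>\S.*?)\s*$"
)

# Known-good listing (constructed; mirrors the rows shown in figure 1).
BASELINE_DUMP = """\
1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers
"""

# Suspect listing (constructed): 'Check heaps' now sits at a different PC and
# an extra process has appeared. Both anomalies are invented for this example.
SUSPECT_DUMP = """\
1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 83F00120 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers
7 Mwe 83F00400 0 12 0 5900/6000 0 Net Helper
"""


def parse_processes(dump_text):
    """Return a dict name -> record for every row matching the figure 1 layout.
    Captions, headers, footnotes and blank lines simply do not match."""
    procs = {}
    for line in dump_text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "runtime", "invoked", "usecs", "stack_used", "stack_size", "tty"):
            rec[key] = int(rec[key])
        rec["pc"] = int(rec["pc"], 16)
        procs[rec["name"]] = rec
    return procs


def compare_to_baseline(suspect_text, baseline_text):
    """List items worth a closer look. Missing or unexpected process names and a
    changed stack allocation are structural differences; a moved PC is only a
    hint (the PC is where the process currently waits), so it is reported
    separately rather than treated as proof of tampering."""
    base = parse_processes(baseline_text)
    susp = parse_processes(suspect_text)
    anomalies = []
    for name in sorted(set(base) - set(susp)):
        anomalies.append(("missing", name))
    for name in sorted(set(susp) - set(base)):
        anomalies.append(("unexpected", name))
    for name in sorted(set(base) & set(susp)):
        if base[name]["stack_size"] != susp[name]["stack_size"]:
            anomalies.append(("stack_resized", name))
        if base[name]["pc"] != susp[name]["pc"]:
            anomalies.append(("pc_changed", name))
    return anomalies


if __name__ == "__main__":
    for kind, name in compare_to_baseline(SUSPECT_DUMP, BASELINE_DUMP):
        print(f"{kind:14s} {name}")
```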
    • S torage security has always been one aspect of IT man- agement that never seems to get the attention it de- serves, regardless of legal, regulatory, and business risks. Storage security should be a concern for any organiza- tion irrespective of size and number due to the multitudes of challenges surrounding it. For example, one recent survey conducted by PWC [1] stated that 29 percent of the organiza- tions still find locating their data as a big challenge; however, going by experiences at the ground level, there are even more challenges such as the following: • There are just not enough eyes on the problem! • Where is the data residing? • Increased regulatory audits • How do we align with the existing standards and reg- ulations? • How do we handle the advances in technology such as increased use of mobile devices, consumerization, etc.? This paper describes the experiences and results of an assign- ment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challeng- es surrounding storage and bring about a continual-improve- ment storage security program. Organizational background Phoenix Consulting (The Firm), based in India, is a bou- tique IT audit and consulting firm helping clients meet their compliance requirements and achieve their security objec- tives. The Company (name withheld for security purpose) is a commodity trading organization that aims to reduce the gap between customers and farmers, has a 1000+ client base, and is fitted with state-of-the-art routers, switches, firewalls, Windows servers, and storage area network (SAN) storage ar- chitectures and devices that store customer information, IDs, and bank account details. Though the organization is ISO 27001:2005 certified and had a structured Information Se- curity Management System (ISMS), they had recently faced issues with sensitive data: 1. 
The Company was not aware of where the data was lo- cated: The storage devices were left out of the purview of the ISO 27001 scope due to an ongoing implementation. 2. Bringing it under the purview of ISO 27001 governance program: The scope was extended to covering storage devices and the data that needed to be protected. As an added advantage, increasing the scope also satisfied guide- lines on storage security imposed by the local authori- ties, aligned with ISO 27001, gave the organization better control and governance, and helped them optimize their resources (time and manpower) on areas that required at- tention. That is when The Firm was called, as we had helped them achieve ISO 27001 certification. The impediments that would arise during the implementation of this project were very well known to us as we had both the expertise and experience in implementing projects of similar nature. Here are the steps involved in making the storage security program a success. The critical steps for the success of this program are the fol- lowing: The author describes the experiences and results of an assignment that brought about a marked improvement in storage security for a commodity trading organization. The practical steps suggested will aim to answer some of the core challenges surrounding storage and bring about a continual-improvement storage security program. By Vinoth Sivasubramanian – ISSA member, UK Chapter Storage Security Governance: A Case Study 16 – ISSA Journal | December 2012 ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY ©2012 ISSA • • • All rights reserved.
    • used to capture and record the most important information is shown below. DESCRIPTION STORAGE SECURITY RISK Risks Legal,financial,regulatory,and business risks Rewards Elevated customer confidence Effort High Cost Estimation $600,000 USD Time Span 6 Months Approach ISO 27001 approach Cost of damages $10 million USD annually in the event of a breach Cost of protection $2 million for the first year,less than 1 million from next year onwards Return on Investment Roughly $5 million per year ISO Clause Mandatory clause 5 of ISO 27001:2005 – Manage- ment Review of ISMS Gap analysis Since management expectations were very clear and they were already aware of some of the existing gaps, a gap analysis exercise was carried out which detailed the current scenario 1. Gain management support 2. Perform gap analysis 3. Identify assets 4. Perform risk assessment 5. Implement security controls 6. Perform an audit and improve Gain management support Getting management support in our case was quite easy as the organization had recently faced a regulatory issue. Man- agement was briefed about the challenges involved in storage security, the time it would take to implement this program, and our approach bringing it to completion. In circumstanc- es where there are no legal or regulatory issues, get manage- ment support by briefing them of the possible business risks, rewards, and efforts involved. As per ISO 27001, record the minutes of these meetings as per the record control proce- dure1 and management review requirement.2 Unless there are regulatory, contractual, or legal obligations or compulsions, ensure that the cost of protecting the information is less than the information being protected. A sample template that was 1 Mandatory clause 4.3.2 of ISO 27001. 2 Mandatory clause 5 of ISO 27001:2005. December 2012 | ISSA Journal – 17 Storage Security Governance: A Case Study | Vinoth Sivasubramanian ©2012 ISSA • • • All rights reserved.
    • ing, accessing, processing, and disposing it. A sample data is given below. Data Description ID details of customer DataType Highly confidential,irrespective of location of the data Access No write access to anyone;read access to select few Security type Least exposure to business,legal,or financial risks After getting a clear and comprehensive mandate on the data that needed to be protected as part of this storage security governance program, we laid out the next course of our plan to implement these programs. The first was to form a focus group, identifying members across the enterprise who would help propel the program forward. Lessons learned: Take time to accurately sample the data us- ing automated and manual methodologies. Get management expectations clear on the data that needs to be protected as top priority. This will help the organization prioritize risk and allocate resources wherever needed. Remember this is a program to improve storage security practices and is a one- time solution. Risk assessment The challenge we encountered in doing a risk assessment for this organization was that an ongoing ISO 27001:2005 risk assessment was already being performed, and we were told specifically not to disturb the assessment or change the methodology. So in line with the expectations and directives of senior management, a linked risk assessment approach was carried out, wherein the information that needed to be protected was treated as an individual asset, and the various threats, vulnerabilities, and controls in place were listed out. Lessons learned: Perform the risk assessment exercise with the assistance of the focus groups; this provides them insight into these activities, and also provides the much needed ad- ditional controls which are required at the ground level. We shall now look how the storage security program initia- tive was carried out with the right mix of people, processes, and technology. 
Implement Controls Based on the results obtained from the risk assessment and inputs from legislative guidelines and various other best practices [2][3][4][5] controls as outlined below were imple- mented, not in particular order. Review of security policies Armed with the results from the risk assessment exercise, in- formation security policies were reviewed [4] where needed and new ones written where found missing. In our case we tweaked the configuration management policy to include the storage devices, and wrote fresh policies in relation to Bring Your Own Device (BYOD) and Use Your Own Applications of the organization in regards to storage security. After a de- tailed gap analysis, the following area emerged as the single stumbling block to achieving the management objectives and meeting compliance requirements: where is the data located? Lessons learned: Conduct a gap analysis, irrespective of the compliance level of the organization – keeping in mind man- agement expectations and objectives – and then chart out the stumbling blocks. Form a focus group and engage all the in- formation users, as you will get to know the security posture of the organization in reference to storage security better, which will help improve the initiative. Solving data location challenge To solve the challenge of data location, we used a two- pronged approach. The first part was using an automated tool – ManageEngine3 asset man- ager in this case – to capture all the IP devices located in the enterprise. Next we listed the non-IP devices, namely USB and mobile devices. The organization had provided only organization-approved USBs to be used by their employees, and these was given only to the senior man- agement. Since mobile applications were also used, mobile devices were listed in the asset register. After comprehensive discussions with the asset custodians and stakeholders, we had gathered enough information on the locations of the most critical data. 
Lessons learned: Capture IP and non-IP devices within the enterprise and list them in the asset register. Capture the in- formation residing on these devices through multiple itera- tions with the asset users and custodians (to increase the ac- curacy of the information collected, it is necessary to perform at least two iterations to eliminate errors and miscommuni- cations, which we will encounter when we go about capturing the information residing on devices). Authenticate informa- tion discovery/classification technologies. Identify assets – knowing what to protect After getting to know the devices and the information resid- ing on these devices, authenticate the automated data gen- erated using comprehensive sampling methodology: we did a 98 percent sample to provide comprehensive assurance to management that the data collected was authentic. This also enabled management to make better decisions. In our case this sampling provided a better insight into what needed to be protected. Using the data on hand, management deter- mined which information was very critical to the organiza- tion; incidentally, these were also in line with local laws and regulations. Management identified this information, classi- fied it as highly confidential, and provided directives for stor- 3 inventory.html. Get management expectations clear on the data that needs to be protected as top priority. 18 – ISSA Journal | December 2012 Storage Security Governance: A Case Study | Vinoth Sivasubramanian ©2012 ISSA • • • All rights reserved.
    • Fortified cloud Security to the cloud. Security for the cloud. Security from the cloud. Our solutions do more than bring you to the cloud, they keep your business secure when you get there. + FIND OUT how CA Technologies can help you accelerate, transform and secure your IT by visiting and learn more by reading our cloud strategy and vision white paper at Copyright © 2012 CA. All rights reserved. Join us at Gartner IAM Visit us at Booth S19 December 3-5, 2012 Las Vegas, NV
(UYOA). The table describes in short the policies that we had tweaked and the ones that were newly written.

Policy: Description
1. Access control policy: Tweaked, to support the management directives
2. Bring Your Own Device and Use Your Own Applications: Newly drafted
3. Configuration management: Tweaked, brought SAN under the configuration management database (CMDB)
4. Patch management policy: Tweaked, to include upgrading of SAN storage devices
5. Incident management: Tweaked, to include storage security issues to be reported through the incident management system
6. Information control policy: Newly written, to provide greater clarity to management and stakeholders in identifying the most critical information and how it must be controlled

Lessons learned: Always earmark the policy effective date in concurrence with management before going ahead in drafting the procedures that are required to support these policies. Since in most organizations procedures, meaning the steps that are required to support the high-level statements of management, are generally driven bottom up, earmarking a policy effective date will bring in greater commitment amongst middle management, thereby helping the initiative move forward quickly.

Review of Procedures
With management's directives being very clear, we now reviewed the procedures that were directly related to storage security. The procedures that we had reviewed in line with the task on hand were backup, asset management, internal audit, media disposal, legal, and compliance. The table below describes some of the tweaks performed on the procedures and their cross references to the ISO 27001:2005 standard.

Procedure: Description (ISO clauses)
Asset management procedure: The asset management procedure was tweaked to include automated scanning of all the IP devices and verifying information on all non-IP devices on a fortnightly basis. (Mandatory Clause 4.2.1d and Control A.7 Asset Management)
Backup procedure: The backup procedure was spruced up to include correct identifiers and method of storage and disposal, which are often missing factors in backup procedures. Technologies to eliminate manual tapes were also charted out. (A.10.5.1 Information Back-up)
Internal audit procedure: The internal audit procedure was enhanced to include audit of storage devices and the allied storage houses of information. (Mandatory Clause 6 (Internal Audit), A.15.3 Information Systems Audit)
Legal and compliance procedure: Resources were allocated to manage the agile compliance landscape; the procedures to report the changes were documented. (A.15.1.1 to A.15.1.5 Compliance with legal requirements)
Media disposal procedure: How to dispose of the media containing the information that needs to be protected, in the event of a total failure of the device. Incorporating authorized agents to carry data off site for disposal. (A.10.7 Media Handling and A.10.8 Exchange of Information)

Lessons learned: While doing a review of the various procedures, make time to discuss the technological investments that need to be made in this regard. Knowledge of these investments will help in procuring the technology while the process is still in place. This will help save a lot of time and help move things at a quicker pace.

Technological perspective
With knowledge of the information that needs to be protected being clear, the first step we took was to reinspect the application architecture and redesign the business processes to meet the organization's expectations.

Business process re-engineering
With the very critical organization assets lying scattered across various applications and reports, the business processes were re-engineered, wherein multiple processes of capturing user information and completing the sale processes were integrated into one simple application and screen. In a similar manner the reports that were associated with this information were also confined to one single area. This helped control access to the information and the related aspects of storage, retention, and disposal of the storehouses of the most vital assets of the organization.

Lessons learned: A very important aspect in redesigning business processes is to never lose sight of the task in hand; in this case we redesigned the process, keeping in mind customer ID and bank account details and confining them to a centralized location. Very often people lose sight of the specific goal and go into complete process re-engineering.

Application architecture inspection
The application architecture was also inspected, incorporating secure and privacy-by-design principles wherein privacy and data protection guidelines were integrated within the entire life cycle of the code, starting from requirements gathering to implementation of the code, which was not the case earlier. An important concept implemented after this inspection was that the customer information capturing screen did not use cookies or store any kind of information at all. The information that was captured was stored in the database in an encrypted format. To minimize cost we chose
column-level encryption for storing the information on the database. Apply the same principles to database backup; this is often overlooked and forgotten. Access to this encrypted data was made available only to a select few.

Information integrity monitoring software
The next technology that we implemented was to invest in information integrity monitoring software, wherein any changes in the access or availability or the information entity itself were allowed only after approvals from the entire management. This software used an all-approvers hierarchy, in which each member of management undertook the responsibility of approving changes to the confidentiality matrix.

Server and media encryption
Since the physical server housing the database and the critical information needed to be adequately protected, we looked at the various encryption solutions available on the market and finally decided on an encryption solution that suited budgetary requirements, ease of operability, and service delivery capabilities of the vendor. Similarly, endpoint encryption was performed on endpoint devices using appropriate tools to protect the media that might be used to contain the protected information. Since the organization had a zero-tolerance policy towards using unapproved USB devices, controlling them through the media encryption and endpoint software also provided the required protection. The following best practices were used:
• Aligned encryption technology with existing cryptographic standards and controls [4]
• Selected location-at-rest encryption to minimize user impact to server availability
• Implemented in-flight and at-rest encryption mechanisms

Lessons learned: There were challenges involving encryption; the lessons learned are the following tips:
• If undecided between two potential points of encryption, pick the one closest to the application generating the data
• Ensure deduplication is performed before encryption to minimize data duplication
• Ensure encryptions create adequate log entries in line with business, legal, regulatory, and compliance requirements [3][4]

Third-party agreements
Third-party agreements were spruced up to incorporate secure working practices of the service providers in the event of maintenance of the storage devices. In particular we made them agree to let us audit their work and working practices, thereby ensuring good security practices.

Lessons learned: As part of regulatory compliance, third-party service providers and consultants are also required to adhere to the practices adopted by the organization. However, many organizations miss out on auditing their service providers. Initially service providers may be a bit apprehensive of this, but informing them of the long-term benefits and how it could work in their favor will make them oblige. As a reward, act as a brand ambassador by giving a good recommendation for them, allowing them to include your name on their website, etc. In short, have a reward mechanism with penalties for missing out on security practices.

System controls
Even though confidential information was accessible only to a select few with clearly defined roles, we made the system even stronger by mapping their access to the MAC addresses of the users' systems. Integrated with a log management system, any deviations were recorded, tagged as incidents, and closed through the corrective and preventive action processes.

Network-level controls
We used VPN-anywhere software [9] (software used to ensure only authorized users access resources) to identify and authenticate user access to the application's front end for internal users who had access to the privileged information. Rules on firewalls were adequately created to check for leakage of the protected information.

Fiber channel security
Secure fibre channel storage networks were used in this organization, which are basically SAN devices. A storage area network is an architecture to attach remote computer storage devices such as disk arrays, tape libraries, and optical jukeboxes to servers in such a way that to the operating system the devices appear locally attached. These SANs were on a fibre channel topology that utilized the fibre channel protocol. Storage area network best practices (configuration management database) [2]:
• Restricted switch interconnections
• Disabled unused ports
• Hard zoning was used as the management wanted strict controls in relation to the movement of the data
• Implemented LUN masking

Audit
After having implemented various controls, we conducted a detailed audit to check the effectiveness and efficiency of the controls. Specific audits conducted by us are described below.

Vulnerability assessment and penetration testing
As the final stage before signing off this project, a penetration testing and vulnerability analysis exercise was carried out on the servers, SAN storage, media, desktops, laptops,
network devices, and the members of the organization. This also included conducting configuration review assessments of the networks, servers, database, SAN storage, desktops, company-owned mobiles, and social engineering tests. The tools used to conduct these assessments are listed below. All tools were selected based on budgets, ease of operability, and service delivery capability of the vendor.

Assessment: Name of the tool
Desktops and server assessment: MS Baseline [6]
Networks: OpenVAS [7]
SAN storage devices: SNIA Standards [2]
Database: AppDetective Pro [9]
Social engineering: Manual

Source code review
Source code review is one area generally missed and is really the Achilles' heel in storage security. It is here that data is generated. So as part of the audit stage, the source code of the application was checked thoroughly using static testing methodologies, wherein the entire code was tested manually to identify vulnerabilities in the code, and dynamic analysis to uncover potential leakage points on the system. The source code was also audited from a process perspective as to how the organization went about freezing the code before it was developed. An end-to-end, development-to-release management audit was also carried out to identify any process-related gaps.

Log management
Logging is an essential part of storage security. Log all storage devices with clear markup of the data to be protected as well as the storehouses. We used benchmark logging, wherein the current configuration snapshot was benchmarked and stored within the log management solution; any changes to the configuration parameters of any asset were recorded, and deviations were categorized as incidents and closed off through a proper root cause analysis (RCA) using a corrective action/preventive action (CAPA) form.

Training and retraining
One of the biggest challenges towards storage security is that storage admins are not aware of security, and security personnel are not aware of the storage challenges. To fill this gap the services of the SAN provider were utilized effectively to teach security principles and practices to storage admins and to teach storage principles and practices to security personnel. A reverse knowledge transfer was employed wherein security professionals authenticated the knowledge of the storage admins and storage admins authenticated the storage knowledge of security personnel within the enterprise. This ensured the challenges were clearly understood and solved amongst them.

Improve
You cannot improve what you cannot measure. Therefore, based on some simple metrics satisfying compliance and legislative requirements, a simple measurement exercise was conducted. One of the measurement exercises with a template is described below.

Measurement
After completion of the above activities, an improvement measurement exercise was carried out. The result clocked a 90 percent improvement of the information visibility, which was in line with the regulations of the local government. A sample result is tabulated as an example (table 1).

Table 1 – Improvement measurement exercise
Description: What needs to be stored more carefully
Before the initiative: No data available
After the initiative: Available
Improvement: 100 percent
Benefit: Minimization of regulatory fines, enhanced customer confidence
Effort: High

Lessons learned: Always ensure you earmark a follow-up audit on the measurement results. Check for improvements and sustained results. This way you build up a long-term relation, providing greater value to your projects.

Overview summary
With storage security seriously impacting business, we present a brief overview of the process before (figure 1) and after (figure 2) implementation of the storage security program pictorially for better understanding.

Figure 1 – The Process during ISO 27001:2005 Certification (boxes: Management Determines the Scope of ISO 27001:2005; Identify the Assets under the Identified Scope; Perform Risk Assessment on the Identified Controls; Treat the Identified Risks through Implementation of Various Controls; Audit, Measure & Improve the Controls Implemented)

Figure 2 – ISO 27001:2005 Linked Storage Security Implementation (boxes: ISO 27001:2005 Scope Directed by Legislative Guidelines in Combination with Management Directives; Risk Assessment on the Data Reservoirs; Information to Be Protected Was Identified; Information Storage Devices Were Captured and Listed; Business Process Walkthrough to Identify Data Flows and Storage Reservoirs; Audit, Measure & Improve the Controls Implemented)

Conclusion
Even though The Company was already ISO 27001:2005 certified, the concept of storage security was something new to the management and business heads. Getting the message across at all levels and emphasizing the importance of storage security and its long-term benefits was the most challenging. Once we had the support of management, others followed suit and it was then easy for us to help the organization achieve its security objectives. The guidelines laid out above are the experiences learned from implementing a storage security program and are meant only to act as a guide to propel storage security in the right direction. Overall, organizations that are certified against standards such as ISO 27001 and COBIT can find the going a bit easier because of the many cross references.

References
[1] information-security-survey-2012.
[2]
[3]
[4]
[5] ty.
[6] aspx?id=7558.
[7]
[8]
[9]

About the Author
Vinoth Sivasubramanian is a passionate information security professional with more than eight years of experience in various domains such as telecom, consulting, and finance. In addition to volunteering time for security associations such as ISACA and ISSA, he dedicates time to sustainable living by investing time and money in organic farming activities through local volunteers with a vision to lead people to a stable and balanced living. He can be reached at
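The benchmark logging described under Log management in the case study above (a stored configuration snapshot, every later snapshot diffed against it, each deviation raised as an incident that is closed only through RCA and a CAPA record), as an added Python example that is not the author's code. The asset names, parameter names, severity list and both snapshots are constructed for illustration; the SAN switch parameters mirror the best practices listed under Fiber channel security.

```python
from dataclasses import dataclass
from typing import Any

# Parameters that back a control the programme relies on (hard zoning, LUN masking,
# disabled unused ports, encrypted columns and backups). Constructed list; a real
# deployment would derive it from the CMDB. A "*" segment matches any port number.
HIGH_SEVERITY_PARAMS = ("zoning.mode", "lun_masking", "ports.*.state",
                        "encryption.column_level", "backup.encrypted")


@dataclass
class Incident:
    asset: str
    parameter: str
    expected: Any
    observed: Any
    severity: str
    status: str = "open"
    rca: str = ""      # root cause analysis, required before closure
    capa: str = ""     # corrective / preventive action, required before closure


def flatten(config: dict, prefix: str = "") -> dict:
    """Flatten a nested snapshot into dotted parameter names so values can be
    compared one by one: {"ports": {"7": {"state": "x"}}} -> {"ports.7.state": "x"}."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def _matches(parameter: str, pattern: str) -> bool:
    p, q = parameter.split("."), pattern.split(".")
    return len(p) == len(q) and all(b == "*" or a == b for a, b in zip(p, q))


def severity_for(parameter: str) -> str:
    return "high" if any(_matches(parameter, pat) for pat in HIGH_SEVERITY_PARAMS) else "low"


def deviations(asset: str, benchmark: dict, current: dict) -> list:
    """Each parameter added, removed or changed since the benchmark becomes one
    open Incident; unchanged parameters produce nothing."""
    base, now = flatten(benchmark), flatten(current)
    found = []
    for param in sorted(base.keys() | now.keys()):
        expected, observed = base.get(param, "<absent>"), now.get(param, "<absent>")
        if expected != observed:
            found.append(Incident(asset, param, expected, observed, severity_for(param)))
    return found


def close_incident(inc: Incident, rca: str, capa: str) -> Incident:
    """Closure is accepted only once both the RCA and the CAPA are recorded."""
    if not rca.strip() or not capa.strip():
        raise ValueError("an incident needs both an RCA and a CAPA before it can be closed")
    inc.rca, inc.capa, inc.status = rca, capa, "closed"
    return inc


# Constructed benchmark: the SAN switch follows the best practices listed above
# (hard zoning, LUN masking, unused port 7 disabled); the database server
# encrypts both live columns and backups.
BENCHMARK = {
    "fc-switch-01": {
        "zoning": {"mode": "hard"}, "lun_masking": True,
        "ports": {"1": {"state": "enabled", "zone": "zone_db"},
                  "7": {"state": "disabled", "zone": None}},
    },
    "db-server-01": {"encryption": {"column_level": True}, "backup": {"encrypted": True}},
}

# Constructed later snapshot: zoning weakened, unused port enabled, backup
# encryption switched off. Port 1 and LUN masking are unchanged.
CURRENT = {
    "fc-switch-01": {
        "zoning": {"mode": "soft"}, "lun_masking": True,
        "ports": {"1": {"state": "enabled", "zone": "zone_db"},
                  "7": {"state": "enabled", "zone": None}},
    },
    "db-server-01": {"encryption": {"column_level": True}, "backup": {"encrypted": False}},
}


def run(benchmark: dict = BENCHMARK, current: dict = CURRENT) -> list:
    """Compare every asset present in either snapshot; return the open incidents."""
    incidents = []
    for asset in sorted(benchmark.keys() | current.keys()):
        incidents.extend(deviations(asset, benchmark.get(asset, {}), current.get(asset, {})))
    return incidents
```

Running `run()` on the two constructed snapshots yields three high-severity incidents (backup encryption, port 7 state, zoning mode); an asset missing from one snapshot shows every parameter as `<absent>` on that side.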
Structured Risk Analysis Offers Rich Rewards
By Greg Jones

Risk analysis is a far from exact science with assessments continuing to vary in scope. This article discusses the emergence of context-aware classification systems and methods that can guide you through the process with pre-categorized risk information and could be the key to effective risk and threat analysis.

Abstract
Risk analysis is a far from exact science with assessments continuing to vary in scope. But the emergence of context-aware classification systems could be about to change that. Methods that guide you through the process with pre-categorized risk information could be the key to effective risk and threat analysis.

Risk analysis is now an integral part of any business decision and essentially involves playing Devil's Advocate in a commercial context, looking for potential issues, their impact, and the time and cost involved in remediation. It's a far-from-exact science precisely because it deals in "what if" scenarios and the "cause and consequences" of them.

Today's regulation and security frameworks go some way to providing consistent risk analysis with processes and procedures that can be used to systematically evaluate risk. These provide a valuable starting point, but the danger is that organizations embark upon a risk analysis assessment as a box-ticking exercise and mistakenly believe they have covered all the angles. In reality, implementing a risk analysis has to be a more methodical, context-based process which seeks to explore elements of risk and the fallout involved beyond that stipulated by regulations, not least because security standards are prone to date and become out of step with the ever-changing threat spectrum.

Whenever an enterprise embarks on a new venture or change in strategy, there will inevitably be some element of risk analysis to protect the existing business. Risk assessment is invaluable in enabling the business to identify and then actively tackle threat elements, from data leakage or theft to malicious attacks. However, if limited to the requirements of many standards, it can be highly subjective and limited in scope, looking only for risk within a given context with little consideration given to the wider picture such as user buy-in, emerging threat vectors, and industry-specific threats. Without these factors, any threat assessment can quickly lose its relevance and its value.

Risk management needs to be a measured but continual process, because its true value lies in being able to alert the organization to an issue before it is realized and manage it into resolution. However, the overall management process can only be successful if it contains accurate methods for the evaluation of risks and threats. Many of the common approaches currently used fail to provide sufficient guidance and fail to capture knowledge from the early adopters of either business or technology. Furthermore, early adopters will need support from more technical frameworks as they "forge a path" for the rest of us.

Prescriptive measures
Of course, we have come a long way in the development of risk analysis. In the mid 1990s, technical computer security was embryonic. The implementation of even the most basic security control would often result in executive foot stamping, as a result of which few had installed antivirus (AV), firewalls, or passwords. When it came to designing and testing the first Internet banks, risk analysis was often a good way of ensuring executive buy-in and of protecting investment.
In 1995 the British Standards Institute published BS7799¹ (later to become ISO17799 and) as a "prescriptive" security standard. This was great for organizations that needed guidance in implementing tangible security measures in commercial environments, which at that time could mainly be described as "security greenfields"; at the time many organizations didn't have systemic security environments. The standard had ten simple "key controls" which all organizations should maintain.

It seems quite incredible now but the most essential of controls (such as firewalls and AV) were not installed as a matter of course. To do so, the security practitioner needed to justify them. But it was a different time. I remember giving a presentation at the time for ISACA on the differences between circuit-level, proxy, and stateful inspection firewalls to a security interest group, when a representative from a large US telco who was sharing the stage turned into an unfriendly combatant fighting for a "firewall-free world." Not a cause that many would rally to defend these days.

There was a surprisingly negative reaction to this prescriptive standard. Many CISOs and security consultants claimed² that it did not take into account risk or different organizations' security requirements. Yet the standard only had what we would now consider essential requirements: recommending AV on servers, the installation of a firewall on Internet connections, that users have unique user IDs each with passwords, and that data was routinely backed up.

The antipathetic reaction was mainly due to the security community's discomfort concerning the gap between the actual controls and those specified by the standard. Most medium-sized organizations would receive an unfavorable benchmark if their security was compared to the standard (and would do for many years). Correspondingly, later versions of the standard and its successor ISO2700x selected controls via a free-form risk analysis where threats were not pre-calculated and impacts not pre-described, as this drove the whole security process and was ultimately used to select the organization's security controls when they were codified into a risk treatment plan. In reviewing this risk treatment plan, key controls were often missing. Sometimes these errors happened because of a lack of a solid framework for the risk assessment. However, many skilled security officers could play the system to "risk assess" away essential controls for reasons of budgetary success or political expediency. Until recently, it was very common to find that controls in the areas of segregation of duties, monitoring of administrative users, and network separation were de-selected supposedly because of the low risk.³

¹ "ISO/IEC 27002," ISO 27001 security, html.
² "Alan Calder on IT Governance, information security and ISO 27001," BS 779, 16 October, 2007,
³ Michael Cobb, "Segregation of Duties: Small business best practices," Application Security, 11 December 2011, http://searchsecurity.techtarget.
There is no "one-size-fits-all" standard, and risk will vary for each business and fluctuate over time. But nearly all organizations use the Internet, use PCs, and comprise people, thereby sharing common threats. Modern methods need to embrace the benefits and efficiency of standard controls and common threats in the same way as organizations buy standard application systems rather than building from scratch.

Selective security
Of course, the development of ISO27005 in 2008 formalized the approach to risk, but this still focused on the process of risk identification and estimation, thereby failing to close the gap between actual and perceived risk. And therein lies the crux of the matter, for although risk assessment is a very valuable tool, a skilled and forceful security officer will always be able to "risk-assess away" the need for essential controls if the methodology being used for the assessment is unbounded and not parameterized. For example, until recently it was very common to hear from online businesses that the risk of DDoS was invented, mainly because the cost of mitigation was high, even when the list of victims of such attacks was growing.

These days, information security has become more methodical and science based. Newer standards have adjusted to become more sophisticated. A baseline level of security is required to which additional controls can be added as required for increased threat/impact but not reduced, as the underlying threats are ubiquitous and so the control is mandatory. Many standards now include predefined and codified impact tables and threat categorization, and generic risk categories help focus the risk analysis. These are described below.

The Payment Card Industry Data Security Standard (PCI-DSS) is an example of one of these standards with predefined technical controls. It mandates computer security controls which are routinely deployed. The card issuers who have imposed the standard believe that the risk associated with processing customers' data warrants the minimum acceptable security requirement laid out by the PCI-DSS. However, it too has been criticized. In recent industry conferences, many organizations subject to PCI-DSS have been lobbying for a reduction in the requirements, favoring instead the introduction of a risk-based approach. Interestingly, a review of PCI-DSS⁴ will show more than a passing relation to the controls annex of ISO27001 (given that many of the organizations struggling to meet the requirements of DSS are also ISO27001 certified). Surely the similarity between the controls annex and PCI-DSS means most of the technical controls should already be in place in an ISO27001-certified organization.

⁴ "PCI vs ISO," 12 October 2012, Focus on PCI, index.php/Articles/pci-vs-iso.html.

Baselines and impact tables
Most organizations (at least within a peer group sector) share a risk profile, so there will always be common ground. The industry is beginning to embrace this through benchmarking and risk score analysis. An example of an approach which provides a structured application of security controls based on different risk profiles is the combination of Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) and Minimum Security Requirements for Federal Information and Information Systems (FIPS 200). These are "amplified" (a word used throughout the documents) into the US National Institute of Standards and Technology (NIST) "Recommended Security Controls for Federal
Information Systems and Organizations" (SP800-53).⁵ The idea is that an organization determines the risk associated with computer security failures based on a series of impact tables. The categorization of High, Medium or Low is then used to produce a tailored control baseline that accounts for this risk. The key fact here is that the control specification can always be set as more stringent but not reduced through a standard assessment process. PCI-DSS and SP800-53 alike do allow for the modification of controls in a "compensating controls" section; any entry here will receive suitable scrutiny. The process will always result in a "good" control environment which covers the commonplace risks because it mandates specific necessary controls and leaves little room for omitting particular sections. Detractors claim that this method does not cover any organization exposed to unique risks, but as they are the exception rather than the rule, these regulations are still highly relevant in tackling the most frequent, likely, and destructive threats in the most common business environments.

What is really impressive about this scheme is the "science" that has gone into it. Not only is the security content good but each control is codified into a control category and each control within that control category is systematically coded. Where a control is amplified based on risk, the control is named after an indexed scheme. For example, if we review one specific control within the standard named AU-5 (1) (2) (Audit Control Number 5) with the control amplified or extended, add the pre-defined control extension (1) and control extension (2). This allows for extreme rigor in quality control and supports future initiatives such as determining the impact and likelihood of various vulnerabilities.

Similarly, in the UK the HMG InfoSecurity Standard No. 1 (IS1)⁶ risk calculations classify assets and the potential impact of security events, breaking them down into Confidentiality, Integrity, and Availability (CIA) in pre-defined tables called the Business Impact Level. This allows a consultant to engage with key directors to determine the likely impact of a breach in Confidentiality, Integrity, and Availability. Furthermore, IS1 also incorporates a structured assessment of the capability of threat agents or actors.

In our experience of working with other firms, we have noted that consultants sometimes use a very similar approach in their proprietary "low-touch" security architecture framework service. Although there are more comprehensive architecture design methods, they often engage with senior management with a clean sheet of paper, and at a technical rather than a business level. Often this approach is used because previous assessments have been conducted incorrectly or the results have not been understood or available to the assessor. This is usually such a laborious approach that it quickly loses management commitment.

These standards and the development of impact tables have greatly enhanced the risk management process, enabling the security practitioner to hone assessments to business need and to communicate risk more effectively to management, but they are far from infallible. If the risk assessment doesn't place the business within a real-world context, for example, it cannot accommodate emerging risks that are sector specific.

Skewed judgements
Upon engagement, most practitioners seek to capture information on customer sensitivity, contract type, customer churn, regulatory infraction, displacement by competitors, and operational revenue. This information, when compared with industry knowledge of what competitors are doing, provides an invaluable real-world context for the risk assessment. At the same time, it is vital that the assessor takes a consensus of threats from a quorum of leaders. Systems are by their nature pluralistic and produce different benefits to different members of the business community. If this isn't captured, the analysis will be flawed.

A common example of how risk analysis can become skewed can be found in e-business, where transaction-based websites are sometimes awarded a higher priority than necessary. The site might be exceptionally popular with the CIO as it increases his profile, but if it represents only one per cent of daily revenue, the risk analysis should take this relative importance into account. This is especially true if, in a wider business context, the strategic plan does not include a future focus on trading online.

This example highlights what is becoming a common trend. Many risk analysis techniques are conducted solely within IT and are often focused towards the online environment. Correspondingly, the online presence will often have a heightened importance in the risk analysis. In reality, it should be assessed in terms of its importance to the business in terms of revenue, customer retention, and the sustainment of everyday business operations. Naturally in a commercial environment the subjective description of impact has to be augmented with a financial value. This is relatively straightforward and can be done using basic accounting techniques and by working in conjunction with the business' finance team. Taken together, these data sets then provide enough input to determine the impact tables which dictate the baseline controls.

If we accept it as a given that most organizations in a particular business and geography will have a similar risk profile, then such an approach can produce very satisfactory results. Once this analysis has been performed, security recommendations made, and controls implemented, it then becomes a matter of creating an on-going risk management process, such as that advocated by the standardized risk management process embodied in Australia/New Zealand Risk Management Standard AS/NZS4360.⁷ This risk management process should seek to enforce existing controls but also be capable of discovering and tracking new exposure to discover suitable remediation.

To summarize, there is a general trend in modern security standards, from doing an unbounded risk analysis and then implementing controls on the basis of the risk analysis, to performing a very parameterized risk-impact analysis that determines a specific template profile of controls to be applied. As the latter approach is more regimented and prescriptive, it does have some obvious limitations. It does not cope with the unknown as well as the traditional method. It is difficult to apply to totally new businesses or lines of business with no peers, as there is no baseline context. And on the same basis, it cannot assess new devices. So a new business with new technology, such as the introduction of smart metering in the energy industry, may not gain from these new approaches. However, there are some new developments at the micro level that will help.

Micro-level codification
So far the discussion has largely focused on macro security as opposed to the micro-level exposures discovered in mission-critical devices or code that could cause high impact. The techniques described do little to help assess such threats or detect the emergence of new vulnerabilities or accommodate a new device on the network. However, on the same theme of codification of risks and threats, there has been some great work done in this area by NIST and the Mitre Organization⁸:

Information assurance data standards:
• Common Platform Enumeration (CPE) – a codified list of operating systems and platforms
• Common Configuration Errors (CCE) – a dictionary of common errors in recognized platforms (in CPE)
• Common Weakness Enumeration (CWE) – hierarchy of software bugs that link to CVEs and CAPECs
• Common Attack Patterns Enumeration & Classifications (CAPEC) – a list of attack patterns
• Common Vulnerability Enumeration (CVE) – patch/bug announcements

The most interesting of these from our perspective is the CWE, a classification system that already enables security engineers to make useful comparisons. Imagine a world where Cross Site Request Forgery (CSRF) had only just been discovered. Previously, when a security engineer came to assess

Sidebar glossary:
CAPEC: Common Attack Patterns Enumeration & Classification
CPE: Common Platform Enumeration
CWE: Common Weakness Enumeration
CCE: Common Configuration Enumeration
CVE: Common Vulnerability Exposure
CVSS: Common Vulnerability Scoring System

⁵ "Recommended Security Controls for Federal Information Systems and Organizations," August 2009 (updated May 2012), NIST Special Publication 800-53 Revision 3, final_updated-errata_05-01-2010.pdf.
⁶ "HMG IA Standard No.1, Technical Risk Assessment," Issue No 3.51, October 2009, CESG and Cabinet Office, is1_risk_assessment.pdf.
⁷ "AS/NZS ISO31000 Risk management – Principles and guidelines," 20 November 2009,
⁸ "The MITRE Adoption Programs and the NIST SCAP Validation Program," August 2008,
    • notion of “acceptable risk,” whereby the rewards outweigh the negatives of a security compromise in the cost:benefit analy- sis. Acceptable risk can often lead to inadequate resources be- ing allocated to a given area which is perceived as being at low risk. However, risks can quickly change and simply scal- ing back resource in one area is not sustainable. The other complication may come from compounding vulnerabilities which when assessed as a whole rather than as components can wildly swing risk levels and are notoriously difficult to quantify accurately. In reality, if the business is sufficiently aware of its strengths and weaknesses, it should be able to use acceptable-risk analysis to allocate resources more effectively. Data classification, for instance, can really help here by en- abling the business to organize its data by value and free-up resources. Risk analysis needs to be both context-aware and intuitive in order to accommodate the ever-shifting threat spectrum, and we as security professionals need to assist in its develop- ment as a science. If we don’t, the box-ticking regulations will continue to hold sway, and we will continue to have to jus- tify security spend. Standards-based procedures will always dominate, but it is the application of those standards and greater awareness and codification of risk that will continue to protect the organization as risk factors change. About the Author Greg Jones is Director of Digital Assur- ance and has nearly 20 years of commer- cial technical experience spanning network development, network and system design/ architecture, operations, IT, and the wider technical security and delivery ramifica- tions associated with professional services. Greg’s areas of ex- pertise include security assessment, secure systems design, and holistic security management. 
He started his career as a devel- oper with IBM over 20 years ago and holds a Master of Science in Information Security from the Royal Holloway University of London. He can be contacted at greg.jones@digitalassurance. com. the situation there was only unstructured information, which could lead him to draw some very inaccurate conclusions. With CWE, an experienced security engineer will be able to relate it quickly to a standard XSS. This will yield informa- tion on the likelihood and potential impact of a breach on Confidentiality, Integrity, and/or Availability. This provides a systematic approach, enabling us to quantify and determine the reaction required to risk. It is certain to say that many of the vulnerabilities yet to be discovered will be related to others well known and documented. This allows remediation efforts to be prioritized. As yet CCE only documents what should be done, but in the future there could be a fuller link to CCE which would pro- vide insights into what could happen if the correct configura- tion isn’t enabled. It could be easily extended to include in- formation that exists in, or a link to, CWE or CAPEX so that impact can be assessed. This would allow a security officer to weight the “score” of a unsecured NFS mount against the insecure use of telnet or even the exposure represented by a “directory traversal bug” in an application. These methods are providing more systematic methods to better estimate risk through the availability of better statis- tics on the propensity of an exposure. As an example, let’s take an industry where risk analysis is key, the insurance in- dustry. In this sector, risk is calculated once and then embed- ded in actual tables. Hopefully, one day the likely impact of a software flaw and the propensity that it will be exploited will be embedded into tables in just this same way The codification of risk at the micro level can ensure that risk analysis is relevant to future developments. 
Prioritizing in this way can help focus resource, but it’s important that such decisions are placed in a wider business context if they are to help inform risk management. Conclusion Today, ongoing security risk management is typically man- aged with all other risk by an operational risk department. Devoting resources in this way is commendable, but it can lead to decisions being taken in isolation. For example, the  —  ISSA Career Center Looking for a New Career Opportunity or that Perfect Addition to Your Staff? ISSA’s Career Center offers a community to connect employers and those seeking new opportunities. Current opportunities include: Computer Emergency Response Team (CERT) Analyst • Information Assurance Certification & Accreditation Analyst • Assitant/Associate Professor of Information Systems in Information Assurance • Information Security Administration Manager • Principle Associate, Information Security Technical Job • Assistant Professor - Computer Science and Digital Forensics December 2012 | ISSA Journal – 29 Structured Risk Analysis Offers Rich Rewards | Greg Jones ©2012 ISSA • • • All rights reserved.
Risk Radar: YARA Signatures
By Ken Dunham – ISSA Fellow and member, Boise, USA Chapter

YARA (Yet Another Recursive Acronym) is a malware classification tool that is gaining ground in various security communities. It is very lightweight and easy to install, with support for Linux, Windows, and Mac OS X. The agility and ease of writing signatures and matching conditions is tremendous. How YARA is applied to malware research is interesting, bringing to the surface a wide variety of creative approaches to how one classifies malware and monitors and locates new samples of interest; how one even analyzes strings and processes in memory; and how it can all be easily automated and shared. This brief article introduces how to obtain and install YARA, how rules are written, and how it can be applied (at a high level).

Victor Manuel Alvarez created YARA and has posted it for free download. It was first released several years ago and has been slowly gaining ground. There are now private groups that share YARA rules for malware already researched. It comes at a price all security researchers love – free – and is robust and easy to use. For any reverse engineer it's fantastic, given how one can create signatures with hex and entry-point specifications. For a dynamic analysis engineer or analyst, YARA is flexible enough to enable easy signature creation to look for common ASCII or hex strings or other data of interest found in files, memory (specific processes), string dumps, and more.

YARA comes with very thorough documentation on how to use and install it. The program itself is used similarly to an antivirus engine that relies upon signatures. YARA is run in a terminal, using rules supplied by the user, to scan a file or PID to see if any of the rules match the data being scanned. To install the program in Ubuntu the author found the following quick steps to work best:

    sudo apt-get install libpcre3 libpcre3-dev
    wget http://yara-project.        # download URL truncated in the original; fetches yara-1.6.tar.gz
    wget http://yara-project.        # download URL truncated in the original; fetches yara-python-1.6.tar.gz
    tar xvfz yara-1.6.tar.gz
    cd yara-1.6
    ./configure
    make
    make check
    sudo make install
    cd ..
    tar xvfz yara-python-1.6.tar.gz
    cd yara-python-1.6
    python setup.py build
    sudo python setup.py install
    yara -v

While the above sequence of commands offers no thorough support in this article, a YARA manual and online documents are available if assistance is required. If installed correctly the final command, yara -v, prompts YARA to print out the version information of the program.

Once the program is installed correctly, it can be used to compare rules against data of interest. Rules within YARA are very simple on the surface, having the following basic structure (this is a simplistic view):

    rule name
    {
        meta:
            name = ""
        strings:
            $STRING_1 = "STRING"   // comments if desired
        condition:
            $STRING_1
    }

Metadata is exactly that: arbitrary data one might want to enter for the rule (basically a signature file). For example, an author may want to add his name, a version for the rule, the MD5 value for a sample related to the rule, a description related to the file, etc. Strings are used to identify data that uniquely identifies data of interest. For example, if a binary has a unique string such as "spider32," that can be added as one of the strings to look for in helping to identify data as possibly related to the rule. What makes YARA extremely powerful is that you're not just limited to ASCII text. You can also have strings related to hex values, specific offsets in files, wildcard matches, and integers, to name a few possible options. For example, if looking for hex in a file where the first two bytes are known, the next two randomized, and the last known, such as "10 ff ?? ?? ff", a string can be represented in a rule as follows:

    strings:
        $a = {10 ff ?? ?? ff}   // hex data is always contained within these brackets for strings

When looking at a binary or a process, multiple unique strings can be identified to create a rule that might have many possible options, such as a C&C URL, unique strings related to the binary, or unique components such as a POST to a 1.jpg. Conditions can then be specified within the rule to combine multiple strings for a match to be made, look for all of the strings, or just a single string as desired. Take for example the next rule, which looks for the first three strings to be present, or a possibly more unique fourth string, to make it "true" in YARA output after running a scan:

    rule Name
    {
        meta:
            Malware = "Rogue.AntiVirusPro"
            MD5 = "D8855F6FCB1A087A5819E40D2B9E0030"
        strings:
            $a = "setup/setup.exe"
            $b = "new4"
            $c = "215"
            $d = "H8SRT8f94.tmp"   // possible unique name for this sample
        condition:
            ($a and $b and $c) or $d   // strings a-c must all exist OR string d must exist for this rule to be true
    }

Rules must have conditions that are boolean, true or false. This can be established in a variety of ways, using terms like "all of them," "any of ($a,$b,$c)," "or" statements, and so on. Rules can also be combined and filtered through many layers, such as identifying that a file is a CWS Flash file, and then using another rule to look for specific strings of interest to then narrow it down into classification schemes for specific CVE exploits of interest or malware families, etc.

YARA can easily be automated and is supported via Python. With various malware research groups sharing YARA signatures and the ease of custom signatures, it provides many options for researchers. YARA can be automated to be used in incident response, where new code is run against others already mitigated on a network. Creating a signature can be done by an analyst, not just engineers, within just a few minutes once malware has already been researched, revealing unique strings. Naturally this type of work can lead to false positives, with some having more success than others at identifying unique malware strings for use in YARA rules. If you have sensitive samples, you can easily create your own database of rules that resides only on your computer. As seen in some tutorials in books and online, YARA can also be integrated into analysis scripts that perform classification, lookups, MD5 cloud queries, and more, which makes it very powerful for those with a little Python experience.

YARA is clearly gaining ground in the research community after several years of use. It only takes a few hours to install the program and become familiar with the details of how rules are created. Once implemented it provides interesting new opportunities for working with malware. It was created as a classification tool but can be used to perform incident response to identify possible hostile code in memory or on disk. It can also be used to help analyze strings of any type, such as looking for API calls in a string dump. It can also be used for monitoring, using rules to find new samples that might match a former sample that has attacked a network, to find "dirty sibling" malware.

About the Author
Ken Dunham has two decades of security experience and currently works for iSIGHT Partners. Credentials include MTE, CISSP, GCFA Gold (forensics), GCIH Gold (Honors) (incident handling), GSEC (network security), and GREM Gold (reverse engineering).
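As an added example (mine, not code from the article or the YARA project), the following pure-Python stand-in evaluates the two rule fragments from the article the way YARA would: the {10 ff ?? ?? ff} hex wildcard string and the ($a and $b and $c) or $d condition of the Rogue.AntiVirusPro rule. It does not use yara-python; the sample buffers, the any_of helper and all function names are my own constructions.

```python
"""Minimal evaluator for the YARA rule fragments discussed above (constructed stand-in,
not yara-python). Shows what the hex wildcard and the boolean condition actually test."""
import re
from typing import List


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Turn a YARA-style hex string such as '{10 ff ?? ?? ff}' into a bytes regex.
    '??' is a one-byte wildcard; every other token is a literal byte."""
    tokens = pattern.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")                                  # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))      # literal byte value
    # DOTALL so the wildcard also matches 0x0a, which YARA treats as an ordinary byte
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(data: bytes, pattern: str) -> List[int]:
    """Offsets at which the hex pattern occurs (what YARA reports as @a)."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def find_text(data: bytes, text: str) -> List[int]:
    """Offsets of a plain ASCII string (YARA's default text string: case-sensitive)."""
    return [m.start() for m in re.finditer(re.escape(text.encode("ascii")), data)]


# Strings from the Rogue.AntiVirusPro rule shown in the article.
ROGUE_STRINGS = {
    "$a": "setup/setup.exe",
    "$b": "new4",
    "$c": "215",
    "$d": "H8SRT8f94.tmp",
}


def rogue_antiviruspro_matches(data: bytes) -> bool:
    """Evaluate the article's condition: ($a and $b and $c) or $d."""
    hit = {name: bool(find_text(data, s)) for name, s in ROGUE_STRINGS.items()}
    return (hit["$a"] and hit["$b"] and hit["$c"]) or hit["$d"]


def any_of(data: bytes, names, n: int = 1) -> bool:
    """'n of ($a,$b,...)' semantics: at least n of the named strings are present.
    (Helper constructed for this example; 'all of them' is n == len(names).)"""
    return sum(bool(find_text(data, ROGUE_STRINGS[nm])) for nm in names) >= n


# Constructed sample buffers (not real malware), just enough to exercise each branch.
SAMPLE_ROGUE = b"MZ\x90\x00 setup/setup.exe\x00 build new4 \x00 ver 215\x00"
SAMPLE_TMP_ONLY = b"MZ\x90\x00 drop to H8SRT8f94.tmp"
SAMPLE_CLEAN = b"MZ\x90\x00 new4 215 nothing else here"
SAMPLE_HEX = b"\x00\x10\xff\xab\xcd\xff\x00\x10\xff\x01\xff"   # 5-byte pattern fits only at offset 1


if __name__ == "__main__":
    print(find_hex(SAMPLE_HEX, "{10 ff ?? ?? ff}"))            # [1]
    for sample in (SAMPLE_ROGUE, SAMPLE_TMP_ONLY, SAMPLE_CLEAN):
        print(rogue_antiviruspro_matches(sample))              # True, True, False
```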
toolsmith: ModSecurity for IIS – Part 2 of 2: Web Application Security Flaw Discovery and Prevention
By Russ McRee – ISSA Senior Member, Puget Sound (Seattle), USA Chapter

Prerequisites/dependencies
• Windows OS with IIS (Win2k8 used for this article)
• SQL Server 2005 Express SP4 and Management Studio Express for the vulnerable web app
• .NET Framework 4.0 for ModSecurity IIS

December's issue continues where we left off in November with Part 2 in our series on web application security flaw discovery and prevention. In November we discussed Arachni, the high-performance, modular, open source web application security scanning framework. This month we'll follow the logical workflow from Arachni's distributed, high-performance scan results to how to use the findings as part of mitigation practices. One of Arachni's related features is WAF Realtime Virtual Patching.

Trustwave SpiderLabs' Ryan Barnett has discussed the concept of dynamic application scanning testing (DAST) data that can be imported into a web application firewall (WAF) for targeted remediation. This discussion included integrating export data from Arachni into ModSecurity, the cross-platform, open source WAF for which he is the OWASP ModSecurity Core Rule Set (CRS) project leader. I reached out to Ryan for his feedback with particular attention to ModSecurity for IIS, Microsoft's web server. He indicated that WAF technology has gained traction as a critical component of protecting live web applications for a number of key reasons, including:
1. Gaining insight into HTTP transactional data that is not provided by default web server logging
2. Utilizing virtual patching to quickly remediate identified vulnerabilities
3. Addressing PCI DSS Requirement 6.6

The ModSecurity project is just now a decade old (first released in November 2002), has matured significantly over the years, and is the most widely deployed WAF in existence, protecting millions of websites. "Until recently, ModSecurity was only available as an Apache web server module. That changed, however, this past summer when Trustwave collaborated with the Microsoft Security Response Center (MSRC) to bring the ModSecurity WAF to both the Internet Information Services (IIS) and nginx web server platforms. With support for these platforms, ModSecurity now runs on approximately 85% of internet web servers," Ryan explained.

Among the features that make ModSecurity so popular, there are a few key capabilities that make it extremely useful:
• It has an extensive audit engine which allows the user to capture the full inbound and outbound HTTP data. This is not only useful when reviewing attack data but is also extremely valuable for web server administrators who need to troubleshoot errors.
• It includes a powerful, event-driven rules language which allows the user to create very specific and accurate filters to detect web-based attacks and vulnerabilities.
• It includes an advanced Lua API which provides the user with a full-blown scripting language to define complex logic for attack and vulnerability mitigation.
• It also includes the capability to manipulate live transactional data. This can be used for a variety of security purposes including setting hacker traps, implementing anti-CSRF tokens, or cryptographic hash tokens to prevent data manipulation.

In short, Ryan states that ModSecurity is extremely powerful and provides a very flexible web application defensive framework that allows organizations to protect their web applications and quickly respond to new threats.

I also sought details from Greg Wroblewski, Microsoft's lead developer for ModSecurity IIS:

"As ModSecurity was originally developed as an Apache web server module, it was technically challenging to bring together two very different architectures. The team managed to accomplish that by creating a thin layer abstracting ModSecurity for Apache from the actual server API. During the development process it turned out that the new layer is flexible enough to create another ModSecurity port for the nginx web server. In the end, the security community received a new cross-platform firewall, available for the three most widely used web servers."

The current ModSecurity development process (still open, recently migrated to GitHub) preserves compatibility of features between the three ported versions. For the IIS version, only features that rely on specific web server behavior show functional differences from the Apache version, while the nginx version currently lacks some of the core features (like response scanning and content injection) due to limited extensibility of the server. Most ModSecurity configuration files can be used without any modifications between Apache and IIS servers. The upcoming release of the RTM version for IIS will include a sample of the ModSecurity OWASP Core Rule Set in the installer.

Installing ModSecurity for IIS

In order to test the full functionality of ModSecurity for IIS, I needed to create an intentionally vulnerable web application and did so following guidelines provided by Metasploit Unleashed. The author wrote these guidelines for Windows XP SP2; I chose Windows Server 2008 just to be contrarian. I first established a Win2k8 virtual machine, enabled the IIS role, downloaded and installed SQL Server 2005 Express SP4, .NET Framework 4.0, as well as SQL Server 2005 Management Studio Express, then downloaded the ModSecurity IIS 2.7.1 installer. We'll configure ModSecurity IIS after building our vulnerable application. When configuring SQL Server 2005 Express, ensure you enable SQL Server Authentication, and set the password to something you'll use in the connection string established in Web.config. I used p@ssw0rd1 to meet required complexity.

Note: It's "easier" to build a vulnerable application using SQL Server 2005 Express rather than 2008 or later; for time's sake and reduced troubleshooting just work with 2005. We're in test mode here, not production. That said, remember, you're building this application to be vulnerable by design. Conduct this activity only in a virtual environment and do not expose it to the Internet.

Follow the Metasploit guidelines carefully but remember to establish a proper connection string in the Web.config (line 4) and build it from the sample I'm hosting for you rather than the one included with the guidelines. As an example, I needed to establish my actual server name rather than localhost. I defined my database name as crapapp instead of WebApp per the guidelines, and used p@ssw0rd1 instead of password1 as described:

    <add name="test" connectionString="server=WIN2K8-VM\SQLEXPRESS;database=crapapp;uid=sa;password=p@ssw0rd1;" providerName="System.Data.SqlClient"/>

I also utilized configurations recommended for the pending ModSecurity IIS install, so go with my version.

Once you're finished with your vulnerable application build you should browse to http://localhost and first pass credentials that you know will fail to ensure database connectivity. Then test one of the credential pairs established in the users table, admin/s3cr3t as an example. If all has gone according to plan you should be treated to a successful login message as seen in Figure 1.

Figure 1 – A successful login to CrapApp

ModSecurity IIS installation details are available via TechNet, but I'll walk you through a bit of it to help overcome some of the tuning issues I ran into. Make sure you have the full version of .NET 4.0 installed and patch it in full before you execute the ModSecurity IIS installer you downloaded earlier. Download the ModSecurity OWASP Core Rule Set (CRS), and as a starting point copy the files from base_rules to the crs directory you create in C:\inetpub\wwwroot. Also put the test.conf file I'm hosting for you in C:\inetpub\wwwroot. This will call the just-mentioned ModSecurity OWASP Core Rule Set (CRS) that Ryan maintains and also allow you to drop any custom rules you may wish to create right in test.conf.

There are a few elements to be comfortable with here. Watch the Windows Application logs via Event Viewer to both debug any errors you receive and see ModSecurity alerts once properly configured. I'm hopeful that the debugging time I spent will help save you a few hours, but watch those logs regardless. Also make regular use of the Internet Information Services (IIS) Manager to refresh the DefaultAppPool under Application Pools as well as restart the IIS instance after you make config changes. Finally, this experimental installation intended to help get you started is running in active mode versus passive. It will both detect and block what the CRS notes as malicious. As such, you'll want to initially comment out all the HTTP Policy rules in order to play with the CrapApp we built above. To do so, open modsecurity_crs_30_http_policy.conf in the crs directory and comment out all lines that start with SecRule, or simply pull the whole policy file from the crs directory. Again, we're in experiment mode here. Don't deploy ModSecurity in production with the SecDefaultAction directive set to "block" without a great deal of testing in passive mode first or you'll likely blackhole known good traffic.

Using ModSecurity and virtual patching to protect applications

Now that we're fully configured, I'll show you the results of three basic detections, then close with a bit of virtual patching for your automated web application protection pleasure. Figure 2 is a mashup of a login attempt via our CrapApp with a path traversal attack and the resulting detection and block as noted in the Windows Application log.

Figure 2 – Path traversal attack against CrapApp denied

Similarly, a simple SQL injection such as '1=1-- against the same form field results in the following Application log entry snippet:

    [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:txtLogin: '1=1--"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Note the various tags, including a match to the appropriate OWASP Top 10 entry as well as the relevant section of the PCI DSS. Ditto if we pop in a script tag via the txtLogin parameter:

    [data "Matched Data: <script> found within ARGS:txtLogin: \x22><script>alert(document.cookie)</script>"] [ver "OWASP_CRS/2.2.6"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]

Finally, we're ready to connect our Arachni activities in Part 1 of this campaign to our efforts with ModSecurity IIS. There are a couple of ways to look at virtual patching, as amply described by Ryan. His latest focus has been more on dynamic application scanning testing as actually triggered via ModSecurity.
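The bracketed [key "value"] fields in the Application log entries quoted above are regular enough to parse, which is what you want when these alerts feed a ticketing or reporting pipeline. The following is an added example (mine, not from the article or the ModSecurity project) that parses both quoted snippets, pulls out the parameter the CRS rule fired on, and maps the tags to the OWASP Top 10 entry and PCI DSS clause they cite; the two alert strings are copies of the article's snippets and the function names are my own.

```python
"""Parse ModSecurity alert fields as written to the Windows Application log
(constructed example; the two alerts below are copied from the article text)."""
import re
from typing import Dict, List

SQLI_ALERT = (
    '[msg "SQL Injection Attack: Common Injection Testing Detected"] '
    '[data "Matched Data: \' found within ARGS:txtLogin: \'1=1--"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] '
    '[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]'
)
XSS_ALERT = (
    '[data "Matched Data: <script> found within ARGS:txtLogin: '
    '\\x22><script>alert(document.cookie)</script>"] '
    '[ver "OWASP_CRS/2.2.6"] [maturity "8"] [accuracy "8"] '
    '[tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] '
    '[tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]'
)

# One [key "value"] field; the value may contain backslash-escaped characters
# (ModSecurity writes embedded quotes as \" and non-printables as \xNN).
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line: str) -> Dict[str, object]:
    """Turn one alert line into a dict. 'tag' repeats, so it becomes a list;
    every other key keeps its (last) value."""
    parsed: Dict[str, object] = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            parsed["tag"].append(value)          # type: ignore[union-attr]
        else:
            parsed[key] = value
    return parsed


def matched_parameter(alert: Dict[str, object]) -> str:
    """Name of the request argument the rule matched, taken from the CRS
    'Matched Data: ... found within ARGS:<name>: ...' text; '' if absent."""
    m = re.search(r"found within ARGS:([^:\s]+):", str(alert.get("data", "")))
    return m.group(1) if m else ""


def compliance_tags(alert: Dict[str, object]) -> Dict[str, str]:
    """Map CRS tags to the OWASP Top 10 entry and PCI DSS clause they cite."""
    out: Dict[str, str] = {}
    for tag in alert["tag"]:                     # type: ignore[union-attr]
        if tag.startswith("OWASP_TOP_10/"):
            out["owasp_top10"] = tag.split("/", 1)[1]
        elif tag.startswith("PCI/"):
            out["pci_dss"] = tag.split("/", 1)[1]
    return out


def attack_class(alert: Dict[str, object]) -> str:
    """Attack class from the OWASP_CRS/WEB_ATTACK/<class> tag, or UNKNOWN."""
    for tag in alert["tag"]:                     # type: ignore[union-attr]
        if tag.startswith("OWASP_CRS/WEB_ATTACK/"):
            return tag.rsplit("/", 1)[1]
    return "UNKNOWN"


def summarize(lines: List[str]) -> List[Dict[str, str]]:
    """One flat summary row per alert, suitable for a ticket or report table."""
    rows = []
    for line in lines:
        alert = parse_alert(line)
        row = {
            "param": matched_parameter(alert),
            "attack": attack_class(alert),
            # not every CRS rule emits severity; the XSS snippet above has none
            "severity": str(alert.get("severity", "n/a")),
        }
        row.update(compliance_tags(alert))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize([SQLI_ALERT, XSS_ALERT]):
        print(row)
```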
There is now Lua scripting that integrates ModSecurity and Arachni over RPC, where a specific signature hit from ModSecurity will contact the Arachni service and kick off a targeted scan. At last check this code was still experimental and likely to be challenging with the IIS version of ModSecurity. That said, we can direct our focus in the opposite direction and utilize Ryan's automated virtual patching script, arachni2modsec, where we gather Arachni scan results and automatically convert the XML export into rules for ModSecurity. These custom rules will then protect the vulnerabilities discovered by Arachni while you haggle with the developers over how long it's going to take them to actually fix the code.

To test this functionality I scanned the CrapApp from the Arachni instance on the Ubuntu VM I built for last month's article. I also set the SecDefaultAction directive to "pass" in my test.conf file to ensure the scanner is not blocked while it discovers vulnerabilities. Currently the script writes rules specifically for SQL Injection, Cross-site Scripting, Remote File Inclusion, Local File Inclusion, and HTTP Response Splitting. The process is simple; assuming the results file is results.xml, running the script with -f results.xml will create modsecurity_crs_48_virtual_patches.conf. On my ModSecurity IIS VM I'd then copy modsecurity_crs_48_virtual_patches.conf into the C:\inetpub\wwwroot\crs directory and refresh the DefaultAppPool. Figure 3 gives you an idea of the resulting rule. Note how the rule closely resembles the alert spawned when I passed the simple SQL injection attack to CrapApp earlier in the article. Great stuff, right?

Figure 3 – arachni2modsec script creates rule for ModSecurity IIS

In Conclusion

What a great way to wrap up 2012 with the conclusion of this two-part series on Web Application Security Flaw Discovery and Prevention. I'm thrilled with the performance of ModSecurity for IIS and really applaud Ryan and Greg for their efforts. There are a number of instances where I intend to utilize the ModSecurity port for IIS and will share feedback as I gather data. Please let me know how it's working for you as well should you choose to experiment and/or deploy. Good luck and Merry Christmas. Stay tuned to vote for the 2012 Toolsmith Tool of the Year starting December 15.

Acknowledgements
– Ryan Barnett, Trustwave SpiderLabs, Security Researcher Lead
– Greg Wroblewski, Microsoft, Senior Security Developer

Ping me via email if you have questions (russ at holisticinfosec dot org). Cheers... until next month.

About the Author
Russ McRee manages the Security Analytics team (security incident management, penetration testing, monitoring) for Microsoft's Online Services Security & Compliance organization. In addition to toolsmith, he's written for numerous other publications, speaks regularly at events such as DEFCON, Black Hat, and RSA, and is a SANS Internet Storm Center handler. As an advocate for a holistic approach to the practice of information assurance, Russ maintains holisticinfosec.org. He serves in the Washington State Guard as the Cybersecurity Advisor to the Washington Military Department. Reach him at russ at holisticinfosec dot org or @holisticinfosec.
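To show what the scan-results-to-virtual-patch step above amounts to, here is an added example (mine; it is not Ryan Barnett's arachni2modsec script and does not use Arachni's real XML schema). It reads a constructed, simplified report format with one issue per finding and emits one chained SecRule per patchable (path, parameter) pair, using a positive-security whitelist on the vulnerable parameter, as the CRS-style tag names above suggest. The report format, the PATCHABLE table with its whitelist regexes, the rule id range and the function names are all my assumptions.

```python
"""Turn DAST findings into ModSecurity virtual patches (constructed example).
The input format below is a simplified stand-in, NOT Arachni's actual XML export."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SAMPLE_RESULTS = """<?xml version="1.0"?>
<report>
  <issue>
    <name>SQL Injection</name>
    <url>http://win2k8-vm/login.aspx</url>
    <method>POST</method>
    <var>txtLogin</var>
  </issue>
  <issue>
    <name>Cross-Site Scripting (XSS)</name>
    <url>http://win2k8-vm/login.aspx</url>
    <method>POST</method>
    <var>txtPassword</var>
  </issue>
  <issue>
    <name>Interesting response</name>   <!-- informational: nothing to patch -->
    <url>http://win2k8-vm/</url>
    <method>GET</method>
    <var></var>
  </issue>
</report>
"""

# The five issue classes the article says get patched. Key: substring of the finding
# name (lower-cased). Value: (tag suffix, whitelist regex the parameter MUST match).
# The regexes are illustrative assumptions; tighten them to the real parameter format.
PATCHABLE = {
    "sql injection":         ("SQL_INJECTION", r"^[a-zA-Z0-9_@.\-]{1,64}$"),
    "cross-site scripting":  ("XSS", r"^[^<>\x22'%;()&+]{0,256}$"),
    "remote file inclusion": ("RFI", r"^(?!(https?|ftp)://)[^\x00-\x1f]{0,256}$"),
    "local file inclusion":  ("LFI", r"^[^./\\\x00]{0,256}$"),
    "response splitting":    ("HTTP_RESPONSE_SPLITTING", r"^[^\r\n%]{0,256}$"),
}


def load_issues(xml_text: str) -> List[Tuple[str, str, str]]:
    """(name, request path, parameter) for every <issue> in the constructed report."""
    issues = []
    for node in ET.fromstring(xml_text).findall("issue"):
        name = (node.findtext("name") or "").strip()
        path = urlparse((node.findtext("url") or "").strip()).path or "/"
        var = (node.findtext("var") or "").strip()
        issues.append((name, path, var))
    return issues


def classify(name: str) -> Optional[Tuple[str, str]]:
    """(tag, whitelist regex) if the finding is one we patch, else None."""
    lowered = name.lower()
    for key, spec in PATCHABLE.items():
        if key in lowered:
            return spec
    return None


def build_rules(xml_text: str, start_id: int = 48001) -> List[str]:
    """One chained SecRule per patchable (path, parameter, class); deny when the
    parameter fails its whitelist. Rule ids are mandatory in ModSecurity 2.7."""
    rules, seen, rule_id = [], set(), start_id
    for name, path, var in load_issues(xml_text):
        spec = classify(name)
        if spec is None or not var:      # informational, or no parameter to constrain
            continue
        tag, regex = spec
        if (path, var, tag) in seen:     # scanners report one issue per vector; dedupe
            continue
        seen.add((path, var, tag))
        rules.append(
            f'SecRule REQUEST_FILENAME "@streq {path}" '
            f'"chain,phase:2,t:none,log,deny,id:{rule_id},'
            f"msg:'Virtual patch: {tag} on {var} (DAST finding)',"
            f"tag:'DAST/VIRTUAL_PATCH',tag:'OWASP_CRS/WEB_ATTACK/{tag}'\"\n"
            f'\tSecRule ARGS:{var} "!@rx {regex}" "t:none,t:urlDecodeUni"'
        )
        rule_id += 1
    return rules


def write_conf(xml_text: str) -> str:
    """Contents for a modsecurity_crs_48_virtual_patches.conf-style file."""
    header = ("# Generated virtual patches (constructed example).\n"
              "# Load after the CRS base rules; run in passive mode first.\n")
    return header + "\n".join(build_rules(xml_text)) + "\n"


def parameter_allowed(tag: str, value: str) -> bool:
    """Apply the same whitelist locally, to test a patch before deploying it."""
    regex = next(r for t, r in PATCHABLE.values() if t == tag)
    return re.search(regex, value) is not None


if __name__ == "__main__":
    print(write_conf(SAMPLE_RESULTS))
```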
ISSA Industry Events

ISSA works with many industry events to provide discounts to our members. Attending these events provides you with an additional return on your ISSA membership investment.

SecureWorld Expo
Boston, March 27-28
Atlanta, April 2-3
Kansas City, April 16-17
Houston, May 1-2
Philadelphia, May 22-23
Charlotte, May 29-30
Portland, June 5-6

SecureWorld Expo brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security. SecureWorld helps IT professionals earn required CPE training credits. Located in different regions throughout the US, SecureWorld is at the convergence of information security, physical security, GRC, IT audit, computer forensics, business continuity, consumerization, cloud security, privacy, and security awareness.

Along with a regional approach to content, nationally recognized security companies use SecureWorld as a way to meet and network with security professionals regionally. By bringing the national security companies together with local security professionals, attendees are able to seek out solutions to their enterprise security needs in an effective and efficient manner.

ISSA members are offered a $100 discount off the $265 conference pass which includes access to the conference sessions, conference breakfast keynote, exhibits, and open sessions with lunch keynote, and 12 CPE credits. Register online using code ISSNWS13.

SecureWorld + Extended Training 2013 includes 4+ hours of intensive training worth 16 CPE credits and full access to the complete SecureWorld conference program. The SecureWorld + pass is only $495 with a special ISSA member discount; register using code ISSNWS13. Click here for conference details and to register.

RSA Conference 2013
2/25/2013 to 3/1/2013, Moscone Center, San Francisco, California, United States

RSA® Conference helps drive the information security agenda worldwide. Throughout its 20+ year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for conference attendees to learn about information security's most important issues through first-hand interactions with peers, luminaries and emerging and established companies. Click here for more information and conference dates.

Cost: $1,595 - $2,295. Discount to ISSA members: $175; Discount code: 1213ISSADL15. (*Please note this code cannot be retroactively applied and must be entered at the time of registration.)

ISSA CISO Executive Forum
February 23-24, 2013, Sir Francis Drake Hotel, San Francisco, California

Register today to join us for this peer-only event. CISO guests click here for guest registration and criteria. First-time qualified guests may attend at no charge. CISO executive members click here to register to attend this ISSA CISO Executive Forum. Rooming reservations can be made at the host hotel, as described below.

The conference rate is $209.00 (+ tax) per night. To secure a room, please contact the Sir Francis Drake Hotel by booking online or by calling Group Reservation at 415 395 8546 (9am-5pm PT) and asking for the ISSA CISO Forum rate. Reservations must be made by January 31, 2013 or before the group rooms are sold out, so do not delay. Please note: Prevailing rates may apply after these dates or when the group rooms are sold out, whichever occurs first. Early departure fees may apply should you check out prior to the confirmed check out date.

ISSA London Conference: Secure Information for Europe
February 5, 2013, Deloitte Offices, 2 New Street Square, London, UK

The 2013 ISSA London Conference will focus on some key challenges we all face: Cyber Crime, Cyber Conflict, and Cyber Espionage. At the conference, ISSA will also host two satellite events in conjunction with the Conference:
February 4 – ISSA European CISO Executive Briefing and Roundtable
February 6 – European Chapter Leaders Summit
Register today. Space is limited.

International Conference Heads to Nashville!
Save the Date - October 8-11, 2013, Nashville, Tennessee

It is our pleasure to announce that the 2013 ISSA International Conference will be held October 8-11, 2013 in Nashville, TN. The Middle Tennessee Chapter will serve as host for the 2013 event, building on their successful Nashville InfoSec Conference.

2013 ISSA International Conference Events:
• October 8 – Chapter Leaders Summit*
• October 9-10 – ISSA International Conference
• October 11 – CISO Executive Forum*
*Open to qualified attendees.
ISSA Code of Ethics

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.

As an applicant for membership and as a member of ISSA, I have in the past and will in the future:
• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
• Promote generally accepted information security current best practices and standards;
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
• Discharge professional responsibilities with diligence and honesty;
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.