SELJE - VFP and IT Security.pptx

1. Virtual Fox Fest VFP and IT Security Eric Selje Salty Dog Solutions, LLC eric@saltydogllc.com SaltyDogLLC.com

2. Virtual Fox Fest About Me  Fox developer since 1985  MadFox since 1995  IT Security for the last few years  First public speaking since 2019

3. Virtual Fox Fest Agenda  What Does IT Security Do?  IT Security Frameworks  CIS Controls  Visual FoxPro and IT Security

4. Virtual Fox Fest A Day in the Life of IT Security

5. Virtual Fox Fest Lay of the Land What do I need to address right now? • Baselines / Abnormalities • 🚩Alerts 🚩 ♦ May come directly from the tool • Anti-Virus, Scanner, Web-Based Threat Monitor, etc ♦ Better if comes from SIEM that aggregates information from multiple sources • Impossible unless systems are set up. Easy once they are.

6. Virtual Fox Fest Tools, You Say? SIEM (Security Information and Event Manager) • My main source for alerts • Aggregate logs from disparate sources • Analyze/Act on that information ♦ Great for forensics after fact ♦ Better if ALERTS are set up to catch stuff before it happens • Evidence of network traversal • Hard drives filling up • Who logged in with elevated privileges?

7. Virtual Fox Fest Sample Splunk Page

8. Virtual Fox Fest Dashboards

9. Virtual Fox Fest Some SIEM Examples

10. Virtual Fox Fest Lay of the Land Review Vulnerability Scans • Common Vulnerabilities and Exposure (CVE) ♦ CVE is Unique Identifier ♦ Assess its risk to your environment ♦ Will it be patched automatically, or do I need to intervene?

11. Virtual Fox Fest Sample Vulnerability Scan

12. Virtual Fox Fest A Basic (Non-Credentialed) Scan

13. Virtual Fox Fest Drilling Into One Device

14. Virtual Fox Fest Drilling Down Further Into Vuln

15. Virtual Fox Fest Remediate / Mitigate Triage the vulnerabilities and decide: • Remediate: Fix the Problem ♦ Patch / Remove ♦ Will it automatically auto-update? • Mitigate: Put a Band-Aid on the Problem ♦ Cordon off the threat ♦ Put extra controls to watch the problem • Accept/Recast: Decide you can live with the risk ♦ Might require “paperwork”

16. Virtual Fox Fest Automatically Patch “Patch Management as a Service” • WSUS • Kace Quest • PDQ

17. Virtual Fox Fest What’s on the Horizon? • Read Email Briefs ♦ Mandiant, Bleeping Computer, Krebs on Security • Websites ♦ HackURLs.com • Podcasts / YouTube channels ♦ Hacking Humans, Security Now, CyberSecurity Headlines, and Darknet Diaries • Watch Vendor Presentations ♦ New tools / software / threats • Talk with my Colleagues

18. Virtual Fox Fest Plan, Prepare, Educate • Policies! ♦ BYOD ♦ Appropriate Use ♦ Backup and Storage ♦ Configuration Management ♦ Incident Response ♦ Log Management ♦ Media Sanitization ♦ Password • More Policies! ♦ Access Control ♦ Physical Security ♦ Remote Access ♦ Wireless Networks ♦ International Travel ♦ Contingency Planning and Disaster Recovery ♦ Network Management ♦ Security Patch Management

19. Virtual Fox Fest Security Awareness Training  Test Phishing / Smishing/ Vishing  Learning Campaigns w/ Knowledge Checks • Social Engineering • Good Passwords • MFA

20. Virtual Fox Fest My Toolbox  Log Management (SIEM)  Vulnerability Scanner  Anti-Virus/Malware  Patch Management  Web-Based Threat Protection  Security Awareness Training

21. Virtual Fox Fest Pause for Questions

22. Virtual Fox Fest IT Frameworks

23. Virtual Fox Fest Frameworks are Roadmaps Some are for the BIG Picture Some are for very specific purposes

24. Virtual Fox Fest BIG Risk Management Frameworks NIST 800-53 “Security and Privacy Controls for Information Systems and Organizations”

25. Virtual Fox Fest 1,000s of Controls

26. Virtual Fox Fest Smaller Risk Management Framework NIST Cybersecurity Framework

27. Virtual Fox Fest

28. Virtual Fox Fest CIS Controls CIS Control 1: Inventory and Control of Enterprise Assets  Know everything about what’s on your network. CIS Control 2: Inventory and Control of Software Assets  Have software in place that scans your workstations for what software is running on them and keeps it up to date. CIS Control 3: Data Protection  Have controls in place so our data is not easily accessible to anyone snooping around either when it’s at rest or in transit. You should also have a data retention plan in place so you know whether you should purge the data regularly or hold onto it in perpetuity. CIS Control 4: Secure Configuration of Enterprise Assets and Software  These determine who gets to make changes to your network or install new software and what procedures they have to go through in order to document the changes.

29. Virtual Fox Fest CIS Controls CIS Control 5: Account Management  Who gets an account on the system? What service accounts are running? Do they have to have passwords? How long? CIS Control 6: Access Control Management  This ties in with Control 5, Account Management, but deals with the rights users have. Do users need administrative rights? Do you require Multi-Factor Authentication? Can a user log in remotely or do they have to be in a specific geographic location based on their IP address when they enter their credentials?

30. Virtual Fox Fest CIS Controls CIS Control 7: Continuous Vulnerability Management  Scan your devices for the known vulnerabilities and patch them automatically. CIS Control 8: Audit Log Management  Enable logging on all of your devices and as much of your software as possible and forward those logs to a centralized repository. CIS Control 9: Email and Web Browser Protections  Have spam filtering on your inbox, prevent EXE files from getting into your inbox, and have your anti-malware scan your downloads.  Run your web traffic through a proxy server to block any attempts to navigate to known malicious sites.

31. Virtual Fox Fest CIS Controls CIS Control 10: Malware Defenses  Have it  Centralize it  Log it CIS Control 11: Data Recovery  Have a secure recovery plan in place and test it regularly. CIS Control 12: Network Infrastructure Management  Ensure your network devices are patched and secure, and nothing gets introduced without it being vetted.

32. Virtual Fox Fest CIS Controls CIS Control 13: Network Monitoring and Defense  Set up those alerts as mentioned in Control 8 (Log Management).  Configure your firewalls to only allow in the traffic you want to get through (start with a Deny All posture and open up the necessary ports from there after seeing what got blocked that you really want to allow).  Create VLANs to segregate traffic, especially to workstations that handle sensitive data.

33. Virtual Fox Fest CIS Controls CIS Control 14: Security Awareness and Skills Training  This is probably the second most important thing you can do, and this is actually one of my favorite tasks. • Video Campaigns • Test Phishing / Vishing / Smishing • Signed Policies

34. Virtual Fox Fest CIS Controls CIS Control 15: Service Provider Management  Keep track of who you’re working with, what data and services they have access to, and monitor them to ensure compliance with any security policies you have. CIS Control 16: Application Software Security  How to make sure our applications and data are as secure as possible. • Establishing a secure development process, • Using 3rd party controls, • Code-level security checks.

35. Virtual Fox Fest CIS Controls CIS Control 17: Incident Response Management  Know how to recognize an “incident” and what to do when it is discovered. CIS Control 18: Penetration Testing  This includes the dramatic “red-teaming” to ensure your network defenses are intact, but also includes having someone test your applications for vulnerabilities by inputting edge cases, poking odd buttons, and trying to find ways to make it do things you didn’t intend.

37. Virtual Fox Fest VFP and Security

38. Virtual Fox Fest Three Different Contexts 1 Development Is VFP Secure? 2 Deployed Apps Are my apps secure? 3 Environment Are the things I need to run my apps secure?

39. Virtual Fox Fest Is VFP9.exe itself secure? 1 2 3

40. Virtual Fox Fest VFP is probably ok. What else? ActiveX Controls w/ Vulnerabilities  ComCt232.ocx  MsChrt20.ocx  MsFlxGrd.ocx  MsMask32.ocx  MsWinSck.ocx  Update those w/ Service Packs  MSXML 1 2 3

41. Virtual Fox Fest Anything else? www.cve.org 1 2 3

42. Virtual Fox Fest What about VFPA and X#? VFPA Same as VFP9 Look at Externalities  Firewall logs X# Open Source Source Code Analyzers 1 2 3

43. Virtual Fox Fest Secure Application Development  Keep a manifest of all 3rd party tools that you use • Even Windows components ♦ Webview? Webview2? • ActiveX Controls • FLLs, Thor Tools, APIs, 16.4. Establish and manage an inventory of third-party software components 16.5. Use up-to-date and trusted third-party software components 1 2 3

44. Virtual Fox Fest Secure Code and Testing – Error Handling and Logging Centralize Place to Collect Errors / Logs ErrorHandler Class (Doug Hennig?) 16.2. Establish and maintain a process to accept and address software vulnerabilities 16.3. Perform root cause analysis on security vulnerabilities 1 2 3

45. Virtual Fox Fest Secure Code and Testing – Input Validation 16.10. Apply secure design principles in application architectures Never trust user input Do it in the U/I AND in the database! 1 2 3

46. Virtual Fox Fest Secure Code and Testing – Authentication and Authorization 16.10. Apply secure design principles in application architectures • If you can, Outsource Identity Access Management to 3rd party • Google Login • Active Directory • Okta • Use Multi-Factor Authentication for Sensitive Data • If you store credentials in your apps • Salted Hashes Only! 1 2 3

47. Virtual Fox Fest Secure Code and Testing – Authentication and Authorization 16.10. Apply secure design principles in application architectures • Don’t allow unauthenticated users to open database outside of your application 1 2 3

48. Virtual Fox Fest Secure Code and Testing – Database Security PROCEDURE BeforeOpen LOCAL lReturn lReturn = PEMSTATUS(_VFP, “oUser”, 5) AND VARTYPE(_VFP.oUser.CanOpenDatabase) RETURN lReturn 1 2 3

49. Virtual Fox Fest Secure Code and Testing – CRYPTOGRAPHIC PRACTICES • e.g. _crypt.vcx for Cryptography • Protect keys and salts from unauthorized access. What’s a good way to store secrets in Visual FoxPro? • Never assume magic strings in source code are safe! 16.11. Leverage vetted modules or services for application security components 1 2 3

50. Virtual Fox Fest Secure Code and Testing – Web Apps OWASP TOP 10 • XSS • XSFR / CSRF • SQL Injection 1 2 3

51. Virtual Fox Fest Secure Code and Testing – Source Control • Source Control • Use It! • No Sensitive Information • Push Early and Often • Use VPFX’s Project Explorer to automate much of the drudgery away • Automatically check in / check out • Automatically serialize • Monitor 3rd party access to repositories 16.1. Establish and maintain a secure application development process 1 2 3

52. Virtual Fox Fest Secure Code and Testing – Testing 16.12. Implement code-level security checks 1 2 3 • Dynamic Analysis • FoxUnit • Static Analysis • VFPX CodeAnalysis • Human Testing

53. Virtual Fox Fest Deployment - SMB 1 2 3 Server Message Blocking v 1.0 had huge bug v 2 & 3 better Turn off Opportunistic Locking

54. Virtual Fox Fest Deployment - Code Signing  Required as of Windows 11 2H22 if “Smart App Control” enabled  ~$70/yr for a certificate  SIGNTOOL from SDK  See Doug’s “Deploying VFP Apps” whitepaper 1 2 3

55. Virtual Fox Fest Deployment - Encryption  ReFox  C++ Compiler for VFP  See John Ryan’s session next Wednesday 1 2 3

56. Virtual Fox Fest Automate your Deployment 16.1. Establish and maintain a secure application development process 1 2 3

57. Virtual Fox Fest Summary

58. Virtual Fox Fest What You Learned Today  Give you an idea of what my days are now like  Overview of IT Frameworks and the CIS Controls  How what I’ve learned applies to VFP devs  Fox Rocks…  …And so do you!

60. Virtual Fox Fest Thank You! Eric Selje Eric@SaltyDogLLC.com

SELJE - VFP and IT Security.pptx

You are reading a preview.

Check these out next

SELJE - VFP and IT Security.pptx

More Related Content

Similar to SELJE - VFP and IT Security.pptx (20)

More from Eric Selje (17)

Recently uploaded (20)