ISACA - The False Sense of Security

The red or blue pill – The Matrix (1999)

The False Sense of Security
Fabian Borg
Founder and Managing Director of
ISEC and HLS-D Corporation Ltd.

The typical glass of water:
It’s half full or;
It’s half empty
* Water (potable or not)
* Pure Alcohol
* Vodka
* White Vinegar
* Acid, etc.
A perpetrator, attacker, hacker, etc, would look at the so called “glass of water” as a
transparent recipient containing transparent liquid, that might be:

The typical glass of water:
It’s half full or;
It’s half empty
* Water (potable or not)
* Pure Alcohol
* Vodka
* White Vinegar
* Acid, etc.
A perpetrator, attacker, hacker, etc, would look at the so called “glass of water” as a
transparent recipient containing transparent liquid, that might be:
The scope of this example is a simple one...
Assumptions
Humans naturally and regularly assume and
make inferences based on assumptions.

The scope of this example is a simple one...
Assumptions
Humans naturally and regularly assume and
make inferences based on assumptions.
In an information security perspective, these assumptions
account for the majority of root cause in organisational
security breaches.
We simply assume that we are secure because:
• Our firewalls are up and running
• The security implementation was very costly
• The vendor said so and it was written on the tin
• Everyone we know of has adopted the same implementation
• Our competitors did implemented such
• And so on and so forth...
We live happily in our oblivion until a security breach happens.
Then we are suddenly faced with a disappointing reality that we
were lulled in a False Sense of Security.

Let us for the time being, put aside all the security that we implement to provide
confidentiality, integrity and availability. (e.g. encryption, authentication systems,
access control, etc.
Setting the scene – defining the real and ultimate threat
Let us also for the time being, put aside all the threats to confidentiality, integrity and availability
(e.g. breaking of the encryption algorithms, exhaustive key searches, dictionary attacks, time
memory tradeoffs, primitive (basic processes) and algorithm specific attacks, DDoS, vectors
(malware), zero day attacks, etc.
To uncover the real and ultimate threat
The human mind

Setting the scene – defining the real and ultimate threat
The human mind
“The biggest threat to any system is the
ingenuity of the human mind”
Steve Purser
A practical guide to managing information security
“If you know the enemy and know yourself you need not fear the results of a hundred battles”
Sun Tzu (BC 496)
Adversus the compelling and unpredictable
Attacker’s logic

Payment cards and their systems
How secure is the commodity that we use everyday, everywhere?
We simple assume that the card issuer has taken all the necessary security provisions...
...to safeguard its infrastructure and not to secure us explicitly from merchants
Fraud for instance is handed over to the Law Enforcement agencies to investigate
So who protects us from merchants?

The Payment Card Industry Security Standards Council (PCI SSC) issued the PCI DSS.
PCI DSS is a comprehensive security standard that establishes common processes and precautions
for handling, processing, storing and transmitting credit card data.
PCI DSS has 12 core requirements and ad in crica 250 controls.
The three main issues are:
1) All merchants, must achieve and maintain compliance at all times;
2) Merchants cannot store credit card information:
• CVV2, CVC2 and CID codes,
• track data from the magnetic strip
• PIN data
3) Certain security standards are required to allow storage of credit card information such as:
• Name
• Credit card number
• Expiration date
But who is enforcing that merchants’ comply?

What if we were not to assume at all and ask ourselves questions:
• Is the EPOS tested to be PCI DSS compliant?
• Did the EPOS vender provide adequate testing and certification to the EPOS operator?
• Does the EPOS store my card’s information including CVV2, CVC2 and CID codes, Track and PIN data?
• Why is there no PCI DSS certification at cash point?
• Can a replay attack be performed past my transaction?
• Can a manual transaction be carried out once the merchant learns my details?
• Does the merchant have a dedicated network connection for the EPOS or does EPOS use the merchant’s
connection used to browse the internet?
• For WIFI enabled EPOS, can anyone capture data packets or is the data encrypted?
• Does the merchant have CCTV implemented at cash point that can shoulder sniff my pin?
• Can the cashier learn my PIN by shoulder sniffing my PIN whilst inputting?

The payment card on the other hand has inherent security
design flaws displayed on it:
The font of the card displays:
• The 16 digit personal account number
• The card holder name
• The expiry date
The back of the card displays:
• The card holder’s signature
• The CVV2, CVC2 and CID codes
The above are all valid details needed for on-line purchases most especially for sites that do not compare billing
address with shipping as an anti fraud measures.
So, do not hand over your credit card to the waiter at the restaurant... ;)

Firewalls
“Why bother, we have our firewalls up and running...”

Firewalls
Definition of a firewall
A firewall is a network security device intended to restrict access to resources. Firewalls are only
capable of blocking communications and not enable them. ISG RHUL
It is important to recognise that firewalls generally operate on incomplete information about the
data they are controlling therefore they are not complete security devices. ISG RHUL
A firewall must be the only means of communication between the trusted and untrusted networks
in order for it to be an effective point of control. ISG RHUL
Types of firewalls:
• Packet filters - obsolete
• Circuit-level proxies - obsolete
• Stateful packet filters – most common type of firewall
• Application-level proxies – most secure yet very complex to configure and maintain
• Personal firewalls – client OS

Firewalls
Attacker’s definition of a firewall
A firewall is a network security device intended to restrict the internal user’s access to the outside.
“It important to recognise that firewalls generally operate on incomplete information about the
data they are controlling therefore they are not complete security devices.” ISG RHUL
Encryption (be it legitimate traffic or an encrypted active attack) transgresses firewalls that are
not application-level proxy with key management.
An application-level proxy with key management is transgressed by a conjoined DDoS attack that
will over capacitate its client and server’s cache and will stop inspecting packets.
Firewalls being edge devices cannot stop internal compromised machines (through malware)
from sending traffic out from the firewalls as it is understood that the internal traffic is ‘trusted’,
all the more if this traffic is masked as HTTPS
There is a new methodology to transgress an application-level proxy with key management by
presenting an overwhelming amount of PKIs and force the ALP firewall to perform an exhaustive key
search that will over capacitate its client and server’s cache and will drop its key management.

Firewalls
A side note: with the introduction of integrated systems (routers with firewall capabilities)
penetration is essentially easier as once the machine take over happens, the entire network
is owned by the attacker.
Main tools for the job (note that these are free and highly documented on the internet):
• Nmap – Active attack with custom scripts - Tool proficiency is a must
• Hping3 – Active attack with custom scripts - Tool proficiency is a must
• Metasploit

IPS and IDS
As with firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are
inapt to detect encrypted attacks. Why is this?
OSI Model
TCP/IP Internet
Protocol Suite
Layer No. Layer Layer No. Layer
HostLayers
Data
7 Application
5 Application6 Presentation
5 Session
Segments
4 Transport 4 Transport
MediaLayers
Packet/Datagram
3 Network 3 Network
Frame
2 Data Link 2 Data Link
Bit
1 Physical 1 Physical
IPS and IDS inspect unencrypted or uncompressed
network traffic and packet payload data. To detect
attacks in encrypted or compressed traffic, IPS and
IDS must have the ability to access the data in a
non-encrypted and non-compressed form at the
application level.
Host based Intrusion Detection System (HIDS) with
key management can detect attacks (at client or
server level) after the packet payload has been
decrypted or decompressed and before an
application processes the payload.

IPS and IDS
As with Application-Level Proxy Firewalls with key management , an HIDS with key management
can be defeated by the latest methodology introduced in the slide before, whereby the attacker will
present the HIDS an overwhelming amount of PKIs to force “fool” the HIDS key management to do
an extensive key search that will result in a buffer overflow.
To add further insult, the attacker will take over the HIDS’s privileges and use the buffer overflow
to establish an interactive session on the target machine (generally the server), running with the
HIDS’s privileged status.

A logical thought progression.
Seeing that security devices and services are inapt at encrypted attacks, can one disable
encryption altogether?
No as even the very basic of client to server user authentication relies on encrypted traffic...

BYOD and corporate mobile devices
Whist BYOD (Bring your own device) cuts costs and improve
productivity, it is information security worse enemy –
“the enemy within” and the risks are rising exorbitantly.
Some risks associated with this phenomenon:
• Jailbreaking/Rooting gives the device owner (user) administrator level permissions, enabling them to
install and run apps that could be potentially malicious in nature.
• Users can install a myriad of free apps (generally masked adware and spyware) on the same device used for
corporate, typically granting permissions to restrictions during the app installation.
• Lost or stolen devices that contain sensitive corporate information. If device has no password lock screen
enabled, this exposes the likes of email, contacts and any downloaded content to anyone.
• Data leakage – sensitive corporate information is backed-up on public cloud services automatically.
• Rogue access points - devices have the facility to act as a wireless access point – sharing their internet
connection, thereby bypassing all the network security features installed on the corporate network. Whilst
users can deactivate such functions, malware can reactivate them as background tasks.
• Data capture - devices have the ability to search and connect to WIFI hot-spots automatically
for app synchronisation and to download email, where eavesdropping could occur.
• Software updates - manufacturers stop updating and patching obsolete mobile devices (2 years and older)
• Tracking – mobile devices are easily tracked and located.
• Network mapping - Mobile devices can map an entire corporate network, identifying servers, other clients,
honeypots, firewalls, etc. etc.
• Phishing attacks - mobile devices do not reveal full urls to links and phishing attacks are highly likely to
succeed

Would you ban the use of android from corporate networks?
“Android accounts for 92% of mobile malware, malicious apps increase 614%...”
http://appleinsider.com/articles/13/06/26/android-accounts-for-92-of-mobile-malware-malicious-apps-increase-614
“Attacks against the Android operating system continue to drastically exceed those targeted at other
mobile platforms, including Apple iOS....”
http://www.mcafee.com/us/security-awareness/articles/pc-and-android-malware-on-the-rise.aspx
“Malware, as expected, is on a steady rise, with the volume of known malware samples (excluding
madware and grayware) reaching almost 275,000 in June 2013 and recording a four-fold increase
from June 2012.”
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/madware_and_malware_analysis.pdf

ISEC’s advice on BYOD:
• Do not implement BYOD if it is not a corporate necessity
• Corporate email access should be restricted only to key
people.
• Make sure that only Secure SSL/TLS is used to send and
receive emails (due to automated public hot-spot connectivity).
• Corporate documentation should not be downloaded but
read only. Also disable the device from caching the pages.
• Just for the sake of charging the devices, please implement
a policy to have the devices charged from a power point
and not the terminal’s usb.
• Provide adequate secure user training.
A personal recommendation (for who wishes to accept it):
Avoid as much as possible the use of internet banking on Android Devices, as most of the malware
is in form of man-in-the-middle with notorious findings as the Zeus Trojan that is capable of session
take over once the users log in.

Cloud computing (private and public)
Please take care when you upload personal data on the cloud, as you might be infringing the Data
Protection Act. Make sure that the cloud service provider keeps your data within the EEA.

Risks associated with Cloud computing:
• Location - where is data physically stored?
• Who may have access to my data?
• Data retention - How is data handled when no longer needed?
• Who owns your data and what can the cloud provider do with it? - Many public cloud providers,
including the largest and best known, have clauses in their contracts that explicitly state that the
data stored is theirs.
• Shared access – can your data accidently leak to others?

Risks associated with Cloud computing (cont):
• Authentication, authorization, and access control:
• Are unused accounts removed?
• What type of authentication is required?
• If Single-sign-on (SSO) is used; is it on a shared namespace?
• How many privileged accounts can access your data?
• If data encryption is used are private keys shared among others?
• Are account lock-out policies in place?

Risks associated with Cloud computing (cont):
• Availability (e.g. Dropbox was not available last week-end) every cloud service claims provides fault
tolerance and availability, yet we see the biggest and the best go down for hours or even days with
service interruptions.
• Apart from being subject to all risks pertaining to physical infrastructures, cloud environments have
added virtual exploit risks being:
• Server host only (the hypervisior in itself)
• Guest to guest
• Host to guest
• Guest to host
• Cloud used as attack platforms
• Mass proliferation and distribution of malware

WIFI
Is WIFI secure?

WIFI

WIFI
WIFI security threats:
• Pre-shared key cracking is very possible (now even without using dictionary attacks as was
practice with aircrack-ng)
• The Evil Twin - Fraudulent APs that advertise the same network name (SSID) as legitimate
APs, causing nearby Wi-Fi clients to connect to them.
• Rouge Access Point – unauthorised APs connected to the LAN that permit attackers to conduct
a man-in-the-middle attack. (Rouge Access Points have become a common place with the
introduction of BYOD and misconfigured devices)
• Eavesdropping – Attackers can capture WIFI traffic with ease.
• Denial of Service (DoS) a simple aireplay-ng -0 1 -a BSSID (MAC_ADDR) will
deauthenticate all connected clients.
• Wireless network viruses e.g. the virus worm MVW-WiFi, which propagates itself through
wireless networks by sending out wireless probe request packets to find other local wireless
networks and then forwards itself to adjacent wireless networks.
• MAC address spoofing – Attackers can very easily replace their MAC address with ones of
legitimate clients.

WIFI
Kali Linux on Galaxy Samsung Note 10.1

DDoS (Distributed Denial of Service)
How real is the threat? http://www.digitalattackmap.com

How real is the threat? http://www.digitalattackmap.com 2 October 2013 – Cyberwarfare

How real is the threat? http://www.digitalattackmap.com 20 January 2014

Perceived vs. real security
Our perceived security in Firewalls, IDS, IPS, HIDS, BYOD, cloud and WIFI’s is distinct from the real
security that these implementations have on offer.
This perceived security lulls us into a false sense of security.
Is the human “trust” vulnerability the culprit?
Is the human ingenuity another contributing factor?
So what leads us to such a mindset:
Could it be that we don’t know any better?

F.Y.I
Elite hackers will always succeed in their attacks, no matter the level of security implemented
Elite hackers will enter and exit your network with a copy of your valuable data without raising alarms

F.Y.I
Information security is not just IT Security....

F.Y.I
Due to our ingenuity we fall prey to the greatest threat of allSocial Engineering

Quotes
“Keep security simple like a glass of water, risk access and manage it.”
Fabian Borg - ISEC
“There is no complete state of security, but you can achieve a complete security minded culture.”
Fabian Borg - ISEC
“Security devices help to raise the fence of the sheep pen higher, but the tenacious wolf will succeed
to jump in.” Fabian Borg - ISEC

Finial points
By over securing, the less secure we are:
• adding vulnerabilities and threats
• adding compatibility issues
• adding the chances of misconfiguration or oversights
• lesser accessibility for employees, provoking work around security measures
Be careful when uploading data to the cloud as you might be in breach of the Data Protection Act.

Security in de-evolution
Where are the food tasters, these days...
By Jean Wavrin (Chronique de France et d'Angleterre, 15th Century) [Public Domain], via Wikimedia Commons

Fabian Borg
Founder and Managing Director of
ISEC and HLS-D Corporation Ltd.
Thank You

ISACA - The False Sense of Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to ISACA - The False Sense of Security

Similar to ISACA - The False Sense of Security (20)

ISACA - The False Sense of Security