Security Ever After: July 2011

Monday, July 18, 2011

Control 7: Application Software Security

Attacks against applications are certainly a growing threat to organizations. Some argue that, as system administrators have become much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked.

  • Teach yourself about the OWASP Top 10 Project. Use this information to create an ongoing workshop for your developers to learn these concepts and be better prepared to avoid them. Meet with your developer and quality assurance teams monthly and review one of the categories each session. With the prevalence of virtualization solutions available, it will be easy to create an environment for them to test these concepts from the comfort of their own cubicles. 
  • A most excellent pre-configured platform for your developers and quality assurance teams to use is Samurai Web Testing Framework (WTF) on a virtual machine. This free Linux distribution is purpose built for web application penetration testing, includes numerous tools and is maintained by Kevin Johnson.
  • Integrate at least one component of your information security program into each step of the Software Development Life Cycle (SDLC). The key is to get to the point where the developers seek you out. This may have to involve bribery, staying late with them and an occasional Starbucks run, but this partnership is very possible to achieve with some effort.
  • Look for ways to avoid the 25 Most Dangerous Programming Errors published by MITRE and SANS. Categories of these errors include Insecure Interaction Between Components, Risky Resource Management and Porous Defenses.
  • Institute a peer review program where code is reviewed before it is published by a fellow developer. Consider implementing a nominal reward for each security issue identified before it is released into production.
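The kind of finding the peer review program above is meant to catch, shown as an added example that is not from the original post: the same lookup written the way the OWASP Top 10 injection category warns against, next to the parameterized form a reviewer should ask for. The in-memory SQLite table and the sample inputs are constructed for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name):
    # The defect a reviewer should flag: untrusted input is pasted into the
    # query text, so the input can change the query's structure (injection,
    # listed under "Insecure Interaction Between Components").
    sql = "SELECT name, role FROM users WHERE name = '%s' ORDER BY name" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form: the value travels separately as a bound parameter and is
    # never interpreted as SQL, whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def review_demo():
    # Runs both versions against an ordinary name and a constructed input that
    # turns the unsafe WHERE clause into one that is always true.
    conn = make_db()
    ordinary = "bob"
    hostile = "' OR '1'='1"
    return {
        "unsafe_ordinary": find_user_unsafe(conn, ordinary),
        "unsafe_hostile": find_user_unsafe(conn, hostile),
        "safe_ordinary": find_user_safe(conn, ordinary),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in review_demo().items():
        print(label, rows)
```

The unsafe version returns every row for the hostile input while the parameterized version returns none, which is the one-line demonstration that tends to convince a developer faster than a slide deck does.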

Using these very cost effective techniques will go a long way to increase the security posture of your applications.

Monday, July 4, 2011

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Logs are the single most important place to look when it is time to answer the question "what just happened". The more systems you have, the more impractical it is to review system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This puts all of the logs in one place and also keeps another copy in an alternate location.

SANS provides a Log Vendor Listing that includes popular vendors. Martin Holste wrote his own Enterprise Log Search and Archive (ELSA) solution.

A good tool not only allows you to search through the logs, but also lets you schedule recurring searches and alert when something is found. The following examples of reports and alerts can serve as the foundation of your indications and warnings of attack or misconfiguration.

  • Any successful (and unsuccessful) logins to firewall
  • All firewall rule changes
  • Daily log volume report for the last several days
  • Alert when a host has not sent logs over the last 24 hours
  • All RDP traffic
  • All two factor authentication system and device usage
  • Security log cleared
  • New users, especially in privileged groups
  • Basic File Integrity Monitoring (FIM) alerts generated by increased logging on critical files and folders
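Several of the alerts above expressed as code, as an added example that is not part of the original post and is not tied to any particular log product: a small pass over a constructed set of centralized log lines that flags firewall logins and rule changes, a cleared security log, a member added to a privileged group, hosts that have gone silent for more than 24 hours, and a per-day volume count. The line format, host names, event markers and the fixed "now" are all constructed for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of centralized log lines (not real data):
# "<ISO timestamp> <host> <message>"
SAMPLE_LOGS = """\
2011-07-04T08:00:01 fw01 login succeeded for user=admin from=10.1.1.5
2011-07-04T08:05:10 fw01 login failed for user=root from=203.0.113.9
2011-07-04T08:06:00 fw01 config: rule 42 changed by user=admin
2011-07-04T09:15:22 dc01 EventID=4728 member=jdoe added to group=Domain Admins by=admin
2011-07-04T09:20:00 dc01 EventID=1102 The audit log was cleared by=jdoe
2011-07-04T10:00:00 web01 sshd: Accepted publickey for deploy from 10.1.2.3
2011-07-02T07:00:00 db01 backup completed
"""

# Hosts that are expected to report in, and the groups whose membership
# changes warrant an alert (assumed names for the example).
EXPECTED_HOSTS = {"fw01", "dc01", "web01", "db01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
NOW = datetime(2011, 7, 4, 12, 0, 0)  # fixed "now" so the run is reproducible


def parse_line(line):
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def run_alerts(log_text, now=NOW, expected_hosts=EXPECTED_HOSTS):
    """Return (alerts, daily_volume) for the given log text."""
    alerts = []
    last_seen = {}
    daily_volume = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, msg = parse_line(raw)
        last_seen[host] = max(last_seen.get(host, ts), ts)
        daily_volume[ts.date().isoformat()] += 1
        # Successful and unsuccessful firewall logins, and firewall rule changes.
        if host == "fw01" and "login" in msg:
            alerts.append(("firewall-login", host, msg))
        if host == "fw01" and msg.startswith("config: rule"):
            alerts.append(("firewall-rule-change", host, msg))
        # Windows "audit log cleared" event.
        if "EventID=1102" in msg:
            alerts.append(("security-log-cleared", host, msg))
        # Member added to a security-enabled global group; alert only for
        # privileged groups.
        if "EventID=4728" in msg:
            group = msg.split("group=", 1)[1].split(" by=")[0]
            if group in PRIVILEGED_GROUPS:
                alerts.append(("privileged-group-change", host, msg))
    # Hosts that have not logged anything in the last 24 hours.
    for host in sorted(expected_hosts):
        seen = last_seen.get(host)
        if seen is None or now - seen > timedelta(hours=24):
            alerts.append(("host-silent-24h", host, f"last seen {seen}"))
    return alerts, dict(daily_volume)


if __name__ == "__main__":
    found, volume = run_alerts(SAMPLE_LOGS)
    for kind, host, detail in found:
        print(f"{kind:24} {host:6} {detail}")
    print("daily volume:", volume)
```

The silent-host check is the one that most often goes missing in practice; it is also the one that tells you a log source was turned off before anything else did.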

The SANS Top 5 Essential Log Reports (PDF) lists categories of events that certainly should be addressed in log review. They are broad enough to be valid in all environments and serve as good conversation starters when looking for proper log review and analysis.

  • Attempts to Gain Access through Existing Accounts
  • Failed File or Resource Access Attempts
  • Unauthorized Changes to Users, Groups and Services
  • Systems Most Vulnerable to Attack
  • Suspicious or Unauthorized Network Traffic Patterns

Control 5 - Boundary Defense

Control 5 builds on Control 4 and is concerned with increased awareness and defense of the network boundary. To defend the boundary you must be aware of what traffic goes through all network segments. Change control procedures that are strictly followed are also an important step toward successfully implementing this control.

What can be done and where do you start implementing this control to monitor and better manage the boundary defenses?

Good Ingress and Egress filtering must be in place. What traffic is allowed into your network is just as important as what is allowed to leave your network. Blacklist known bad sites. Whitelist approved business sites. Once this is done, a careful analysis of what remains will be fruitful.

What if your business does no business with foreign countries? Filters at the router can be added that will deny inbound and outbound communication with IP addresses assigned to these nations. The Internet Assigned Numbers Authority (IANA) provides a listing of Top Level Domains.

AfriNIC : Africa, portions of the Indian Ocean
: Portions of Asia, portions of Oceania
ARIN : Canada, many Caribbean and North Atlantic islands, and the United States
LACNIC : Latin America, portions of the Caribbean
RIPE : Europe, the Middle East, Central Asia
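One way to turn the regional listing above into router filters, as an added example that is not from the original post: each of the regional registries publishes its address delegations in a shared pipe-separated statistics format (registry|cc|type|start|value|date|status, where the value is an address count for IPv4 and a prefix length for IPv6). The code below reads constructed lines in that format, keeps the ranges delegated to a chosen set of country codes, and emits deny rules. The sample delegations use documentation ranges and are made up for the illustration, and the iptables-style output is an assumed rule syntax standing in for whatever your router actually takes.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics format; the ranges and
# country assignments are made up and are not real delegations.
SAMPLE_DELEGATIONS = """\
2|arin|20110704|6|19700101|20110704|+0000
# registry|cc|type|start|value|date|status
arin|*|ipv4|*|2|summary
arin|US|ipv4|192.0.2.0|256|20110101|allocated
ripencc|DE|ipv4|198.51.100.0|768|20110101|allocated
apnic|JP|ipv4|203.0.113.0|256|20110101|assigned
apnic|JP|ipv6|2001:db8::|32|20110101|allocated
lacnic|BR|ipv4|100.64.0.0|1024|20110101|allocated
arin|US|asn|64496|1|20110101|allocated
"""


def country_prefixes(stats_text, countries):
    """Return the collapsed IPv4 and IPv6 prefixes delegated to `countries`."""
    v4, v6 = [], []
    for raw in stats_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("|")
        # Version and summary lines carry no country code worth matching.
        if len(fields) < 5 or fields[1] == "*":
            continue
        cc, kind, start, value = fields[1:5]
        if cc not in countries:
            continue
        if kind == "ipv4":
            # IPv4 counts need not be a power of two, so split the range into
            # the smallest set of CIDR blocks that covers it exactly.
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
        # asn records carry no addresses and are skipped
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def deny_rules(prefixes):
    """Render both inbound and outbound drops in an assumed iptables syntax."""
    rules = []
    for p in prefixes:
        tool = "ip6tables" if ":" in p else "iptables"
        rules.append(f"{tool} -A INPUT -s {p} -j DROP")
        rules.append(f"{tool} -A OUTPUT -d {p} -j DROP")
    return rules


def is_blocked(addr, prefixes):
    """Check a single address against the generated prefix list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes
               if ipaddress.ip_network(p).version == ip.version)


if __name__ == "__main__":
    blocked = country_prefixes(SAMPLE_DELEGATIONS, {"DE", "JP"})
    for rule in deny_rules(blocked):
        print(rule)
```

Keep in mind that the delegation files change regularly, so the list has to be regenerated on a schedule rather than loaded once, and that filtering by registry assignment is a coarse control: it says where an address was delegated, not where the traffic is actually coming from.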

Always send alerts of successful logins and policy changes to every member of the security team.

Monitor aggregate data from your NIDS to look for trends or new hosts. A fast and free way to do this is with Security Onion. This is a Linux distribution that comes pre-installed and configured with Snort, Sguil, Squert and many more tools, and was created by Doug Burks.

SANS AuditCast 1, Auditing Routers and Switches with Nipper with David Hoelzer gives practical advice and show notes on performing an audit on network equipment.

Security zones must be created and diligently maintained based on the different types of traffic that traverse your network. All other things being equal, this will help validate that your security efforts are focused on the right network segments.