Saturday, 11 April 2009

The Quantification of Information Systems Risk

I am underway with my latest research project. I am undertaking PhD studies at CSU for another PG degree. The research topic follows.

The goal of this research project is to create a series of quantitative models for information security. Mathematical modelling techniques that can be used to model and predict information security risk will be developed using a combination of techniques including:

  • Economic theory,
  • Quantitative financial modelling,
  • Algorithmic game theory and
  • Statistical hazard/survival models.
The models will account for heteroscedastic confounding variables and include appropriate transforms so that variance heterogeneity in non-normal distributions is accounted for. Process modelling for an integrated Poisson continuous-time process for risk through hazard will be developed using a combination of:
  • Business financial data (company accountancy and other records),
  • Legal databases for tortious and regulatory costs, and
  • Insurance datasets.
This data will be coupled with hazard models created using Honeynets (e.g. Project Honeynet), reporting sites such as the Internet Storm Centre and iDefence. The combination of this information will provide the framework for the first truly quantitative security risk framework.
Support has been sought and received from SANS (including DShield), CIS (Centre for Internet Security) and the Honeynet Project. At present, the DShield storm centre receives logging from over 600,000 organisations. This is a larger quantity of data than is used for actuarial data in the insurance industry. The problem is that this information is not collated or analysed in any quantitatively sound manner. This data will provide the necessary rigour with which to model survival times for types of applications. There is also a body of research into quantitative code analysis for risk that could be incorporated.

The aim of this research is to create a series of models (such as are used within mechanical engineering, material science etc) and hence to move Information Risk modelling towards a science (instead of an art). Stengel R.F. (1984,1996) “Optimal Control and Estimation” provides an indication of such a framework in systems engineering.

Some of the methods used in the creation of the risk framework will include
  • Random forest clustering,
  • K-means analysis,
  • Other classification algorithms, and
  • Network associative maps in text analysis forensic work.
The correlation of reference data (such as IP and functional analysis data) between C&C (Command and Control) systems used in “botnets” is one aspect of this research.
Starting from the outside (the cloud and perimeter) and working inwards to the network, the risk model would begin by assessing external threats and then move to internal threat sources, becoming gradually more granular as one moves from the network to individual hosts and finally to people (user behaviour) and application modelling.

The eventual result will be the creation of a model that can incorporate the type of organisation, size, location, application and systems used and the user awareness levels to create a truly quantitative risk model. This would be reported with SE (standard error) and confidence level rather than a point estimate.

To begin, a number of questions can be answered and a number of related papers can be published on this topic. For instance, the following are all associated research topics in this project:
  1. Is a router/firewall stealth rule effective
  2. What types of DMZ are most effective for a given cost
  3. How economical is the inclusion of additional router logging outside the perimeter firewall
  4. Are "drop" or "reject" rules more effective at limiting attacks - by type
  5. How do Firewalls, IDS, IPS influence and impact system survival times
The creation of a classification model (published on the SANS reading room site soon) that allows for the remote determination of an application versions for DNS software (which is to be expanded to other applications and devices – e.g. routers) has already been completed and published.

I would like to have a collection of data from the Honeynet Project aligned with this information. We can then collect and model survival times for types of applications.
Code to import data from hosts and networks, using raw “pcap traces” will be developed such that system statistics and other data can be collated into a standardised format. This code will be developed in “R” and “C++”.

This will enable the creation and release of actuarially sound threat risk models that incorporate heterogeneous tendencies in variance across multidimensional determinants while maintaining parsimony. I foresee a combination of heteroscedastic predictors (GARCH/ARIMA etc.) coupled with non-parametric survival models. I expect that this will result in a model where the underlying hazard rate (rather than survival time) is a function of the independent variables (covariates). Cox's Proportional Hazard Model with Time-Dependent Covariates would be a starting point, moving to non-parametric methods if necessary.
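As an added illustration (not code from the original post or from the research project it describes), here is the survival-model idea above applied to constructed host data in Python: a Kaplan-Meier estimate of time to first compromise, with right-censoring for hosts that were still clean when monitoring stopped, a Greenwood standard error for each point (the SE reporting mentioned earlier rather than a bare point estimate), and a firewalled versus unfirewalled comparison in the spirit of question 5. All records and the group labels are assumptions made for the example.

```python
"""Kaplan-Meier 'time to first compromise' curves with Greenwood standard errors.

Added example, not code from the original post. Records are constructed as
(days observed, event, group): event=1 means a compromise was logged that day,
event=0 means the host was still clean when monitoring stopped (censored).
"""
from collections import defaultdict

# Constructed sample; 'fw' (behind a firewall) vs 'none' are assumed labels.
HOSTS = [
    (3, 1, "none"), (5, 1, "none"), (5, 0, "none"), (8, 1, "none"), (12, 0, "none"),
    (7, 1, "fw"), (15, 0, "fw"), (20, 1, "fw"), (30, 0, "fw"), (30, 0, "fw"),
]


def kaplan_meier(records):
    """Return [(t, S(t), SE)] at each distinct event time (product-limit estimate)."""
    survival, greenwood, curve = 1.0, 0.0, []
    for t in sorted({days for days, event, _ in records if event}):
        # Censored hosts stay in the risk set up to their last observed day.
        at_risk = sum(1 for days, _, _ in records if days >= t)
        events = sum(1 for days, event, _ in records if days == t and event)
        survival *= 1.0 - events / at_risk
        if at_risk > events:           # Greenwood term d / (n (n - d))
            greenwood += events / (at_risk * (at_risk - events))
        curve.append((t, survival, survival * greenwood ** 0.5))
    return curve


def median_survival(curve):
    """First time S(t) <= 0.5, or None if the curve never gets there (censoring)."""
    for t, survival, _ in curve:
        if survival <= 0.5:
            return t
    return None


def survival_by_group(records):
    """One curve per group, so survival under different controls can be compared."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[2]].append(rec)
    return {name: kaplan_meier(recs) for name, recs in groups.items()}


if __name__ == "__main__":
    for name, curve in survival_by_group(HOSTS).items():
        for t, s, se in curve:
            print(f"{name:4s} day {t:3d}  S={s:.3f}  SE={se:.3f}")
        print(f"{name:4s} median time to compromise: {median_survival(curve)}")
```

With this sample the unfirewalled group reaches median survival at day 8, while the firewalled group's curve never drops to 0.5 because most of its hosts were censored, which is exactly the case a naive average of compromise times would misreport.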

The end goal will be to create a framework and possibly a program that can assess a data stream based on a number of dependent variables (threat models, system survival etc.) and covariates and return a quantified risk forecast and standard error.

I am looking at incorporating fractal statistics, but this seems to be an area with little existing research.

Sunday, 5 April 2009

Forensic Recovery and the Blackberry

It is possible to acquire an image of a bit-by-bit backup using the Blackberry Software Development Kit (SDK). The SDK is available from RIM at http://www.blackberry.com.

The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped, it can be examined and reviewed using traditional methods with your favourite hex editor or other tool. At this point it is basically a raw image file. This is a memory image of course, so you cannot carve files in the same manner as from an NTFS partition, but it is similar to memory forensics. Strings are available and the image will hold binary files and a number of databases.

As for commercial tools, I do not think that there is a great deal to choose from. A few do exist, but I have generally been sticking to the SDKs as the commercial tools are not as mature as they could be.

In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK to match the network and model of the investigated unit. The simulator crashes on a number of non-standard calls, as RIM did not anticipate things that were not designed for the Blackberry in the first place. It does act as a Blackberry for the most part, and you can work on copies of the image files so that you do not alter the evidence.

The SDKs are a good start if you have some programming skills. E.g.

  • http://www.blackberry.com/developers/downloads/jde/index.shtml
I used to have a link to the Blackberry C++ Software Development Kit, but it seems to have been moved or deleted. I have a copy of the C++ SDK, but the link no longer works. The Java SDK is active and this is what I have been using.

  • There is a Yahoo developer group with a few people working in this area: http://tech.groups.yahoo.com/group/BB386dev/

This group has no commercial quality code, but there is source that you can use to do the following:
  • View the contents of any file in the user flash area
  • Dump Flash memory
The group is primarily focused on the older versions.

There are some tools in the SDK that you can use to dump flash. Also the Yahoo site used to have a tool hosted called "programmer.exe" that would dump the complete flash (bit wise) from a BB and save it as a raw image. I have not checked the link location for a while and have a copy anyway. The SDK has replaced the “programmer.exe” file with the javaloader application (javaloader.exe). I do not know which versions support which phone off the top of my head and would have to look up the SDK documentation. The newer Blackberries certainly use the Java version.

There are several places where you can hide information in a Blackberry. It is possible to create hidden databases and hide information in partition gaps. Data can also be hidden in the gap between the OS/application and file partitions.

Alternatively, numerous tools and methods to attack a Blackberry are available. Firstly, there is a toolset called the Blackberry Attack Toolkit, which along with the BBProxy software can be used to load exploitable web site vulnerabilities and hence attack the BlackBerry using a number of JavaScript and Java code issues. The next attack vector involves downloading (what is generally) malicious software to the Blackberry. One such method is hijacking (or "blackjacking"). As the name implies, this allows someone to hijack a legitimate user's Blackberry and replace it on the network with a potentially harmful device.

The Presentation and toolkit for blackjacking are available at:
  • http://www.praetoriang.net/presentations/blackjack.html
They have also developed Metasploit patches for those who cannot run code manually.

BBScreenShooter and BBScreenStream use “javaloader.exe” from RIM to function. They can provide screen shots and captures.

Have a look at (http://na.blackberry.com/eng/developers/started/) for more information.

On top of this, there are a number of other tools that are of use. One such program is “JL_Cmder”. This is short for the “JavaLoader Commander”. The JavaLoader commander is the blackberry command line tool (from RIM and not a random internet source). The “JL_Cmder” programme simplifies the process of accessing most of the common JavaLoader.exe commands. It can also be scripted and used in Java .cab files and even in Javascript from a website.

“JL_Cmder” will allow you to issue the following commands:
  1. deviceinfo - Displays information about the handheld.
  2. eventlog - Retrieves and displays the handheld event log.
  3. screenshot - Takes a picture of the handheld screen. (OS 4.0.2+ required)
  4. wipe - Erases the handheld OS. Not really, but that is the simplest way to explain it.
  5. resettofactory - Removes the IT Policy from the device. (OS 4.3+ required).
JL_Cmder can be used to automatically export data from the device into a text file for easier reading/imaging. It also has a screenshot function.

The man file follows:
Usage: JavaLoader [-u] [-p<port>|<pin>] [-b<baud>] [-d0|-d1] [-w<password>] [-q]

  • -u Connect to USB handheld (default is serial)
  • -p Specifies the serial port (serial handhelds only)
  • -p Specifies the handheld PIN (USB handhelds only)
  • -b Specifies the baud rate (serial handhelds only)
  • -d0 Disables VM debug mode
  • -d1 Enables VM debug mode
  • -w Connects using the specified password
  • -q Quiet mode
dir [-d] [-s]
  • Lists modules on the handheld
  • -d Display dependency information
  • -s Display siblings
deviceinfo
  • Provides information from the handheld
load <.cod file> ...
  • Loads modules onto the handheld
save ...
  • Retrieves modules from the handheld
info [-d] <.cod file> ...
  • Provides information on the specified modules
  • -d Display dependency information
wipe [-a|-f]
  • Wipes the handheld
  • -a Wipe applications only
  • -f Wipe filesystem only
erase [-f] ...
  • Erases modules on the handheld
  • -f Force erase of in-use modules
debugmode
  • Enables VM debug mode
eventlog
  • Retrives the handheld event log
settime
  • Sets the time on the handheld to the current time
radio on|off
  • Turns the handheld's radio on or off
enum
  • Enumerates all USB handhelds
siblinginfo <.cod file> ...
  • Provides sibling information on the specified modules
screenshot <.bmp file>
  • Retrieves the current screen contents and saves it as a BMP file